For decades, we’ve been told that strong passwords must be a jumble of uppercase letters, numbers, and symbols. But what if the conventional wisdom is wrong? What if the most secure passwords are actually the ones you can remember?
The Entropy Problem
Entropy, in the context of passwords, measures how unpredictable a password is: the base-2 logarithm of the number of equally likely possibilities. Each additional bit doubles the work a systematic guesser has to do on average.
A random 8-character password drawn uniformly from the 95 printable ASCII characters (uppercase, lowercase, digits, symbols) has about 52.6 bits of entropy (8 × log2 95). That sounds impressive until you consider that modern GPU clusters can attempt billions of guesses per second against fast, unsalted hashes such as MD5 or NTLM. Two caveats matter in practice: a human-chosen 8-character password falls far short of 52 bits because it follows predictable patterns (a dictionary word with a capital first letter and a trailing digit or symbol), and a slow, salted password hash such as bcrypt, scrypt or Argon2 cuts the attacker's guess rate by several orders of magnitude, although it does not change the entropy arithmetic itself.
Why Words Beat Symbols
A passphrase like “correct-horse-battery-staple” has approximately 44 bits of entropy per the original XKCD comic, but a properly generated 5-word Diceware passphrase actually provides about 64 bits — far exceeding most traditional passwords.
The key advantages:
- Memorability: Humans naturally remember narratives and sequences of words
- Length: a 5-word passphrase runs roughly 25-40 characters, so an attacker who ignores the wordlist and brute-forces character by character faces an enormous space; assume instead that the attacker knows the list, and count only the entropy from word selection (about 12.9 bits per word from a 7776-word list)
- Typability: No need to remember which characters are uppercase or where the symbols go
The Diceware Method
The Diceware method uses physical dice (or a cryptographically secure random number generator) to select words from a curated list. Five rolls of a six-sided die form a five-digit key such as 35162 that indexes exactly one of 6^5 = 7776 words, so every word is equally likely. That uniform randomness is what human choice cannot replicate: people gravitate to memorable, and therefore predictable, words. Never pick or swap words by hand after rolling, since that reintroduces the bias the dice were there to remove.
The Mathematics
- Each word from the EFF long wordlist (7776 words) adds log2 7776 ≈ 12.9 bits of entropy; the EFF short lists have 1296 words and add only about 10.3 bits per word, so a phrase drawn from those needs more words for the same strength
- A 4-word passphrase: ~51.7 bits (adequate for most uses)
- A 5-word passphrase: ~64.6 bits (recommended standard)
- A 6-word passphrase: ~77.5 bits (high-security applications)
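The generation and the arithmetic above, as an added example (not code from the original article, and not EFF's or the Diceware project's own tooling). It assumes the wordlist is in EFF's published file format, one "DDDDD<TAB>word" line per entry where DDDDD is a five-dice key using digits 1-6; the six-entry list embedded in the script is constructed for the demo, and the guess rates used for the crack-time estimate are assumed figures, not measurements.

```python
"""Diceware passphrase generation and entropy arithmetic.

Added example; not code from the original article or from EFF/Diceware.
Assumption: the wordlist uses EFF's published file format, one
"DDDDD<TAB>word" line per entry, where DDDDD is a five-dice key with
digits 1-6 (6**5 = 7776 entries in the real long list). The six-entry
list embedded below is constructed for the demo.
"""
import math
import secrets

DICE_FACES = "123456"
FULL_LIST_SIZE = 6 ** 5  # 7776 entries in the real EFF long list

# Constructed sample in EFF long-list format (the real file has 7776 lines).
SAMPLE_WORDLIST_TEXT = """\
11111\tabacus
11112\tabdomen
11113\tabdominal
11114\tabide
11115\tabiding
11116\tability
"""


def parse_wordlist(text):
    """Parse 'key<TAB>word' lines into {key: word}; rejects malformed keys."""
    words = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, word = line.split("\t", 1)
        if len(key) != 5 or any(c not in DICE_FACES for c in key):
            raise ValueError(f"bad dice key: {key!r}")
        words[key] = word.strip()
    return words


def index_to_key(i):
    """0..7775 -> '11111'..'66666': write i in base 6 using die faces 1-6."""
    if not 0 <= i < FULL_LIST_SIZE:
        raise ValueError("index out of range")
    digits = []
    for _ in range(5):
        i, r = divmod(i, 6)
        digits.append(DICE_FACES[r])
    return "".join(reversed(digits))


def key_to_index(key):
    """Inverse of index_to_key: five-dice key -> 0..7775."""
    idx = 0
    for c in key:
        idx = idx * 6 + DICE_FACES.index(c)
    return idx


def roll_key():
    """Five die rolls drawn from the OS CSPRNG, encoded as a wordlist key."""
    return "".join(secrets.choice(DICE_FACES) for _ in range(5))


def passphrase_from_keys(words, keys, sep="-"):
    """Look up keys rolled with physical dice, e.g. ['35162', '11116']."""
    return sep.join(words[k] for k in keys)


def generate_passphrase(words, n_words=5, sep="-"):
    """CSPRNG passphrase. For a full 7776-word list this is the same
    distribution as five dice per word; for any other list size it still
    samples uniformly via secrets.randbelow (never random.choice)."""
    vocab = sorted(words.values())
    return sep.join(vocab[secrets.randbelow(len(vocab))] for _ in range(n_words))


def entropy_bits(n_choices, alphabet_size):
    """Entropy of n independent uniform choices from alphabet_size options."""
    return n_choices * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Mean time to hit the secret: half the keyspace at the given rate."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    words = parse_wordlist(SAMPLE_WORDLIST_TEXT)
    print("random dice key:", roll_key())
    print("demo phrase (6-word sample list, low entropy):",
          generate_passphrase(words, 5))
    for n in (4, 5, 6):
        print(f"{n} Diceware words: {entropy_bits(n, FULL_LIST_SIZE):.1f} bits")
    print(f"8 random printable ASCII chars: {entropy_bits(8, 95):.1f} bits")
    # Assumed rates: 1e10/s for a fast unsalted hash on a GPU rig,
    # 1e4/s for a slow KDF such as Argon2 or bcrypt.
    for rate in (1e10, 1e4):
        secs = expected_crack_seconds(entropy_bits(5, FULL_LIST_SIZE), rate)
        print(f"5 words at {rate:.0e} guesses/s: ~{secs / 3.15e7:.3g} years")
```

The sample list only exercises the parser and the dice-key mapping; generate a real passphrase against the full 7776-entry file, since entropy_bits on the six-word sample comes out at 5 × log2 6 ≈ 12.9 bits for the whole phrase. The crack-time figures are averages over the keyspace and scale linearly with the attacker's guess rate, which is why the choice of password hash matters as much as the passphrase length.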
Practical Recommendations
For everyday accounts, a 4-word passphrase provides sufficient security. For your master password — the one that protects all others — use at least 5 words, preferably 6.
Always use a separator between words (hyphens, spaces, or periods). Separators add no entropy, but they keep word boundaries unambiguous and make the phrase easier to type. Capitalizing one word is a marginal gain: if the position is chosen at random it adds log2 5 ≈ 2.3 bits to a 5-word phrase, and if it is always the first word it adds nothing. Adding a sixth word adds about 12.9 bits and is the better trade.
The future of authentication is human-friendly and mathematically robust. It’s time to think in words, not characters.
