Security guide
Password vs Passphrase
Compare random character passwords and random-word passphrases, including memorability, entropy, storage, and safe use cases.
Summary
A password is usually a string of random characters. A passphrase is usually a sequence of words. Either can be strong if it is generated randomly, unique, and stored or memorized safely. The right choice depends on whether you need maximum compactness, easy typing, or memorability.
Use the passphrase generator when you want random words, or the password generator when a site expects a compact character password.
Random character passwords
Random character passwords are efficient: every additional character multiplies the search space by the size of the character set. They are ideal for password managers, admin panels, Wi-Fi, banking, email, and developer secrets. The downside is that they are hard to memorize and unpleasant to type on small keyboards.
Random-word passphrases
Passphrases are easier to read and type. The important word is “random.” A sentence you invent, a quote, a song lyric, or a familiar phrase may be guessed by pattern-based tools. A passphrase should be made from independently selected words from a sufficiently large list.
Practical recommendations
- Use random character passwords for most accounts stored in a manager.
- Use passphrases for credentials you may need to remember.
- Do not reuse either format.
- Avoid personal phrases, quotations, names, and dates.
- Check whether spaces or separators are accepted by the destination.
Detailed guidance
This guide focuses on deciding between random character passwords and random passphrases. It is written for people who need both secure stored passwords and memorable login secrets, so the practical goal is not a dramatic security claim but a password habit that can survive everyday use: sign-in forms, password managers, mobile keyboards, account recovery, shared devices, and the occasional service with strange validation rules. A secure recommendation is only useful if a real person can follow it consistently.
The safest starting point is randomness plus uniqueness. Randomness means the value is selected from a large space by a cryptographically suitable random source, not invented from a birthday, a pet name, a keyboard pattern, or a favorite quote. Uniqueness means the same password is not used anywhere else. A password that is long but reused can fail quickly after one unrelated breach, while a unique random password limits the damage to the single account where it was used.
For this topic, a practical preset is four to six random words for memorability, or random characters for password-manager storage. You can apply that preset with the passphrase generator and then store the final value in a trusted password manager. PwdGen generates values locally in the browser with Web Crypto; the generated password is not sent to a PwdGen server. That local design reduces server-side exposure, but it does not protect against every threat. A malicious browser extension, a compromised device, a phishing page, or unsafe clipboard handling can still expose a secret after it is generated.
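The following is an added example, not PwdGen's source code: one way to pick words independently and uniformly with the Web Crypto random source, using rejection sampling to avoid modulo bias. The names `uniformIndex`, `generatePassphrase` and `DEMO_WORDS` are hypothetical, and the word list is constructed for the demonstration.

```javascript
// Added example; not PwdGen's source. All names here are hypothetical.
// Constructed demo list: far too small for real use, where the list
// should hold thousands of words.
const DEMO_WORDS = ["amber", "birch", "cobalt", "delta", "ember", "fjord", "garnet", "harbor"];

const TWO_32 = 0x100000000; // number of distinct Uint32 values

// Return a uniformly distributed integer in [0, n) using rejection sampling.
// A plain `value % n` favours low indices whenever n does not divide 2^32.
function uniformIndex(n, getRandomValues = (buf) => globalThis.crypto.getRandomValues(buf)) {
  if (!Number.isInteger(n) || n < 1 || n > TWO_32) {
    throw new RangeError("n must be an integer in [1, 2^32]");
  }
  const limit = Math.floor(TWO_32 / n) * n; // largest multiple of n that fits
  const buf = new Uint32Array(1);
  do {
    getRandomValues(buf); // Web Crypto CSPRNG unless a source is injected
  } while (buf[0] >= limit); // discard the uneven tail and draw again
  return buf[0] % n;
}

// Pick `count` words independently (repeats allowed) and join them.
function generatePassphrase(words, count, separator = "-", getRandomValues) {
  if (!Array.isArray(words) || words.length < 2) {
    throw new RangeError("word list too small");
  }
  const picked = [];
  for (let i = 0; i < count; i++) {
    picked.push(words[uniformIndex(words.length, getRandomValues)]);
  }
  return picked.join(separator);
}
```

The optional `getRandomValues` argument exists only so the sampling logic can be checked with fixed inputs; leave it unset in real use so the values come from Web Crypto.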
The most common problems to avoid are handwritten phrases, famous quotes, song lyrics, personal slogans, and dictionary phrases chosen by a human. These problems matter because attackers rarely need to brute-force every possible password when human habits give them a shortcut. Credential stuffing, phishing, leaked password lists, and account-recovery abuse are often more realistic than a pure mathematical search. That is why the best advice combines password quality with account-level controls such as MFA, passkeys, recovery-code storage, and regular review of recovery email or phone settings.
Use this checklist when applying the recommendation:
- Use randomly selected words, not a sentence you invent.
- Keep separators consistent with the destination form.
- Do not reuse a passphrase across accounts.
- Use a manager for long random passwords.
If a website rejects the ideal setting, do not force the password into a weaker pattern by hand. Adjust one variable at a time. If symbols are rejected, keep uppercase, lowercase, and numbers enabled and increase length. If a maximum length is low, use the largest accepted length and make sure the value is unique. If a password must be read aloud, printed, or typed on a television or router screen, consider excluding confusing characters and increasing the length to compensate for the smaller alphabet.
Finally, remember the boundary of password advice. A strong password is one layer of defense, not a guarantee. It cannot make a phishing page safe, fix malware, or compensate for a service that stores credentials poorly. The useful habit is boring but durable: generate a unique value, store it safely, protect the recovery path, and replace it quickly if you suspect exposure.
Frequently asked questions
Is a passphrase always stronger than a password?
No. A random passphrase can be strong, but a familiar quote or sentence is not equivalent to randomly selected words.
When should I choose a passphrase?
Choose a passphrase when you may need to remember or type it manually, especially for a password-manager master credential.
How many words should a passphrase use?
Four random words is a practical starting point; add more words for higher-value uses or smaller wordlists.
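The advice above to increase length for a smaller alphabet, and to add words for a smaller wordlist, can be made concrete with an entropy calculation. This is an added example, not part of the original guide; the function names and the sample set sizes (94 printable characters, 62 alphanumerics, 56 after dropping six look-alike characters, word lists of 7776 and 2048 entries) are illustrative assumptions.

```javascript
// Added example; names and sample sizes are illustrative assumptions.

// Entropy in bits of `length` symbols drawn uniformly and independently
// from a set of `setSize` items (characters or words).
function entropyBits(setSize, length) {
  if (setSize < 2 || length < 1) {
    throw new RangeError("need setSize >= 2 and length >= 1");
  }
  return length * Math.log2(setSize);
}

// Smallest length over a set of `newSize` items that keeps at least the
// entropy of `oldLength` items drawn from a set of `oldSize`.
function compensatedLength(oldSize, oldLength, newSize) {
  if (newSize < 2) throw new RangeError("need newSize >= 2");
  const needed = entropyBits(oldSize, oldLength) / Math.log2(newSize);
  return Math.ceil(needed - 1e-9); // epsilon absorbs floating-point noise
}

// Worked cases for the situations the guide describes.
function workedCases() {
  return {
    // Site rejects symbols: 16 chars over 94 -> alphanumeric only.
    noSymbols: compensatedLength(94, 16, 62),
    // Read aloud or typed on a TV: drop 0 O o 1 l I from the 62.
    noLookAlikes: compensatedLength(62, 20, 56),
    // Four words from a 7776-word list vs a 2048-word list.
    smallerWordlist: compensatedLength(7776, 4, 2048),
    fourWordBits: entropyBits(7776, 4),
  };
}
```

These figures hold only when every character or word is chosen uniformly at random; a phrase a person invents does not reach them.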