"How many words" is the most important question in passphrase security, and most guides give a vague answer like "more is better." The actual answer is precise: it depends on the threat model. This guide gives you the math, the recommended numbers for common situations, and a tool that calculates entropy as you generate.
Generate a passphrase with entropy displayed.
Open Passphrase Generator →

For a passphrase generator using a 2048-word list (BIP-39 size), the entropy per word is log2(2048) = 11 bits. So:
| Words | Bits of entropy | Possible combinations | Threat resistance |
|---|---|---|---|
| 3 | 33 | 8.6 billion | Hours (modern GPU) |
| 4 | 44 | 17.6 trillion | Months |
| 5 | 55 | 36 quadrillion | Decades |
| 6 | 66 | 73 quintillion | Millennia |
| 7 | 77 | 149 sextillion | Effectively forever (today) |
| 8 | 88 | 303 septillion | Effectively forever |
| 9 | 99 | 617 octillion | Effectively forever |
| 10 | 110 | 1.3 nonillion | Effectively forever |
For comparison, a passphrase generator using the EFF Long word list (7776 words) gives ~12.9 bits per word, so a 5-word EFF passphrase is roughly equivalent to a 6-word 2048-word passphrase. Both are excellent.
| Use case | Recommended length | Bits | Why |
|---|---|---|---|
| Throwaway forum account | 3-4 words | 33-44 | Doesn't matter much |
| Personal email | 5 words | 55 | Important but not catastrophic if leaked |
| Bank login | 6 words | 66 | High value, fraud risk |
| Password manager master | 6-7 words | 66-77 | Single point of failure |
| Disk encryption | 7-8 words | 77-88 | Resists offline attack with full GPU farms |
| Crypto wallet | 8+ words | 88+ | Irrecoverable if cracked |
The famous XKCD comic from 2011 recommended 4 words and calculated ~44 bits of entropy. At the time, this was overkill for most accounts. The comic estimated 550 years to crack at 1000 guesses per second.
But cracking has gotten much faster. A modern GPU can guess billions of passwords per second, not 1000. The same 4-word passphrase that took 550 years in 2011 takes hours today on commodity hardware. This is why we now recommend 5-6 words instead of 4.
At 77 bits of entropy (7 words), the passphrase is computationally infeasible to brute force with current technology. Even with the entire Bitcoin mining network's hash rate (~600 exahash/sec), brute forcing a 77-bit passphrase would take longer than the age of the universe.
The only reason to go beyond 7 words is for long-term storage where you're worried about future computing improvements (quantum computers, breakthroughs in cryptanalysis). For storage that needs to be secure for decades, 8-10 words is reasonable.
The threat model matters because attack speeds differ dramatically:
| Attack type | Speed | Bits needed for "decades" of protection |
|---|---|---|
| Online (web login) | ~10 guesses/sec (rate-limited) | ~40 bits (4 words) |
| Online (no rate limit) | ~1000 guesses/sec | ~50 bits (5 words) |
| Offline (CPU brute force) | ~1 million/sec | ~60 bits (5-6 words) |
| Offline (GPU brute force) | ~10 billion/sec | ~70 bits (6-7 words) |
| Offline (specialized hardware) | ~1 trillion/sec | ~80 bits (7-8 words) |
For online attacks (someone trying to log into your account from the web), 5 words is plenty. The website limits how fast they can try.
For offline attacks (someone has stolen a password database and is brute-forcing the hashes), you need more bits because they can guess much faster. 6-7 words is the right answer.
For your password manager master password, full disk encryption, or a crypto wallet seed phrase, ALL of your other security depends on this one passphrase. Don't economize. Use 7+ words. The extra typing time is trivial compared to the catastrophic loss if it's cracked.
Most people can comfortably remember a 5-word passphrase with practice. 6 words is harder but doable. 7+ requires real effort or a mnemonic device. This creates a tension: more words = more security, but also more risk of forgetting.
The solution: use a 6-7 word passphrase for the few critical things you need to type (password manager master, full disk encryption), and let the password manager generate longer random passwords for everything else.
The formula is simple: entropy = words × log2(word_list_size). It holds only when every word is drawn independently and uniformly at random from the list (dice or a cryptographic random generator); words you pick yourself carry far less entropy than the formula suggests.
If you're using the Bison Passphrase Generator, the entropy is shown directly below the generated passphrase along with a strength label (Weak / Moderate / Strong / Very Strong). You don't need to calculate it manually.
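As an added example (not code from this page or from the Bison tool), the entropy formula and the crack-time estimates above in Python; the word list is a constructed 2048-entry placeholder, and the guess rates are the ones from the attack-speed table.

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 86400

# Constructed placeholder list (2048 entries, the BIP-39 size); only its size
# enters the entropy math, so any real list of the same length behaves the same.
SAMPLE_WORDS = [f"word{i:04d}" for i in range(2048)]


def entropy_bits(words: int, list_size: int) -> float:
    """entropy = words x log2(list_size); valid only if each word is drawn
    independently and uniformly at random from the list."""
    return words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count that reaches target_bits with the given list."""
    return math.ceil(target_bits / math.log2(list_size))


def expected_crack_years(bits: float, guesses_per_sec: float) -> float:
    """Expected time for an exhaustive search: on average half the keyspace is
    tried before the right passphrase is hit. The rate is whatever the attacker
    can actually test; a slow KDF on the stored hash lowers it substantially."""
    return (2.0 ** bits) / 2 / guesses_per_sec / SECONDS_PER_YEAR


def crack_time_table(words: int, list_size: int) -> dict:
    """Years to crack at the attack speeds from the guide's threat-model table."""
    rates = {
        "online, rate-limited": 10,
        "online, no rate limit": 1e3,
        "offline, CPU": 1e6,
        "offline, GPU": 1e10,
        "offline, specialized hardware": 1e12,
    }
    bits = entropy_bits(words, list_size)
    return {name: expected_crack_years(bits, rate) for name, rate in rates.items()}


def generate_passphrase(word_list, words: int, sep: str = " ") -> str:
    """Pick words with the OS CSPRNG (secrets), never random, so the figure holds."""
    return sep.join(secrets.choice(word_list) for _ in range(words))


if __name__ == "__main__":
    for n in (4, 5, 6, 7):
        years = {k: f"{v:.3g} yr" for k, v in crack_time_table(n, 2048).items()}
        print(n, "words:", entropy_bits(n, 2048), "bits", years)
    print(generate_passphrase(SAMPLE_WORDS, 6))
```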