Time for some very big numbers.
In short, because there are many more words than there are characters.
At first blush, even that might not seem like enough, but it gets even better.
Buckle up for some really big numbers.
Become a Patron of Ask Leo! and go ad-free!
Passphrases are better
There are as many, or more, combinations of four or five random words as there are 16 random characters. Given that they can be just as secure and significantly easier to remember, passphrases can be a useful approach to password-based security.
Random characters
First let's look at how hard it is to break passwords of varying lengths.
Let's say that, if you include upper and lower case, digits, and an assortment of, say, 10 arbitrary special characters to choose from, you end up with 72 possible characters to choose from for each character of your password.1
- a-z: 26
- A-Z: 26
- 0-9: 10
- Special: 10
So, an eight-character password, each character of which can have any of 72 different values, has a total of 72^8 (72 multiplied by itself eight times) or 722,204,136,308,736 (~ 7.2 × 10^14) different possibilities. That's just over 722 trillion possible eight-character passwords.
For a 12-character password, the numbers are 72^12 or 19,408,409,961,765,342,806,016 (~1.9 × 10^22) possible passwords.
For 16, it's 521,578,814,501,447,328,359,509,917,696 (~5.2 × 10^29), and for 20, it's 14,016,833,953,562,607,293,918,185,758,734,155,776 (~1.4 × 10^37).
It's easiest to compare the orders of magnitude: 10^14, 10^22, 10^29, and 10^37. Eight-character passwords are considered crackable by brute force (using a computer to try every possible password) in a few seconds, 12-character passwords in a few months, 16-character passwords in a few million years, and 20 characters in numbers larger than I can comprehend.2
Random words
Now we can look at passphrases and see if we can compare apples to apples (spoiler: it's not easy).
First, we have to start with figuring out how many words are in the English language.3 Sources differ, but the approximate numbers I see thrown about are:
- 1,000,000 total, perhaps ever.
- 600,000 words in the Oxford English Dictionary (traditionally the largest dictionary).
- 170,000 words in use.
- 30,000 words in a common individual's vocabulary.
We'll run with those last two numbers, since few of us are prone to using obscure, old-fashioned words.
A four-word passphrase would then be on the order of:
- 30,000^4 = 810,000,000,000,000,000 (8.1 × 10^17) if we're talking about words in our common vocabulary.
- 170,000^4 = 835,210,000,000,000,000,000 (8.3521 × 10^20) drawing from all words currently in use.
Five words would result in:
- Common vocabulary: 24,300,000,000,000,000,000,000 (2.43 × 10^22)
- All current words: 141,985,700,000,000,000,000,000,000 (1.419857 × 10^26)
If you focus on just the orders of magnitude (10^17, 10^20, 10^22, 10^26), these numbers don't look that impressive, compared to the random-character numbers.
And this is where most people stop and give up on passphrases.
But so far, we're comparing apples to oranges.
Random words for real
What the comparison above overlooks is simply this: passwords are case sensitive, and most phrases have inter-word characters. That might be as simple as a space between two words, although not all services allow spaces in passwords (though I would hope that most explicitly asking for a passphrase would allow for spaces). In reality any character supported by the service can be used to separate the words -- I often use underscore (_) in place of space.
Yes, you can use passwords like "correcthorsebatterystaple", and the calculations above would apply if all of the cracking was happening against only all lower-case passphrases with all the words smooshed4 together.
On the other hand, if you add simple variations like capitalization and spacing -- "Correct Horse Battery Staple" -- the number of possible passphrases resulting from the various combinations of words explodes. Every word takes on multiple variants depending on length and capitalization, and every passphrase takes on even more possibilities as we vary the characters separating the words.
And that's the real, more meaningful, comparison.
Unfortunately, it's also difficult to quantify with hard numbers. We have to make some very gross assumptions.
Let's say the average length of a word is five characters. If we alter capitalization for all possible combinations ("aaaaa", "Aaaaa", "AAaaa", and so on) we get 2^5 or 32 possible variations. Suddenly our word list increases by a factor of 32. Our 30,000 common vocabulary becomes a little over a million words, exceeding even the OED's list.
A four-word passphrase would then result in 1,099,511,627,776,000,000,000,000 (~1 × 10^24) combinations. Five words would be 1,125,899,906,842,624,000,000,000,000,000 (~1.1 × 10^29), putting it on a par with 16-character random passwords.
And that's not even factoring in inter-word spacing or adding one or more "archaic" words that might have special meaning to you.5
Do this
Passphrases are perfect when you have to remember them on your own (i.e., without a password manager).
The real takeaway here is not to let invalid comparisons fool you. A four- or five-word random passphrase is plenty secure and significantly easier to remember. Spice it up a little with your own easy-to-remember capitalization and spacing rules (e.g., "correcT?horsE?batterY?staplE"), and they're near perfect.
Don't forget: password strength doesn't matter if your password is compromised through a data breach at a service you use, malicious keystroke logger on your computer, or a successfully executed phishing attempt. Be sure to stay safe by using a different password or passphrase on every site.
Something else you can do to stay safe: Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Footnotes & References
1: Yes, I'm assuming the US English character set here. The order of magnitude doesn't change much if you use another Roman-ish set. Similarly, some services let you choose from more than 10 special characters and others limit you to less.
2: Literally. The charts I looked at stopped at 18 characters, where the cracking time was measured in quadrillions of years, which is already multiple eons. Via Are Your Passwords in the Green? Be sure to scroll down to the 2023 table. It stops at 18-character passwords, which take 18 billion years.
3: If you're using a different language, your numbers will certainly be different.
4: Technical term, that. OK, it should be "concatenated" -- but I'm told not everyone knows that word, exemplifying the difficulty of measuring vocabulary.
5: Grandiloquent Word of the Day is a great source.
When you said smooshed together, I had a picture of tightly kerned text, another technical word not everyone knows.
My definition of kerning:
Smooshing and unsmooshing of text.
I let my password manager create a unique 12-character password with upper & lower case, numbers and special characters for every site that needs a password. Regrettably there are still sites that limit length to 8 upper/lower case and numbers only. For my master password to access the password manager I use a line from a centuries-old, obscure poem my Dad used to read to us kids until we could recite it with him. Hard to forget, and uses non-current English words and words with archaic spelling scattered throughout. Of course I also use multi-factor wherever it’s available.
WOW! That’s a lot of math! That makes perfect sense to me! I will definatly change some of my passwords going foward. Not bad advice to my rather simplistic outlook.
But. The hacker doesn’t know or care if a user is concatenating words as such or simply characters. Regardless of the combinatorics of English words (or words in any other language–the hacker doesn’t know or care about that, either), the pass phrase is still composed of characters. Pass phrases are a subset of character-based authentication strings, and for that reason are just as hard to guess as any other string of the same length. Their advantage, in my mind, is just that they are far easier to remember. And I think Frederick St John has exactly the right idea–his pass phrase is not random, but it’s long, and we’d have to know a lot about him to try to guess it.
One other thing, though. We speak of ‘random’ words. But the example offered here “correcthorsebatterystaple”, is not random. It’s the same example that Randall Munroe used in the XKCD comic dealing with the same subject. I imagine there are thousands of people using that exact pass phrase, because copying somebody else’s is way easier than coming up with a new. Random isn’t easy.
My point is simply that pass phrases make it easier to make longer passwords. And length, as you point out, trumps everything.
And most sites like my own use “correct horse battery staple” specifically because Mr. Munro did such a good and simple job of explaining why passphrases are better in a 4 panel comic. It’s become internet lore, of a sort, and should never actually be used. It’s an example, nothing more.
When it comes to four words, random is easy. CoffeeWristwatchLampWD40. I came up with those instantly just looking at objects on my desk.
I’m sticking with LastPass for now, mostly because I’ve been impressed with how much they’ve ‘cleaned’ up their act since the breach. Following the breach, I changed my master password to a phrase consisting of at least 16 characters, increased my password iterations count to 600,000, then I went through all the passwords I have stored in my vault, one at a time, changing each one to consist of 16 characters, and I set up/enabled 2FA (where not yet in use, but available). For any sites I found that didn’t support that many characters or 2FA, I noted the website’s URL for potential cancellation (creating a cancellations list) and contacted the ‘web master’ to ask why. If I didn’t receive a satisfactory reply (meaning they’re working on it with a completion date) or no reply at all within a week, I began the procedure to delete my account and all my data from that site. For the one or two sites that did not have a cancel/delete option and that did not reply satisfactorily or at all, I changed my name to something like “Joe Blow”, my user name to something like “I-quit”, my email address to something like “notme@nowhere.com” and anything else I could to some nonsensical phrases/words etc. then I removed as much information as possible from my profile and elsewhere on each such site, noting what I did on my site cancellations list. When I finished going through all my passwords, I deleted the entries for the sites whose accounts I had cancelled/deleted/or changed my information on using my completed site cancellations list (noted above). Following all that effort, for any new site for which I want to create an account, I check that they support 16-character passwords and 2FA, or I don’t sign up, and I go through my vault annually to make sure no site has fallen between the cracks.
The end result of my effort is that going forward, all the sites I have an account for have 16-character passwords with 2FA enabled. I’ll be very satisfied with that until site passkeys become ubiquitous.
Ernie (Oldster)
Very informative article. However, many applications requiring you to set up a password are very specific as to min. and max. characters, alpha numeric characters, special signs (#@& etc.) and upper and lower case letters. In these instances, which are frequent, how would one set up a passphrase? Thank you.
As best you can within those limitations, or simply revert to long random passwords.
Leo,
I have long appreciated the knowledge you share.
I was intrigued by your recent advice about passwords.
I have one Windows 11 computer connected to the Internet.
Is your advice appropriate for signing on to this computer with a complex password?
I’m concerned about the potential for hackers getting to my data on that computer.
Thank you.
When in doubt, yes, but the advice is mostly about online accounts. Your computer presents a different set of vulnerabilities. The one protected by password is simply someone walking into your house and using your computer. (It can also be used for some forms of remote access, but those are prevented by your router.)
More important for protecting your computer is good security software, not opening unexpected attachments, and just general good security hygiene and skepticism. Internet Safety: 7 Steps to Staying Safe Online is a good start.
Hi Leo, while I accept the point of your article I think your maths is a little suspect. A dictionary word (of any length) is only a very small subset of all the combinations of characters of a similar length. Also you cite 30,000 or 170,000 words in use, but those numbers include every length from 1 to say 15 letters, the number of 5 letter words will be much much smaller. Any word of any length will always have a considerably smaller number of combinations than random characters of the same length. I agree, of course, that 3 or 4 words will be far easier to remember than random characters but that only matters if you are not using a good password manager.
Those numbers are rough estimates and since it’s a meaningless passphrase, it doesn’t matter much the frequency of those words in the dictionary as a dictionary can’t be used against a passphrase like that. All of your web passwords can be random as they are encrypted and managed by yout password manager, but some passwords like the password to yout password manager need to be something you can remember. Of course, you can create a text file to hold those passwords, but that would need a memorizable password.
Your title “How can four random words be more secure than 16 random characters?” implies that they can, which is impossible as the possible password combinations using 16 random characters would include all of the possible passwords using four random words, assuming the 16 random characters available include all of the upper and lower case letters plus spaces, dashes, underscores, etc.
The example Leo gives, CorrectHorseBatteryStaple contains 25 characters which is much better than a password of 20 characters using 20 characters.
For 25 alpha characters the total number of possible combinations is 52^25 (52 with 25 zeros)
If the password is 20 characters long including numbers ans special characters , then the total number of possible combinations is 95^20.
The 25 character password is much more difficult to crack.
Got it now. I misunderstood the recommendation as I was thinking the password alternatives were of the same length. If they were then I think I’d be correct. If so you are somewhat comparing apples and oranges. But you have a valid viewpoint.
Hi Leo
I have a question somewhat related to this topic.
For websites that do not allow entering wrong passwords after a few attempts, do we still bother to use a very strong password since hackers cannot do the brute force attacks anyway. A moderately strong password would be sufficient and as secure as a very strong one. Am I correct?
Thanks
Narin
NO. You MUST use a strong password. Here’s why: How Can a Hacker Try All Possible Passwords If Systems Block Failed Login Attempts?
It sounds like a good idea if I only needed one password, but isn’t the standard advice to have a unique password for each website? I am signed up for over 200 websites and would not be able to remember the four words assigned to each site. Maybe I’m missing something here.
This is why we use password managers.