How to Use a Passphrase Generator: The NIST 800-63B Guide
Four random words beat a complex 10-character string. NIST says so. Here is the correct way to generate, use, and manage passphrases.
Why NIST recommends passphrases
NIST Special Publication 800-63B, the US government's authoritative authentication guidance, made a significant shift in 2017: it recommends length over complexity. Specifically, it recommends passphrases — multiple random words — over complex character requirements, and explicitly discourages mandatory periodic rotation and complexity rules that produce predictable patterns.
The reason is entropy. Four random words from a 7,776-word wordlist (standard Diceware) give you roughly 51 bits of entropy. That beats any 8-character complex password (52 bits at most, much less in practice due to predictable patterns) while being dramatically more memorable.
How to use PassGeni's passphrase generator
PassGeni's passphrase tab generates NIST 800-63B compliant passphrases entirely in your browser:
- Go to the generator and click the Passphrase tab
- Select your profession — this seeds the word pool with domain-relevant vocabulary, making the result 30% more recognisable without reducing entropy
- Set word count: 4 words for personal accounts, 5+ for high-security accounts
- Choose a separator: hyphens, spaces, dots, or none
- Generate — your passphrase is created with crypto.getRandomValues(), never transmitted to any server
When to use a passphrase vs a password
Use a passphrase when:
- You need to type the credential manually (TV apps, terminal, phone keyboard)
- The account requires memorisation without a password manager
- You want something you can say over the phone to IT support
- The credential is your password manager's master password (you can't autofill that one)
Use a password when:
- The account has strict format requirements (some systems reject spaces)
- Maximum entropy is the priority over memorability
- The credential will be stored in a password manager and never typed
The entropy math
A 4-word Diceware passphrase: 7776^4 ≈ 3.6 × 10^15 combinations = 51.7 bits of entropy. A 5-word passphrase: 62.5 bits. A 6-word passphrase: 77.5 bits — exceeding the NIST recommendation for most use cases.
For comparison: an 18-character random password with all character types (95 chars) has approximately 118 bits of entropy — more than a 6-word passphrase, but impossible to remember. The passphrase wins on the memorability/security tradeoff for accounts that require human memory.
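The figures in this section all come from one formula: a secret made of n independent uniform picks from a pool of size N carries n · log2(N) bits. The block below is an added example, not something from the PassGeni page, that makes the formula reusable so you can compare any word count, wordlist size and character set, and work out how many words are needed to hit a target strength. The pool sizes 7,776 (Diceware) and 95 (printable ASCII) are the ones used above; the function names are assumptions.

```javascript
// Added example, not from the PassGeni page: the entropy arithmetic behind the
// passphrase-vs-password comparison, with the formula n * log2(N) made explicit.

const DICEWARE_WORDS = 7776;   // standard Diceware wordlist size
const PRINTABLE_ASCII = 95;    // all printable ASCII characters

// Bits of entropy for `length` independent uniform picks from a pool of `poolSize` symbols.
function entropyBits(poolSize, length) {
  if (!(poolSize >= 2) || !(length >= 1)) {
    throw new RangeError(`need poolSize >= 2 and length >= 1, got ${poolSize}, ${length}`);
  }
  return length * Math.log2(poolSize);
}

// Round to one decimal, matching how the figures are quoted in the text.
function round1(x) {
  return Math.round(x * 10) / 10;
}

// Fewest words from a wordlist of `wordlistSize` entries needed to reach `targetBits`.
function wordsNeededForBits(targetBits, wordlistSize = DICEWARE_WORDS) {
  if (!(targetBits > 0)) throw new RangeError("targetBits must be positive");
  return Math.ceil(targetBits / Math.log2(wordlistSize));
}

// Compare a `words`-word Diceware passphrase with a `passwordLength`-character
// random printable-ASCII password, and report how long such a password would
// have to be to match the passphrase.
function comparePassphraseToPassword(words, passwordLength) {
  const passphrase = entropyBits(DICEWARE_WORDS, words);
  const password = entropyBits(PRINTABLE_ASCII, passwordLength);
  return {
    passphraseBits: round1(passphrase),
    passwordBits: round1(password),
    equivalentPasswordLength: Math.ceil(passphrase / Math.log2(PRINTABLE_ASCII)),
    passphraseStronger: passphrase > password,
  };
}

// Stand-alone usage: the comparisons from the section above.
console.log("4 words vs 8 chars:", comparePassphraseToPassword(4, 8));
console.log("6 words vs 18 chars:", comparePassphraseToPassword(6, 18));
console.log("words for 80 bits:", wordsNeededForBits(80));
```

The formula only holds when every pick is uniform and independent, which is exactly what the rejection-sampled generator guarantees; a word pool chosen by a human, or a password built from a memorable pattern, gets fewer effective bits than this calculation reports.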