Guide
How Strong Are Six-Word Passphrases?
Six random words feel too simple to be secure. The math says otherwise: what 77 bits of entropy actually means, and why randomness matters more than complexity.
A passphrase like "maroon-tremor-canal-oxide-jubilee-drift" looks almost too friendly to protect anything important. There are no symbols, no digits, no capital letters, and every word is in the dictionary. Yet a passphrase built from six words chosen truly at random from a well-designed wordlist is far stronger than a typical human-invented password full of substitutions and punctuation.
The reason is entropy: a measure of how many equally likely possibilities an attacker must search. Strength comes from the size of the space the passphrase was drawn from, not from how complicated it looks.
The arithmetic of word entropy
SecretPNG's passphrase generator draws words from the EFF Large Wordlist, which contains 7,776 words selected to be memorable, distinct, and free of confusing lookalikes. Each word drawn uniformly at random from that list contributes log2(7776), roughly 12.9 bits, of entropy. Six independent draws give about 77 bits in total.
Seventy-seven bits means an attacker who knows exactly how the passphrase was generated, including the full wordlist and the word count, still faces around 2^77 possibilities: roughly 150 quintillion million candidates. Knowing the method does not help, because the security lives entirely in the random selection.
What 77 bits means against real attacks
Attack cost depends on how fast each guess can be checked. When a passphrase protects a SecretPNG vault, every guess must first run through PBKDF2-HMAC-SHA-256 at 600,000 iterations before it can be tested, which slows the fastest hardware to a relative crawl. Even granting an attacker a trillion PBKDF2-hardened guesses per second, which is far beyond published capabilities, exhausting a 77-bit space would take on the order of billions of years.
Contrast that with a human-chosen password like "Tr0ub4dor&3". Patterns like a capitalized word, predictable substitutions, and a trailing digit-symbol pair are exactly what cracking tools model first, so its effective entropy is a small fraction of what its character variety suggests. To match six random words with random characters drawn from the full keyboard, you would need around twelve of them, and the passphrase remains dramatically easier to memorize and type correctly on a phone keyboard.
Randomness is the entire guarantee
The entropy math holds only if the words are selected by a real random process: dice, as in the original Diceware scheme, or a cryptographically secure generator. SecretPNG's passphrase generator uses the browser's crypto.getRandomValues with rejection sampling, so every word is drawn uniformly and no network request is involved.
Picking six words yourself out of your head does not work. Humans gravitate toward common words, themed words, and grammatical phrases, and attackers model all of it. A memorable-feeling phrase you invented might have 20 to 30 bits of real entropy while looking identical in shape to a 77-bit generated one.
When six words is enough, and when to use more
For most purposes, including encrypting files, protecting a password manager, or securing an account with rate-limited login attempts, six words is a comfortable margin. For secrets that must survive decades of offline attack, or where the protecting KDF is weak or unknown, adding words is cheap insurance: each one adds another 12.9 bits, so eight words reaches roughly 103 bits.
The practical advice is short. Generate, do not invent. Use six words as a strong default and more for long-lived, high-value secrets. And since a passphrase this strong is unrecoverable if forgotten, decide up front how you will back it up.
- Six EFF-wordlist words: about 77 bits, strong for nearly all personal use.
- Seven words: about 90 bits, a solid step up for long-lived archives.
- Eight words: about 103 bits, suited to worst-case offline threat models.
Limitations to keep in mind
- The entropy figures assume truly random word selection; a passphrase you composed yourself, however similar in appearance, does not get these guarantees.
- A strong passphrase cannot protect you on a compromised device where malware can capture it as you type.
- Entropy estimates describe brute-force resistance, not phishing, shoulder surfing, or reuse across services.
- SecretPNG is in beta and not independently audited; the generator's design is documented, but it has not had a formal third-party review.