Use a long random password when software can store and autofill it. Use a random passphrase when you must reliably type or occasionally remember the credential. Both must be unique and generated from independent random choices.
Rule of thumb: Machine-handled login → random password. Human-entered master secret → random passphrase.
Random passwords are compact
A mixed-character password draws from a large pool at every position, packing substantial entropy into fewer characters. It is ideal for websites when a password manager handles storage and entry.
Passphrases are easier to enter
Words create longer strings with visible boundaries, making them friendlier on physical keyboards and easier to verify. The security comes from random word selection—not from using a meaningful sentence.
Do not use quotations as passphrases
Lyrics, movie lines, mottos, and grammatical sentences come from a much smaller and more predictable space than independently selected words. Adding substitutions does not make a famous phrase random.
Use cases compared
- Website account: random password saved in a manager
- Password manager master credential: random passphrase
- Encrypted drive: random passphrase stored with a recovery plan
- Wi-Fi: random password, possibly with a reduced symbol set
- Device PIN: separate numeric credential with rate limiting
Passkeys are a third option
When supported, a passkey can provide a phishing-resistant sign-in without a shared password. Keep a careful recovery plan and continue using unique credentials for services and devices that still require them.