A passphrase is a multi-word secret long enough that brute-force becomes impractical regardless of attacker resources. Five to seven random dictionary words is the standard floor; seven words from a 7,776-word list (Diceware) yields around 90 bits of entropy, which is the practical threshold above which offline cracking by any current adversary becomes infeasible. The vault password and the disk-encryption password should both be passphrases, not passwords.
What it means in practice
The shift from passwords to passphrases is structural rather than stylistic. A 12-character “complex” password (uppercase, lowercase, digits, symbols) yields around 80 bits of entropy in theory but far less in practice because human-generated complexity follows predictable patterns (capital first, digit last, symbol substitution). A passphrase generated by rolling dice against a published wordlist eliminates human bias from the entropy calculation. The result is easier for the user to remember (seven concrete words vs random characters) and harder for the attacker to brute-force (the search space is the wordlist length raised to the word count). EFF publishes the canonical Diceware lists; XKCD #936 (correct horse battery staple) popularized the concept.
Where it shows up
The high-leverage applications: master password of your password manager (this single secret unlocks everything; it should be the strongest secret in your life), full-disk-encryption password (FileVault, BitLocker, LUKS, VeraCrypt), GPG private-key passphrase (if you use PGP), recovery passphrase for hardware wallets, the few accounts where 2FA cannot be enabled and the password is the only barrier. Lower-leverage applications: per-site passwords stored in your password manager, where the manager generates random 20-character strings and you never type them. The discipline is to differentiate between the few passphrases you must memorize (3 to 5 in a typical operator’s life) and the hundreds of passwords your manager handles for you.
What you can change today
Generate a new master passphrase this week if your current one is shorter than 5 random words or contains any words you chose for memorability. Roll five dice five times against the EFF long Diceware list (eff.org/dice), write the resulting words on paper, store the paper in a fireproof safe or off-site location until you have memorized the passphrase. Update your password manager master password, your full-disk-encryption password, and any other vault-tier secret. Practice typing the passphrase 30 to 50 times over the next week so muscle memory builds; this is the only secret you cannot afford to forget under stress.
