How strong does your passphrase actually need to be
Passphrase strength is measured in bits of entropy, which count how many guesses an attacker would need in the worst case. Length adds bits fast; symbol substitutions barely help, and the math only applies when the passphrase is chosen randomly. In an end-to-end encrypted system the passphrase is the only wall, so use a randomly generated passphrase of five or more words and accept that losing it means losing the data.
Entropy in plain words
Entropy is a count of how many equally likely passphrases you could have picked, written as a power of two. A passphrase with 40 bits of entropy is one draw from about a trillion possibilities (2 to the 40th). Each extra bit doubles the attacker's worst-case work. That is the whole concept: bits are doublings.
The math is simple when, and only when, every element is chosen at random. Each random element contributes log2 of the pool size: a random digit gives about 3.3 bits (log2 of 10), a random lowercase letter about 4.7 bits (log2 of 26), a random printable ASCII character about 6.6 bits (log2 of 95), and a random word from the EFF long wordlist about 12.9 bits (log2 of 7,776). Multiply by the number of elements and you have the entropy.
The catch is the word random. A passphrase you invent is not a random draw. People pick names, dates, keyboard walks, and predictable substitutions, and cracking tools try exactly those patterns first, with published rule sets that mangle dictionary words automatically. Character-set math wildly overstates the strength of human-chosen passwords. The honest fix is to let dice or a generator choose for you, then the math above actually holds.
What attackers can actually do
The threat that matters for entropy math is offline guessing: the attacker has a copy of your ciphertext or password hashes and can run guesses on their own hardware with no rate limit and no lockout. GPU-based tools like hashcat exist for exactly this, and their speed depends on the hardware and on how expensive each guess is to check. Against a fast unsalted hash a single modern GPU checks guesses at rates measured in billions per second; against a deliberately slow key derivation function the same hardware manages orders of magnitude fewer.
Because real rates vary by hardware and algorithm, the worked examples below use one clearly labeled assumption: an attacker who can test ten billion guesses per second (10 to the 10th), which is the right ballpark for fast hashes on current GPUs. Every number that follows is computed from that assumption and the entropy math above, nothing else.
The math, not the vibes
Each row below is length times log2 of the pool size, rounded. These figures hold only for randomly chosen elements.
| Pattern | Pool size | Bits per element | Approx total entropy |
|---|---|---|---|
| 10 random digits | 10 | 3.3 | 33 bits |
| 8 random lowercase letters | 26 | 4.7 | 38 bits |
| 8 random printable ASCII characters | 95 | 6.6 | 53 bits |
| 4 random words (EFF long wordlist) | 7,776 | 12.9 | 52 bits |
| 6 random words (EFF long wordlist) | 7,776 | 12.9 | 78 bits |
| 12 random printable ASCII characters | 95 | 6.6 | 79 bits |
Now apply the assumed rate of ten billion guesses per second against a fast hash. Exhausting 33 bits (2 to the 33rd is about 8.6 billion guesses) takes under a second. Exhausting 52 bits (about 4.5 quadrillion guesses) takes around five days. Exhausting 78 bits (about 3 times 10 to the 23rd guesses) takes on the order of a million years. On average an attacker finds the answer after searching half the space, so halve those times; the conclusion does not change.
A slow key derivation function moves every row. If each guess requires 200,000 PBKDF2-SHA256 iterations instead of one fast hash, the effective rate in this example drops from ten billion guesses per second to about fifty thousand. The same 52-bit passphrase now costs roughly 2,900 years to exhaust instead of five days. The derivation function did not add entropy; it made each guess 200,000 times more expensive. That is why the two levers, passphrase entropy and guess cost, multiply.
Why end-to-end encryption makes your passphrase the whole wall
In a conventional service your password gates access, but the operator can still read your data and can reset the password. In an end-to-end encrypted system the encryption key is derived from your passphrase on your device and never leaves it, so there is nothing behind the passphrase except math.
Violet's sync protocol is built this way. The client derives a non-extractable AES-256-GCM key from the passphrase using PBKDF2-SHA256 with 200,000 iterations and a per-account salt, and the server stores only nonce-plus-ciphertext envelopes it cannot open. The salt means precomputed tables are useless and each account must be attacked separately; the iteration count multiplies the cost of every guess by 200,000. But the strength of the whole wall still starts with the entropy of the passphrase you picked. A weak passphrase behind a strong key derivation function is still a weak wall.
Length beats complexity
NIST SP 800-63B, the United States federal guideline for digital identity, is direct about this. It favors allowing long passphrases, recommends screening new passwords against lists of known-compromised ones, and recommends against both composition rules (forced symbols and mixed case) and mandatory periodic changes, because those rules push people toward predictable patterns without adding real entropy.
The table shows why. Four random common words beat eight fully random characters that include symbols, and the words are dramatically easier to remember and to type on a phone. Complexity requirements optimize the look of a password. Length, with random selection, optimizes the math.
Practical guidance
- Use a randomly generated passphrase, not one you invented. Physical dice with the EFF long wordlist, or any reputable generator, both work.
- For a passphrase that guards end-to-end encrypted data, use at least five random words (about 65 bits) and prefer six (about 78 bits). This is your only wall; size it accordingly.
- Do not bother with forced symbol substitutions. Swapping a for @ adds at most a bit or two and costs you memorability.
- Never reuse the passphrase anywhere else. Reuse converts someone else's breach into your problem.
- Store a written copy somewhere physically safe, or keep it in a password manager you already trust. Memory alone is a single point of failure.
- Do not rotate it on a schedule. Change it only if you believe it has been exposed.
The honest tradeoff: nobody can reset it
End-to-end encryption removes the operator from the trust equation, and that cuts both ways. Because the server never sees the passphrase or the derived key, there is no reset flow, no support ticket, and no recovery email that can bring your data back. Lose the passphrase and the ciphertext is permanently opaque, to the operator and to you alike. Any service that claims end-to-end encryption and also offers effortless password recovery is holding a second key, which means the wall has a second door.
Violet accepts this tradeoff openly rather than hiding it: the passphrase-derived key exists only on your device, so unrecoverability is not a missing feature, it is the proof that the encryption is real. Plan for it with a written backup, then enjoy the property you paid for: a wall with exactly one door, and you hold the only key.
Questions
Is a 12-character password enough?
Twelve fully random printable characters carry about 79 bits of entropy, which is strong even against offline GPU attacks. But a human-invented 12-character password is usually far weaker than the character math suggests, because people choose predictable patterns that cracking tools try first. A randomly generated six-word passphrase reaches similar strength and is easier to remember.
Do symbols and numbers make my passphrase stronger?
Only slightly, and only if they are placed at random. Growing the character pool adds under two bits per character, while adding one random word from a 7,776-word list adds about 13 bits. NIST SP 800-63B recommends against forced composition rules because they push people toward predictable substitutions instead of real entropy. Length with random selection wins.
What happens if I forget my passphrase in an end-to-end encrypted app?
The data is gone. In a real end-to-end encrypted system the key is derived from your passphrase on your device and the server stores only ciphertext it cannot open, so no reset or recovery flow is possible. That unrecoverability is the evidence that the operator truly cannot read your data. Keep a written copy of the passphrase somewhere physically safe.
How many words should a diceware passphrase have?
Each word drawn at random from the EFF long wordlist of 7,776 words adds about 12.9 bits of entropy. Four words give about 52 bits, five about 65, and six about 78. For a passphrase protecting end-to-end encrypted data, where offline guessing is the threat that matters, five words is a sensible floor and six is comfortable.