Some researchers at the University of Cambridge Computer Laboratory have taken a closer look at the recently popular claim that multi-word passphrases, being several times longer, are more secure than a regular password (generally 8 to 12 characters).
The results are discouraging: by our metrics, even 5-word phrases would be highly insecure against offline attacks, with fewer than 30 bits of work compromising over half of users. The returns appear to rapidly diminish as more words are required.
They recommend a tool such as Diceware for generating passphrases.
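The contrast the researchers draw is between phrases users choose themselves (where fewer than 30 bits of offline work compromises over half of users) and phrases whose words are drawn uniformly at random from a fixed list, as Diceware does. The following is an added example, not code from the page or from the Diceware project, showing why a uniformly generated passphrase behaves so differently: its strength is simply the number of words times log2 of the list size, and an attacker covering half the space needs one bit less than that. It assumes the standard Diceware list size of 6^5 = 7776 words (five dice rolls per word); the short `SAMPLE_WORDLIST` is constructed for running offline and stands in for a real list.

```python
import math
import secrets

# A standard Diceware list has 6**5 = 7776 entries, one per five-dice roll.
DICE_PER_WORD = 5
DICEWARE_LIST_SIZE = 6 ** DICE_PER_WORD

# Constructed stand-in wordlist so the generator runs offline; entropy depends
# only on the list length and on the draw being uniform, not on the words.
SAMPLE_WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "elm", "fjord", "gable", "hazel",
    "iris", "jetty", "kelp", "lumen", "moss", "nectar", "onyx", "pebble",
]


def bits_per_word(list_size: int) -> float:
    """Entropy contributed by one word drawn uniformly from list_size words."""
    return math.log2(list_size)


def passphrase_bits(list_size: int, n_words: int) -> float:
    """Total entropy of n_words independent, uniform draws from the list."""
    return n_words * bits_per_word(list_size)


def work_to_compromise_half(list_size: int, n_words: int) -> float:
    """log2 of the guesses an offline attacker needs to crack half of all
    uniformly generated passphrases: half the space, i.e. one bit fewer than
    the total. This is the figure to set against the '< 30 bits' the
    researchers measured for user-chosen five-word phrases."""
    return passphrase_bits(list_size, n_words) - 1


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words from the list reaching target_bits of entropy."""
    return math.ceil(target_bits / bits_per_word(list_size))


def dice_rolls_to_index(rolls: str) -> int:
    """Map a string of dice digits (e.g. '36215') to a 0-based index into a
    list of 6**len(rolls) words, treating the rolls as a base-6 number."""
    index = 0
    for ch in rolls:
        face = int(ch)
        if not 1 <= face <= 6:
            raise ValueError(f"not a die face: {ch!r}")
        index = index * 6 + (face - 1)
    return index


def generate_passphrase(wordlist, n_words: int, sep: str = " ") -> str:
    """Draw n_words uniformly from wordlist using the OS CSPRNG. The
    `random` module is not suitable here; only `secrets` gives unpredictable
    draws, which is the whole basis of the entropy arithmetic above."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print(f"bits per Diceware word: {bits_per_word(DICEWARE_LIST_SIZE):.2f}")
    for n in (3, 4, 5, 6):
        print(f"{n} words: {passphrase_bits(DICEWARE_LIST_SIZE, n):.1f} bits, "
              f"half cracked after 2^{work_to_compromise_half(DICEWARE_LIST_SIZE, n):.1f} guesses")
    print("words for 64 bits:", words_needed(DICEWARE_LIST_SIZE, 64))
    print("roll 36215 ->", dice_rolls_to_index("36215"))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDLIST, 5))
```

Running it shows that five Diceware words give roughly 64.6 bits, so about 2^63.6 guesses to compromise half of users, and that three words already exceed the sub-30-bit level the paper reports for user-chosen five-word phrases. The gap is entirely due to word choice: people pick common words and memorable sequences, which an attacker's dictionary reproduces cheaply, whereas dice do not.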