XKCD Passphrase Generator (PT-BR)
Generate memorable xkcd-style passphrases (4-6 separated words) using a Brazilian Portuguese dictionary with computed entropy.
Inspired by xkcd #936. Short, easy-to-memorize words. Entropy ≈ log₂(N) per word, where N is the dictionary size.
XKCD passphrases in Brazilian Portuguese
The "XKCD passphrase" is the four-word memorable password popularized by Randall Munroe in xkcd strip #936 ("Password Strength", 2011). The strip's famous example — correct horse battery staple — argued that four random common words ranked higher than the typical 8-character "complex" password on both entropy and memorability. The math: four words drawn uniformly from a 2,048-word list yield log₂(2048⁴) ≈ 44 bits of entropy. Stretch the wordlist to 7,776 (Diceware-sized) and four words deliver ~52 bits; six words hit ~77 bits; eight words cross 100.
Portuguese-language wordlists exist in two flavors. The community has translated the EFF Large list to 7,776 Brazilian words, and Brazilian crypto users rely on the BIP39 Portuguese list: 2,048 concrete nouns compiled by SatoshiLabs ("abrigo", "açafrão", "açúcar", ...) used to derive Bitcoin and Ethereum wallet seed phrases. Both lists are clean of slurs, biased toward concrete nouns and chosen for natural Brazilian phonetics, which makes them easier to remember and dictate over the phone than an English list for a native Portuguese speaker.
How many words is enough?
- 4 words (BIP39 PT): ~44 bits — the xkcd baseline; acceptable for accounts behind MFA and rate limiting.
- 5 words: ~55 bits — minimum against an attacker with offline access to a fast hash.
- 6 words: ~66 bits — modern recommended baseline for stand-alone master passwords.
- 7 words: ~77 bits — appropriate for password-manager masters and disk-encryption passphrases.
- 8+ words: ~88 bits — quantum-resistant horizon (Grover's algorithm effectively halves search bits).
Real-world use cases
Reserve passphrases for the small set of secrets you must memorize: your password-manager master password (1Password, Bitwarden, KeePass), the passphrase on a LUKS-encrypted disk, a GPG key passphrase, an SSH key passphrase. Everything else should live inside the password manager as a fully random string. Passphrases also work as a memorable backup of a seed phrase for crypto wallets — BIP39 itself is a passphrase scheme, just with a fixed 12, 18 or 24 words.
Anti-patterns to avoid
A passphrase is only as strong as the randomness behind it. Common mistakes that gut the entropy:
- Words from the same theme — "gato-cachorro-pássaro-peixe" is guessable by a topic-aware attacker.
- Common phrases or proverbs — quotes from Carlos Drummond, lyrics from Caetano Veloso or popular sayings are in dictionary-attack lists.
- Inserting numbers or symbols at predictable positions — "palavra1!palavra2!" adds almost zero entropy because the pattern is the giveaway.
- Reusing the same passphrase across services — one breach exposes everything.
- Generating "by hand" — humans are terrible at randomness; always use dice or a CSPRNG.
FAQ
Should I use a Portuguese or English wordlist?
If you speak Portuguese natively, a Portuguese list will be far easier to memorize and dictate. The entropy depends only on the list size and the number of words, not the language: a 6-word BIP39 PT passphrase is mathematically equivalent to a 6-word BIP39 EN one.
What is the minimum safe length?
Six words from a 2,048-word list (~66 bits) for general use; seven or eight (~77–88 bits) for password-manager masters and disk encryption. Below six, your passphrase only survives behind MFA and aggressive rate limiting.
Should I add numbers or symbols?
Generally no. They make the passphrase harder to memorize without meaningfully increasing entropy if the position or symbol set is predictable. The clean way to add bits is to add another random word.
Is the BIP39 list good for general passphrases?
Yes. It is curated for memorability, has 2,048 concrete words (11 bits each) and is available in Portuguese. The only caveat: never reuse your actual crypto seed phrase as a regular passphrase, and never paste a regular passphrase where a seed phrase is expected.