A passphrase uses at least 4 real words, generally separated by spaces, in an uncommon order to create a long, unique password that is difficult to brute force. Passphrases are usually easier to remember than a random password. Try it out: which is easier to remember, "Js8#1kOjs9*&@" or "Senator Driving Tire Rabbits!"?
Length is an important part of a secure password. The longer the password, the more difficult it is to crack or brute force. By using common words in an uncommon order with spaces, you can create very secure passphrases that are easy to remember.
Here are a few examples of randomly generated passphrases:
"Senator Driving Tire Rabbits!"
"division stucco tapping blurb"
"accompany retreat strenuous elaborate"
There's one real reason passphrases aren't used more: many websites only support passwords up to a specific number of characters. Many sites limit the password length to 20 characters, which is often not long enough for a passphrase.
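The following is an added example, not code from WpSafeScan: it generates a passphrase by drawing words at random with a cryptographically secure generator, estimates its strength in bits, and checks it against a site's length limit. The 16-word list is constructed for illustration, and the 7776-word list size used for comparison is an assumption about what a real word list would contain.

```python
import math
import secrets

# Constructed sample list (assumption). A real generator should load a list of
# several thousand words so that every word adds more entropy.
SAMPLE_WORDS = [
    "senator", "driving", "tire", "rabbits", "division", "stucco", "tapping",
    "blurb", "accompany", "retreat", "strenuous", "elaborate", "lantern",
    "orbit", "pickle", "harbor",
]

def generate_passphrase(words, count=4, sep=" "):
    """Pick `count` words independently and uniformly with a CSPRNG."""
    if count < 4:
        raise ValueError("use at least 4 words")
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    return sep.join(secrets.choice(words) for _ in range(count))

def entropy_bits(list_size, count):
    """Entropy of a passphrase whose words are drawn at random from the list."""
    return count * math.log2(list_size)

def words_needed(list_size, target_bits):
    """Smallest word count that reaches `target_bits` for this list size."""
    return math.ceil(target_bits / math.log2(list_size))

def fits_site_limit(passphrase, max_len=20):
    """True if the passphrase fits within a site's maximum password length."""
    return len(passphrase) <= max_len

if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS)
    print(phrase, "| length", len(phrase))
    print("bits with this 16-word sample list:", entropy_bits(len(SAMPLE_WORDS), 4))
    print("bits with a 7776-word list:", round(entropy_bits(7776, 4), 1))
    print("fits a 20-character limit:", fits_site_limit(phrase))
```

The entropy figure only holds when the words are chosen at random; a phrase picked by hand from familiar words is weaker than the calculation suggests.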
Why would a website limit the length of a password if it's more secure?
There are really two main reasons.
Backwards compatibility with legacy systems, specifically databases: the system may have been configured with a maximum character limit that is lower than needed.
Hashing: computing hashes of long passwords takes longer per request.
It is a pain to manually keep track of your passphrases when you are using a new passphrase for every site. That's why WpSafeScan recommends you use a passphrase management tool or password vault such as KeePass (FREE) or Bitwarden (FREE).