Why Plume-Jardin-Corail Is Stronger Than x7$kQ!9m
Most people's intuition about passwords is wrong. Here's the math that proves it - in plain terms.
The myth: more complexity means more security
For years, websites have trained us to create "complex" passwords: at least one uppercase letter, one number, one special character. The result? Passwords like January2026! or Password1$. They look secure. They aren't.
These complexity rules were designed in the 1980s, when computers tested a few thousand passwords per second. Today, a standard gaming computer can test several billion combinations per second. And attackers know these patterns perfectly: capital first, number at the end, exclamation mark as special character.
In 2017, NIST (the US cybersecurity standards body) officially abandoned mandatory complexity rules and periodic password rotation. The reason: they produce predictable passwords without improving real security.
The mathematical reality
Password security is measured by the number of possible combinations an attacker must try to find it - not how it looks. Experts call this entropy.
A fundamental principle in cryptography - Kerckhoffs's principle - states that we always assume the attacker knows your method. What they don't know are your randomly chosen words. The key word here is "randomly." A phrase that makes sense - even a long one - is predictable. My-Cat-Sleeps-On-The-Couch is a sentence. Plume-Jardin-Corail-Forge-Sapin is a word string. The difference: the words have no connection to each other.
Attack speed depends on how the website protected your password. When a site does it poorly - which still happens far too often - an attacker can try billions of combinations per second. But when a site uses modern protection (which serious services do today), each attempt is deliberately slowed down. The speed drops from billions to about 10,000 attempts per second. That's the speed we use in the table below - the realistic scenario for a properly protected service. LegaKeep uses this type of modern protection for all accounts.
| Approach | Combinations | Crack time* |
|---|---|---|
| 8 characters | 95⁸ = 6.6 × 10¹⁵ | 21,000 years |
| 12 characters | 95¹² = 5.4 × 10²³ | 1.7 trillion years |
| 4 words | 5,898⁴ = 1.2 × 10¹⁵ | 3,800 years |
| 5 words | 5,898⁵ = 7.1 × 10¹⁸ | 23 million years |
* These numbers assume the best-case scenario for the attacker: they know our exact method (the 5,898-word list, the number of words, the character set). This is Kerckhoffs's principle, the golden rule of cryptography: never rely on secrecy of the method, only on the randomness of the draw. Attack speed: 10,000 attempts/second (bcrypt/Argon2, stolen hash).
The takeaway: 5 French words you can visualize in 10 seconds resist cracking for over 23 million years (bcrypt). That's plenty. But let's be precise about what that means.
Let's be honest: words ≠ characters at equal length
We don't want to mislead you. A 5-word string like Plume-Jardin-Corail-Forge-Sapin is 31 characters long. But it is not as secure as 31 random characters. It's equivalent to roughly 10 random characters.
Why? Because an attacker who knows you're using words from a list of 5,898 won't test letter by letter. They'll test word by word. Each word adds ~12.5 bits of entropy, not the ~6.6 bits per character that fully random characters would provide.
So why recommend word strings? Because the real comparison isn't "at equal length" - it's "at equal memorability". Nobody remembers kR4$mP2!xQ. Everyone remembers Plume-Jardin-Corail-Forge-Sapin. And a password you can't remember ends up on a sticky note or gets replaced by January2026!.
The real enemy of security isn't theoretical entropy - it's human behavior. 62 memorable bits beat 80 bits on a sticky note.
This is also why every number on this page - in the table, the generator, and the tester - is calculated under this conservative assumption. One formula, transparent and verifiable.
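The formula behind the table and the "5 words ≈ 10 random characters" comparison, as an added example (not LegaKeep's own code). It assumes the same inputs the article states: a 95-character printable set, the 5,898-word list, and 10,000 attempts per second; the attacker enumerates the whole space.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ATTEMPTS_PER_SECOND = 10_000   # bcrypt/Argon2 with a stolen hash, as in the table footnote
PRINTABLE_ASCII = 95           # character set assumed for "random characters"
WORDLIST_SIZE = 5_898          # size of the French word list described in the article


def combinations(pool_size: int, length: int) -> int:
    """Candidates the attacker must enumerate once the method is known (Kerckhoffs)."""
    return pool_size ** length


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy in bits: log2 of the number of combinations."""
    return length * math.log2(pool_size)


def crack_years(pool_size: int, length: int, rate: float = ATTEMPTS_PER_SECOND) -> float:
    """Time to exhaust the whole space at `rate` guesses per second."""
    return combinations(pool_size, length) / rate / SECONDS_PER_YEAR


def equivalent_random_chars(words: int) -> float:
    """Random printable characters carrying the same entropy as `words` list words."""
    return entropy_bits(WORDLIST_SIZE, words) / math.log2(PRINTABLE_ASCII)


def table_rows():
    """Rebuild the article's table rows: (label, combinations, bits, years)."""
    specs = [("8 characters", PRINTABLE_ASCII, 8), ("12 characters", PRINTABLE_ASCII, 12),
             ("4 words", WORDLIST_SIZE, 4), ("5 words", WORDLIST_SIZE, 5)]
    return [(label, combinations(pool, n), entropy_bits(pool, n), crack_years(pool, n))
            for label, pool, n in specs]


if __name__ == "__main__":
    for label, combos, bits, years in table_rows():
        print(f"{label:14} {combos:9.2e} {bits:5.1f} bits {years:16,.0f} years")
    print(f"5 words carry the entropy of ~{equivalent_random_chars(5):.1f} random characters")
```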
Why complexity rules fail
Complexity rules ("must include uppercase, number, special character") have a documented perverse effect: they push users toward predictable passwords following patterns well known to attackers.
In 2017, NIST SP 800-63B explicitly discouraged composition rules and mandatory rotation. The official recommendation: length and randomness, not apparent complexity.
What complexity rules don't teach: real security comes from the number of possibilities, not the "random" look. An attacker who knows you use firstname + year + symbol can test billions of combinations following that pattern in seconds. Length and randomness have a far greater impact on security than character variety - though adding numbers and symbols does increase entropy too.
What LegaKeep does
Our generator uses 5,898 common French words from the Lexique 3.83 academic corpus - a linguistic database developed at the University of Savoie. These words were filtered: nouns and adjectives only, 4 to 8 letters, frequent in films and literature. No accents (for universal keyboard compatibility), capitalized for readability.
This is the same principle as Diceware, used by security experts since the 1990s and recommended by the EFF (Electronic Frontier Foundation). This approach is aligned with current NIST guidelines (SP 800-63B). Our list is in French, optimized to be memorable - words you actually know, chosen randomly by the machine, never manually by the user.
Everything is computed locally in your browser or on your phone, using a cryptographically secure random number generator (CSPRNG) that ensures true unpredictability. The generated password never leaves your device. We don't see it, store it, or can recover it.
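A Diceware-style generator in the spirit of the description above, as an added example rather than LegaKeep's code: it applies the stated filter (4 to 8 letters, no accents, capitalized) to a constructed toy word list and draws words with the operating system's CSPRNG via Python's `secrets` module. The toy list and the function names are assumptions; the real list has 5,898 entries.

```python
import secrets
import unicodedata

# Constructed toy list, not LegaKeep's 5,898-word corpus: a few French words with
# accents and odd lengths so the filter below has something to reject.
RAW_WORDS = ["plume", "jardin", "corail", "forge", "sapin", "phare", "été", "forêt",
             "île", "montagne", "rivière", "lumière", "or", "bibliothèque"]


def strip_accents(word: str) -> str:
    """Drop diacritics so the word types on any keyboard layout (the 'no accents' rule)."""
    return "".join(ch for ch in unicodedata.normalize("NFD", word)
                   if unicodedata.category(ch) != "Mn")


def build_wordlist(words, min_len: int = 4, max_len: int = 8):
    """Apply the article's filter: accent-free, capitalized, 4-8 letters, no duplicates."""
    cleaned = {strip_accents(w).capitalize() for w in words}
    return sorted(w for w in cleaned if w.isalpha() and min_len <= len(w) <= max_len)


def generate(wordlist, count: int = 5, sep: str = "-") -> str:
    """Join `count` words chosen by the CSPRNG; never use random.choice for this."""
    if len(wordlist) < 2:
        raise ValueError("word list too small to be useful")
    # Independent draws with replacement: a repeated word is allowed, which keeps
    # the entropy at exactly log2(len(wordlist)) bits per word.
    return sep.join(secrets.choice(wordlist) for _ in range(count))


if __name__ == "__main__":
    words = build_wordlist(RAW_WORDS)
    print(words)            # the filtered list the generator draws from
    print(generate(words))  # e.g. Phare-Plume-Corail-Jardin-Foret (varies each run)
```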
A strong password isn't enough
Even the strongest password is useless if it's reused. If one site is breached and you use the same password elsewhere, all your accounts fall like dominoes. The rule is simple: one unique password per service, ideally stored in a password manager.
Also enable two-factor authentication (2FA) wherever possible. A temporary code on your phone adds a barrier that no password alone can provide - not even a 5-word random string.
From Stéphane Eloit, founder of LegaKeep
Before LegaKeep, I built photALL, a platform where fashion creators entrust their most sensitive files - entire collections that cannot leak before their runway presentation. When your teams edit these files remotely, encryption isn't optional, it's a daily necessity.
This experience taught me that security that works is security people actually use. A 20-character random password written on a sticky note isn't security. Five French words you can visualize with your eyes closed - a lighthouse, a feather in a coral garden - that's security.
That's the philosophy I built into LegaKeep: solid security, zero friction.
Test your current password or generate a new one:
Free tool: generate or test a password →