Reply from JP Aumasson about password entropy quoted here verbatim until it appears on whonix-devel:
You want the passphrase to have at least as much entropy as the bit length
of the symmetric key that is derived from it.
In theory, Grover’s quantum search algorithm could lower down the cost of
searching the right passphrase from ~2^128 to (very) roughly ~2^64.
How to get higher entropy passphrase? You can have a longer passphrase, a
longer dictionary (that is, more entropy per word), or both.
BIP 39 for example supports 128 to 256 bits of entropy per passphrase, iirc
with 2048-word lists, thus longer passphrase for higher entropy, see
Hope this clarifies!