Reply from JP Aumasson about password entropy quoted here verbatim until it appears on whonix-devel:

Hi!

You want the passphrase to have at least as much entropy as the bit length

of the symmetric key that is derived from it.In theory, Grover’s quantum search algorithm could lower down the cost of

searching the right passphrase from ~2^128 to (very) roughly ~2^64.How to get higher entropy passphrase? You can have a longer passphrase, a

longer dictionary (that is, more entropy per word), or both.BIP 39 for example supports 128 to 256 bits of entropy per passphrase, iirc

with 2048-word lists, thus longer passphrase for higher entropy, see

https://github.com/bitcoin/bips/blob/master/bip-0039.mediawikiHope this clarifies!

Best,

JP