Two general points.

First, the benefit of passphrases is that they make it *easier* for users to generate entropy while still remembering their key. Generating entropy through randomized characters is *hard* - and the harder something is, the less people will do it. The reason that XKCD comic is so cited isn't just the math - it's that people who haven't seen the comic in years can *still* tell you what that password is. That's the point of the comic: that those bytes of entropy were easy for a human to remember.

Second, you might want to take a look at: https://wpengine.com/unmasked/

The main highlight? The average password entropy is 21.6. Aka, it's off by a factor of 2-trillion from your 94^8 number. The reason? Users don't choose random ASCII characters. They don't choose random letters with randomized capitals. They don't choose randomized letters. They simply choose a word and decorate it.

Basically, it's easier to get a lazy person to generate entropy through a 15-character passphrase than it is to get them to generate entropy through an 8-character password.
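As an added example (not part of the original answer), the Python sketch below puts numbers on the "word plus decoration" habit described above by scoring a password under the model that actually produced it, and generates a random-word passphrase for comparison. The toy word list, the 20,000-word dictionary size and the per-decoration bit costs are assumptions made for illustration.

```python
import math
import re
import secrets

# Constructed toy word list; a real check would load a large dictionary.
WORDS = ["dragon", "monkey", "shadow", "sunshine", "correct",
         "horse", "battery", "staple", "garden", "window"]
ASSUMED_DICT_SIZE = 20_000   # assumption: size of a common-word guessing list
PRINTABLE = 94               # printable ASCII characters, as in 94^8

# A base word, optional trailing digits, optional single trailing symbol.
DECORATED = re.compile(r"^([A-Za-z]+)(\d*)([^A-Za-z0-9]?)$")

def random_bits(length, alphabet=PRINTABLE):
    """Entropy when every character is drawn uniformly at random."""
    return length * math.log2(alphabet)

def passphrase_bits(n_words, wordlist_size):
    """Entropy of n words drawn uniformly at random from a word list."""
    return n_words * math.log2(wordlist_size)

def decorated_bits(password, words=WORDS, dict_size=ASSUMED_DICT_SIZE):
    """Entropy under the word-plus-decoration model, or None if no match."""
    m = DECORATED.match(password)
    if not m or m.group(1).lower() not in words:
        return None
    base, digits, symbol = m.groups()
    bits = math.log2(dict_size)           # choosing the base word
    if base != base.lower():
        bits += 1                         # assumption: capitalisation ~1 bit
    bits += len(digits) * math.log2(10)   # each appended digit
    if symbol:
        bits += math.log2(32)             # one of 32 ASCII punctuation marks
    return bits

def estimate_bits(password):
    """Use the decorated-word model when it fits. Otherwise fall back to the
    uniform-random figure, which is only an upper bound for human choices."""
    bits = decorated_bits(password)
    return bits if bits is not None else random_bits(len(password))

def make_passphrase(n_words, wordlist=WORDS):
    """Pick words with a CSPRNG; entropy comes from the random choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

if __name__ == "__main__":
    for pw in ["Dragon12!", "x7#Qp2!z"]:   # constructed sample passwords
        print(f"{pw!r}: {estimate_bits(pw):.1f} bits")
    print(f"4 words from 2048: {passphrase_bits(4, 2048):.1f} bits")
    print("sample passphrase:", make_passphrase(4))
```

The passphrase figure only holds when the words are chosen by the generator, not by the user.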