Passphrase, password, and key, part 3 | page 3 of 10
A passphrase typically might let a user type in 20, 50, or
100 characters. Each character is still constrained by
probability, but there are many more of them to start with,
so an attacker has many more possible passphrases to worry
about. A key is usually generated from a passphrase by
applying a cryptographic hash, which gives us a fixed-length
output. Widely used cryptographic hashes have properties that
make it possible to sample just the required number of bits
from the hash without losing generality or uniformity in the
resulting keys. For example, a cryptographic hash like SHA
produces 160-bit output, but we lose little by simply using
the first 64 of those bits as the key to our encryption
algorithm.
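
The truncation described above, as an added example that is not part of the original tutorial: it hashes a passphrase with SHA-1 (the 160-bit SHA), keeps the first 64 bits, and measures how evenly each key bit is set across a batch of similar passphrases. The function names and the sample passphrases are assumptions made for illustration.

```python
import hashlib


def derive_key(passphrase: str, bits: int = 64) -> bytes:
    """Hash the passphrase with SHA-1 (160-bit output) and keep the first `bits` bits."""
    if bits % 8 or not 0 < bits <= 160:
        raise ValueError("bits must be a multiple of 8 between 8 and 160")
    digest = hashlib.sha1(passphrase.encode("utf-8")).digest()
    return digest[: bits // 8]


def bit_balance(keys: list[bytes]) -> list[float]:
    """Fraction of keys in which each bit position is 1 (ideal: 0.5 everywhere)."""
    nbits = len(keys[0]) * 8
    ones = [0] * nbits
    for key in keys:
        value = int.from_bytes(key, "big")
        for pos in range(nbits):
            ones[pos] += (value >> (nbits - 1 - pos)) & 1
    return [count / len(keys) for count in ones]


def max_bias(n_samples: int = 4000, bits: int = 64) -> float:
    """Largest per-bit deviation from 0.5 over a batch of derived keys."""
    # Constructed sample input: passphrases that differ only in a trailing
    # counter, i.e. highly structured and far from uniform themselves.
    keys = [derive_key(f"correct horse battery staple {i}", bits)
            for i in range(n_samples)]
    return max(abs(fraction - 0.5) for fraction in bit_balance(keys))


if __name__ == "__main__":
    key = derive_key("a long passphrase typed by the user")
    print("64-bit key:", key.hex())
    print("largest per-bit deviation from 0.5:", round(max_bias(), 4))
```

The truncated key can never be stronger than the passphrase it came from: 64 evenly distributed bits derived from a guessable passphrase are still guessable. A single unsalted hash is also fast to compute, which is why deployed systems use a salted, iterated derivation such as PBKDF2 (`hashlib.pbkdf2_hmac`) in its place.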