diff --git a/ChangeLog b/ChangeLog
index c88aff274..f7d078a1d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -23,6 +23,9 @@
    - markus@cvs.openbsd.org 2001/11/21 15:51:24
      [key.c]
      mem leak
+   - stevesk@cvs.openbsd.org 2001/11/21 18:49:14
+     [ssh-keygen.1]
+     more on passphrase construction; ok markus@
 
 20011126
  - (tim) [contrib/cygwin/README, openbsd-compat/bsd-cygwin_util.c,
@@ -6945,4 +6948,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1673 2001/12/06 16:41:41 mouring Exp $
+$Id: ChangeLog,v 1.1674 2001/12/06 16:43:21 mouring Exp $
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 622cb5c99..d8baa43bc 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keygen.1,v 1.50 2001/10/25 21:14:32 markus Exp $
+.\"	$OpenBSD: ssh-keygen.1,v 1.51 2001/11/21 18:49:14 stevesk Exp $
 .\"
 .\"  -*- nroff -*-
 .\"
@@ -111,10 +111,14 @@ The program also asks for a passphrase.
 The passphrase may be empty to indicate no passphrase
 (host keys must have an empty passphrase), or it may be a string of
 arbitrary length.
-Good passphrases are 10-30 characters long and are
+A passphrase is similar to a password, except it can be a phrase with a
+series of words, punctuation, numbers, whitespace, or any string of
+characters you want.
+Good passphrases are 10-30 characters long, are
 not simple sentences or otherwise easily guessable (English
 prose has only 1-2 bits of entropy per character, and provides very bad
-passphrases).
+passphrases), and contain a mix of upper and lowercase letters,
+numbers, and non-alphanumeric characters.
 The passphrase can be changed later by using the
 .Fl p
 option.