Passphrase is another security layer on top of PIN and has to be used in combination with recovery seed (it’s like a 25th or 13th seed word), so it’s important to understand that only if the attacker has access to both 1) seed or unlocked device and 2) the passphrase - he/she can access the wallet and compromise funds.
The passphrase should be easily memorable for users but not easy to guess for the attacker (no birth date, name etc.). Yet remember to use such a passphrase that is easily memorable for you. Further info in our article: Is your passphrase strong enough?