What is a passphrase? Is it better than a password?
A passphrase is a sequence of words combined into one sentence-like phrase and used for authentication. Ideally, the passphrase should contain as random and unrelated words as possible. Here is an example of such a passphrase:
The primary reason behind the popularity of passphrases is the ease of remembering them and increased security. It is challenging to create a credential complying with all the rules of complex passwords. Not to mention the struggle to remember it afterward.
Therefore, a passphrase is an attractive alternative to traditional passwords. And yet, it comes with its own risks.
What is the difference between passphrase and password?
There is a clear difference between a passphrase and a password. Strong passphrases usually consist of a few random words (that can be found in the dictionary). They might have capital letters or spaces in between the words, but not necessarily.
Strong passwords, differently, might not be based on any word at all. A random password might simply consist of a string of random letters (capital too), numbers, symbols, and special characters. See the example below:
Which is safer? A never-ending debate.
The problem with the human brain is that it likes patterns and repetition. It is almost impossible for a human to come up with anything really random. Especially when a person wants to remember what he has just created. On 30+ accounts.
And that is an issue with passphrases and passwords:
- In passphrases, people use a predictable sequence of words, such as: let me use Facebook .
- In passwords, people often take a common word as a base and add one capital letter and a number to the end. Unsurprisingly, the capital letter is first, and the number is 1. And then we get dozens of Password1 s .
Yes, these logins are easy to remember. But it is also very easy for a machine to crack them.
Brute force attack
A hacker (or programmed software) will first try the 10,000 most common passwords. After that, they will try some variations: adding numbers or replacing letters with numbers.
Dictionary attack
The attack that works perfectly for passphrases (if they use general or related words) is a dictionary attack. Every word from the dictionary is typed in as a password until you crack it successfully.
Therefore, in this case, a 20-character random password would be much stronger than a four-word passphrase composed of common dictionary words. However, using completely random and unrelated words might do the trick.
So there is a question – is a passphrase really that secure? If not, are passwords still a better alternative?
It is hard to remember dozens of secure passphrases. Passwords, too.
Hypothetically speaking, passphrases consisting of 4 to 5 random words are secure. But so are the 15+ characters length random passwords. That means a complex passphrase and a complex password are both safe to use. But that is not the biggest issue.
The biggest problem is to remember those secure credentials. Let’s say a person follows security rules and uses different credentials for each platform. It does not remarkably matter – both strong passwords and passphrases are almost impossible to remember.
So, does a fit-for-all solution exist?
Use a password manager.
Ideally, credential security should never be negotiated or simplified because it is hard to remember something complex.
Password managers are the tools built for precisely that. They generate strong, complex, random passwords and store them. If you use an intuitive password manager, it also automatically saves and fills the login credentials for you.
In short, password managers allow you to have a secure password (or a passphrase) for each different account without bothering to remember any of them. It takes one (preferably, unique and complex) password to unlock them all.
When you accustom yourself to a password manager, eventually, it becomes easier to generate a new password than coming up with long random passphrases.
That is an easy (and advisable) security to get used to. It is worth it.