
Password Vs Passphrase: Here’s 5 Reasons to Use Passphrase

The debate over passwords versus passphrases is currently a trending topic online. After the recent password hacking and identity theft incidents caught media attention, many online users have become aware of the danger lurking in the scam-infested world of the internet.

Hence, the recommendation from IT experts to use passphrases instead of passwords came at just the right time to reassure everyone after the wave of password breaches.

However, not everyone is tech-savvy, and some are still confused about the difference between a password and a passphrase, and about why the latter is more reliable.

The difference between password and passphrase

To put everyone on the same page: a password, as you know it, is typically composed of not more than 10 letters or symbols. It could be a string of random symbols such as “B@3!&O$$”, just a weak word like “yourname”, or a combination of both such as “sh@tup!”.

On the other hand, a passphrase is longer than a password and contains spaces in between words such as this: “The road to success is always under construction!”.

A passphrase can also contain symbols, and it does not have to be a proper or grammatically correct sentence. The main difference between the two is that passwords do not contain spaces, while passphrases contain spaces and are longer than any typical random string of characters.

So why are passphrases better than passwords?

  1. Passphrases are easier to remember than a random combination of symbols and letters. It is easier to remember a line from your favorite song or quotation than a short but complicated password.
  2. Passwords are relatively easy to guess or crack, by both humans and automated tools. Online criminals have also leveled up and developed state-of-the-art cracking tools designed to break even the most complicated password.
  3. Passphrases satisfy complexity rules easily. The use of punctuation and mixed upper and lower case in a passphrase also meets the complexity requirements set for passwords.
  4. Major operating systems and applications support passphrases. All major OSes, including Windows, Linux and Mac, allow passphrases of up to 127 characters. Hence, you can opt for longer passphrases for maximum security.
  5. Passphrases are next to impossible to crack, because most highly efficient password cracking tools break down at around 10 characters. Hence, even the most advanced cracking tool won’t be able to guess, brute-force or pre-compute these passphrases.

Using a passphrase instead of a password will ultimately give you some peace of mind when going about your business online. Just ensure that the phrase you choose is easy to remember but preferably not a common or popular quote or song lyric that could be guessed by someone who knows you.

It should also be more than 14 characters long to ensure maximum security. With this new strategy of using passphrases for all your important accounts and websites, you can now enjoy a fully secured online experience.

9 comments
  • william C August 4, 2013, 7:21 am

    Nothing is 100% secure when it is online. The hackers that developed systems for cracking 10 symbol passwords will eventually figure out how to crack passcodes. But it is worth a try for now.

  • walter f bauer August 13, 2013, 1:38 pm

    What do we do, change all our passwords? This is a difficult and tedious job.

  • Jack November 7, 2013, 11:20 am

    “The online criminals have also leveled up and developed state of the art hacking tools that are designed to crack even the most complicated password.” Which for some reason wouldn’t work against a passphrase? Because of what?

    Please explain how this: )@#($lkfl2lx0294_!@)ro9lku$Jamb0kai#3
    Is less secure than this: crypt the fox mud dossier bowling!

  • Robert Sansom March 11, 2015, 12:24 pm

    Passphrases are great passwords – no argument there; however, depending on what the password is intended to protect, a phrase of random words is not enough. If you are a merchant that accepts, transmits or stores any cardholder data (Visa, Mastercard, etc.) – there are specific requirements that passwords must meet, including:

    – The merchant must disable accounts that are inactive for 90 days.
    – The merchant must lock out an account for 30 minutes after 6 failed attempts to login (admin can let the user in immediately after verifying identity).
    – The merchant must require the user to re-authenticate after a session is idle for 15 minutes.
    – Passwords must be a minimum of 7 characters long and contain both numeric and alphabetic characters.
    – User passwords must be changed every 90 days.
    – Merchants can’t allow a user to choose a password that is the same as any of their last four passwords (i.e., the last year).
    – First time use passwords have to require the user to enter a new password after authenticating for the first time.

    So while these rules may seem oppressive, they are in fact not that bad. You can still use a passphrase like “horse table wine oreos”, you just need to add a number in it somewhere like “4 horse table wine oreos”.
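The merchant rules listed in the comment above, turned into an added example (not the page's or any project's code): a minimal Python account model that enforces the 7-character letter-plus-digit composition, the last-four history, the 6-failure/30-minute lockout, the 90-day expiry and the first-time change. It assumes one per-account salt shared by the stored history digests and an illustrative PBKDF2 iteration count; the 15-minute idle and 90-day inactivity rules are left to the session layer.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Parameters taken from the merchant rules listed in the comment above.
MIN_LENGTH, HISTORY_DEPTH, MAX_FAILURES = 7, 4, 6
LOCKOUT, MAX_AGE = timedelta(minutes=30), timedelta(days=90)

def hash_password(password: str, salt: bytes) -> bytes:
    # Standard-library PBKDF2; the iteration count here is illustrative only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    # Assumed simplification: one salt shared by all history entries.
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    history: list = field(default_factory=list)   # password digests, newest first
    changed_at: "datetime | None" = None
    must_change: bool = False                     # set for first-time passwords
    failures: int = 0
    locked_until: "datetime | None" = None

def set_password(acct: Account, password: str, now: datetime, initial: bool = False) -> bool:
    """Enforce length, letter+digit composition and the last-four history rule."""
    if (len(password) < MIN_LENGTH or not any(c.isalpha() for c in password)
            or not any(c.isdigit() for c in password)):
        return False
    digest = hash_password(password, acct.salt)
    if any(secrets.compare_digest(digest, old) for old in acct.history[:HISTORY_DEPTH]):
        return False
    acct.history.insert(0, digest)
    acct.changed_at, acct.must_change = now, initial
    return True

def authenticate(acct: Account, password: str, now: datetime) -> str:
    """Returns 'locked', 'denied', 'change_required' or 'ok'."""
    if acct.locked_until and now < acct.locked_until:
        return "locked"           # 30-minute lockout still in force
    if not acct.history or not secrets.compare_digest(
            hash_password(password, acct.salt), acct.history[0]):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until, acct.failures = now + LOCKOUT, 0
        return "denied"
    acct.failures = 0
    if acct.must_change or now - acct.changed_at > MAX_AGE:
        return "change_required"  # first-time password or older than 90 days
    return "ok"
```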

  • elron November 9, 2015, 4:00 pm

    Hackers are way smarter than people seem to be giving them credit for. Yes, a brute-force method which is tuned to crack passwords of up to 10 randomish letters/digits/special chars *would* be rubbish for breaking a “pass-phrase” because that’s not what that is designed to do. Seeing as everyone is now under the impression that “correct horse battery staple” is impossible to crack – guess what’s at the top of the list in a pass-phrase-brute-forcer?…. yes, “correct horse battery staple”.

    Hackers know that people use passphrases, so what do you do? You get a list of 4000 words; 4 word combos = approx 10^14. As opposed to a ten character (alpha/digit/special) = approx 10^18. So if the hackers target pass-phrases (which they will), then the pass-phrase is 10000 times less secure. And we are talking secure passwords and secure pass-phrases with the numbers I have just mentioned.

    What you are better off doing is combining both methods. eg “Michael given T5&ui!£ dove service” – Good luck cracking that.

  • Chris November 17, 2015, 11:43 am

    Please explain how this: )@#($lkfl2lx0294_!@)ro9lku$Jamb0kai#3
    Is less secure than this: crypt the fox mud dossier bowling!

    Technically, it’s obviously not. But most people are not going to remember the first password. The passphrase provides the benefits of a longer string, hence many more iterations of guesses required to crack, yet is easy to remember, unlike your first example. The average person will write down password #1 somewhere so they can remember it, suddenly making it not as secure.

  • Brandon January 4, 2016, 1:47 am

    @Jack

    Read the link at the bottom to understand how passwords are stored so that an app can check to see if the password you entered is actually your password. It also explains how computers “guess” passwords. After that, you can understand that your “random” 37 characters will be harder to brute force than that 34-character phrase solely because there are three more characters. At least it will be more secure if the hashing is implemented correctly. Both of your examples are quite long with a large character set, though, so I think they might be essentially equal. When you need more security than 30 character passwords salted and hashed with bcrypt, you’re probably not even going to be using a password for security anymore. 🙂

    Link

  • David Reese September 21, 2016, 7:58 pm

    Passphrases are susceptible to dictionary style attacks. When making your passphrase it is best to do so assuming that the crackers know that this is what you are doing. It is good form to select words for your passphrase that are not common English words; also, they shouldn’t follow any formal grammars. Doing these things would make them harder to hack. But if you select words like “pizzadiapertrashface” it would be relatively easy to design a dictionary attack against this.

  • ScandallB October 26, 2016, 7:32 am

    @Jack
    As @Brandon stated, most users will not remember a 37 character random set without storing it somewhere. The basic principle of passphrase versus password is greater strength through length. So, by definition the 37 character set will be stronger than a 34 character phrase.
    Some math:
    A random set of characters (password) can be made up of
    26 letters – both lower case and upper
    10 numbers – and the characters below
    11 special keys – both characters
    47 usable keys => 94 characters total
    I will assume all characters are usable.
    Since any character can be duplicated, the password is 94^N where N is the length of the password. 94^10 is on the order of 10^19.

    Even if you use all lower case letters and space bar, 27 characters, by 14 characters the complexity is on the order of 10^20. That is three 4-letter words with spaces between, but it could be a 2-letter word with two 5-letter words, etc. What if we used, “Password Dragon” that is 15 letters so 10^21, but we added upper case letters, so that adds to the complexity that the breaker has to account for. (27+26 characters) 53^15 => 10^25
    Can password breakers assume that we did not use any numbers or specials? Not if they are any good. So, they will still have the 94 characters to choose from. => 94^15 => 10^29

    By the way, a computer does not differentiate between a letter, a number, or a special character unless it is programmed to.
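An added example (not the page's or any commenter's code) that puts numbers on the two attacker models argued over in the article's reason 5 and in elron's and ScandallB's comments: brute force over the character set inferred from the secret, versus enumeration of word combinations from a list, with the defender crediting only the cheaper one. The small word list, its assumed 4000-entry size and the 10^10 guesses per second rate are constructed assumptions.

```python
import math
import re
import string

# Constructed stand-in for a ~4000-word attacker list (elron's figure); only its size matters.
ATTACKER_WORDLIST = {"correct", "horse", "battery", "staple", "crypt", "the",
                     "fox", "mud", "dossier", "bowling", "password", "dragon"}
ATTACKER_WORDLIST_SIZE = 4000

def charset_size(secret: str) -> int:
    """Alphabet a brute-forcer must assume, inferred from the classes present:
    26 + 26 + 10 + 32 = 94 printable keys, the count ScandallB uses."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation + " ", 32)]
    return sum(size for chars, size in classes if any(c in chars for c in secret))

def brute_force_bits(secret: str) -> float:
    """log2 of the keyspace when every string of this length over the inferred
    charset is tried: 94^10 is about 2^65.5, i.e. a little over 10^19."""
    return len(secret) * math.log2(charset_size(secret))

def wordlist_bits(secret: str):
    """log2 of the keyspace under elron's model (k words from a D-word list gives
    D^k guesses). Case and punctuation are ignored, as crackers apply those as
    cheap mangling rules. Returns None when a word is off the list."""
    words = re.findall(r"[a-z]+", secret.lower())
    if not words or any(w not in ATTACKER_WORDLIST for w in words):
        return None
    return len(words) * math.log2(ATTACKER_WORDLIST_SIZE)

def effective_bits(secret: str) -> float:
    """A competent attacker picks the cheaper model, so a defender should credit
    the secret with only the smaller of the two keyspaces."""
    candidates = [brute_force_bits(secret)]
    wb = wordlist_bits(secret)
    if wb is not None:
        candidates.append(wb)
    return min(candidates)

def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to search half the keyspace at a constructed guess rate."""
    return 2 ** (bits - 1) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    for secret in (")@#($lkfl2lx0294_!@)ro9lku$Jamb0kai#3",  # Jack's random string
                   "crypt the fox mud dossier bowling!",      # Jack's passphrase
                   "correct horse battery staple"):
        eff = effective_bits(secret)
        print(f"{secret!r}: brute {brute_force_bits(secret):.1f} bits, "
              f"effective {eff:.1f} bits, ~{years_to_exhaust(eff):.3g} years")
```

Jack's 34-character phrase rates about 199 bits under brute force but only about 72 bits once the attacker switches to word combinations, which is the gap elron and David Reese describe.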
