
Password vs. Passphrase: Here Are 5 Reasons to Use a Passphrase

The debate over passwords versus passphrases is currently a trending topic online. After all the password hacking and identity theft incidents that have caught media attention, many online users have become aware of the danger lurking in the scam-infested world of the internet.

Hence, the recommendation by IT experts to use passphrases instead of passwords came at just the right time to soothe everyone from the hangover of the password disaster phenomenon.

However, not everyone is tech-savvy, and some are still confused about the difference between a password and a passphrase, and why the latter is more reliable.

The difference between password and passphrase

Just to put everyone on the same page, a password as you know it is typically composed of not more than 10 letters or symbols, or a combination of both. It could be a string of random symbols such as “B@3!&O$$” or just a lousy word like “yourname”, or a combination of both such as “sh@tup!”.

On the other hand, a passphrase is longer than a password and contains spaces in between words such as this: “The road to success is always under construction!”.

A passphrase can also contain symbols, and does not have to be a proper sentence or grammatically correct. The main difference between the two is that passwords do not have spaces, while passphrases have spaces and are longer than any random string of letters.

So why are passphrases better than passwords?

  1. Passphrases are easier to remember than a random string of symbols and letters combined together. It is easier to remember a phrase from your favorite song or your favorite quotation than a short but complicated password.
  2. Passwords are relatively easy to guess or crack, by both humans and robots. Online criminals have also leveled up and developed state-of-the-art hacking tools that are designed to crack even the most complicated password.
  3. Passphrases satisfy complex rules easily. The use of punctuation and upper and lower case in passphrases also meets the complexity requirements for passwords.
  4. Major operating systems and applications support passphrases. All major operating systems, including Windows, Linux and Mac, allow passphrases of up to 127 characters. Hence, you can opt for longer passphrases for maximum security.
  5. Passphrases are next to impossible to crack because most of the highly efficient password cracking tools break down at around 10 characters. Hence, even the most advanced cracking tool won’t be able to guess, brute-force or pre-compute these passphrases.

Using a passphrase instead of a password will ultimately give you some peace of mind when going about your business online. Just ensure that the phrase you will be choosing is also easy to remember but preferably not a common or popular quote or song that can be easily guessed by someone who knows you.

It should also be more than 14 characters long to ensure maximum security. With this new strategy of using passphrases for all your important accounts and websites, you can now enjoy a fully secured online experience.

{ 7 comments }
  • william C August 4, 2013, 7:21 am

    Nothing is 100% secure when it is online. The hackers that developed systems for cracking 10 symbol passwords will eventually figure out how to crack passcodes. But it is worth a try for now.

  • walter f bauer August 13, 2013, 1:38 pm

    What do we do, change all our passwords? This is a difficult and tedious job.

  • Jack November 7, 2013, 11:20 am

    “The online criminals have also leveled up and developed state of the art hacking tools that are designed to crack even the most complicated password.” Which for some reason wouldn’t work against a passphrase? Because of what?

    Please explain how this: )@#($lkfl2lx0294_!@)ro9lku$Jamb0kai#3
    Is less secure than this: crypt the fox mud dossier bowling!

  • Robert Sansom March 11, 2015, 12:24 pm

    Passphrases are great passwords – no argument there, however depending on what the password is intended to protect a phrase of random words is not enough. If you are a merchant that accepts, transmits or stores any cardholder data (Visa, Mastercard, etc) – there are specific requirements that passwords must meet including:

    – The merchant must disable accounts that are inactive for 90 days.
    – The merchant must lockout an account for 30 minutes after 6 failed attempts to login (admin can let the user in immediately after verifying identity).
    – The merchant must require the user to re-authenticate after a session is idle for 15 minutes.
    – Passwords must be a minimum of 7 characters long and contain both numeric and alphabetic characters.
    – User passwords must be changed every 90 days.
    – Merchants can’t allow a user to choose a password that is the same as any of their last four passwords (i.e., the last year).
    – First time use passwords have to require the user to enter a new password after authenticating for the first time.

    So while these rules may seem oppressive, they are in fact not that bad. You can still use a passphrase like “horse table wine oreos”, you just need to add a number in it somewhere like “4 horse table wine oreos”

  • elron November 9, 2015, 4:00 pm

    Hackers are way smarter than people seem to be giving them credit for. Yes, a brute-force method which is tuned to crack passwords of up to 10 randomish letters/digits/special chars *would* be rubbish for breaking a “pass-phrase” because that’s not what that is designed to do. Seeing as everyone is now under the impression that “correct horse battery staple” is impossible to crack – guess what’s at the top of the list in a pass-phrase-brute-forcer?…. yes, “correct horse battery staple”.

    Hackers know that people use passphrases, so what do you do – You get a list of 4000 words, 4 word combos = approx 10^14. As opposed to a ten character (alpha/digit/special) = approx 10^18 – If the hackers target pass-phrases (which they will) – then the pass-phrase is 10000 times less secure. And we are talking secure passwords and secure pass-phrases with the numbers I have just mentioned.

    What you are better off doing is combining both methods. eg “Michael given T5&ui!£ dove service” – Good luck cracking that.
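The search-space comparison argued over in these comments, worked through as an added example (not part of the original post or of any commenter's reply). It assumes secrets are chosen uniformly at random, the attacker knows the generation scheme and word list, and passwords draw on the 94 printable ASCII symbols; the function names and the 4000-entry word list are constructed for illustration.

```python
import math
import string

# Assumption: 94 printable ASCII symbols (letters, digits, punctuation).
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)

# Constructed 4000-entry list: four sample words plus filler entries.
WORDLIST = {"horse", "table", "wine", "oreos"} | {f"filler{i}" for i in range(3996)}

def char_bits(length, alphabet=PRINTABLE):
    """Bits of search space for `length` symbols drawn uniformly at random."""
    return length * math.log2(alphabet)

def word_bits(n_words, wordlist_size):
    """Bits of search space for `n_words` drawn uniformly from a known list."""
    return n_words * math.log2(wordlist_size)

def effective_bits(secret, wordlist):
    """Cost of the cheapest of two guessing strategies.

    Strategy 1: brute-force every character (alphabet plus the space).
    Strategy 2: guess token by token, using the word list for known words
    and per-character brute force for anything else (a digit, a symbol run).
    Token positions are treated as known, so this is a lower bound.
    """
    by_char = char_bits(len(secret), PRINTABLE + 1)
    by_token = sum(
        math.log2(len(wordlist)) if tok.lower() in wordlist else char_bits(len(tok))
        for tok in secret.split()
    )
    return min(by_char, by_token)

def words_to_match(target_bits, wordlist_size):
    """Smallest number of random words whose search space reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))

if __name__ == "__main__":
    for label, bits in [
        ("10 random printable characters", char_bits(10)),
        ("4 words from a 4000-word list", word_bits(4, len(WORDLIST))),
        ("'horse table wine oreos'", effective_bits("horse table wine oreos", WORDLIST)),
        ("'4 horse table wine oreos'", effective_bits("4 horse table wine oreos", WORDLIST)),
    ]:
        print(f"{label:34s} {bits:6.1f} bits")
    print("words needed to match 10 random characters:",
          words_to_match(char_bits(10), len(WORDLIST)))
```

Under these assumptions the length of the string matters less than how it was generated: a 22-character phrase built from four listed words costs an attacker about 48 bits of guessing, and a prepended digit adds only about 6.5 more.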

  • Chris November 17, 2015, 11:43 am

    Please explain how this: )@#($lkfl2lx0294_!@)ro9lku$Jamb0kai#3
    Is less secure than this: crypt the fox mud dossier bowling!

    Technically, it’s obviously not. But most people are not going to remember the first password. The passphrase provides the benefits of a longer string, hence many more iterations of guesses required to crack, yet is easy to remember, unlike your first example. The average person will write down password #1 somewhere so they can remember it, suddenly making it not as secure.

  • Brandon January 4, 2016, 1:47 am


    Read the link at the bottom to understand how passwords are stored so that an app can check to see if the password you entered is actually your password. It also explains how computers “guess” passwords. After that, you can understand that your “random” 37 characters will be harder to brute force than that 34-character phrase solely because there are three more characters. At least it will be more secure if the hashing is implemented correctly. Both of your examples are quite long with a large character set, though, so I think they might be essentially equal. When you need more security than 30 character passwords salted and hashed with bcrypt, you’re probably not even going to be using a password for security anymore. 🙂

