Password vs Passphrase

Passphrase vs Passwords: Which is Better for Security?

As identity theft cases continue to rise, cyber security has never been more important. One of the main ways to protect your information is to create a strong password, but would a passphrase do a better job?

While they might both sound similar, there are a lot of differences that can either improve or reduce the security of your account.

Today, I will highlight the advantages and disadvantages of using a passphrase.

Passphrase vs Password: Overview

Before we go into more detail, let’s do a brief overview of what each one is and how they are different on a fundamental level.

What Is a Password?

A password is a secret set of data that can essentially consist of anything. Upper and lowercase letters, numbers, or symbols are fair game. A password generator creates a random string of characters making it ultra-difficult to crack. This can lead to passwords like this: “ayndeE$$js&*os.”

Unfortunately, passwords have many problems associated with them, which make them a pain to manage.

The main obstacle is the user. It’s no secret that remembering 50 different passwords becomes a hassle. This leads many to use the same password for multiple sites.

However, this has a domino effect.

If one site gets compromised, your password is now compromised on every other site.

What Is a Passphrase?

A passphrase is very similar to a password, but instead of being a single word or string of random characters, symbols, or numbers, a passphrase is a series of words that may or may not include spaces.

Not all security systems support spaces as a character. So, this will be determined by the website or software you’re using.

Here are some passphrase examples that showcase three variations of the same passphrase:

  • “This Is A Bad Example Of A Passphrase”
  • “ThisIsABadExampleOfAPassphrase”
  • “This_Is_A_Bad_Example_Of_A_Passphrase”

Of course, it doesn’t actually have to be a complete sentence or phrase. It can consist of just a random assortment of words like so:

“Giraffe Potato Ninja Guacamole.”

As you can see, those words don’t form a sentence, which can be more secure, but more on that later.

So, What’s the Difference Between a Password and a Passphrase?

All passphrases are passwords, but not all passwords are passphrases.

When following proper security recommendations, passphrases are easier to remember than passwords. This means a user is less likely to write them down, which creates a vulnerability by itself.

In terms of security, both can be very secure, but on average a passphrase is stronger. That said, it can also be weaker.

Let’s take a look at how they stack up against each other.

Passphrases vs Passwords: Best Practices

While both of these are similar in nature, the best practices surrounding them are quite different. Since their usability is directly impacted by what they consist of, it’s important to understand how to make a strong password/passphrase.

How to Make a Strong Password

Even in 2022, people still use horribly weak passwords like “Password” or “123456.” In fact, this isn’t even a small number of people. These are legitimately some of the most popular passwords.

And that makes a hacker’s job very easy. Thus, naturally, the first step to a strong password is not picking something obvious or common.

So, what qualifies as a common password? Any term that is easily guessable. Now, that probably didn’t help, so, let me clarify that with some examples of common passwords:

  • Yankees
  • Monkey
  • Soccer
  • Toaster
  • Your Date of Birth
  • Your Address

The first four examples are quite common words. There is nothing special about them; they are just normal words that anyone could guess. In fact, most bots start with these terms.

The other two might seem like a good choice. Obviously, your address and date of birth are not common, but are they secure? Is your birthday on your Facebook account? Does someone know where you live?

As you can probably imagine, after thinking about it for two seconds, no, these are terrible choices for a password.

So how do I pick a strong password? Easy: make sure it meets all of the following rules:

  • Includes both upper and lowercase letters
  • Includes both numbers and symbols
  • Does not contain a common word
  • Does not match your email
  • Does not include personal information
  • Is a length of at least 12 characters
  • It is not currently being used on another site

If you are following the above rules, you will get a strong password. For example, here is a list of some strong password ideas:

  • aIdfs#_dTn9@
  • qOdr%hj9dEp$
  • Lu6bw*QRgb7&

Obviously, don’t use these. But they are a completely random string of characters that no one could just randomly guess.

Nowadays, some browsers, such as Google Chrome, will provide a randomly generated password anytime it detects that you are creating an account.
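
The rules listed in this section can be checked mechanically. The Python code below is an added example, not part of the original article; the function name, the short common-word list and the inputs are constructed for illustration, and a real check would use a much larger list of common passwords.

```python
import string

# Constructed sample list (assumption): the weak choices named in the article.
COMMON_WORDS = {"password", "123456", "yankees", "monkey", "soccer", "toaster"}

def check_password(password, email="", personal_info=(), used_elsewhere=()):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    lowered = password.lower()
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("needs both upper and lowercase letters")
    if not (any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password)):
        problems.append("needs both numbers and symbols")
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common word")
    # Compare against the full address and the part before the "@".
    local_part = email.split("@")[0].lower()
    if email and (lowered == email.lower() or local_part in lowered):
        problems.append("matches your email")
    # personal_info: birthday, street name, etc. supplied by the user.
    if any(item and item.lower() in lowered for item in personal_info):
        problems.append("includes personal information")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    # used_elsewhere: passwords the user already has on other sites.
    if password in used_elsewhere:
        problems.append("already used on another site")
    return problems

if __name__ == "__main__":
    for candidate in ("Password", "Yankees1987!", "aIdfs#_dTn9@"):
        print(candidate, "->", check_password(candidate, personal_info=["1987"]) or "ok")
```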

How to Make A Strong Passphrase

Remember how I said that all passphrases are passwords? Well, everything I just went over applies here.

Let’s take a moment to touch on common words again. You may think since you are picking multiple words for a passphrase that common words are now okay. After all, it’s four randomly chosen words.

Wrong.

Common words are still something you should avoid. The words should be random and not normally used in a sentence.

Something unique to passphrases is avoiding the use of famous quotes or sayings. For instance, “We Have A Hulk” would be a terrible choice for multiple reasons.

  1. It is a well-known movie quote from the Avengers
  2. All of the words are four characters or less
  3. All of the words are common

So, now that we know what to avoid, what should we incorporate into our passphrases? Again the rules that apply to passwords apply here, which include:

  • Use upper and lowercase characters
  • Use numbers and symbols
  • Use at least four words (the total should be 12 or more characters)

Now, hold on, how would numbers and symbols be used in a passphrase? Isn’t the point to use words? Yes, but you can get creative.

For instance, “Glasses Series Mower Pole” could be “G!@sSeS SeRieS M0wEr P0!e” and it’s quite the difference. Take note of how I replaced the letter “o” with the number “0.” Or the letter “a” with the symbol “@.”

It’s a very easy thing to remember but makes your passphrase more secure. Everybody is different, so coming up with a set of rules that is easy to remember for replacing letters with numbers or symbols can vary depending on personal preference.
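
The three problems listed for “We Have A Hulk” can be tested in code. The Python code below is an added example, not part of the original article; the word list, the quote list and the function names are constructed for illustration. It undoes the letter swaps described above before checking, so a quote or common word is still flagged after its letters are replaced.

```python
# Undo the swaps the article uses: "0" for "o", "@" for "a", "!" for "l".
LEET = str.maketrans({"0": "o", "@": "a", "!": "l"})

# Constructed sample lists (assumptions); a real audit would use far larger ones.
COMMON_WORDS = {"we", "have", "a", "hulk", "this", "is", "bad", "of"}
KNOWN_QUOTES = {"we have a hulk"}

def normalize(passphrase):
    """Undo substitutions, lowercase, and split on spaces or underscores."""
    cleaned = passphrase.translate(LEET).lower().replace("_", " ")
    return cleaned.split()

def audit_passphrase(passphrase):
    """Return the list of weaknesses found; an empty list means none were found."""
    words = normalize(passphrase)
    findings = []
    if " ".join(words) in KNOWN_QUOTES:
        findings.append("well-known quote")
    if words and all(len(w) <= 4 for w in words):
        findings.append("every word is four characters or less")
    if words and all(w in COMMON_WORDS for w in words):
        findings.append("every word is common")
    if len(words) < 4:
        findings.append("fewer than four words")
    if sum(len(w) for w in words) < 12:
        findings.append("fewer than 12 characters")
    return findings

if __name__ == "__main__":
    for candidate in ("We Have A Hulk", "We H@ve A Hu!k", "G!@sSeS SeRieS M0wEr P0!e"):
        print(repr(candidate), "->", audit_passphrase(candidate) or "no findings")
```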

Passphrases vs Passwords: Usability

In no uncertain terms, it is clear that for the vast majority of users, remembering your account information across 50 different sites is a nightmare. Usability is an important factor.

Note: When using a web browser’s autofill option or a password manager, there is no difference between a password and a passphrase. The tools will handle everything. This comparison is for the cases where you cannot use them.

Passwords: Usability

Most people are well aware of the problems that come with remembering a lot of different passwords. In fact, that is why password managers have become so successful: people just don’t want to deal with them.

One of the biggest problems with passwords is that websites do not share a set of universal rules. For instance, have you ever tried to create an account to see that the password you entered is not acceptable?

It probably happens a lot if you don’t follow the best practices. Some sites require upper and lower-case letters, numbers, and symbols to be included. Others don’t but may require 12 characters instead of 8.

While there are security advantages to having different standards, one thing is clear: people hate it.

Passphrases: Usability

On a surface level, a passphrase should be quite similar to a password in terms of usability, at least when following the best practices. However, it is typically easier to remember a set of words than a random assortment of characters.

And that’s really where passphrases shine. They are much easier to remember and with a few simple modifications, they can be accepted without issue on all sites and platforms.

Just to be clear, modifications are things like replacing the letter “o” with the number “0” and such. Again, simple things that make the login info more secure but are still easy to remember.

In general, passphrases are more user-friendly than passwords and usually fit the requirements of all sites.

Are Passphrases Less Secure Than Passwords?

After learning about the best practices, it may seem like passwords might be a more secure approach. After all, when using the best practices, they should be completely random characters, numbers, and symbols arranged in a string.

However, most people do not follow these rules. That’s why “Password” is still one of the most popular passwords.

In comparison, a passphrase is typically easier to remember and longer than a traditional password that does not follow the best practices. Even four common words strung together are stronger than a common password.

Thus, in general, a passphrase is more secure, but both of them are equally effective when following best practices, with passphrases being the easiest to remember.
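
When a password or passphrase is generated at random, its strength can be expressed in bits of entropy and compared directly. The Python code below is an added example that goes beyond the article's text; it is not part of the original article. The 7776-word list size used in the demo is an assumption (the size of common diceware-style lists), and the eight-word sample list is constructed from words the article uses and is far too small for real use.

```python
import math
import secrets
import string

# Constructed stand-in list (assumption); load a list of thousands of words in practice.
SAMPLE_WORDS = ["giraffe", "potato", "ninja", "guacamole",
                "glasses", "series", "mower", "pole"]

# 52 letters + 10 digits + 32 symbols = 94 printable characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def entropy_bits(choices, picks):
    """Entropy when each of `picks` items is drawn uniformly at random from
    `choices` options. Does not apply to secrets a person made up."""
    return picks * math.log2(choices)

def random_password(length=12):
    """Random password built with the OS cryptographic random source."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def random_passphrase(words, count=4, sep=" "):
    """Random passphrase; every word is an independent uniform draw."""
    return sep.join(secrets.choice(words) for _ in range(count))

def words_needed(target_bits, list_size):
    """Smallest number of random words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))

if __name__ == "__main__":
    password_bits = entropy_bits(len(ALPHABET), 12)
    print(f"12 random characters: {password_bits:.1f} bits")
    print(f"4 words from 7776:    {entropy_bits(7776, 4):.1f} bits")
    print(f"words to match:       {words_needed(password_bits, 7776)}")
    print(f"4 words from sample:  {entropy_bits(len(SAMPLE_WORDS), 4):.1f} bits")
    print(random_password(), "|", random_passphrase(SAMPLE_WORDS))
```

Under these assumptions, four random words carry fewer bits than twelve random characters, so matching the password means adding words rather than relying on the four-word minimum.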

FAQ

One thing this guide does not cover is storing your password or passphrase. Let’s answer a few simple questions most people may have:

Is It Safe to Store Passwords/Passphrases in a Web Browser?

No, it is not safe to store password information in a web browser. And just to be clear, this includes any web browser.

Unfortunately, anyone that can log into your computer can open up the web browser and export all of the password data stored. In fact, there is malware specifically designed to do this.

And even worse, just regular software should do the trick. It’s also worth noting that the browser does not just store your passwords; it also stores your username and the site each one is used on.

While you can mitigate the risk by using security programs, the risk is quite large.

Are Password Managers Safe to Use?

Password managers are very safe because they encrypt your password information, which prevents hackers from accessing it.

However, they are not flawless.

In fact, very little is when it comes to security. The main risk associated with a password manager is if a hacker is able to obtain the master password to access the software.

If they obtain the password, they now have full access to all of your accounts. That said, it is quite rare for a password manager to be compromised.

They are quite safe for the most part, so don’t be afraid to use one.

Are Usernames Useful for Protecting Your Account?

In the majority of cases, usernames offer very little or no form of protection.

If you stop and think about the average username you enter, you will probably identify the pattern in less than a minute. Most of them simply consist of your email address, the first letter of your first name, and your last name, or are fully viewable on a forum.

None of the above information is secure, especially not your email address. Many people have that listed on their LinkedIn page in hopes of making business contacts.

That said, it is possible to make an email that is exclusively used for one site, but almost no one does that.

Since most usernames are forced upon you by the site or institution they are used for, you really don’t have a choice in the matter. Thus, there’s no point in trying to make them hard to remember.

Final Verdict: Passphrase vs Password

From a security standpoint, both passphrases and passwords are equal when following the best practices. They are not something that someone could use guesswork to crack and would take bots years to force.

However, passphrases have a distinct advantage of being more user-friendly. It is much easier to remember a passphrase than a password, but for the majority of users, this is a moot point.

Let’s face it, regardless of how insecure a web browser’s auto-fill feature is, most people still use it or they purchase a password manager.

Thus, it really does not matter which one you use. What does matter is whether you follow the best practices.

Do you prefer creating a password or a passphrase to keep your account safe? Do you follow the best practices?