Password vs. passphrase: What’s best?

joanne profile
Joanne Yip|September 14, 2023
Security cover image 1
Security cover image 1

Passwords can be just as secure as passphrases — if they have the right length and complexity, are securely stored, and can be easily retrieved. We'll take you through the pros and cons of passwords and passphrases, what makes them different, and whether one is really more secure than the other.  

What is a password? 

A password is a sequence of characters used to verify user identity when accessing an account, app, or system. Password characters can include letters, numerals, and symbols. And the average password is between eight and eleven characters long. Below is a list of some of the world’s most common (and hackable) password examples, according to industry research:  

  • 123456789 

  • password1  

  • iloveyou 

  • 1q2w3e4r 

  • qwerty123 

Disclaimer: The simple passwords listed above are probably not robust enough to stop a fly. Use them at your own risk.  

Advantages of passwords 

A strong password offers better security. The keyword here is strong. Passwords that are appropriately long and complex are harder to crack and offer more reliable protection for sensitive data. With secure passwords in place, no one will ever find out what really went down at the office Halloween party last year. 

Disadvantages of passwords 

Passwords have a couple of disadvantages: Those that are sufficiently complex and secure are difficult to recall without a password manager, while those that are easier to use tend to be predictable and less secure.  

Difficult to remember 

Passwords that satisfy complexity rules can be hard for the average human to remember. Unless you have a photographic memory, a 15-character complex password containing various uppercase and lowercase alphabets, numbers, and symbols is virtually impossible to memorize. (Heck, some of us can’t even recall what we ate for dinner last night.) 

Predictable 

When it comes to passwords, humans tend to be dangerously predictable, preferring to choose the path of least resistance even if it means less security. Rather than dealing with strings of utter gibberish, most people end up creating simple passwords using familiar or personal references like birthdays or (gasp) social security numbers. While users are less likely to forget these types of passwords, they’re also much weaker and easier to hack.  

What is a passphrase? 

A passphrase is a password that comprises a series of random words with or without spaces. A passphrase doesn’t have to form a complete or grammatically correct sentence. Passphrases are usually between four and five words long and can also contain numbers and symbols.  Here’s a list of passphrase examples generated with the help of my trusty password manager:  

  • mobility mower stalling eardrum (Alliteration!) 

  • sprite emphasize ravioli shininess (Love a good pasta reference.) 

  • smell entering divinely enchilada (My personal favorite.) 

  • tavern riposte junior drippy (Is it just me or does this sound like a bad bar joke…) 

Advantages of passphrases 

One of the main benefits of passphrases is that they’re both easy to recall and difficult to hack. For instance, smell entering divinely enchilada is so much more memorable than 2In;{d;[t;{6X^ccA=q,

Because of its length and degree of randomness, a strong passphrase is also difficult to crack. Plus, it’s far less of a pain to type a passphrase containing four to five words in lowercase than it is to type a 15-character password with upper and lowercase letters, numbers, and symbols. 

Disadvantages of passphrases 

The disadvantages of passphrases include length and predictability. Here’s why.  

Too long 

The downside of using passphrases is that some websites or apps may have limits on how many characters you’re allowed to enter. So, you’re forced to choose between using a shorter passphrase (which is less secure) or a strong password (which can be harder to remember). 

Predictable 

Predictability can be a problem for passphrases as well. Quoting famous lines from The Godfather may impress your coworkers, but using them as your passphrase is less ideal. After all, you never know if the one hacking your systems could also be a hardcore Martin Scorsese fan.  

Consider a password manager 

You may have the strongest password or passphrase in the world, but if you save it by writing it on a Post-it stuck to your monitor, it’s about as useful as the snow globe Grandma Betty gave you for Christmas. We get it — it’s impossible to remember unique passwords for all your apps and devices. That’s where password managers can help out. And yes, they’re way more secure than Post-it notes.

Are passwords and passphrases the same?  

Yes and no. Passwords and passphrases have the same primary function, it’s true. But it’s like comparing a Mini Cooper and a Ford F-150: Both vehicles can take you places, but they’re each built very differently. In short, all passphrases are passwords, but not all passwords are passphrases. (Woah, that’s deep.) 

What’s the difference between a password and a passphrase? 

Compared to passwords, passphrases are generally longer and have a different structure comprising words instead of just characters. And unlike passwords, passphrases can contain spaces. Because the average password tends to be shorter, it has significantly less entropy (randomness) than a passphrase.  

Passwords vs. passphrases: Which is more secure?  

Passphrases are generally viewed as more secure than passwords and less vulnerable to cyberattacks. Even the FBI recommends using passphrases. But this is mainly because the average password tends to be too short, too predictable, or is a victim of poor password practices. 

In comparison, the average passphrase tends to be longer with greater variability, making it much harder to crack — a point that xkcd famously illustrates: 

Comic strip depicting the different levels of entropy between a password (Tr0ub4dor&3) and a passphrase (correct horse battery staple).

According to industry research, there’s also a strong correlation between length and the time it takes for a brute force attack to decode a password or passphrase.  

A table showing the time it takes a hacker to brute force your password based on how long and complex it is.

Whether you use passwords or passphrases, the level of security depends on their length and complexity and your information security practices. E.g., by using a password manager, you can easily generate and store a longer password that is just as secure as a passphrase.  

Passwords vs. passphrases FAQs 

How do I choose a strong password or passphrase? 

To create secure passwords or passphrases, keep these pointers in mind:  

  • Use at least 15 characters (for passwords) or five to seven words (for passphrases). 

  • Avoid using personal information or common quotes. 

  • Use unique, random words (for passphrases).  

  • Use a password manager to generate and store passwords and passphrases. 

  • Use uppercase and lowercase, special characters, numbers, and spaces, where possible. 

To increase information security, you’re also strongly recommended to use multifactor authentication (MFA) and vary your passwords or passphrases across different accounts. 

What are common password mistakes?  

Many common password mistakes revolve around poor practices, such as: 

  • Using personal information or common words 

  • Using the same password or passphrase across multiple accounts 

  • Using simple passwords or passphrases that are too short 

  • Sharing passwords or passphrases  

  • Storing passwords or passphrases as plain text 

  • Varying only one character when changing passwords  

  • Using recognizable keyboard patterns (e.g. 7ujm8ik<) 

Avoiding the above blunders can significantly reduce your risk of a security breach.  

Check out this video by SmartDeploy’s tech experts as they chat about industry trends, important security issues, and their take on the password vs. passphrase debate. 

Loading...

How do I create a corporate password policy?

To create a corporate password policy, start with a few tried-and-true best practices, such as implementing multifactor authentication or single sign-on and securing your most privileged users.


You know what else can enhance the security of your endpoint environment? Setting up user devices with a custom golden image and keeping operating systems, apps, and drivers up to date throughout the device lifecycle. Thankfully, computer imaging software like SmartDeploy makes the process a lot simpler and less painful than it used to be. You can download a free 15-day trial and see for yourself. 

joanne profile
Joanne Yip

Joanne has always loved the impact that words can make. When she isn’t typing away in the world of sysadmin, Joanne loves hiking with her husband and dog, true-crime podcasts, and dreaming of her next scuba diving adventure.

Related articles

Ready to get started?

See how easy device management can be. Try SmartDeployfree for 15 days — no credit card required.