Password vs. passphrase: What’s best?

Technology and data serve as both fuel and currency for the world we live in today. This also makes them highly coveted resources that are often used by hackers to undermine business, institutions, and even entire countries.  

Since the start of the global pandemic, many organizations have moved to remote or hybrid work environments, increasing their reliance on digital connectivity and online platforms. While this has led to greater efficiency in some ways, it has also exposed existing security vulnerabilities, increasing the risk of cyberattacks and data breaches, and the need for increasing cybersecurity.  

In 2021, the global number of cyberattacks reported were alarming.  

  • 10.4 million encrypted threats (+167% from 2020) 
  • 623.3 million ransomware attacks (+105% from 2020) 
  • 97.1 crypto jacking attacks (+19% from 2020) 
  • 5.3 trillion intrusion attempts (+11% from 2020) 
  • 5.4 billion malware attacks 

Yikes.  

Making information security and data protection a priority 

Many people would agree on the importance of using passwords to ensure data security. Password rules, however, are a different matter altogether. Does complexity trump length, or the other way round? How random is random? (Hint: read on to find out.)  

Experts frequently debate whether passphrases are indeed better than passwords in protecting individuals and organizations from cyber risks. To get to the bottom of that discussion, we first need to understand the differences between passwords and passphrases. 

Are passwords and passphrases the same?  

Not quite, other than the fact that both passwords and passphrases are used to secure accounts and prevent unauthorized access to sensitive information.  

A password is typically a continuous string of eight or more letters, numbers, and/or symbols. Ideally, these should be randomized, which would make it harder to decode. An example would be “W=aXBt<P#Y]SG.04pN1)”, as generated by my trusty password manager.  

A passphrase, on the other hand, comprises a series of 4 to 10 random words (with or without spacing) and is usually longer than a password. For instance, “gnomechalkkimchihurricane”. Again, the more nonsensical and unrelated the selected words are to one another, the better.  

A recent research study has shown that men use swear words as passwords more often than woman. The study also found that Ferrari and Porsche are the top car brands featured in bad passwords, and that in several countries, One Direction is among the most common passwords used. (For all the non-millennials, One Direction is an English-Irish boy band that produced chart-topping hits in the 2010s, inspiring a whole generation of professional bathroom singers.)  

Password vs. passphrase: what is best?  

In general, the consensus is that password-oriented practices tend to be less effective largely because of human fallibility. Left to their own devices, humans tend to form passwords from familiar words or personal references that can be easily decoded by hacking algorithms.  

To counter this, organizations may mandate longer and more complex passwords, or require frequent password changes. Very often, the result is a system in which people can no longer remember their passwords, store them in an insecure way, or give up and default on security requirements entirely.  

In contrast, passphrases are easier to remember, especially with the use of mnemonic devices. Passphrases also tend to be longer than passwords — 4 to 10 words versus 8 to 12 characters. This makes them harder to predict, with each word requiring a separate dictionary hack. If formed using uncommon words with strategically placed special characters, passphrases are exponentially more difficult to crack. 

Useful tips when creating passwords or passphrases 

Whether you use passwords or passphrases, it’s crucial to ensure that they are strong enough to serve their purpose. Here is a list of useful tips to keep in mind:  

Use a password manager  

A reliable password manager will do what the human brain cannot when it comes to generating passwords, injecting it with enough randomness to make it powerful and effective. Password managers are also handy tools for storing passwords and passphrases securely, ready for immediate retrieval when needed.  

Be as random and as unpredictable as possible 

 Avoid using personal references (names and birthdays are far too publicly available), dictionary words, or common sayings. Hackers often tap on word lists from multiple languages, so Google Translate won’t help you either.  

Check the strength of your chosen password or passphrase  

Use tools that check for the strength and viability of your password or passphrase. Some examples include NordPass’ free online password strength checker and the University of Illinois at Chicago’s password strength test. Some of these tools also enable you to check if your chosen password or passphrase has been previously hacked or compromised.   

How to create a strong and memorable passphrase? 

Use inside jokes or unusual words 

Humor sticks. Use words from an inside joke, a funny but obscure memory, or something that makes you laugh that no one else would be able to guess. Uncommon words can also be a good shortcut — and if you pick the right one (like wabbit, a Scottish term for being exhausted), they can make you laugh, too.  

U5e a mix of symb0l5, number5, upPErCaSe & lowercase  

Although length trumps complexity — and passphrases are long enough — it doesn’t hurt to use selectively placed symbols, numbers, uppercase, and lowercase letters to create a more complex passphrase. To create less predictability, try using a symbol or number in one place as opposed to applying it to an entire word.  

Use substitutes that make sense only to you 

When choosing words to use in a passphrase, you can always get creative by making unique substitutes that only you would know and easily remember. For instance, does the figure 8 make you think of a cello? Or perhaps “(“ looks like a cookie to you? Instead of a passphrase like “cellodismalcookiegigaplasmid”, you could go with “8dismal(gigaplasmid”. 

How to create a strong and memorable password 

Choose password length over password complexity 

Google recommends a minimum length of 12 characters. If you use a password manager and opt for a password that contains letters, numbers, and symbols, you’ll likely end up with one that’s even longer. (A quick click on mine generated a password with 20 characters.)  

Avoid commonly used password patterns 

Hackers are always on the lookout for clues or patterns that would enable their nefarious mission. By avoiding the use of predictable password patterns, you would make it a lot harder for them to succeed. An earlier study on passwords by DARPA, a research and development agency under the U.S. Department of Defense, identified the following common password patterns:  

  • One uppercase, five lowercase, and three digits  
  • One uppercase, six lowercase, and two digits 
  • One uppercase, three lowercase, and five digits

Make it easy to remember but hard to guess

A series of random characters is difficult for most people to memorize. Considering that the average person has 70 to 80 passwords to track and maintain, this becomes an impossible task. To create a password that’s memorable but not predictable, try using the first letter of every word in a sentence that resonates with you. A favorite song, book or movie are good places to look.  

How to create a password or passphrase policy for your organization? 

Almost all security breaches involve a human element. That’s why organizations need robust security policies that are designed to minimize cybersecurity risk and cultivate healthy password habits. The U.S. National Institute of Standards and Technology (NIST) lists the following recommendations and guidelines for organizations to consider including in their password or passphrase policy: 

  • Prioritize length over password complexity 
  • Password length should be a minimum of eight characters and should not require special characters 
  • Do not require password resets more than once a year 
  • Enable “show password” when typing 
  • Allow copy and paste in password fields 
  • Disable password hints 
  • Use a password manager 
  • Use a password checker to test the strength and validity of passwords or passphrases 
  • Limit password attempts to protect against brute-force attacks 
  • Require two-factor or multifactor authentication  
  • Secure password databases 
  • User passwords should be adequately salted and hashed for more secure storage 

SmartDeploy’s take on the password vs. passphrase debate 

Hear from SmartDeploy’s Support Team Manager, Jeff Harris, and General Manager, Spencer Dunford, as they chat about the latest customer trends and security issues, demonstrating why they think passphrases are more secure than passwords.