When you identify yourself to get access to an online account or file, you usually use a password of some kind. You could also opt to use a passphrase.
Unlike a traditional password, which typically consists of a shorter combination of characters (such as letters, numbers, and symbols), a passphrase can be more complex and longer, and may include spaces between words. Passphrases are often used to provide enhanced security for sensitive accounts or data, as they are more resistant to hacking and can be easier to remember for the user.
Understanding the concept of passphrase
The word passphrase is a portmanteau of the words “phrase” and “password.” It’s used just like a password to gain secure access to a device, computer, account, or network. The difference is in the way it’s structured.
A passphrase is a sentence-like string of words used for authentication that is longer than a traditional password, easy to remember and difficult to crack. Typical passwords range, on average, from eight to 16 characters, while passphrases can reach up to 100 characters or more.
Using a long passphrase instead of a short password to create a digital signature is one of many ways that users can strengthen the security of their data, devices and accounts. The longer a passphrase is, the more likely a user is to incorporate bits of entropy, or factors that make it less predictable to a potential attacker. As more websites, applications and services increase their user security requirements, a passphrase is a fast and easy way to meet these criteria.
While you can use a passphrase as a substitute for a password anywhere that accepts longer strings of characters — such as Windows and macOS operating systems (OSes) — the most common use of a passphrase is as an encryption key. Because a passphrase is typically longer than a password, it provides better protection against potential attempts to guess or crack it.
The use of passphrases to secure password manager applications or services is also common. This provides added security for common passwords — or those passwords that are difficult to remember.
Types of passphrases
- Image-based passphrase: You can draw words from an image to create an image-based passphrase. For example, you may look at family photos from a day at the beach to create Sandwich Gone Thanks 1 N@sty $eagull.
- Keyboard pattern passphrase: This type of passphrase carries a chain of words, with each word starting with the first letter of a keyboard pattern. For example, Quick Wick Eat Rice Tomato Yam follows the qwerty pattern.
- Mnemonic passphrase: A mnemonic passphrase carries a combination of unique words that may appear random but create a memorable sentence. Here is an example of a mnemonic passphrase: Amsterdam-exotic-necromancer.
- Random passphrase: A random passphrase is made up of completely random words. It may be more secure than a mnemonic passphrase, but it’s also more challenging to remember. An example of a random passphrase is DropmangohammerlaptoppeacocK.
What makes a strong passphrase?
Complexity
As mentioned, a long passphrase is already stronger than a shorter, more complex password. A strong passphrase contains a combination of different types of characters, such as uppercase and lowercase letters, numbers, and symbols.
Still, you can make your passphrase even stronger by following some of the same rules from when you learned how to create a strong password.
Length
Length is the most critical characteristic of a strong passphrase. Your passphrase must be at least 15 characters, though the longer, the better. Experts say that a 15-character passphrase is harder to crack with a brute force attack than a 12-character sophisticated password. You can also use spaces to lengthen your passphrase.
Memorability
A critical advantage of setting a passphrase is that it’s easier to remember because its strength is length rather than complexity. In other words, a short sentence with random words is easier to memorize than a shorter password with random numbers and symbols.
How to use a passphrase
The best way to create a passphrase is to combine a group of words into a phrase that makes sense to the user and is easily remembered but makes no sense to anyone else. Thus, it should not use common phrases or famous quotes, as these can be guessed or cracked far more easily. Instead, passphrases should include words and punctuation that only the user would understand.
Best practices that users can incorporate when creating strong passphrases include the following:
- Use an easy-to-remember but uncommon group of four to eight words.
- Add spaces within and between words.
- Use capital letters or capitalize certain words.
- Add punctuation and special characters that make sense to the user but no one else.
- Use unusual or abbreviated spellings of words.
- Make some letters into numbers.
Some ways of developing a passphrase include a personal story or memory specific to the user. Keywords can be used to tell this story — but, to all others, the words seem completely random. Other methods include the use of mnemonics or random, dice-generated passwords, along with a random document or word list to select words from.
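The dice-and-word-list method mentioned above, sketched in Python as an added example (not code from the original article). The 36-word list is constructed for illustration so that two dice select one word; `entropy_bits` also shows the figure for a five-dice list of 7776 words.

```python
import math
import secrets

# Constructed 36-word list (6 x 6), so two dice pick one word. A list meant
# for real use is much larger: five dice index 6**5 = 7776 words.
WORDS = """amber bison cedar dune ember fjord glade heron iris jade kelp lotus
maple nectar onyx pecan quartz raven sable thyme umbra violet walnut xenon
yarrow zephyr anchor basil cobalt dahlia eagle fennel garnet hazel indigo
juniper""".split()

def roll_die():
    """One fair six-sided die from the OS CSPRNG (not the `random` module)."""
    return secrets.randbelow(6) + 1

def dice_needed(list_size):
    """Number of dice required to index a list of exactly 6**k words."""
    k = round(math.log(list_size, 6))
    if 6 ** k != list_size:
        raise ValueError("word list size must be a power of 6")
    return k

def pick_word(words):
    """Roll the dice and read them as a base-6 index into the word list."""
    index = 0
    for _ in range(dice_needed(len(words))):
        index = index * 6 + (roll_die() - 1)
    return words[index]

def generate(n_words, words=WORDS, sep=" "):
    """Build a passphrase of independently chosen random words."""
    if not 4 <= n_words <= 8:
        raise ValueError("the article recommends four to eight words")
    return sep.join(pick_word(words) for _ in range(n_words))

def entropy_bits(n_words, list_size):
    """Entropy in bits when every word is drawn uniformly at random."""
    return n_words * math.log2(list_size)

if __name__ == "__main__":
    print(generate(6))
    print(f"6 words from {len(WORDS)}: {entropy_bits(6, len(WORDS)):.1f} bits")
    print(f"6 words from 7776: {entropy_bits(6, 7776):.1f} bits")
```

The entropy figure holds only when the words are chosen by the dice, not by the user; picking words that "feel random" gives no such guarantee.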
The pros and cons of passphrases
Passphrases can certainly be considered better in a lot of ways than passwords. However, they have some of the same shortcomings. Here are the advantages and disadvantages of passphrases.
The advantages of passphrases
Let’s look at the two main advantages of passphrases:
Passphrases are long and complex
Password complexity really comes down to two points:
- Longer is more complex.
- Using more types of characters (upper- and lowercase letters, numbers, and symbols) is more complex.
Of these, the first point is more important. That’s why just “MonkeyPlainsMilkEurope” is already a very strong password. Changing it to “Monkey.Pl4ins.Milk.Eur0pe!” brings the complexity level even higher.
Comparing both to a very complex password like “ac=oei$EdrN5`2k” shows how much more complex a passphrase can be.
Passphrases are easy to remember
No human can remember passwords that look like the example above, “ac=oei$EdrN5`2k”. It’s just too hard. However, you can probably already say the passphrase we’ve been using without reading it, “monkey plains milk Europe”.
The disadvantages of passphrases
It’s hard to come up with specific disadvantages of passphrases. However, it is important to remember that they still have three of the same big vulnerabilities as passwords:
Passphrases are still vulnerable to the same storage mistakes
If you store passphrases in unsafe locations, for example, a sticky note on your monitor or a Google Sheets document, then they are still at risk of being stolen. If someone can find your passphrase, then it doesn’t matter if it’s long and complex.
A passphrase is not necessarily more secure
Remember that dictionary attacks exist. If you pick words that are commonly used in passwords to make your passphrase, then you are at risk of a dictionary attack. For example, “PasswordPasswordPassword” is still going to be cracked in seconds. If your words are short, for example, “DogIceUp”, then you still have an easy-to-crack password.
A passphrase is easy to remember, but hundreds are not
You are probably getting tired of “monkey plains milk Europe” at this point because it is stuck in your head. However, if you need 200 accounts, then it might not be the easiest task to remember 800 words.
If you cheat and use the same passphrase across your accounts, this means hackers can get access to all of your information after just one attack.
Should I use a passphrase?
Yes, passphrases are great. If you are looking for a super strong password for your email account or password manager, then a passphrase is a great option. Use a super complex passphrase to keep these key accounts safe.
However, it’s not recommended to use passphrases for every single account you need to access. Trying to remember hundreds of passphrases is impossible. It’s best to use a handful of passphrases to protect key accounts and then let a password manager remember the rest of them for you.
How to create and remember a strong passphrase
Building a passphrase is easy; it can even be fun. Here are some steps to follow to create and remember a strong passphrase:
- Avoid common phrases. Using four random words can create a strong passphrase. Using a common phrase like “RonaldoIsTheGOAT” will leave you vulnerable to dictionary attacks.
- Jokes are easier to remember. If you think something is funny, then you’ll remember it. However, it won’t necessarily be an easy-to-predict phrase for a computer or someone making a social engineering attempt. For example, “NoisyGiraffeInfestation” is funny but not exactly what you’d think would go together.
- Add an unusual word or two. This is the point where you pull out your thesaurus and pick one of the alternative words. For example, I’ve always liked “parsimonious” instead of “cheap” to describe someone unwilling to spend money.
- Avoid common password words. We all know “password” should be avoided, but did you know ice, rice, tea, and pie are the most common food items in passwords? It’s best to avoid anything in the top 100 most common passwords at a minimum.
- Practice typing your passphrase. Type out your passphrase 20 or 30 times to make sure you don’t forget. Even if you’ve memorized “monkey plains milk Europe” for life, “Monkey.Pl4ins.Milk.Eur0pe!” isn’t quite as easy. Since passphrases should be used to protect your most important accounts, you don’t want to forget yours!
- Update your passphrase regularly. Just like all of your passwords, passphrases will eventually be stolen by a hacker. To protect yourself from stolen passphrases, update yours regularly (roughly every three months is recommended).
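The dictionary-attack caveat and the rules in this list can be checked mechanically. The following Python audit is an added example, not code from the original article; the thresholds and the common-word set are taken from the article's text, and the function names are hypothetical.

```python
import re

# Words the article names as common in passwords. A real check would load a
# much larger list of words seen in breached passwords (assumption).
COMMON_WORDS = {"password", "ice", "rice", "tea", "pie"}
MIN_LENGTH = 15               # article: at least 15 characters
MIN_WORDS, MAX_WORDS = 4, 8   # article: four to eight words

def split_words(passphrase):
    """Split on separators and CamelCase boundaries; return lowercase words."""
    spaced = re.sub(r"(?<=[a-z0-9])(?=[A-Z])", " ", passphrase)
    return [w.lower() for w in re.split(r"[^A-Za-z0-9]+", spaced) if w]

def audit(passphrase):
    """Return a list of findings; an empty list means no rule was violated."""
    findings = []
    words = split_words(passphrase)
    if len(passphrase) < MIN_LENGTH:
        findings.append("too short")
    if not MIN_WORDS <= len(words) <= MAX_WORDS:
        findings.append("word count outside 4-8")
    if len(set(words)) < len(words):
        findings.append("repeated word")
    common = sorted(set(words) & COMMON_WORDS)
    if common:
        findings.append("common password word: " + ", ".join(common))
    return findings

if __name__ == "__main__":
    # Sample inputs are the article's own examples.
    for sample in ("PasswordPasswordPassword", "DogIceUp",
                   "monkey plains milk Europe", "Monkey.Pl4ins.Milk.Eur0pe!"):
        print(f"{sample!r}: {audit(sample) or 'no findings'}")
```

These rules cannot recognise a well-known phrase such as “RonaldoIsTheGOAT”, which passes every check here; catching that requires a list of common phrases as well as common words.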
Why passphrases are superior to passwords
While passwords and passphrases are designed to accomplish the same goal, there are distinct differences between the two, including the following:
- Passphrases generally are easier to remember than passwords. People find it easier to remember four to eight random words that are more than 30 characters compared to a password that is typically only eight to 16 characters.
- Passphrases are more secure than passwords. Passphrases can be upwards of 100 characters, including capitalization and punctuation. Thus, a properly scripted passphrase can be significantly more difficult to guess than a password.
- Passphrases can be created that are almost impossible to crack. Although cybercriminals have an arsenal of password-cracking tools, even the most advanced tools cannot brute force a passphrase that uses random words and is of significant length. The same cannot be said for much shorter passwords.
- Applications and OSes support passphrases. Most modern OSes, applications, and services accept passwords that are more than 100 characters. Thus, passphrases could potentially replace passwords in enterprise organizations that have adopted single sign-on methodologies.