A passphrase is a sentence-like string of words used for authentication that is longer than a traditional password, easy to remember and difficult to crack. Typical passwords average 8 to 16 characters, while passphrases can reach up to 100 characters in length.

Using a long passphrase instead of a short password to create a digital signature is one of many ways that users can strengthen the security of their data, devices and accounts. The longer a password is, the more bits of entropy it is likely to contain, which makes it less predictable to a potential attacker. As more websites increase their user security requirements, a passphrase is a fast and easy way to meet longer lists of criteria. For example, Phil Zimmermann's popular encryption program, Pretty Good Privacy, requires a passphrase when you sign or decrypt a message.

The shorter and more common a password, the easier it is for hackers to use a brute force attack (trying many combinations over and over) to break into a system. Adding just one character to a password multiplies the number of combinations an attacker has to try, so security grows exponentially with length. Encouraging password creators to use full phrases therefore has a strong positive impact on security.
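
The brute force reasoning above can be made concrete with a small estimator. This is an added example, not part of the original page; the sample strings are constructed and the guess rate of 10 billion per second is an assumption.

```python
import math
import string

# Character pools an exhaustive brute force search must cover, by class.
POOLS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "punct": string.punctuation,
    "space": " ",
}

def pool_size(secret: str) -> int:
    """Size of the alphabet implied by the character classes present."""
    size = sum(len(chars) for chars in POOLS.values()
               if any(c in chars for c in secret))
    # Characters outside every pool (e.g. non-ASCII) count as one symbol each.
    extra = {c for c in secret if not any(c in p for p in POOLS.values())}
    return size + len(extra)

def brute_force_bits(secret: str) -> float:
    """Upper bound on entropy in bits: log2(pool_size ** length)."""
    if not secret:
        return 0.0
    return len(secret) * math.log2(pool_size(secret))

def years_to_exhaust(secret: str, guesses_per_second: float = 1e10) -> float:
    """Years to try every combination at an assumed guess rate."""
    try:
        seconds = 2 ** brute_force_bits(secret) / guesses_per_second
    except OverflowError:  # keyspace too large for a float
        return math.inf
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    # Constructed samples, not real credentials.
    for s in ["Winter19x", "Winter19x!", "purple Otters juggle 7 lamps!"]:
        print(f"{len(s):3d} chars  pool={pool_size(s):3d}  "
              f"{brute_force_bits(s):6.1f} bits  "
              f"{years_to_exhaust(s):.3g} years")
```

The figures are an upper bound that assumes every character is chosen at random. A common phrase can be guessed from a word list far sooner, which is why the phrase itself should be uncommon.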

Passphrase best practices

Best practices that individual users can follow to make passphrases as secure as possible include:

  • Using an easy-to-remember but uncommon phrase.
  • Adding spaces.
  • Using capital letters, or making certain words all capitalized letters.
  • Adding punctuation.
  • Using unusual or abbreviated spellings of words.
  • Replacing some letters with numbers.

This was last updated in March 2019
