What is a passphrase?

A passphrase is a sentence-like string of words used for authentication that is longer than a traditional password, easy to remember and difficult to crack. Typical passwords range, on average, from eight to 16 characters, while passphrases can reach up to 100 characters or more.

Using a long passphrase instead of a short password to create a digital signature is one of many ways that users can strengthen the security of their data, devices and accounts. The longer a passphrase is, the more bits of entropy it is likely to contain, where entropy is the unpredictability that makes it harder for a potential attacker to guess. As more websites, applications and services increase their user security requirements, a passphrase is a fast and easy way to meet these criteria. For example, Phil Zimmermann's popular encryption program, Pretty Good Privacy, or PGP, requires the use of a passphrase to sign or decrypt a message.

While passphrases can be used as a substitute for a password anywhere that longer strings of characters are accepted -- such as Windows and macOS operating systems (OSes) -- the most common use of a passphrase is as an encryption key. Because a passphrase is typically longer than a password, it provides better protection against potential attempts to guess or crack it. The use of passphrases to secure password manager applications or services is also common. This provides added security for common passwords -- or those passwords that are difficult to remember.

Comparing a password to a passphrase

There are several differences between a password and a passphrase, as shown in the graphic. Here, the example password is a single string of alphanumeric characters, while the example passphrase consists of four seemingly random words.

[Figure: Password vs. passphrase. Although passwords and passphrases are designed to accomplish the same goal, they are distinctly different.]

Why are passphrases considered superior to passwords?

While passwords and passphrases are designed to accomplish the same goal, there are distinct differences between the two, including the following:

  • Passphrases generally are easier to remember than passwords. People find it easier to remember four to eight random words that are more than 30 characters compared to a password that is typically only eight to 16 characters.
  • Passphrases are more secure than passwords. Passphrases can be upwards of 100 characters, including capitalizations and punctuation. Thus, a properly scripted passphrase can be significantly more difficult to guess than a password.
  • Passphrases can be created that are almost impossible to crack. Although cybercriminals have an arsenal of password cracking tools, even the most advanced tools are not able to brute force a passphrase that uses random words and is of significant length. The same cannot be said for passwords that are much shorter.
  • Applications and OSes support passphrases. Most modern OSes, applications and services accept passwords that are more than 100 characters. Thus, passphrases could potentially replace passwords in enterprise organizations that have adopted single sign-on methodologies.

How to use a passphrase

The best way to create a passphrase is to combine a group of words into a phrase that makes sense to the user and is easily remembered but makes no sense to anyone else. Thus, it should not use common phrases or famous quotes, as these can be guessed or cracked far more easily. Instead, passphrases should include words and punctuation that only the user would understand.

Passphrase best practices

Best practices that users can incorporate when creating strong passphrases include the following:

  • Use an easy to remember but uncommon group of four to eight words.
  • Add spaces within and between words.
  • Use capital letters or capitalize certain words.
  • Add punctuation and special characters that make sense to the user but no one else.
  • Use unusual or abbreviated spellings of words.
  • Make some letters into numbers.

Some ways of developing a passphrase include a personal story or memory specific to the user. Keywords can be used to tell this story -- but, to all others, the words seem completely random. Other methods include the use of mnemonics or random, dice-generated passwords, along with a random document or word list to select words from.
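The dice-and-word-list method mentioned above, together with the "bits of entropy" idea from the introduction, can be sketched as follows. This is an added example, not code from the original article; the 36-word list is constructed for the demo, and the 7776-entry list size (five dice per word) and the 94-character printable alphabet are assumptions used for the comparison.

```python
import math
import secrets

# Constructed 36-word demo list (6**2 entries, so two dice select one word).
# Assumption: a real dice word list has 6**5 = 7776 entries (five dice per word).
DEMO_WORDS = (
    "anchor basket cactus dolphin ember falcon garnet harbor igloo jacket "
    "kettle lantern meadow nickel orchid pebble quartz ribbon saddle timber "
    "umbrella velvet walnut yonder zipper acorn bramble cobalt drizzle easel "
    "fiddle gravel hammock inkwell juniper kayak"
).split()


def dice_to_index(rolls):
    """Map dice faces (1-6) to a list index by reading them as base-6 digits."""
    index = 0
    for face in rolls:
        if not 1 <= face <= 6:
            raise ValueError("die face must be 1-6")
        index = index * 6 + (face - 1)
    return index


def dice_per_word(list_size):
    """Number of dice needed so every word is equally likely to be picked."""
    dice, reach = 0, 1
    while reach < list_size:
        dice, reach = dice + 1, reach * 6
    if reach != list_size:
        raise ValueError("list size must be a power of 6 for unbiased dice")
    return dice


def generate_passphrase(words, n_words, sep=" "):
    """Pick n_words uniformly at random, simulating dice with a CSPRNG."""
    k = dice_per_word(len(words))
    picks = []
    for _ in range(n_words):
        rolls = [secrets.randbelow(6) + 1 for _ in range(k)]
        picks.append(words[dice_to_index(rolls)])
    return sep.join(picks)


def entropy_bits(choices_per_symbol, n_symbols):
    """Entropy of n independent, uniformly random picks from a set."""
    return n_symbols * math.log2(choices_per_symbol)


if __name__ == "__main__":
    print(generate_passphrase(DEMO_WORDS, 6))
    for n in (4, 6, 8):
        print(f"{n} words from 7776: {entropy_bits(7776, n):.1f} bits")
    for n in (8, 16):
        print(f"{n} random printable chars (94): {entropy_bits(94, n):.1f} bits")
```

The bit counts hold only when every word is picked at random as shown; they do not describe a phrase the user composed. Under these assumptions, four random words land close to an eight-character fully random password, and each additional word adds about 12.9 bits.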

Organizations can implement several digital authentication methods to safeguard their systems and users.

This was last updated in February 2022
