Skip to Content

Identity And Access Management

Password vs. Passphrase: Which Is More Secure?

May 04, 2023

7 minutes

A blue keyboard with blank gray keys.

“Instead of using a short, complex password that is hard to remember, consider using a longer passphrase.” – Federal Bureau of Investigations

Are passphrases more secure than passwords? The simple answer is yes, but let’s go into a little detail in this blog post and give you a full understanding of why it’s important to think more carefully about the way we use passwords.

An infographic with statistics about password usage among average users.

Additionally, since World Password Day is celebrated on May 4th, we encourage all readers and organizations to update any password by changing them to robust passphrases and implementing MFA (multi-factor authentication) to improve your cybersecurity.

If you’d first like to learn about all the different factors affecting an organization’s cybersecurity, download The State of Cybersecurity for Small Businesses eBook.

What Is a Password?

A password is a string of characters used to authenticate or verify the identity of a user who is trying to access a computer system, device, or account. Passwords are typically created by the user and are kept confidential in order to prevent unauthorized access to sensitive information or resources.

In order to ensure security, passwords should be complex, long (use at least 16 characters) unique, and changed regularly to prevent them from being guessed or hacked.

A passphrase acts like a password but is longer and better for a number of reasons.

What Is a Passphrase?

A passphrase is a sequence of words, rather than just a single word, used as a security measure for authentication or encryption purposes.

Passphrases are similar to passwords in that they are secret and used to verify the identity of a user or protect sensitive information. However, passphrases tend to be longer and more complex than traditional passwords, making them more difficult for hackers to guess or crack.

Unlike passwords, which are typically shorter and more straightforward, passphrases are often easier to remember and more user-friendly, making them a popular choice for secure authentication and encryption methods.

For example, of a strong passphrase made up of four random words can look like “GreenSharkLovesSkating5!” This passphrase works because:

  • It has a reference only the individual user will remember
  • It is difficult to guess and will not appear in a common password database
  • It uses symbols and numbers
  • It is longer than 16 characters

It might seem like a bad idea to use random words for your passphrase, but in actual fact these types of passwords are far more secure than a simple word with a number or punctuation mark after it.

Why Are Passphrases Important?

Simple passwords are not as secure today as they once were, and yet many people still use them every day despite the risks of being breached.

91% of respondents understand the risks of using the same password across multiple accounts, but 59% do it anyway.

Nearly two-thirds of people use the same password for their accounts, most of which contain extremely sensitive data which is valuable to cybercriminals.

Simply adopting newer techniques like passphrases instead of one-word passwords is an easy way of heading off potential attacks.

Human Error and Cybersecurity

You can use every solution in the world, and it still won’t matter if someone clicks enough times on the wrong kind of link.

The unfortunate reality is that human error plays a critical role in successful cyberattacks. When cybercriminals perform attacks, they send out thousands (or even millions) of spam messages in an attempt to fool someone into following a malicious link. All it takes for them to succeed is for one person to fall for their scam, which happens on an all-too-regular basis.

Once something malicious has been clicked or downloaded, the hacker has a number of ways to breach that end user’s device—including tactics like installing a keylogger to determine their password. They can then access sensitive personal or business data by logging in at will and stealing information.

This is a common way organizations are breached and continues to be a major problem today. 52% of companies acknowledge staff are their biggest weakness to security.

But it’s not as simple as the employee being at fault. For example, if their password is stolen, an organization that has implemented multifactor authentication (MFA) will find that the hacker—even with a password—can’t do anything with it, and so the breach is prevented.

In this way, it’s crucial not to play a blame game, but rather to do everything possible to give employees the best chance of not falling victim to attack—MFA is a common way of doing this

Weak Credentials Are Key

Now to the question of are passphrases more secure than passwords?

Absolutely. Passphrases, a combination of several words to form one password, are far more complex and impenetrable than a simple password.

37% of credential theft breaches use stolen or weak credentials.

A substantial number of data breaches occur primarily due to a simple lack of strong passwords—often because the company policy doesn’t enforce strong credentials.

Brute Force Attacks

When cybercriminals look to hack someone’s account, they don’t sit there typing in different combinations of a password. They get a computer algorithm to do it for them.

The algorithm will test tens of millions of combinations again and again until eventually the password is cracked.

The simpler the password, the quicker this process is. This is referred to as a brute-force attack and is very common today.

Over 80% of breaches caused by hacking involve brute force or the use of lost or stolen credentials.

With brute-force hacking, what determines the success or failure of a password is its length, rather than the variety of the characters used.

FBI Recommendation

Finally, we have the FBI’s recommendation on the use of passphrases for businesses.

The FBI launched a project called Protective Voices, the intention of which was to provide cybersecurity recommendations to political campaigns operating in the US.

The project called for passphrases and multifactor authentication to be used in order to best ensure that sensitive data was protected effectively. Passphrases were strongly advised to improve their security and protect data.

As we can see from the FBI's recommendation to campaigns who store so much secretive and sensitive data, passphrases work and should be used by every organization.

Bottom Line

Cyberattacks have been increasing in volume and sophistication as of the last few years.

Because of this, many passwords and habits employed by end users today are not fit for purpose, and therefore more secure passphrases are strongly advised in order to lessen the chances that they are hacked.

Businesses should strongly consider implementing MFA and passphrase policies for their staff to give cybercriminals the smallest chance of success possible.

To discover other factors affecting the cybersecurity of businesses, download DOT Security's report, The State of Cybersecurity for Small Businesses.