Identity And Access Management

Cybersecurity Tips: Passphrase vs Password

December 09, 2022

Are passphrases more secure than passwords? The simple answer is yes. Passphrases give businesses another layer of security that passwords can't, especially when up against cybercriminals today who have modern tools to crack simple or short passwords.

Let’s go a little deeper into it with this blog post and give you a complete understanding of why it’s important to think carefully about the way we use passwords.

Human Error and Cybersecurity

You can use every solution in the world, and it still won’t matter if someone clicks enough times on the wrong kind of link.

The unfortunate reality is that human error plays a critical role in successful cyberattacks.

When cybercriminals perform attacks, they often send out thousands (often millions) of spam messages in an attempt to fool someone into following a malicious link.

All it takes for them to succeed is for one person to fall for their scam, which happens on an all-too-regular basis.

Once something malicious has been clicked or downloaded, the hacker has a number of ways to breach that end user’s device—including tactics such as installing a keylogger to determine their password.

They can then access sensitive personal or business data by logging in at will and stealing information.

This is a common way organizations are breached and continues to be a major problem today.

52% of companies acknowledge staff are their biggest weakness to security.

But it’s not as simple as the employee being at fault.

For example, if their password is stolen, an organization that has implemented multifactor authentication (MFA) will find that the hacker—even with a password—can’t do anything with it, and so the breach is prevented.

In this way, it’s crucial not to play a blame game, but rather to do everything possible to give employees the best chance of not falling victim to attack—MFA is a common way of doing this.

Weak Credentials Are Key

Now to the question: are passphrases more secure than passwords?

Absolutely. Passphrases, a combination of several words to form one password, are far more complex and impenetrable than a simple password.

37% of credential theft breaches use stolen or weak credentials.

A not insubstantial number of data breaches occur primarily because of a simple lack of strong passwords—often because the company policy doesn’t enforce strong credentials.


What Is a Passphrase?

A passphrase, as we noted, has several words combined to make up a single password.

They are longer than typical passwords and because of this are far more complex and difficult to crack.

Passphrases are usually something the end user can easily remember, even if the words themselves make little sense.

It’s recommended when creating a passphrase not to use a common phrase. “mydogiscalledharry” would be an example of a poor passphrase—it may be determined from knowing the user and forms a complete sentence.

A better example would be a number of words that bear no relation to each other, but that the user is capable of remembering easily. An example of this would be something like “socrateslifestylecookiegrandson”.

It might seem like a bad idea to use random words for your passphrase, but in actual fact these types of passwords are far more secure than a simple word with a number or punctuation mark after it.

Why Are Passphrases Important?

Simple passwords are not as secure today as they once were, and yet many people still use them, despite the risks of being breached.

91% of respondents understand the risks of using the same password across multiple accounts, but 59% do it anyway.

Nearly two-thirds of people use the same password for their accounts, most of which contain extremely sensitive data which is valuable to cybercriminals.

Simply adopting newer techniques like passphrases instead of one-word passwords is an easy way of heading off potential attacks.

Why is a Passphrase Better Than a Password?

Passphrases are more secure than passwords. It’s really that simple and even NIST agrees. Here’s why:

  1. Passphrases are easier to remember for users without sacrificing security. When using passwords, users tend to create ones that are easy to remember by simplifying them or reusing old ones, which is not recommended. Passphrases can easily satisfy complexity requirements without being impossible to remember.
  2. Passphrases are harder for cybercriminals to crack using brute force attacks because they’re longer.
  3. Passwords are easier to guess as most people tend to pick words they can remember or things that are highly related to them, like pets, family members, or locations.

Brute Force Attacks

When cybercriminals look to hack someone’s account, they don’t sit there typing in different combinations of a password; they get a computer algorithm to do it for them.

The algorithm will test tens of millions of combinations again and again until eventually the password is cracked.

The simpler the password, the quicker this process is.

This is referred to as a brute-force attack and is very common today.

Over 80% of breaches caused by hacking involve brute force or the use of lost or stolen credentials.

With brute-force hacking, what determines the success or failure of a password is its length, rather than the variety of the characters used.

Take a look at this useful chart, created by Hive Systems, which shows how powerful different types of passwords are.

What Hive’s chart shows is that passphrases are considerably more effective at protecting users than passwords.

Take a seven-character password that includes uppercase letters, lowercase letters, numbers, and punctuation. This can be cracked in about six minutes using the brute-force method of attack, despite containing such a variety of characters.

Compare this to a passphrase consisting of only lowercase letters—no upper case, no numbers, nothing else. The only difference is that it has double the number of characters, this time at 14 instead of seven—this would take 51 years to hack with brute-force.

Six minutes versus 51 years! The power of passphrases!
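
An added example, not from the original post or from Hive Systems: the length-versus-character-set comparison above expressed as search-space sizes, extended to the case where guesses are made word by word from a known list. The 7776-word list size, the sample words and the guess rate are assumptions, so the printed times will not match the chart's figures.

```python
import math
import secrets

# Constructed sample list for this demo only. A real generator needs a list of
# thousands of words (7776 is assumed below) so each word adds ~12.9 bits.
SAMPLE_WORDS = ["socrates", "lifestyle", "cookie", "grandson", "harbor",
                "velvet", "tundra", "pencil", "orbit", "mango", "quartz",
                "ladder", "bishop", "canyon", "drizzle", "ember"]

def charset_size(password):
    """Alphabet a character-by-character brute force has to cover."""
    size = 0
    size += 26 if any(c.islower() for c in password) else 0
    size += 26 if any(c.isupper() for c in password) else 0
    size += 10 if any(c.isdigit() for c in password) else 0
    size += 33 if any(not c.isalnum() for c in password) else 0  # ASCII symbols + space
    return size

def char_bits(password):
    """Search space in bits for character-level guessing."""
    return len(password) * math.log2(charset_size(password))

def word_bits(num_words, wordlist_size):
    """Search space in bits when whole words are guessed from a known list."""
    return num_words * math.log2(wordlist_size)

def effective_bits(password, num_words=None, wordlist_size=None):
    """The cheaper guessing strategy sets the real strength, so take the minimum."""
    bits = char_bits(password)
    if num_words and wordlist_size:
        bits = min(bits, word_bits(num_words, wordlist_size))
    return bits

def generate_passphrase(words, count=4):
    """Choose words with a CSPRNG; words a person picks are not uniformly random."""
    return "".join(secrets.choice(words) for _ in range(count))

def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    rate = 1e11  # assumed guesses per second, not a figure from the chart
    cases = [("aB3$xY9", None), ("qzvmtkwhrxbdla", None),
             ("socrateslifestylecookiegrandson", 4)]
    for pw, n in cases:
        bits = effective_bits(pw, n, 7776 if n else None)
        print(f"{pw:32} {bits:6.1f} bits  {years_to_exhaust(bits, rate):.3g} years")
    print(generate_passphrase(SAMPLE_WORDS))
```

Under these assumptions the four-word passphrase (about 51.7 bits) sits between the seven-character mixed password (about 46.0 bits) and 14 random lowercase letters (about 65.8 bits), because a word-level guesser ignores its 31-character length.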

Password Length vs Complexity: NIST’s Recommendations for Creating Strong Passphrases

According to NIST, password length is more important than complexity. Simply put, it’s easier for cybercriminals to crack a shorter passphrase, even if it’s a highly complex series of symbols, numbers, and letters.

But adding complexity to your long passwords is still recommended, and the best practice is to create a long AND complex password. Include a mix of uppercase and lowercase letters, numbers, and symbols in your long passphrase to make it as hard as possible for brute-force attacks to figure it out.

Additionally, there are some general best practices to follow to keep your passphrases as secure as possible.

General Recommendations for Passphrase Security

To help you create stronger passphrases, here are some general guidelines to follow to avoid common pitfalls in passphrase security:

  • Don’t choose song lyrics or a common phrase or saying
  • Consider nonsensical or random words
  • Use as many different words as possible
  • Remember: passphrases do not need to make sense or follow grammar rules. Get creative!

FBI Recommendation

Finally, we have the FBI’s recommendation on the use of passphrases for businesses.

The FBI launched a project called Protected Voices, the intention of which was to provide cybersecurity recommendations to political campaigns operating in the US.

The project called for passphrases and multifactor authentication to be used in order to best ensure that sensitive data was protected effectively.

In a video from their Protected Voices initiative, which seeks to provide cybersecurity recommendations to political campaigns across various functions, passphrases were strongly advised to improve their security and protect data.

Guidance from the National Institute of Standards and Technology, or NIST, advises that password length is much more beneficial than complexity. – FBI, Protected Voices: Passphrases and Multifactor Authentication

In Conclusion

Establishing proper passphrase management protocols in an organization is a major step toward being more secure. It’s important for everyone within an organization to understand the benefits of passphrases, why passwords can be such a huge vulnerability, and how it can impact the entire company if a password is cracked by a cybercriminal.

With cyberattacks on the rise, businesses should go the extra mile when protecting their network from unwanted visitors. Passphrases are just one step toward stronger identity and access management in an organization. Protecting the ways in which people access your network is a critical layer in a complete cybersecurity strategy that goes beyond passphrases.

Learn more about some key identity protection best practices in our blog, 5 Identity and Access Management Best Practices.