At this point, most people have heard the standard password advice: use a long mix of random letters, numbers, and special characters in both upper and lower case. The problem is that such passwords are hard to remember.
The average person can’t realistically memorize dozens of complex passwords without a password manager, which is one reason 61% of people reuse the same or a similar password everywhere. Even a strong password protects nothing once it’s reused: when one site is breached, every account sharing that password is exposed. That’s why this week we’re highlighting a strong and easier-to-remember alternative: passphrases.
Table of Contents
What Is a Passphrase?
How Secure Are Passphrases?
Dictionary Attacks: A Risk To Remember
Phishing Attacks Can Still Steal Your Login Info
Passwords vs. Passphrases: Comparing Their Strength
How To Write a Good Passphrase
Passphrases: Secure When Done Right
What Is a Passphrase?
A passphrase is a password built from a string of words rather than a jumble of characters. Passphrases are typically four or more words long and often read like a short sentence, which makes them easy to remember. Some people add separators, capital letters, or numbers for extra strength. Despite being simpler to recall, a passphrase that is long enough is just as hard to crack as a conventional random password.
How Secure Are Passphrases?
Their security comes from length and from the number of possible choices for each word, not from the attacker being unaware that words were used. Assume the attacker knows the construction method: even someone who knows a passphrase is five words drawn from a published list of 7,776 words still faces 7,776 to the fifth power possibilities, about 2.8 × 10^19, which is more than a 10-character fully random password offers. Dictionary attacks target exactly this word structure, so the words must come from a large pool and must not form a common phrase.
Dictionary Attacks: A Risk To Remember
A dictionary attack is a method used by hackers to break into accounts by systematically trying every entry in a list, or “dictionary,” of common words, passwords, and phrases. It exploits weak passwords that are single words or commonly used combinations, making it effective against accounts with poor password practices.
Dictionary attacks do threaten passphrases, but mainly those built from a few common words or from well-known phrases. Cracking tools routinely try every word in their lists and apply “mangling rules” such as capitalizing words and appending numbers, so those tweaks on their own add little. What defeats the attack is the number of words: each additional word multiplies the number of combinations by the size of the wordlist, so a five-word phrase from a large list is far out of reach of the same attack that cracks a two- or three-word one.
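To make this concrete, below is a small dictionary attack written for this article. It is an added example, not code from the original post or from any particular cracking tool. The wordlist and the targets are constructed for the demo, and unsalted SHA-256 stands in for whatever hash a breached site stored. The point it shows: every mangling rule (separator, capitalization, appended number) multiplies the attacker’s work by a small constant, while every extra word multiplies it by the size of the wordlist.

```python
import hashlib
import itertools
from typing import Iterator, Optional, Sequence, Tuple

# Constructed toy wordlist for the demo. Real cracking wordlists hold thousands
# to millions of entries, which is why single common words fall instantly.
WORDLIST: Sequence[str] = (
    "golden", "aspen", "maple", "tree", "giant", "red", "leaves", "fall",
    "early", "hawks", "above", "an", "oak", "forest", "fern", "the", "cat",
    "is", "hungry", "sycamore",
)

# Mangling rules: cheap transformations applied to every base candidate.
# Together they multiply the work by len(SEPARATORS) * 2 * len(SUFFIXES) = 24.
SEPARATORS = ("", "-", "_")
SUFFIXES = ("", "1", "123", "2024")


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256, standing in for the hash a breached site stored."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def candidates(words: Sequence[str], max_words: int) -> Iterator[str]:
    """Yield every phrase of 1..max_words words from the list, with mangling rules."""
    for n in range(1, max_words + 1):
        for combo in itertools.product(words, repeat=n):
            for sep in SEPARATORS:
                for cased in (combo, tuple(w.capitalize() for w in combo)):
                    base = sep.join(cased)
                    for suffix in SUFFIXES:
                        yield base + suffix


def dictionary_attack(target_hash: str, words: Sequence[str],
                      max_words: int) -> Tuple[Optional[str], int]:
    """Hash every candidate and compare. Returns (match or None, guesses made)."""
    guesses = 0
    for candidate in candidates(words, max_words):
        guesses += 1
        if sha256_hex(candidate) == target_hash:
            return candidate, guesses
    return None, guesses


def search_space(wordlist_size: int, max_words: int) -> int:
    """Base phrases of 1..max_words words; mangling multiplies this by a constant."""
    return sum(wordlist_size ** n for n in range(1, max_words + 1))


if __name__ == "__main__":
    # Two words with all three "tricks" applied: cracked in a few thousand guesses.
    print(dictionary_attack(sha256_hex("Golden-Aspen2024"), WORDLIST, max_words=2))
    # Five words: not found within a three-word budget, even on this tiny list.
    print(dictionary_attack(sha256_hex("hawksaboveanoakforest"), WORDLIST, max_words=3))
    # How the base search space grows for a real 7,776-word list.
    for n_words in range(1, 6):
        print(n_words, "words:", search_space(7776, n_words), "base phrases")
```

Run it and compare the two results: the strengthened two-word phrase is recovered, the plain five-word one is not, and the final loop shows why adding a word beats adding a number.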
Phishing Attacks Can Still Steal Your Login Info
No matter how well-written your passphrase is, phishing attacks get around it by tricking you into handing over your login details. These attacks usually arrive by email or text. The criminals may pose as a friend, a co-worker, or a well-known company and lead you to a fake website where anything you submit is captured. Besides login details, they also target credit card numbers, so treat any suspicious or unusually urgent message with care.
Passwords vs. Passphrases: Comparing Their Strength
To show how passphrases compare with different types of passwords, we’ll share how long it would take a computer to crack each one. We’ll use Bitwarden’s password strength tester to generate the estimates; its figures are on the conservative side, which makes it a good choice for comparing shorter passwords. All such estimates assume an attacker guessing at a fixed rate against a stolen password hash, so read them as relative, not absolute.
Common password | Estimated crack time | Random password | Estimated crack time | Passphrase | Estimated crack time
--- | --- | --- | --- | --- | ---
123456789 | <1 second | 6 characters: mTu6;2 | 2 minutes | 1 word: sycamore | 1 second
QWERTY | <1 second | 8 characters: Eb]Nd4G- | 3 hours | 2 words: goldenaspen | 3 minutes
P@s$w0rd | <1 second | 10 characters: X>=Duf@q4/ | 12 days | 3 words: giantmapletree | 24 days
admin | <1 second | 12 characters: K#^&Y7/@xht9 | 3 years | 4 words: redleavesfallearly | 4 years
baseball | <1 second | 14 characters: Yv}DrpCm6&y-=B | 100+ years | 5 words: hawksaboveanoakforest | 100+ years
As the table shows, longer is better. Yet 80% of people still use passwords of 11 or fewer characters. Remember, too, that cracking hardware keeps getting faster, so a password that’s ‘good enough’ today may be weak in a few years. Be thoughtful when writing them and always aim well above average.
How To Write a Good Passphrase
There are many ways to approach a passphrase. As the previous section shows, more words means more security, and each extra word helps far more than any other tweak. Hyphens between words, capital letters, and an added number help a little, mostly by defeating the simplest guessing lists.
Step 1: Create Your Passphrase
First, choose four or five words that are easy for you to remember. Originality is key: avoid popular movie quotes, song lyrics, or well-known sayings. The phrase can be as simple as something about a favorite pet or a notable life event. A mix of random, unrelated words is fine too, if you can recall them reliably.
Example: fernthecatishungry
Step 2: Strengthen Your Passphrase
A four- or five-word phrase is a good start, and adding a layer or two on top strengthens it further. Do one or more of the following:
- Capitalize the first letter of each word.
- Put a hyphen, underscore, or other character between each word.
- Add a memorable number at the end.
Example: Fern-The-Cat-Is-Hungry2024
Step 3: Test Your Passphrase
If you’re comparing several candidate passphrases, use a single strength tester for all of them so the estimates are comparable. Bitwarden gives more modest, realistic estimates, making it better for shorter passwords; Security.org has a limitless range, making it good for long ones. The two calculate strength differently, but both agree that longer passwords are better. Two caveats: testers only model blind guessing, so they will overrate a phrase built from a famous quote, and you should never type a passphrase you actually use into an online tool; test a similar throwaway instead.
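The three steps, plus the comparison from the table earlier, can also be done with a few lines of arithmetic instead of a website. The block below is an added example written for this article, not code from the original post or from any password tool. It assumes 94 printable ASCII characters for random passwords, a 7,776-word list (the size of the EFF large wordlist) for passphrases, and a hypothetical attacker making 10 billion guesses per second against a fast, stolen hash; the small wordlist is constructed so the generator runs offline. Unlike the article’s hand-picked words, the generator draws words at random so the entropy figure actually applies.

```python
import math
import secrets
from typing import List, Sequence, Tuple

# Assumption for the demo: an offline attacker testing 10 billion guesses per
# second. Real rates depend on hardware and on the hash the site used.
GUESSES_PER_SECOND = 10_000_000_000

# Reference sizes: printable ASCII for random passwords, EFF large list for words.
PRINTABLE_ASCII = 94
EFF_LARGE_LIST = 7776

# Constructed mini wordlist so the generator runs offline. A 20-word list gives
# only ~4.3 bits per word; for real use, draw from a full published list.
DEMO_WORDS: Sequence[str] = (
    "fern", "cat", "hungry", "golden", "aspen", "maple", "giant", "tree",
    "red", "leaves", "fall", "early", "hawks", "above", "oak", "forest",
    "river", "stone", "quiet", "lantern",
)


def password_bits(charset_size: int, length: int) -> float:
    """Entropy of a password whose characters are chosen uniformly at random."""
    return length * math.log2(charset_size)


def passphrase_bits(wordlist_size: int, n_words: int, random_digits: int = 0) -> float:
    """Entropy of n_words drawn uniformly from the list, plus optional random digits.

    A fixed separator and capitalizing every word are predictable, so they add
    nothing here; a hand-picked year adds only a few bits, not the ~13 of 4 random digits.
    """
    return n_words * math.log2(wordlist_size) + random_digits * math.log2(10)


def worst_case_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole search space at the assumed guess rate."""
    return 2.0 ** bits / rate


def human_time(seconds: float) -> str:
    """Round a duration to the largest convenient unit, capped at '100+ years'."""
    if seconds < 1:
        return "<1 second"
    units = (("second", 60), ("minute", 60), ("hour", 24), ("day", 365), ("year", None))
    value = seconds
    for name, per_next in units:
        if per_next is None or value < per_next:
            if name == "year" and value > 100:
                return "100+ years"
            n = max(1, round(value))
            return f"{n} {name}{'s' if n != 1 else ''}"
        value /= per_next
    return "100+ years"


def generate_passphrase(words: Sequence[str], n_words: int, separator: str = "-",
                        capitalize: bool = True, random_digits: int = 0) -> str:
    """Steps 1 and 2: pick words, then capitalize, separate, and append digits.

    Uses the secrets module (not random) so the choice is unpredictable.
    """
    chosen = [secrets.choice(words) for _ in range(n_words)]
    if capitalize:
        chosen = [w.capitalize() for w in chosen]
    phrase = separator.join(chosen)
    phrase += "".join(str(secrets.randbelow(10)) for _ in range(random_digits))
    return phrase


def comparison_rows() -> List[Tuple[str, float, str]]:
    """Step 3 by arithmetic: (label, entropy bits, worst-case crack time) rows."""
    rows = []
    for length in (6, 8, 10, 12, 14):
        bits = password_bits(PRINTABLE_ASCII, length)
        rows.append((f"{length}-char random password", bits, human_time(worst_case_seconds(bits))))
    for n in range(1, 6):
        bits = passphrase_bits(EFF_LARGE_LIST, n)
        rows.append((f"{n}-word passphrase", bits, human_time(worst_case_seconds(bits))))
    return rows


if __name__ == "__main__":
    print("Example passphrase:", generate_passphrase(DEMO_WORDS, 5, random_digits=4))
    for label, bits, when in comparison_rows():
        print(f"{label:26s} {bits:6.1f} bits  {when}")
```

The absolute times differ from the Bitwarden table because the assumed guess rate differs, but the ordering is the same: five random words from a 7,776-word list land in the same range as a 10- to 12-character random password, and each additional word adds about 13 bits.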
Passphrases: Secure When Done Right
Passphrases aren’t a catch-all solution; there is a right and a wrong way to write them. Too few words, or a phrase lifted from a popular movie, can still leave you at risk. But if you can write and remember an original four- or five-word phrase, you’re already ready to use a strong passphrase. Combine it with a password manager so that you never reuse it, and your accounts will be far better protected against many kinds of threats.