Home

 › 

Articles

 › 

What Is A Passphrase? Is It More Secure?

information security

What Is A Passphrase? Is It More Secure?

In cybersecurity, a password is a series of characters, usually around six to ten, that provides access to a computer system, online account, or other data. If you need more security than that, you might consider using a passphrase, which is a collection of words or acronyms used to secure data.

What Are the Technical Specifications of a Passphrase?

A passphrase is a selection of digital characters longer than a typical password for added security. Generally, passphrases can be distinguished from passwords in that they contain multiple words or acronyms representing various words present in a sentence or other sequence.

For instance, you could make your passphrase “TheQuickBrownFoxJumpsOverTheLazyDog” or shorten that sentence to “TQBFJPOTLD,” representing the same sentence with fewer characters.

How Secure Are Passphrases?

One must consider several factors when determining whether passphrases are deemed secure. One is the entropy of the language the password is written in. However, length is statistically the most influential factor in passphrase security. 

While the available character set influences the number of possible character combinations one would theoretically have to try before successfully brute-forcing a passphrase, the sequence length is, statistically, most important; simply put, the most secure passphrases are the longest.

Consider, for instance, the passphrase “IamtheCapitanofthePina4.” The National Institute of Standards and Technology (NIST) considers this passphrase to have an estimated 45-bit strength. The calculation doesn’t, however, take into account the fact that this passphrase is a prevalent quote from H.M.S. Pinafore. Information from crackstation.net shows that this phrase is found in cracking databases, and an MD5 hash of this passphrase can be brute-forced in just four seconds.

NIST’s password guidelines recommend a bit-strength of 80 bits for high-security, non-military passwords. Using their traditional algorithm, it would require the passphrase to be 58 characters long to achieve this.

However, there is also some debate on whether NIST’s equation is correct. For instance, you can calculate the entropy of characters in five-letter words to have 2.3 bits of strength. Thus, 80 bits would only require 35 characters.

Language Entropy and Passphrase Security

passphrase
Passphrases can suffer from a degradation of security due to language entropy.

Another consideration of passphrase entropy is natural human language, which can be analyzed and accounted for by cracking programs. Consider again the passphrase, “IamtheCapitanofthePina4.” While the raw entropy of this sequence might be 45 bits, the functional security of it is lowered because the phrase is a common-knowledge quote.

Other common knowledge quotes will be similarly easy for brute-force hackers to guess. Additionally, there are considerations for natural language. Consider English spelling rules, such as “I before E, except after C” or that U will always follow the letter Q in natural English spelling.

These rules make it easier to guess the following letter in a sequence using machine learning. For instance, if the current letter in the sequence is E, you can tell a machine to try the letter I before other options. This predicted sequence will often be successful if the word is in English. You can even have the program take the other letters besides just the immediate preceding one into account.

How Do Passphrases Compare to Passwords?

The difference between a passphrase and a standard password is not nominal. While passphrases have a varying level of security dependent on language entropy and length, they are generally more secure than a traditional password.

However, passphrases also have some notable security flaws, namely the susceptibility to hardcopy theft through phrase and quote dictionaries. Following best practice guidelines for creating a passphrase or using a password generator can improve your data security.

Best Practices for Selecting a Passphrase

  • Not a quote from literature, holy books, movies, etc.
  • Has not appeared in a publication
  • Difficult to guess by intuition, even if you know the user well
  • Easy to remember and type accurately
  • Long enough to be difficult to guess
  • Not reused between sites or applications
  • Memorable encoding can be used based on the user’s personal knowledge level
Lock the phone with a password for mobile cybersecurity or a password to confirm login in the online banking application. Cyber security threats. Laptop and smartphone.
Follow best practice guidelines for creating a passphrase if you want to improve your data security.

Methods of Choosing a Passphrase

One common method of choosing a passphrase is known as diceware. This method uses dice to choose words from a random list. It doesn’t violate the “not found in a dictionary” rule because it is based on the list from which you choose the words, not the secrecy of the words themselves.

For instance, if you have a list of 7,776 words and throw five dice to choose words from the list, you’ll end up with a password with around 78 bits of entropy. 

Another possible method is to choose two phrases that are not relevant to each other. Then, turn one phrase into an acronym and use that acronym to replace one of the words in the other phrase.

Frequently Asked Questions

What is a passphrase?

A passphrase is a sequence of alphanumeric and special characters used to secure data.

What makes a passphrase different from a password?

A passphrase typically has multiple words or letters representing words (an acronym) and is longer than a password.

Are passphrases more secure than passwords?

Assuming best practices are followed, passphrases are more secure than passwords.

How do I choose a passphrase?

There are many methods of choosing a random collection of words for your passphrase, including diceware and making acronyms.

How do I remember my passphrase?

Word matrices and the method of loci are common ways people remember passphrases without sacrificing security by writing them down. Additionally, you can forgo the memory process entirely by using a password manager like Bitwarden.

To top