Passwords vs. passphrases: Which one should you use?

Passwords have always been the standard when it comes to securing online accounts. For decades, information security experts have promoted the use of complex passwords that contain random letters, numbers, and special characters, such as “h0r5E$Ho3s+ICk”. However, through brute-force attacks and other nefarious tactics, cybercriminals can now easily guess even these types of passwords, jeopardizing data security more than ever.

This trend forced the National Institute of Standards and Technology (NIST) to recommend new guidelines, one of which is turning away from hard-to-guess passwords. They are now recommending the use of “passphrases” to better secure online accounts.

What’s a passphrase?

A passphrase is a type of password that uses a series of dictionary words, either separated by spaces or combined into one string (e.g., “correcthorsebatterystaple”). While passphrases typically contain more characters than passwords, they give the user fewer components to remember.

For instance, let’s analyze the password “h0r5E$Ho3s+ICk”. It mixes random letters, numbers, and special characters. A user also has to remember whether a certain letter is in uppercase or lowercase, and whether they used a number or special character in place of a letter. On paper, this password can be harder to hack, but it is also harder to memorize.

To work around this, some people inevitably use simple words, names, and birthdates, and swap out letters with similar-looking characters. Cybercriminals are well aware of this behavior and have found a way to crack these passwords in a matter of seconds.

A passphrase aims to make remembering passwords easier for the user while still coming up with a secure string of text. To make a secure passphrase, it is generally recommended to come up with a string that contains four random words like “summermiracleshortfreckle”. Because it contains unrelated terms, it is harder for cybercriminals to crack.

Are passphrases safer?

Yes and no. Because passphrases deviate from the decades-old advice of coming up with a password that contains letters, numbers, and special characters, they could be more secure if they contain random dictionary words.

This isn’t always the case, however. For instance, a 20-character password consisting of random letters and numbers is much stronger than a four-word passphrase composed of common words. The former cannot be dictionary-attacked and will take the hackers a very long time to crack.

Which one should you use?

In theory, passphrases should be the better choice for securing accounts, as they are less likely to be guessed by hackers. However, a passphrase is not secure simply because it is made of dictionary words. According to a study by Cambridge University, a significant percentage of passphrases used in a real-world scenario were easy to guess, as some users had a tendency to pick phrases that are part of the usual lexicon, making them easier targets.

Here are some tips on how to create a strong passphrase:

#1. Create a passphrase with four to five words (or more).

Create a password that can’t easily be brute-forced or dictionary-attacked. Try to come up with a passphrase containing four to five words. You can add more words if you want to, but make sure it is easy to remember, as using a passphrase that’s hard to remember defeats its purpose.

#2. Choose random words.

Don’t use quotes, sayings, or any sentence that can be easily guessed by hackers. Create a passphrase containing random and unrelated words.

#3. Use unique passwords.

It can be very tempting to use one passphrase for all your online accounts. However, doing this will only give hackers easier access to all your data. Create unique passwords for each account, and make sure that they are completely unrelated to the others.
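As an added example (not part of the original article), the Python sketch below carries out tips #1 and #2 by letting a cryptographic random number generator pick the words, and puts numbers on the earlier comparison between a four-word passphrase and a 20-character random password. The sample word list is constructed for illustration, and the list sizes of 2,048 and 7,776 words are assumptions, not figures from the article.

```python
import math
import secrets
import string

# Constructed sample list, for illustration only. A real word list needs
# thousands of entries, because list size sets the entropy of each word.
SAMPLE_WORDS = ["summer", "miracle", "short", "freckle", "correct", "horse",
                "battery", "staple", "lantern", "orbit", "velvet", "canyon",
                "pickle", "thunder", "mosaic", "harbor"]

def passphrase_bits(num_words, wordlist_size):
    """Entropy in bits when every word is drawn uniformly and independently."""
    return num_words * math.log2(wordlist_size)

def password_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random character string."""
    return length * math.log2(alphabet_size)

def words_needed(target_bits, wordlist_size):
    """Smallest number of random words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))

def generate_passphrase(wordlist, num_words=4, sep=" "):
    """Tips #1 and #2: several words, chosen by a CSPRNG rather than a person."""
    words = sorted(set(wordlist))  # duplicates would skew the distribution
    if num_words < 1 or len(words) < 2:
        raise ValueError("need at least one word and a list of 2+ entries")
    return sep.join(secrets.choice(words) for _ in range(num_words))

def generate_password(length=20, alphabet=string.ascii_letters + string.digits):
    """The 20-character random letters-and-numbers password used for comparison."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    print("passphrase:", generate_passphrase(SAMPLE_WORDS, 5))
    print("password:  ", generate_password())
    for size in (2048, 7776):  # assumed list sizes, not from the article
        print(f"4 words from {size}: {passphrase_bits(4, size):.1f} bits")
    target = password_bits(20, 62)
    print(f"20 random alphanumerics: {target:.1f} bits")
    print("words from 7776 to match:", words_needed(target, 7776))
```

These figures hold only when the generator picks the words; a phrase chosen by a person, such as a quote or saying, has far less entropy than the formula gives.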

Your business deserves the best protection from cyberattacks. USWired’s cybersecurity solutions protect you from hackers looking to steal your passwords, personal data, and account details. It’s time you experience peace of mind with our cybersecurity solutions. Give us a call today.

