You’ve probably heard the word “passphrase” a time or two out there on the internet. But how is it different from a password? And is it better, worse, or the same when it comes to security?
A “passphrase” really is what it sounds like: multiple words strung together and used alongside usernames to log in to online accounts.
Sometimes, passphrases are paired with numbers and characters: for example, NirvanaTacosRaccoon#2Pencil. Seems like a secure choice because it includes upper and lowercase letters, a symbol, and a number. Plus, it’s easy to say out loud and simple to remember: favorite band, favorite food, favorite animal, favorite writing utensil. And at 27 characters, it’s certainly long enough.
Check out our personal password manager plans or get started with a free business trial.
While the passphrase above is pretty secure, the reason passwords are often the better choice comes down to entropy. Not in the thermodynamic way, but in the random way: Good passwords lack order and predictability, which is why it’s best not to use dictionary words from any language in your passwords. This randomness keeps them safe from brute force attacks, in which cybercriminals use an automated system to quickly try different combinations of passwords. They’ve got the whole dictionary—and then some—fed into these systems, which is why the best passwords aren’t words at all.
Back to entropy. In information theory, entropy is measured in bits. There’s a big complicated formula that goes along with this, but all you really need to know is the more bits of entropy in your password, the better. That means the more random it is, the stronger it is. And the best way to make it random is to take the human brain out of the equation and let a password generator do the work for you.
Let’s compare our above passphrase with a randomly generated password.
A passphrase with four random words has about 44 bits of entropy, which means it’s weak. A password with 16 random alphanumeric letters and symbols, however, has between 200 and 250 bits of entropy. This is extremely strong and extremely difficult to crack.
Some websites limit the number of characters you can use in your password or passphrase, but you’ll notice that in the above example, the shorter password is still much stronger than the longer passphrase. So even if you’re working with fewer characters, strong passwords are still the more secure choice.
If you’re still interested in using passphrases, make sure you make them as strong as possible by including multiple, unrelated words, symbols, and numbers throughout. Just don’t substitute common characters (@ for a, ! for i, and so on) because cybercriminals are wise to that, and it doesn’t slow them down for a second. And please, please, do not use the word “password” anywhere in your password. We shouldn’t even have to say this, but unfortunately, it’s still the most common password in the U.S.
If you want to make sure you’re as secure as you can be, though, stick with long, unique, and random passwords generated by and stored securely in a password manager.