Password Vs. Passphrase – When & What To Use?

When it comes to secrets, the most popular kind, and the one used most often online, is the password.

As people dig deeper into internet and computer security, they also learn about passphrases. People tend to learn about passphrases when they start using a password manager and need to make a master password, or when they see them in the manager’s generator.

Passwords and passphrases are very similar but also very different things, so many people wonder which one they should use, and when.

We’ll go over the difference between a password and a passphrase and tell you when you should use each one.

What Is A Password?

Merriam-Webster defines a password in relation to computers as:

A sequence of characters required for access to a computer system

https://www.merriam-webster.com/dictionary/password

Some examples of passwords:

  1. P@assword123
  2. Dragon12
  3. QDo77VxTLvkwVT
  4. $]z\S%:x+^T”[9;&d=
  5. eeuytnorx52yeyn35r9cn752rho52r

A password is what most people know and use most often. Most people use a single word and often add numbers or make substitutions (“a” for “@”).

Password examples one and two above are not ideal and should be avoided, as they’re too simple and have been in breaches before.

Passwords three to five are ideal, as they’re all randomly generated, long, and complex. To make this easy, you should use a password manager, but if you use a password manager you need to make a master password. When making a master password, you should use a passphrase, so what is a passphrase?

What Is A Passphrase?

Merriam-Webster does not have a definition of passphrase, but Google does:

A string of words that must be used to gain access to a computer system or service.

Some examples of a passphrase:

  1. gusty-distrust-pug-deflation
  2. Laborer4-Backslid-Coziness
  3. kingdom error company purse pool song alpha resemble talk slice pepper credit
  4. UnsoldUnlovingFlatwareCleanCalciumSpur
  5. OunceEstimate360Kleenex

A passphrase is very similar to a password, but what makes it different is the use of multiple words. Some definitions say a passphrase is a longer password, which is somewhat correct, but not fully.

To me, a passphrase is a password that uses more than one word.

So “CopyBoaster” would be a passphrase, a weak passphrase, but one for sure. It’s also long, 12 characters long, so it does follow the other definition that some like to use. “ArtCarBat” would also be a passphrase, but it’s only 9 characters long, and if “ArtCarBat” was randomly generated it would be more secure than “CopyBoaster” (excluding brute-force character guessing), so you can see how going off only length is not a good definition.

Also, a passphrase is easier to type, say and remember compared to a password.

As you can see, a passphrase and a password are very similar, so it’s common to see people use them interchangeably. I’m guilty of this myself, as I see a passphrase as just another type of password. We also have alphanumeric, numeric, hexadecimal and more in the password family. There are many flavors of passwords, so I see no harm in using the general term of “password”.

So, why would you use a passphrase? When should you use a passphrase?

Password Vs. Passphrase

When you should use a passphrase or password is very simple to determine.

If you ever need to enter it manually, use a passphrase; for everything else, use a password.

The big advantage that a passphrase has over a password is that it is easier to type, say, see and remember.

A passphrase is perfect for:

  1. Master password to your password manager.
  2. Security Questions.
  3. Netflix password.
  4. Cryptocurrencies.
  5. Email password.

If you think you’ll need to manually enter a password, then you should use a passphrase. This is especially true if you need to remember the password, as a passphrase will be far easier.

You have to remember and type in your master password, so a passphrase is needed, and we go over that here.

Security questions are still a thing, and saying “W7u^J@~wq2hfhrESHLi7Hm@z#LRqj5” over the phone is a lot harder than “UnboltedScrounger900”.

Some services make you enter your password over difficult mediums, like your TV remote, and entering “Band86Vacancy” on your TV remote will be easier than “HY3f!ur?qCjUYxbS9VR#pb”.

One account that is often overlooked and should have a passphrase is your email account. Sometimes you won’t have your password manager able to fill the password, especially when setting up a new device, so using a passphrase is smart with your email accounts.

Can I Use Passphrase For Everything?

A passphrase is just another type of password, so you could use them for everything.

Using a passphrase may be the best option if you prefer to use a password book, as you’ll be manually entering just about every password. Simple passphrases and complex passwords are what we use in our generator for password books here. Print that page out, keep that sheet in your password book, use it as a bookmark, and have a unique password for every account.

The most important thing is that you don’t reuse passwords. You need to treat passwords like they’re disposable.

You can run into problems with using a passphrase, as some websites will limit the character count.

With passphrases, it’s easy to go over 20 characters. That is quite a feat when most people have passwords under 10 characters, and for some silly reason some webmasters limit passwords to even lower numbers. So be aware of the character limits of some websites when using a passphrase.

Are Passphrases More Secure?

A passphrase tends to be longer than a password, so many consider it more secure and stronger.

This is not always the case: “iloveyou” is a passphrase, but a very bad one. According to HaveIBeenPwned it’s been seen 2,330,348 times, while “RecolorJava” has not.

So what matters the most is the uniqueness of the passphrase, and that is best left to passphrase generators. Also, using more words is better, but not every passphrase needs to be long. Netflix doesn’t need as many words as your bank or email password, as it’s not as valuable. So the more valuable the thing, the more random words you should use.

It also depends on how the password is stored. If you’re using a password manager you can get away with 4 to 5 random diceware words, as password managers use slow hashing algorithms to better secure your password. If a service doesn’t use slow hashing, then you need 6 or more words to be safe.

But is a passphrase more secure than a password? I would say no because you can have more entropy per character when it comes to passwords.

“Backpedal-Carnival-Veto-Cache” has more characters than “$SNiQ^Yk3%cstKni$~yM”, but it has nearly half the entropy. The more entropy, the stronger (more random) the password.
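To make the entropy comparison above concrete, and to show why the earlier paragraph lets you use fewer words when the service uses slow hashing, here is an added Python example that is not from the original article. It assumes a 7776-word Diceware list, a 95-character printable alphabet, and guess rates of 1e11/s against a fast hash and 1e4/s against a slow one; all of these are assumptions, and the short wordlist is a constructed sample.

```python
import math
import secrets

# Constructed sample wordlist for the demo; a real Diceware list has 7776 words.
SAMPLE_WORDS = ["backpedal", "carnival", "veto", "cache",
                "kingdom", "error", "company", "purse"]
DICEWARE_LIST_SIZE = 7776   # 6^5 outcomes of rolling five dice
PRINTABLE_ASCII = 95        # printable US-keyboard characters (assumed alphabet)
SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from a pool of `pool_size`."""
    return length * math.log2(pool_size)


def passphrase_entropy(words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Each Diceware word contributes log2(7776), about 12.9 bits."""
    return entropy_bits(list_size, words)


def password_entropy(chars: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Each random printable character contributes log2(95), about 6.6 bits."""
    return entropy_bits(alphabet, chars)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility at a given guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(words: int, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Pick words with the OS CSPRNG; secrets.choice is uniform, random.choice is not safe."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    four_words = passphrase_entropy(4)    # ~51.7 bits for a 4-word Diceware passphrase
    twenty_chars = password_entropy(20)   # ~131.4 bits for 20 random printable characters
    print(f"4 Diceware words: {four_words:.1f} bits; 20 random chars: {twenty_chars:.1f} bits")
    # Assumed guess rates: 1e11/s for a fast unsalted hash, 1e4/s for a slow KDF.
    for label, rate in (("fast hash", 1e11), ("slow hash", 1e4)):
        for n in (4, 5, 6):
            years = years_to_exhaust(passphrase_entropy(n), rate)
            print(f"{n} words vs {label}: {years:.2g} years")
    print("sample:", generate_passphrase(4))
```

The printed table shows that the same 4-word passphrase that survives for millennia behind a slow hash falls in hours against a fast one, which is the reason the article asks for 6 or more words when the service’s hashing is unknown.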

If you never have to manually type it and want the most secure option, go with a password over a passphrase.

Are Longer Passphrases Better?

Longer passphrases are generally better, but length is not the most important factor: uniqueness comes before length!

When creating a passphrase it needs to be unique first, then you worry about the length, while complexity is just fluff.

I know people like to say length is the most important, but it’s not. When you ignore uniqueness you end up with people using phrases from books, songs, poems, and other works. Even when people try to be clever and use different languages, often obscure languages, it’s still not good enough.

One prime example of this is a guy who used a Bitcoin brain wallet passphrase with a line from an obscure poem in Afrikaans. His passphrase was long, it was a line from a poem, but it was not unique, and he lost his money! We have several other examples of this with people using lines from the Bible or Harry Potter books; don’t ever use phrases that could be easily “googled”.

When I say unique, I mean random. The ideal passphrase is one you did not create and instead let a passphrase generator create for you.

Once you have a unique passphrase, then you worry about length. The more important thing you want to protect, the longer the passphrase.

As for complexity, swapping an “a” for an “@” is just fluff and only makes your life harder. Your passphrase will be slightly more secure, but the time would be better spent adding just one more word than making the passphrase harder to type. Think about it: adding one more word makes the passphrase exponentially stronger, and you won’t have to remember that you swapped all the “a” with an “@” and all the “i” with a “1”.
