Let’s settle the password vs. passphrase debate once and for all


Several years ago, the science comic blogger Randall Munroe, otherwise known as XKCD, posted a comic comparing passwords and passphrases. The illustration attempts to demonstrate mathematically, using information theory, that passwords tend to be weaker than passphrases while also being more difficult to remember. Because of this, people use simpler passwords, write them down, or reuse them, weakening password security further.

Munroe concludes, “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”

Many people think a password is meant to protect them from someone targeting them specifically. That’s usually not how people get hacked, though.

When you create an online account, the company stores your password in encrypted form on its servers. If hackers get their hands on that password database, it’s only a matter of running password-guessing programs against the list to see which guesses match. There are computers that can guess hundreds of billions of passwords per second, though companies typically use encryption methods that slow down the guessing process.

What is a passphrase?

While everybody knows what a password is, fewer people know about passphrases. A passphrase is a kind of password made up of a series of words, separated by spaces or not (it doesn’t really matter). “correcthorsebatterystaple” is the passphrase in the comic. Although passphrases often contain more characters than passwords do, they contain fewer “components” (four words instead of, say, 12 random characters). This makes passphrases easier to remember, typically with the help of a mnemonic device.

A passphrase is more secure… sometimes

After the XKCD comic came out, there was a wave of discussion online about whether the advice was correct. Much of the debate centered on the amount of entropy each of his examples contained. Entropy is a concept from information theory that refers to the amount of randomness contained in a password. Generally, the more randomness a password contains, the harder it is to crack. This is why longer passwords are favored: they presumably contain more “randomness.”

XKCD assumes the attacker knows the user has generated the passphrase by choosing four of the most common dictionary words (the top 2,048 in this example) at random. Even so, the passphrase contains more entropy than the password. There are only 94 possible options for each password character, meaning less uncertainty per character. So, mathematically speaking, a passphrase can be more secure.

But not always. By lengthening the password or adding words to the passphrase, you can increase the entropy. For example, a 20-character password consisting of random lower-case letters is much stronger than a four-word passphrase composed of common words. Such a password cannot be dictionary attacked, so it must be brute-forced, which would take modern computers billions of years.

AviD’s Rule of Usability

But XKCD’s argument is not primarily about mathematics. It’s about how to create the most secure systems possible in light of human imperfections.

For decades, the advice from information security experts was to change your passwords frequently and use numbers, capitals, and special characters. But we humans are bad at creating randomness, and we’re bad at remembering things. So inevitably people used simple words, names, birthdates, and sayings, swapping out letters with similar-looking special characters. Hackers can crack these kinds of passwords in a matter of seconds.

In an effort to make secure systems, the prevailing password advice actually made the systems less secure. Or, as the user AviD now-famously put it on Stack Exchange, responding to the XKCD comic: “Security at the expense of usability comes at the expense of security.” In other words, if your “secure system” isn’t easy to use, people won’t use it, negating the security benefit. (This is actually the founding principle of Proton Mail.)

Our recommendation on the password vs. passphrase debate

Both passwords and passphrases can be secure, and if you are using a password manager, the security and usability differences between passwords and passphrases will not be significant. However, if you are setting a password that you must remember by heart, for usability reasons, we recommend using passphrases.

When you use passphrases, also keep the following in mind:

  • Four words should be sufficient. Five words is better.
  • Don’t choose from the most common words, and don’t choose quotes or sayings. The words should be as random as possible.
  • Use a unique passphrase for every account you own. That way, if one passphrase is ever exposed, the other accounts remain secure.
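As an added illustration (not code from the original article), the Python below works through the entropy arithmetic behind the comparison above and generates a passphrase the way the recommendations describe. The 1e11 guesses/second rate and the 7,776-word list size are assumptions, and the word list at the bottom is constructed for the demo.

```python
import math
import secrets

# Assumption: the article says "hundreds of billions of guesses per second";
# 1e11 guesses/s is used here as a round figure for the time estimates.
GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, components: int) -> float:
    """Entropy in bits of a secret made of `components` independent choices,
    each drawn uniformly from `alphabet_size` options: log2 of the search space."""
    return components * math.log2(alphabet_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every candidate in a space of 2**bits guesses."""
    return (2 ** bits) / rate / SECONDS_PER_YEAR


def compare_schemes() -> dict:
    """Entropy (bits) of the schemes discussed in the article."""
    return {
        # XKCD: four words chosen from the 2,048 most common words
        "4 words, 2048-word list": entropy_bits(2048, 4),
        # Article's advice: five words from a larger list (7,776 words is an
        # assumption; it is the size of a six-dice Diceware list)
        "5 words, 7776-word list": entropy_bits(7776, 5),
        # 12 random characters from the 94 printable ASCII characters
        "12 random printable chars": entropy_bits(94, 12),
        # 20 random lower-case letters
        "20 random lowercase letters": entropy_bits(26, 20),
    }


def generate_passphrase(wordlist, words: int = 5, sep: str = " ") -> str:
    """Pick words uniformly at random with the OS CSPRNG. Entropy is
    words * log2(len(wordlist)) no matter which words come out."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{name:30s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years")
    # Constructed tiny word list for demonstration only; a real list needs
    # thousands of words for the entropy figures above to apply.
    demo_words = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot"]
    print(generate_passphrase(demo_words))
```

Running it shows the four-word passphrase at 44 bits falling to the assumed rate in seconds, while 20 random lower-case letters (about 94 bits) take billions of years, matching the article's claim.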

This article is part of our series on password security. You can also check out our previous article about how long a password should be.

Best Regards,
The Proton Mail Team


Ben Wolford

Ben Wolford is a writer and editor whose work has appeared in major newspapers and magazines around the world. Ben joined Proton in 2018 to help to explain technical concepts in privacy and make Proton products easy to use.
