Password vs passphrase

What is a passphrase? Comparing passwords vs. passphrases

When securing a system or your online accounts, setting a strong password is the most important thing you can do. But what’s stronger — a password of apparently random characters or a passphrase of several unrelated words? 

This article explains which you should use and when. To start, though, let’s look at what a passphrase is.

What does passphrase mean?

When you identify yourself to get access to an online account or file, you usually use a password of some kind. You could also opt to use a passphrase. A passphrase is a sequence of four or more words, with each word in the phrase having four or more letters. Spaces aren’t necessary, so you can have a passphrase that looks like table chair book candle or tablechairbookcandle.

In function, passphrases are the same as passwords, but they differ in important ways. The first and most obvious difference is length. While passwords should be at least 15 characters long, passphrases, by their nature, are usually going to be at least 20 characters. 

This is a massive advantage. Password entropy — the measure of a password’s difficulty — increases with length. Though longer doesn’t necessarily mean more secure, something we’ll talk about more in a bit, using a passphrase is one easy way to make a password stronger without too much hassle.

Despite being longer, though, passphrases are much easier to remember. For example, the table chair book candle passphrase from before is a simple mnemonic device, a way to recall memories. You sit at the table on a chair reading a book by the light of a candle. Though it’s a lot longer than the average password, it’s a lot easier to remember.

The memory problem

Passphrases solve a huge disadvantage of passwords, which are hard to recall if they’re even remotely secure. While a short word (like your pet’s name and the year you were born) can be easy to keep in mind, it’s also extremely easy to crack through dictionary attacks(new window), where the attacker’s software “guesses” your password by running through known combinations of words.

To fix this issue you need to add special characters to passwords, which is why online platforms often ask you to add numbers and special characters when creating your account. By adding numbers, capitalized letters, and special characters, you’re misdirecting dictionary attacks, and the more random-seeming you make a password, the harder it is to guess.

For example, if you decide to use the word aardvark as your password, you’d have to make it harder to guess by adding numbers, maybe replacing the A’s with the number four, so 44rdv4rk. To add some randomness, you might want to spare the first A that treatment, and maybe make it a capital, for good measure, turning it into A4rdv4rk. Then, add some symbols to make it really weird, so you end up with #A4rdv@rk!

This all looks good, and adds some nice randomness to the word, but you’ve just made the issue not one of security, but of memory. If you sign up now, forget about that account and then try to sign in a month or two later, you’re going to struggle to remember which letters you substituted and how. (Writing passwords in a notebook is not usually a good idea for many reasons.) 

While your brain likely remembers “aardvark” just fine, all the other stuff is just too random to remember correctly. Plus, since you should never reuse passwords, this is just one of dozens you’ll need to recall.

This tension between security and memory was best summarized by cartoonist Randall Munroe, author of the science-themed cartoon XKCD(new window):

XKCD comic on passwords and passphrases

It seems clear, then, that passphrases are better than passwords. However, this argument relies heavily on human memory as a premise. Let’s see what happens if we take that out of the equation.

Adding randomness

Passphrases are easier to remember and, by virtue of being longer (i.e., having more entropy), are more secure than short passwords. However, that isn’t the whole story. As we discussed, the weak link is human memory; what if we replaced it with a computer’s memory?

Enter password managers, programs that store passwords for you and autofill them wherever you need as you browse the internet. They make life a lot easier by autofilling passwords wherever you go, but, more importantly, they also add a lot of security by generating and remembering long, complex passwords for you.

For example, if you’re using our password manager, Proton Pass, any time you create a new account on a site, the Pass browser extension will offer to create and store the password for you. Where normally you’d do something like our “aardvark” from before or a combination of your hometown and birthday, Proton Pass’ password will be something like rZa;8g=6^P”kL*3 which is impossible to remember for most people. 

This kind of password with over 15 characters will be practically impossible to crack through brute force attack, and you won’t need to remember it. As long as you have a password manager and use it to create long, complex passwords, the password vs. passphrase debate is irrelevant. Your account is secure.

But what about securing your password manager itself? A random password would be great but hard to remember. This is where a passphrase comes back into play: A passphrase like table chair book candle will work fine.

Passphrase vs. password: which should you use?

To summarize what we’ve covered: If you compare a passphrase to a truly random password, the password is the better, more secure option. The problem is human memory. The only way to remember a random password is to use a password manager of some kind, which you can protect in turn with a much easier-to-recall passphrase.

Of course, in this case you also need to make sure the password manager itself is secure, private, and easy to use. We developed Proton Pass with these goals in mind. It uses end-to-end encryption to keep your data safe and also benefits from Swiss privacy laws that make it easy to keep your private information private.

Besides that, it also comes with some more direct benefits, like two-factor authentication, which adds an extra authentication step in case your password is compromised in some way. (Remember, a good password protects against brute force attacks, not against phishing where an attacker tricks you into giving your password away.)

On top of that, Proton’s mission is to make your emails, files, passwords, and other data private by default. Your logins and personal email addresses in particular are part of your digital identity, which is worth protecting in the same way you protect your passport or ID numbers. Proton Pass offers hide-my-email aliases in addition to secure password storage to give you additional privacy.

If that sounds good to you, you can sign up for Proton Pass for free and join the fight for a better internet.

Protect your passwords
Create a free account

Related articles

Email threads are so ubiquitous you might not realize what they are. An email thread is basically a series of related emails grouped together.  This article will tell you everything you need to know about what exactly an email thread is and when you
Identity theft is a major sector of criminal activity. About 24 million people fell victim in the United States alone in 2021, costing them over $16 billion. Credit card fraud is the most common type, but criminals target all kinds of personal data.
Google is one of the biggest obstacles to privacy. The Big Tech giant may offer quick access to information online, but it also controls vast amounts of your personal or business data. Recently, more people are becoming aware of the actual price you
What to do if someone steals your Social Security number
If you’re a United States citizen or permanent resident, you have a Social Security number (SSN). This number is the linchpin of much of your existence, linked to everything from your tax records to your credit cards. Theft is a massive problem, whic
compromised passwords
Compromised passwords are a common issue and probably one of the biggest cybersecurity threats for regular people. How do passwords get compromised, and is there anything you can do to prevent it? * What does compromised password mean? * How do pa
Is WeTransfer safe?
  • Privacy basics
WeTransfer is a popular service used by millions worldwide to send large files. You may have wondered if it’s safe or whether you should use it to share sensitive files. We answer these questions below and present a WeTransfer alternative that may su