Cybersecurity Awareness Tip 11: Consider a passphrase instead of a password

Even if you use more than one factor to identify yourself, chances are one of those factors is something you know, typically called a password. But you can often use a passphrase instead of a cryptic, hard-to-remember password. You should still use a password manager with unique passwords (or passphrases) to help remember them. In fact, Lastpass recommends using a passphrase for your Lastpass Master Password.

How is a Passphrase Different From a Password?

The main difference between a passphrase and a password is that passwords do not have spaces. Passphrases are usually longer than a random string of letters and have spaces. But passphrases can also contain symbols. Although it might make it easier to remember, a passphases does not have to be a proper sentence or be grammatically correct.

Image: XKCD.com/936/

Passphrases Are Better Than Passwords

Password Dragon offers 5 reasons why passphrases are better than passwords:

1. Passphrases are easier to remember than a random of symbols and letters combined together. It would be easier to remember a phrase from your favorite song or your favorite quotation than to remember a short but complicated password.

2. Passwords are relatively easy to guess or crack by both human and robots. The online criminals have also leveled up and developed state of the art hacking tools that are designed to crack even the most complicated password.

3. Satisfies complex rules easily. The use of punctuation, upper and lower cases in Passphrases also meets the complexity requirements for passwords.

4. Major OS and applications supports passphrase. All major OS including Windows, Linux and Mac allow pass-phrases of up to 127 characters long. Hence, you can opt for longer passphrases for maximum security.

5. Passphrases are next to impossible to crack because most of the highly-efficient password cracking tools breaks down at around 10 characters. Hence, even the most advanced cracking tool won’t be able to guess, brute-force or pre-compute these passphrases.

The FBI agrees.

But privacy-focused email provider ProtonMail argues passphrases are only sometimes more secure than passwords: ProtonMail recommends you keep the folloowing in mind when using passphrases:

• Four words should be sufficient. Five words is better.
• Don’t choose from the most common words, and don’t choose quotes or sayings. The words should be as random as possible.
• Use a unique passphrase for every account you own. That way, if one passphrase is ever exposed, the other accounts remain secure.

Even though Lastpass recommends using a passphrase for your Lastpass Master Password, the otherwise fully-featured password manager can't generate passphrases yet. You can use an online passphrase generator, but be careful to use one that doesn't log the generated passwords.

SwampGeek recommends

SwampGeek.com recommends using the Diceware passphrase generator with EFF wordlist wIth multi-factor authentication. And, if you can't switch from a bank or other online account that allows password resets with correct (and easily guessable) answers to security questions, try answering with lies.

Resources

How Secure is your password? (password checking tool)

Diceware passphrase generator with EFF wordlist