Password vs passphrase

One of the key layers of cybersecurity is good password hygiene. But today’s security can make the situation more complex. Now you have password managers, two-factor authentication using apps, fingerprint protection, and even facial identification.

To help simplify cybersecurity a bit, one alternative to a password is a passphrase. And often it will work with a system that already supports a password.

For years, the advice of cybersecurity experts focused on the complexity of your password and making sure you changed it often. In practice, people had trouble remembering complicated passwords that changed frequently. So what did they do? They wrote them down on a sticky note and stuck it next to their keyboard!

Sticky notes weren’t the only issue; brute force attacks were a problem as well. A brute force attack tries different combinations of letters and characters over and over again until it eventually guesses the password. Even if your password was complex, the shorter the password, the quicker a brute force attack would guess it.

In other words, that password advice wasn’t good enough!

That’s when the passphrase entered the picture. It’s such a better option than a password that the National Institute of Standards and Technology changed its guidelines to recommend passphrases.

It turns out that a phrase like “TheWhiteDogDownTheStreet!” is much easier to remember and more secure than a short, complex password. First, you don’t have to write it down to remember it. And second, since it’s longer than most passwords, a brute force attack will take much longer and usually won’t be practical.
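To put numbers on the length argument, here is an added example (not from the original article) that compares the character-by-character search space of a short, complex password with the passphrase above. The guess rate and the short password "Xq7$mP2!" are assumptions made for illustration, and because it models only the brute force described here, the result is an upper bound for phrases built from common words.

```python
import math
import string

# Assumed attacker speed, for illustration only (guesses per second).
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def alphabet_size(secret: str) -> int:
    """Characters a brute force must try per position (ASCII classes only)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in secret))

def brute_force_bits(secret: str) -> float:
    """log2 of the number of candidates with this length and alphabet."""
    size = alphabet_size(secret)
    return len(secret) * math.log2(size) if size else 0.0

def average_years(secret: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected search time: half the candidates, tried at `rate` per second."""
    try:
        return 2.0 ** (brute_force_bits(secret) - 1) / rate / SECONDS_PER_YEAR
    except OverflowError:  # search space too large for a float
        return math.inf

def compare(secrets):
    """One (secret, length, alphabet, bits, years) row per candidate."""
    return [(s, len(s), alphabet_size(s), round(brute_force_bits(s), 1),
             average_years(s)) for s in secrets]

if __name__ == "__main__":
    # "Xq7$mP2!" is a constructed short, complex password; the passphrase
    # is the article's own example.
    for s, n, a, bits, years in compare(["Xq7$mP2!", "TheWhiteDogDownTheStreet!"]):
        print(f"{s!r}: {n} chars, alphabet {a}, {bits} bits, ~{years:.3g} years")
```

Each extra character multiplies the search space by the alphabet size, which is why the 25-character phrase ends up far out of reach even though it uses fewer character classes than the 8-character password.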

I recommend having some uppercase letters in your passphrase and one or two punctuation marks. And you may still want to use password management software to make things easier on yourself or to securely share your passphrase with others.

Beware that a long passphrase may not work on all systems. Often systems have very specific requirements that came out of the older recommendations. And they might even have a maximum limit for the number of characters in your password.

But over time, more and more systems will be updated to allow for—and even encourage—a passphrase instead of a password.