We talk a lot about using strong passwords as an important component of your overall online security. This means choosing passwords that are complex, long, and random, as well as unique—meaning you only use it on one account and don’t repeat it elsewhere. But what about passphrases? They are different in that they form actual phrases you can remember, rather than just gibberish. Find out more about using passphrases and how to safely incorporate them into your login credentials.
What is a passphrase?
A passphrase is a sequence of words or characters used to authenticate or secure access to a computer system, network, or encrypted data. It is similar to a password but typically longer. A commonly used example of a passphrase is “correct horse battery staple”. Passphrases are more secure when each word is chosen at random from a large list: an attacker who knows the list still has to try every combination, and each extra word multiplies the number of combinations by the size of the list. The strength comes from that random choice rather than from the word count alone; a well-known quotation is long but easy to guess.
What makes a strong passphrase?
A strong passphrase is designed to have the following characteristics.
- Length. A longer passphrase is generally stronger because it increases the number of possible combinations and makes it harder for attackers to guess.
- Complexity. Mixing in uppercase letters, numbers, and special characters adds some strength, and some sites require it. It is not what makes a passphrase strong, though: four or more randomly chosen words are strong without any substitutions, while a familiar phrase with a few letters swapped for digits is still weak, because cracking tools try those swaps automatically.
- Unpredictability. Avoid using common phrases, clichés, or easily guessable information in your passphrase. Instead, opt for random combinations of words, or a phrase that is only meaningful to you and no one else.
- Memorability. A strong passphrase should also be user friendly, so it should be something you can remember, despite its length.
- Uniqueness. Each online account or system you use should have a different passphrase. Reusing passphrases across multiple accounts increases the risk of compromise.
How to create a passphrase
There are broadly two approaches to creating a passphrase: randomization and personalization.
Randomly generate a passphrase
Randomization improves security because an attacker has nothing on which to base their guesses. The word list itself does not need to be secret; what matters is that each word was picked from it at random. There are random passphrase generators online that will give you a passphrase of four or more words, and some password managers can generate one too.
In our past blog post about diceware, we explain how you don’t even need a generator to randomly create a passphrase. All you need is a die and this gigantic list of words, each matched to a five-digit number made of dice rolls (the standard list has 7,776 words, one for every roll from 11111 to 66666). Roll the die five times, look up the word, and repeat until you have four words, such as “correct horse battery staple”. Four words from that list give about 52 bits of strength; six words (about 78 bits) is the usual recommendation for a master passphrase or an encryption key.
In order to remember such a phrase, the user might visualize all four items as a single image or make up a story about them.
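To make the dice procedure concrete, here is an added Python example (not code from the original post or from ExpressVPN) that does the same thing in software: it rolls dice with the operating system’s cryptographic random number generator, shows how a roll key maps to a position in a Diceware-style list, and works out how much strength each word adds. The 36-word list in it is a constructed stand-in for the real 7,776-word list, and the list is assumed to be sorted in dice-roll order, as the standard lists are, so that two rolls cover it exactly.

```python
import math
import secrets

# Constructed 36-word sample list so the demo runs offline. Two dice rolls
# (11..66) cover it exactly, just as five rolls cover the real 7776-word list.
SAMPLE_WORDS = [
    "acorn", "badge", "cactus", "delta", "ember", "fjord", "garlic", "harbor",
    "igloo", "jigsaw", "kelp", "lantern", "mango", "nickel", "orbit", "pebble",
    "quartz", "raven", "saddle", "tundra", "umpire", "velvet", "walnut", "xenon",
    "yodel", "zephyr", "anvil", "bison", "comet", "dune", "falcon", "glacier",
    "hazel", "ivory", "juniper", "kiosk",
]


def roll_die() -> int:
    """One fair die roll from the OS CSPRNG (secrets), never random.randint."""
    return secrets.randbelow(6) + 1


def roll_word_key(dice_per_word: int = 5) -> str:
    """Several rolls give a key such as '31642' that indexes a Diceware list."""
    return "".join(str(roll_die()) for _ in range(dice_per_word))


def key_to_index(key: str) -> int:
    """Diceware lists are sorted by roll, so a key is just a base-6 number:
    '11111' -> 0 and '66666' -> 7775 (assumption: the list is in roll order)."""
    if not key or any(c not in "123456" for c in key):
        raise ValueError("key must be made of digits 1-6")
    return int("".join(str(int(c) - 1) for c in key), 6)


def dice_passphrase(wordlist, n_words: int = 4, dice_per_word: int = 5, sep: str = " ") -> str:
    """The paper procedure: roll dice_per_word dice per word and look the key
    up in a list that has exactly one word per possible roll."""
    if len(wordlist) != 6 ** dice_per_word:
        raise ValueError(f"list must have exactly {6 ** dice_per_word} words for {dice_per_word} dice")
    return sep.join(wordlist[key_to_index(roll_word_key(dice_per_word))] for _ in range(n_words))


def generator_passphrase(wordlist, n_words: int = 4, sep: str = " ") -> str:
    """What an online generator does: secrets.choice is the software
    equivalent of the dice lookup and is safe for producing secrets."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_symbols: int, alphabet_size: int) -> float:
    """Strength of a random passphrase when the attacker knows the list:
    every word adds log2(list_size) bits, however long the word is."""
    return n_symbols * math.log2(alphabet_size)


if __name__ == "__main__":
    key = roll_word_key()
    print("dice key", key, "-> position", key_to_index(key), "in a 7776-word list")
    print("dice passphrase from the demo list:", dice_passphrase(SAMPLE_WORDS, 4, dice_per_word=2))
    print("generator passphrase from the demo list:", generator_passphrase(SAMPLE_WORDS, 4))
    for n in (4, 5, 6):
        print(f"{n} words from 7776: {entropy_bits(n, 7776):.1f} bits")
    print(f"8 random printable ASCII characters: {entropy_bits(8, 94):.1f} bits")
    print(f"4 words from the 36-word demo list: {entropy_bits(4, len(SAMPLE_WORDS)):.1f} bits")
```

The entropy figures are the point of the exercise: four words from the 7,776-word list (about 52 bits) are on a par with eight completely random printable characters, and six words pass 77 bits, while four words from a 36-word list give only about 21 bits. A passphrase is only as strong as the size of the list it was drawn from, which is why the same function serves for both words and characters.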
Create a personalized passphrase
While using personally identifying phrases—such as your name, birthday, or pets—in your passwords is considered poor security, that doesn’t mean you can’t use phrases that are meaningful to you. The caveat is that the phrase should ideally be meaningful only to you.
Let’s say your favorite countries are the U.S. and UK. You might come up with a passphrase like “god save the star spangled banner”, combining the national anthems of both countries to form an unusual phrase. Bear in mind that both halves are famous titles, so a cracking tool that joins pairs of well-known phrases can still reach it; a combination like this is better than either anthem on its own but weaker than four words chosen at random.
Passphrase vs. password: What’s the difference?
A password is a string of characters, while a passphrase is made up of a few words, forming a phrase that the user can remember. Passphrases often include spaces between words, while a password often does not have spaces.
A passphrase is not necessarily longer or more complex than a password. Both can be highly secure. The main difference is that a strong passphrase can be remembered more easily than a strong password made up of a meaningless sequence of characters.
Types of passphrases and strong passphrase examples
As mentioned above, passphrases can be randomly generated or personalized by the user. Here is a more in-depth look at the different types of passphrases that someone can come up with using different techniques.
Note: Do not use these examples as your passphrase. They are no longer strong now that they appear on this page.
Random passphrases. These passphrases are generated using a random combination of words, such as using a random passphrase generator online. They can also be generated with a dice and a list of words corresponding to numbers.
Example: correct horse battery staple. This is an often-seen example of a passphrase that uses four unrelated, seemingly random words.
Mnemonic passphrases. Mnemonic passphrases are created by stringing together a series of words or phrases that are personally meaningful or memorable to the user. They can be based on a favorite quote, song lyrics, or a combination of words that have significance to the user. Mnemonic passphrases are intended to be easier to remember while still maintaining a reasonable level of security.
Example: god save the star spangled banner. This phrase combines the titles of two national anthems, making it easy for someone to remember while not being a common phrase in itself.
Sentence passphrases. Sentence passphrases are created by using a complete sentence or a combination of multiple sentences. The sentence can be personally meaningful or can be a random collection of words that are easy to remember. The length of a sentence adds strength only if the sentence is not a known quotation; a line everyone knows is a single guess for an attacker, however long it is.
Example: O say can you see by the dawn’s early light. Note that while the long length of this phrase increases its security, this is not a particularly strong passphrase since it’s a widely known line.
Algorithmic passphrases. Algorithmic passphrases involve applying specific algorithms or transformations to a base word or phrase to generate a unique passphrase. These algorithms can include character substitutions, adding prefixes or suffixes, or using a mathematical formula to derive the passphrase. Algorithmic passphrases can provide a balance between security and memorability.
Example: 0 say can U C by the dawn’s early l1ght. The substitutions make this common phrase a little harder to guess while keeping it easy to remember, but only a little: password-cracking tools apply exactly these swaps (o to 0, i to 1, “you” to U) to every phrase in their lists as a matter of routine, so an altered quotation should not be mistaken for a strong passphrase.
Benefits of using a passphrase
The primary benefit of using a passphrase rather than a password is that it is far easier to create one that is both long and memorable.
The safest passwords—random and long ones—are difficult to remember. And if you have to create a unique one for every online account you have, they become impossible to remember. You’ll end up discouraged and tempted to keep using the same short password or variations of one. This is why it’s wise to use a password manager, such as ExpressVPN Keys, which comes included with every ExpressVPN subscription.
A passphrase is another solution to the problem of hard-to-remember passwords (although you should still store them in a password manager). Their length makes them harder to crack, but the fact that they are real words makes them easier to remember.
That said, there are degrees of security when it comes to passphrases. Using a common phrase is much less secure than using a random phrase or a phrase that is only meaningful to you; altering a common phrase with symbols and numbers helps only slightly.
Cons of using a passphrase
The risk of using a passphrase comes with choosing a phrase that is common. Such a passphrase is vulnerable to dictionary attacks, in which an attacker attempts to gain unauthorized access to an account or system by systematically trying a list of commonly used words or phrases as passwords. Cracking tools go further than a plain list: they join two or more entries together and apply substitution rules to each candidate, so a mash-up of two famous lines, or a quotation with some letters replaced by digits, is also within reach.
This is why a strong passphrase is one that is only meaningful to you, or better still one chosen at random from a large word list and kept in a password manager.
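The dictionary attack described here, and the substitution trick from the algorithmic passphrase example above, can be demonstrated together. The following added Python example (not code from the original post or from ExpressVPN) simulates a small cracking run: it hashes the page’s example passphrases with SHA-256 as a stand-in for a leaked password database, then tries every entry of a constructed fragment list, every pair of entries joined together, and a handful of substitution rules against them. The fragment list, the rules, and the “vortex dumpling fossil kettle” stand-in for a random passphrase are all constructed for the demo.

```python
import hashlib
import itertools

# Constructed attacker word list of phrase fragments: anthem titles, lyric
# lines and stock quotations, the kind of entries real cracking lists carry.
FRAGMENTS = [
    "god save the", "god save the king", "god save the queen",
    "star spangled banner", "the star spangled banner",
    "o say can you see", "by the dawn's early light",
    "land of the free", "home of the brave",
    "to be or not to be", "let it be",
]


def _word_subs(s: str) -> str:
    """Whole-word shorthand that a cracking rule set would include."""
    subs = {"o": "0", "you": "U", "see": "C", "to": "2", "for": "4", "and": "&"}
    return " ".join(subs.get(w, w) for w in s.split())


# Mangling rules (str -> str), mirroring the rule files crackers apply to
# every base candidate. Pairs of rules are tried too, so "you" -> "U"
# followed by i -> 1 is covered.
RULES = [
    lambda s: s,                                     # the phrase as-is
    lambda s: s.capitalize(),                        # leading capital
    lambda s: s.translate(str.maketrans("i", "1")),  # i -> 1
    lambda s: s.translate(str.maketrans("e", "3")),  # e -> 3
    lambda s: s.translate(str.maketrans("o", "0")),  # o -> 0
    _word_subs,
]


def sha256_hex(text: str) -> str:
    """Stand-in for a leaked password hash (real stores use slow hashes)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed "leaked" hashes of the passphrases discussed on this page, plus
# a made-up random-style phrase that no fragment or rule can produce.
TARGETS = {
    "mnemonic": sha256_hex("god save the star spangled banner"),
    "sentence": sha256_hex("o say can you see by the dawn's early light"),
    "algorithmic": sha256_hex("0 say can U C by the dawn's early l1ght"),
    "random": sha256_hex("vortex dumpling fossil kettle"),
}


def base_candidates(fragments):
    """Plain dictionary pass, then a combinator pass over every ordered pair."""
    yield from fragments
    for a, b in itertools.permutations(fragments, 2):
        yield f"{a} {b}"


def mangled(base: str):
    """Apply each rule, then each ordered pair of rules, without repeats."""
    seen = set()
    for r in RULES:
        out = r(base)
        if out not in seen:
            seen.add(out)
            yield out
    for r1, r2 in itertools.permutations(RULES, 2):
        out = r2(r1(base))
        if out not in seen:
            seen.add(out)
            yield out


def crack(targets: dict, fragments=FRAGMENTS) -> dict:
    """Return {label: (recovered_passphrase, guesses_so_far)} for each target
    hash the attack recovers; targets it cannot reach are simply absent."""
    pending = {digest: label for label, digest in targets.items()}
    found = {}
    guesses = 0
    for base in base_candidates(fragments):
        for guess in mangled(base):
            guesses += 1
            if sha256_hex(guess) in pending:
                found[pending.pop(sha256_hex(guess))] = (guess, guesses)
        if not pending:
            break
    return found


if __name__ == "__main__":
    found = crack(TARGETS)
    for label, (plain, n) in found.items():
        print(f"{label:12s} cracked after {n:5d} guesses: {plain}")
    print("not cracked:", ", ".join(sorted(set(TARGETS) - set(found))) or "none")
    print(f"4 random words from a 7776-word list: {7776 ** 4:,} possibilities")
```

All three quotation-based passphrases fall in well under ten thousand guesses, a fraction of a second at any hashing speed, and the altered one falls in the same run as the original because the substitutions are just two rules applied in sequence. The random stand-in is never found, since nothing in the fragment list can produce it; an attacker who knows the 7,776-word list would instead face 7776^4, about 3.7 quadrillion, equally likely four-word combinations. Real password stores use slow hashes such as bcrypt or Argon2 rather than SHA-256, which makes each guess costlier but does not change this arithmetic.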
Comments
The problem with this article is that it’s as if we had only one thing to have a pass/phrase/word for. If you have a few hundred such websites (&c) and a hundred+ passphrases, how are you going to remember which meaningful phrase goes with what? There’s no escape — it’s best to have a really good password manager that works across browsers. Before I switched from PC to Mac several years ago I used LastPass but changed to Apple’s keychain when I got Macs — and it works, of course, across desktop, iPhone, iPad. And some sites (not sure now but used to be the case with BT Internet) don’t allow gaps — although you can close the gap with hyphens. You can make e.g. a 20-digit password and split it into 3 groups of 6 plus added ‘-‘s so it looks like an Apple keychain password.
Some password managers support passphrase generation – good idea to implement this into Keys.
Is ExpressVPN considering providing support for FIDO/U2F or FIDO2 log-in capability on accounts?