Blog
Recent
bg
Security Tips

Passphrase vs Password: Understanding the Differences

Shireen StephensonOctober 15, 2024
Passphrase vs Password: Understanding the Differences

The passphrase vs. password war shows no signs of waning. While passwords continue to be a hot topic as identity-based cyber-attacks rise, passphrases are increasingly getting their day in the sun. 

But years before Intel launched the first World Password Day in 2013, a quiet security consultant outsmarted a group of hackers with just one simple strategy. 

His name was Mark Burnett – and he advised a financial services company to set aside one day a year to practice good password hygiene after a series of high-profile breaches. On that day, the “boss bought lots of pizzas, and everyone sat down thinking of cool passwords all day long.” 

Wondering if you should even dedicate a day to changing your passwords? 

Below, we take the passphrases vs. passwords discussion a step further – by revealing which one offers optimum protection in various scenarios. 

What Is a Password?

Definition and purpose of passwords

Passwords are special code words used for authenticating users to a platform or system. 

They have been in vogue since the early 1960s. In 1961, Fernando Corbato helped develop MIT’s Compatible Time-Sharing System (CTSS). This early operating system allowed multiple users to simultaneously run different applications on one computer. 

Until then, a computer could only handle one user running a single program at a time. 

With the CTSS, Corbato and his colleagues effectively introduced the world to its first digital password system, instant messaging platform, and email service.  

And in the 1970s, the Multics operating system became the first to store passwords using a one-way hash function. This means each password was stored encrypted rather than in plaintext. 

Today, new passwordless authentication options bypass the pesky password and offer us greater control in protecting our online identities. 

Common password vulnerabilities

In 2024, poor access control is the #1 most common application security vulnerability. 

Password reuse comes a close second. According to a LastPass survey, 91% of end users understand the risk of password reuse – but 59% do it anyway for the sake of ease and convenience. 

Ultimately, poor credential management exposes your business to more social engineering, keylogging, and credential-based attacks. 

Tips for creating strong passwords

Not surprisingly, password creation isn’t #1 on your to-do list after a long week at work.  

If password fatigue is negatively impacting your productivity and mental health, you aren’t alone: 87% of your peers have a similar experience. 

Here are eight of our best tips for creating strong passwords that offer maximum protection for your accounts: 

  • Prioritize length before complexity.
  • Make passwords complex by using a mix of uppercase and lowercase letters, special symbols, and numbers.
  • Use a trusted password generator for effortless password creation.
  • Consider using a security-conscious password manager to store passwords securely.
  • Avoid the use of leet speak, as hackers can now use tools like Mentalist to generate custom wordlists with leet speak variations to feed into another tool called John the Ripper for password cracking.
  • Refrain from including personally identifiable information.
  • Enable phishing-resistant MFA or multi-factor authentication for added security.
  • Create a unique passphrase with special symbols and numbers that are easy for you to remember but resistant to brute force attacks.

What Is a Passphrase?

How passphrases differ from passwords

Is a passphrase the same as a password? 

passphrase is like a password – but differs in this way: Passphrases are longer and more complex. They can also be image-based, consist of random words, or follow a keyboard pattern. 

Image-based: YellowRosesAndLakesideFlowersHawaiiVacations20240825 

Random: Grasshopper!@MallardDucks$%PeanutButter#$RedPolkaDots 

Keyboard pattern (QWERTY): Quickly&^*WeExplored85%RiversTrees!@Yaks 

On the other hand, passwords generally consist of a random string of characters. Today, many platforms require them to be anywhere from 8 to 16 characters long. 

Passphrases and their advantages

What are the benefits of using a passphrase over a traditional password? 

Passphrases provide four key advantages: 

  • Memorability: Since they consist of coherent words, they are easier to remember than passwords.
  • Practical use: They are easier to type due to their intuitive flow, compared to passwords that consist of random characters.
  • Complexity: They can be paired with special characters, symbols, and numbers to strengthen their entropy value (a measure of how hard it is to guess your password). Password entropy is measured in bits.
  • Increased security: Passphrases are longer than passwords, making them more resistant against dictionary and brute force attacks.

Best practices for creating passphrases

To create a strong passphrase, you’ll want to implement these nine best practices: 

  • Avoid using quotes from popular song lyrics and movies.
  • Avoid using the names of famous actors, actresses, sports figures, or influential figures in politics, business, media, and the arts.
  • Aim for a good length of at least 20-30 characters.
  • Add unrelated words to increase the entropy value of your passphrase.
  • Avoid using personal identifiers like birthdays, graduation years, and anniversaries.
  • Incorporate special characters, symbols, and numbers.
  • Avoid common phrases that are easily guessable like “A Picture is Worth a Thousand Words” or “A Penny for Your Thoughts.”
  • Use the EFF (Electronic Frontier Foundation) method to create passphrases using dice rolls and wordlists.
  • Add a string of random characters and special symbols to any passphrases generated by an xkcd-style generator. This type of generator was popularized by an xkcd comic titled “Password Strength,” which maintains that a string of four random words like “correct horse battery staple” is easier to remember (than an unintelligible password) and provides enough entropy to be secure against credential-based attacks.

When to Use a Passphrase vs a Password

Situations where passphrases are recommended

What are the reasons a passphrase is recommended instead of a password? 

Passphrases are generally recommended under these circumstances: 

  • High-security or sensitive accounts: These accounts may contain banking, trade, legal, or proprietary information you must protect. 
  • For master passwords to access password vaults: You’ll need a secure password to access the rest of your credentials.
  • When memorability is of primary importance: During a crisis, designated parties should be able to request emergency access to your vault. A memorable passphrase greatly streamlines access, should you become incapacitated.
  • For use as a WPA3 password: A WPA password is a Wi-Fi password or network security key used to access a Wi-Fi network protected by the WPA3 security protocol. A strong WPA3 passphrase should contain anywhere from 8 to 63 characters.
  • To provide another layer of security in SSH authentication: SSH (Secure Shell) keys are often used for authentication and access to cloud-based resources. A passphrase provides another layer of security in SSH authentication. So, even if an attacker manages to hijack your private key, they’ll still need your passphrase to access your resources.

Situations where passwords may be sufficient

Traditional passwords may be sufficient in these cases: 

  • For lower-risk accounts, such as industry training resources, entertainment services, and public forums that don’t provide direct access to financial, intellectual, or business data
  • When character limits prevent longer passphrases, such as in older Windows NT versions (4.0 and earlier)
  • For legacy applications and ERP (enterprise resource planning) systems that don’t support long passphrases

More considerations for passwords and passphrases

NIST recommendations for 2024 Guidelines

The use of password managers

  • Strongly encouraged to help users avoid using weak passwords

Password length

  • 12-16 characters (longer passphrases are encouraged)
  • Length emphasized over complexity

The use of Unicode and ASCII characters 

  • emojis (there are 3,600+) and non-Latin/foreign language characters which increases password security
  • codes for more than 135,000 characters from the world's alphabets.
  • Extended ASCII consists of 256 unique 8-bit characters, which includes control characters, accented letters, and symbols.

The use of out-of-band authenticators  

  • LastPass Authenticator ensure messages in transit are protected from tampering.
  • SIM swapping attacks. So, even if attackers somehow manage to acquire your mobile phone number and personal data, they can’t access your accounts without your device in their possession.

  

You’ll also want to consider these best practices from the Center for Internet Security

  • Enforce checks on new password creation against an internal deny list of known bad, weak, or recently used passwords.
  • Enforce system lockouts after more than 15 minutes idle time.
  • Continuously monitor failed login attempts.
  • Enforce password changes in light of security incidents.

Industry Standards for Passwords and Passphrases

Support and recommendations from cybersecurity experts

Experts in organizations like NIST are recommending against frequent password changes (every 30 or 60 days). They maintain that mass resets should only be performed after a known cybersecurity breach. 

NIST also recommends against the use of password hints or security questions for account recovery. Instead, the organization supports the use of saved or issued recovery codes. 

If your organization uses Microsoft Entra ID, you can enable your employees to reset their own passwords with Entra’s self-service password reset feature.  

According to Forrester research, self-service password resets with Microsoft Entra ID (formerly Azure AD) can decrease your organization’s monthly reset requests by 75%. 

Integration of passphrases in password policies

Leading cybersecurity organizations like CISA, IDSA, and the Canadian Centre for Cyber Security recommend integrating passphrases into password policies. 

The Canadian Centre for Cyber Security specifically recommends password managers that support: 

  • MFA (multi-factor authentication)
  • Zero-knowledge encryption
  • Password strength monitoring
  • Notifications when passwords are found on the Dark Web or compromised in a breach
  • Strong master passwords or passphrases
  • Secure password generation

Compliance with industry regulations

Organizations in industries such as healthcare, ecommerce, finance, and critical infrastructure must comply with regulatory password and data protection policies: 

Industry

Regulations  

Guidance 

Healthcare 

ECommerce

Finance

Critical infrastructure

  1. NERC CIP
  2. COBIT
  3. NIST SP 800-53
  4. FISMA
  5. NIST Cybersecurity Framework

Protecting Against Phishing Attacks

How passphrases and passwords are vulnerable to phishing

Passphrases and passwords are essential for data security but can be compromised through phishing attacks. Even strong passphrases are vulnerable if users are tricked into entering them on clickjacking sites and in response to phishing emails. 

Best practices for safeguarding credentials

As mentioned, your organization most likely complies with specific industry standards to protect customer digital identities.  

For example: 

  • If you’re an ecommerce business, complying with GDPR requires stringent access controls to ensure the confidentiality and integrity of data. You’ll also be expected to use proper hashing and salting to protect customer data.
  • If you’re a critical infrastructure company, complying with NERC CIP means implementing account lockout mechanisms after a number of failed authentication attempts. 
  • If you’re a healthcare company, complying with HIPAA means implementing industry-recommended practices like MFA and the use of password managers with autofill, account lockout, and activity logging capabilities. 
  • If you’re a financial services company, complying with SOX means ensuring that data at rest and in transit is always protected and safe from tampering.

Recognizing and reporting phishing attempts

Phishing attempts often display certain characteristics: 

  • Spoofed or forged email sender addresses
  • The use of urgent or emotionally charged language
  • Inappropriate requests for personally identifiable information or protected health information
  • Poorly designed landing pages
  • Poor grammar and spelling

In 2024, attackers are using a sophisticated mix of email, vishing, and smishing to trick users into entering their login information on phishing sites.  

Your best protection against this? A password manager with autofill functionality and adaptive MFA options. With LastPass, the legitimacy of an URL is verified before your credentials are auto filled. This means your login info won’t be entered on phishing sites with slight discrepancies or misspellings in their URLs. 

Meanwhile, our FIDO2 MFA options offer you phishing-resistant, passwordless authentication, which provides peace of mind as you surf the Web.  

How LastPass Will Assist With Password Management

Encrypted password vault

At LastPass, we provide all users (even those on free plans) with military-grade encrypted vaults.  

Our vaults are built on top of zero knowledge architecture. This means all your data is encrypted locally on your device before it’s sent to our servers. Plus, you’re the only one who can decrypt your vault – LastPass employees have no access to your data. 

Assistance with password generation

Need help creating strong, unique passwords for each of your accounts? With LastPass, you can do it without breaking a sweat.  

Our secure password generator helps you avoid the pitfalls of credential management, such as reusing or creating easily guessable passwords.  

As a result, you can maintain high data security without the burden of juggling a massive list of complex passwords.  

Forced character requirement for passwords

At LastPass, we are compliant with major industry standards like ISO 27001, ISO 27701, SOC 2 Type II, SOC 3, BSI C5, GDPR, and HIPPA.  

In line with these standards, we’ve encouraged the use of passphrases and required all LastPass users to use a minimum of 12-characters for master passwords since April 2023. 

If you’d like to protect your business from emerging threats, there’s no better choice than LastPass. Sign up for a free, no-obligation trial today – and join millions of users around the world who rest easy, knowing that their data is safe and our continuous monitoring systems never sleep