Support Get in Touch
Managed Services
Managed Services
Managed Services
Enterprise-level processes, technology and strategy for small and medium businesses. Outsourced services, all supported by members of the Impact team.
See Our Approach
20 Years in the Making
Learn more about Impact Networking, our team and history.
Learn More About Impact
Resources Support Inquiries Get in Touch

Cybersecurity Tips: Passphrase vs Password

What are the benefits of using a passphrase versus a password?

Over the course of the last few years, particularly in 2020 and 2021, we’ve had to become accustomed to the increased risk of cyberattacks as cybercriminals look to exploit fears and a lack of business security adopted by modern organizations.

We saw this shift with the dramatic uptick in cyberattacks that took place in 2020, with estimates indicating that more data records had been breached in the first six months of 2020 alone than any other year on record.

Between February 2020 and May 2020, phishing emails spiked by over 600% as criminals sought to capitalize on the fear and uncertainty generated by the COVID-19 pandemic.

This is a trend that appears to have kept up in 2021 and through 2022, with 2021 the recording the highest-ever numbers of zero-day exploit attacks.

The result of this renewed focus on cybersecurity has had companies investing more than ever in protecting their data and assets.

Impact subscribe to blog banner

Human Error and Cybersecurity

Human error is a crucial element of the majority of successful cyberattack attempts.

Cybercriminals play a law of averages game—facilitating countless attacks on the assumption that sooner or later, they’ll attack someone without the knowhow to defend themselves and without the software to protect their device properly.

52% of businesses admit that employees are their biggest weakness in IT security, with their lack of security awareness knowledge putting business IT security at risk.

Of course, that doesn’t make them solely responsible; it’s incumbent on decision makers and executives to make sure that every measure has been taken to ensure the best chance for success.

In other words, businesses should not set their own workers up for failure with poor credential policies.

Weak Credentials Are a Prime Suspect

Where does passphrase vs password come into all of this? Well, it’s actually quite simple—the biggest threat to data security is not hackers, as we’ve noted, but users themselves.

37% of credential theft breaches use stolen or weak credentials.

So, with all this mind, it’s clear that not only is human error a big problem for organizations to solve, but also that weak credentials (passwords) are one of the biggest factors in determining whether a cyberattack will be repelled or not.

Password security stats in business | passphrase vs password

What Is a Passphrase? 

What is a passphrase? A passphrase is a password composed of a sentence or combination of words.

Passphrases generally tend to be longer and more complex than the average password, which increases overall security.

While passphrases should be something that the user can remember, it is highly discouraged to use a common phrase. An example of a passphrase could be four random words, such as, “engineerworksharrisstudying” (engineer, works, harris, studying).

While it may seem counterintuitive to use a series of random words for a credential, phrases like these are more memorable and far more secure than a password, which typically seeks security through a mix of numbers, special characters, and upper and lowercase letters.

Passwords like this—for example, “GenIusc0de123!”—are in fact easier to crack while at the same time more difficult to remember for the user.

Sites such as can help to generate a completely random passphrase.

Why Is It Important to Use Passphrases?

Are passphrases more secure than passwords? We are in the age where simple passwords no longer retain the security they once did, which is why passphrases have become so essential.

The benefit of passphrases is that they make it easier for a user to generate entropy and a lack of order—and thus more security—while still creating a memorable credential.

Generating entropy through randomized characters can be difficult, but this also makes it more difficult to launch a cyberattack against you.

91% of respondents understand the risks of using the same password across multiple accounts, but 59% do it anyway.

Once a password has been hacked, this information can be used to penetrate other accounts with the same or similar passwords.

Passphrase vs Password: Time to Hack

The biggest factor in the consideration of passphrase vs password is simply the amount of time it takes to crack a password.

Hackers employ a form of cyberattack called a “brute-force” attack, whereby an automated program repeats password combinations over and over again until the password is cracked.

Over 80% of breaches caused by hacking involve brute force or the use of lost or stolen credentials.

For methods of hacking like these, the length of the password is a greater determinant of its strength than its variety.

In other words, your password with an upper-case first letter and exclamation mark at the end is not nearly as secure as you think it is.

Over at Hive Systems, they’ve created a useful chart which demonstrates how powerful various types of passwords are, including long passwords with no special characters and short passwords with many special characters.

What Hive Systems found was exactly in line with what the recommendations for adopting passphrases would suggest.

For example, if you take a look at the graph, you will notice that a short password (seven words) that includes uppercase letters, lowercase letters, numbers, and special characters, can be broken in about six minutes.

Now compare this to a passphrase using only lowercase letters but that is 14 characters instead of seven—this would take approximately 51 years for a hacker to crack.

6 mins for a password vs 51 years for a passphrase!

FBI Recommendation

If this wasn’t enough to make you sit up and take notice of your business’ credential policy, then maybe a recommendation from the FBI might be the clincher.

In a video from their Protected Voices initiative, which seeks to provide cybersecurity recommendations to political campaigns across various functions, passphrases were strongly advised to be implemented as official policy in an effort to improve their security and protect sensitive data.

It’s common to require that passwords include uppercase letters, lowercase letters, numbers, and special characters. However, recent guidance from the National Institute of Standards and Technology, or NIST, advises that password length is much more beneficial than complexity. – FBI, Protected Voices: Passphrases and Multifactor Authentication


  • Human error is a key factor in the increasing volume of cyberattacks we’ve seen in recent years
  • Cyberattacks rely on human error and weak credentials in order to exploit users.
  • Password length, rather than character variety, is the primary component of a password’s strength, meaning passphrases are far more secure than passwords—even if they feature no special characters at all.

Subscribe to our blog to receive monthly insights into business technology and stay up to date with marketing, cybersecurity, and other tech news and trends.