Cybersecurity Tips: Passphrase vs Password
Passwords have been used for decades as a way to protect sensitive data, but they are no longer sufficient in today’s cyber threat landscape. Hackers use increasingly sophisticated techniques, making it easier for them to crack credentials and gain access to private information. When considering which one to use—passphrase vs. password—the former has many advantages.
Passphrases provide a more secure way to protect your accounts and data. In this blog post, we will discuss five ways in which passphrases are better than passwords, why passphrases were invented, and why cyber hygiene is critical for organizations.
If you’d first like to learn what all the elements of a solid cybersecurity strategy for your business are, download Impact’s eBook: What Makes a Good Cybersecurity Defense for a Modern SMB?
What Is a Passphrase?
“Password length, character for character, is more important than password complexity.” – National Institute of Standards and Technology (NIST)
A passphrase is a password composed of a sentence or combination of words. Passphrases are longer than the average password, making them harder to crack and increasing the overall security of a user’s account.
While passphrases should be something that the user can remember, you should not use common phrases—such as “AnAppleaDay.”
An example of a strong passphrase with four random words stitched together is “Purpl3ElephantPizzaIsDelicious!” This passphrase works because:
- It has a personal reference
- It is difficult to guess
- It uses symbols and numbers
- It is longer than 16 characters
Why Is It Important to Use Passphrases?
Are passphrases more secure than passwords? We are in the age where simple passwords no longer retain the security they once did, which is why passphrases have become so essential. Passwords can lead to account hijacking from a number of cyberattacks (see more on them below).
The benefit of passphrases is that they make it easier for a user to generate entropy (unpredictability, and therefore security) while still producing a memorable credential.
Generating entropy—or the measure of how unpredictable a password is—through randomized characters can be difficult, but this also makes it more difficult to launch a cyberattack against you.
91% of respondents understand the risks of using the same password across multiple accounts, but 59% do it anyway. Once a password has been hacked, this information can be used to penetrate other accounts with the same or similar passwords.
Passphrases are more memorable and far more secure than a password, which typically seeks security through a mix of numbers, special characters, and upper and lowercase letters. As an example, passwords like “GenIusc0de123!” are in fact easier to crack while at the same time more difficult to remember for the user.
To create your own, consider using a site such as useapassphrase.com to help you generate a completely random passphrase.
Additionally, passphrases are more secure than passwords because they are more resilient to cyberattacks such as the following:
- Dictionary attacks
- Simple brute force attacks
- Credential stuffing
1. Dictionary Attacks
Dictionary attacks are a type of brute force attack—hacks in which malicious actors use trial and error to crack passwords.
When hackers deploy dictionary attacks, they make use of a database of words and symbols to guess passwords. Since passphrases are made up of multiple words and are more personalized, they are more difficult to crack through this method.
According to a NordPass study, people are still using weak and easily guessable passwords as a form of account protection.
In this study, researchers discovered the top five passwords used in 2022 were:
- password
- 123456
- 123456789
- guest
- qwerty
Except for “guest,” which would take a hacker about ten seconds to crack, the other four passwords in this list would take a bad actor less than one second to get past.
If you or your employees are using any of these commonly used passwords, changing them as soon as possible to a more cyber-secure passphrase will create a strong protection layer over your accounts.
Passphrases are so much more robust than passwords that the FBI recommends using unique passphrases for at least users’ health, financial, and email accounts.
2. Simple Brute Force Attacks
In this type of attack, malicious actors don’t use a database, but simply try to guess a user’s password by trying common ones such as the ones listed above, birthdays, company names, etc.
Cybercriminals can also perform this type of attack with the help of some basic reconnaissance work, such as looking at someone’s social media to find out their favorite places, animals, sports teams, or any interest they feel strongly about.
3. Credential Stuffing
40% of confirmed data breaches in 2022 resulted from the use of stolen credentials. – Data Breach Investigations Report, Verizon
If you use the same password or passphrase to safeguard multiple accounts, you are susceptible to a cyberattack known as credential stuffing.
In this attack, bad actors use login names and passwords they acquired from a successful breach and try them on other websites.
For example, if your password was exposed in a social media breach and you use the same one to protect your other accounts, a cybercriminal could use it to log in to sites such as your email server, bank account, ecommerce sites, etc.
The following section shows how weak or reused passwords cause cybersecurity issues for organizations:
Passphrase vs Password: Time to Hack
For methods such as brute force attacks or the use of stolen credentials, the length of the password is a greater determinant of its strength than its variety.
In other words, your password with an upper-case first letter and exclamation mark at the end is not nearly as secure as you think it is.
Over at Hive Systems, they’ve created a useful chart which demonstrates how powerful various types of passwords are, including long passwords with no special characters and short passwords with many special characters.
What Hive Systems found was exactly in line with what the recommendations for adopting passphrases would suggest.
For example, if you take a look at the graph, you will notice that a short password (seven characters) that includes uppercase letters, lowercase letters, numbers, and special characters can be broken in about six minutes.
Now compare this to a passphrase using only lowercase letters but that is 14 characters instead of seven—this would take approximately 51 years for a hacker to crack.
Six minutes for a password vs. 51 years for a passphrase!
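To make the length-versus-variety argument above (and the entropy discussion earlier in the post) concrete, here is an added Python example that is not part of the original post or of Hive Systems' chart. It estimates the keyspace and entropy of a secret from the character classes it uses, computes worst-case exhaustion time at an assumed guess rate, and applies a length-first policy that rejects the top-five passwords listed in the dictionary-attack section; the guess rate and 16-character minimum are assumptions for illustration.

```python
import math
import string

# Constructed deny-list: the top-five 2022 passwords quoted on this page.
# A real deployment would load a full breached-password corpus instead.
COMMON_PASSWORDS = {"password", "123456", "123456789", "guest", "qwerty"}

# Standard character classes and their sizes, used to size the keyspace.
_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
)


def charset_size(secret: str) -> int:
    """Size of the pool an attacker must search: the union of every standard
    class the secret uses, plus one slot per character outside those classes."""
    size = sum(n for chars, n in _CLASSES if any(c in chars for c in secret))
    size += sum(1 for c in secret if not any(c in chars for chars, _ in _CLASSES))
    return size


def entropy_bits(secret: str) -> float:
    """Upper-bound entropy assuming each position is drawn uniformly from the pool.
    Human-chosen secrets have less; this is the most a brute-force attacker faces."""
    if not secret:
        return 0.0
    return len(secret) * math.log2(charset_size(secret))


def seconds_to_exhaust(secret: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try the whole keyspace at an assumed (constructed) rate."""
    if not secret:
        return 0.0
    return charset_size(secret) ** len(secret) / guesses_per_second


def check_policy(secret: str, min_length: int = 16) -> list[str]:
    """Length-first policy in the spirit of the post: reject known-common secrets
    and short secrets, but do not demand particular character classes."""
    problems = []
    if secret.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if len(secret) < min_length:
        problems.append(f"shorter than {min_length} characters")
    return problems
```

Running `entropy_bits` on a 7-character mixed-class password and on a 14-character all-lowercase passphrase reproduces the post's point: the longer lowercase secret has roughly 20 more bits of entropy, so its keyspace is about a million times larger.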
Passphrases: Supported by Industry Standards
Passphrases are supported by industry standards such as the NIST Digital Identity Guidelines, which recommend the use of passphrases instead of passwords.
The guidelines state that “memorized secrets should be 64 characters or longer” and that “simple or common phrases, including idioms, are not recommended.” By following industry standards, organizations can ensure that their cybersecurity practices are up-to-date and effective.
Customer privacy laws such as HIPAA, CCPA, and CMMC also require organizations to protect their customers’ sensitive data such as personal information, patient data, or patent information from being exposed due to a data breach. Using a complex passphrase is an easy yet effective way to do so.
Takeaways
- Human error is a key factor in the increasing volume of cyberattacks we’ve seen in recent years.
- Cyberattacks rely on human error and weak credentials in order to exploit users.
- Password length, rather than character variety, is the primary component of a password’s strength, meaning passphrases are far more secure than passwords—even if they feature no special characters at all.
- Passphrases prevent data breaches due to brute force attacks and help organizations protect their customers’ private data.
Passwords are only one of the elements of a solid cybersecurity strategy. To learn more about creating a comprehensive security program for your organization, download Impact’s eBook: What Makes a Good Cybersecurity Defense for a Modern SMB?