The Security Benefits of using Passphrases instead of Passwords

Aug 01, 2024
What is more secure? A password with high complexity requirements or a passphrase?

This raises the question: "What IS a passphrase?" Simply put, a passphrase is a group of seemingly random words that only make sense to you.

This can be something like: a list of items in your kitchen, your favorite song line, or common words that you put together into a story in your head.

One such example from XKCD comics is "correct horse battery staple".

The National Institute of Standards and Technology (NIST) has for the last few years advocated for using passphrases. NIST included this recommendation directly in the NIST Special Publication 800-63: Digital Identity Guidelines FAQ.

Further, NIST's Digital Identity Guidelines, SP 800-63B Section 5.1.1.2 paragraph 9, “recommends against the use of composition rules (e.g., requiring lower-case, upper-case, digits, and/or special characters) for memorized secrets. These rules provide less benefit than might be expected…”

Beyond NIST, the FBI (a United States government agency) also endorses the use of passphrases in articles such as: https://www.fbi.gov/contact-us/field-offices/elpaso/news/fbi-tech-tuesday-strong-passphrases-and-account-protection.

The major benefits of passphrases are that they are stronger, harder for bad actors to crack, and easier to remember.

They are stronger mainly because passphrases are longer. Passwords, by contrast, tend to be made to meet the bare minimum of the complexity requirements and change very little when users are forced to modify them.
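To put numbers on the length-versus-complexity argument above, here is an added example (not code from the original post) that compares the search space of a fully random 8-character password, a typical rule-satisfying "complex" password, and random word passphrases. The 95-symbol alphabet, the 7776-word Diceware list, the component sizes of the patterned password model, and the 10 billion guesses per second offline rate are all constructed assumptions for illustration, not figures from the article.

```python
import math

# Constructed model parameters (assumptions for this example, not figures from
# the article).
PRINTABLE_ASCII = 95          # symbols available to a fully random password
DICEWARE_WORDS = 7776         # size of a standard Diceware word list (6^5)
GUESSES_PER_SECOND = 1e10     # assumed offline guessing rate against a fast hash


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy when `length` symbols are chosen uniformly from `choices`."""
    return length * math.log2(choices)


def patterned_password_bits() -> float:
    """Entropy of a typical 'complexity-rule' password modelled as
    Capitalised dictionary word + two digits + one symbol (e.g. 'Summer24!').
    The component sizes are constructed assumptions for illustration."""
    word = math.log2(20_000)   # common-word vocabulary the user picks from
    caps = 1.0                 # first letter capitalised or not
    digits = math.log2(100)    # two trailing digits
    symbol = math.log2(10)     # one of roughly ten commonly used symbols
    return word + caps + digits + symbol


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Average time to hit a uniformly chosen secret: half the space at `rate`."""
    return (2.0 ** bits) / 2.0 / rate


def compare() -> dict:
    """Return {scheme: (entropy bits, average crack time in seconds)}."""
    schemes = {
        "patterned 8-9 char password": patterned_password_bits(),
        "random 8 chars, 95 symbols": entropy_bits(PRINTABLE_ASCII, 8),
        "4 random Diceware words": entropy_bits(DICEWARE_WORDS, 4),
        "6 random Diceware words": entropy_bits(DICEWARE_WORDS, 6),
    }
    return {name: (bits, expected_crack_seconds(bits)) for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, (bits, secs) in compare().items():
        print(f"{name:30s} {bits:6.1f} bits  ~{secs / 86400:.3g} days")
```

The instructive result is that a password which merely satisfies composition rules lands around 25 bits and falls in under a second at the assumed rate, while each additional random word adds about 12.9 bits; four words roughly match a truly random 8-character password, and six words exceed it by a wide margin.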

This also feeds into why passphrases are easier to remember: a passphrase is something you personally made up, so you already have a mental pattern connected to it, which makes it altogether easier to recall.

The above allows the passphrase to be easily memorized and makes it something you never have to write down. This increases its security even further, as you don't need to be concerned about

TL;DR: Overly complex passwords with short length requirements and no personal connection to the user are often much harder to remember than longer passphrases that users generate from their own experiences and knowledge.

Beyond passphrases and passwords themselves, security can be strengthened further through the following:
Not requiring passwords to be changed without reason. Forced changes lead to lower security because users will often change just one character to fit the new requirement.
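A password-change handler can at least refuse the one-character edits described above. The following is an added example, not code from the original post: at change time the user supplies both the old and the new secret in plaintext, so the service can compare them before hashing the new one. The edit-distance threshold of 3 and the rule that strips trailing digits and symbols are constructed assumptions.

```python
import re

MIN_EDIT_DISTANCE = 3   # assumed policy: reject new secrets within 2 edits of the old one


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def core(secret: str) -> str:
    """Lower-case the secret and drop trailing digits/punctuation, so that
    'Summer23!' and 'Summer24!' both reduce to 'summer'."""
    return re.sub(r"[\W\d_]+$", "", secret.lower())


def is_trivial_change(old: str, new: str, min_distance: int = MIN_EDIT_DISTANCE) -> bool:
    """True when the new secret is only a cosmetic rotation of the old one:
    either within `min_distance` edits (case-insensitive) or identical once the
    trailing counter/symbol is stripped."""
    if levenshtein(old.lower(), new.lower()) < min_distance:
        return True
    return core(old) == core(new)


if __name__ == "__main__":
    for old, new in (("Summer23!", "Summer24!"), ("Summer23!", "Winter99!"),
                     ("Summer23!", "SUMMER2024#")):
        print(f"{old!r} -> {new!r}: trivial={is_trivial_change(old, new)}")
```

The comparison must happen only in the change request itself; the stored record keeps just the salted hash, so nothing here requires retaining old passwords.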

Using a unique password for each site and account. Even with great security, companies can be the victims of data leaks that include personal information such as your passwords.
To check whether your password has been leaked, you can use haveibeenpwned.com.