Using passphrases instead of passwords

A password is typically composed of ten or fewer letters, numbers, and symbols. It could be a single word like “yourname”, a word that is obfuscated with other characters like “Dr@ke123”, or a string of random characters such as “B@3!&O$$”. Those examples go from least secure to most secure in terms of password choice, but EVERY password fewer than ten characters can be cracked within three weeks using modern computer technology.

A passphrase, however, is longer than a password and can contain spaces between words. An example would be “The road to success is always under construction!” A passphrase doesn’t have to be a proper grammatically correct sentence, but passphrases often have spaces between words and are always significantly longer than the average password.

So why would you use a passphrase instead of a password?

  1. Passphrases are easier to remember. You are more likely to remember a phrase you create than a short but complicated password.
  2. Passphrases satisfy complexity rules easily. The combination of upper- and lower-case letters as well as punctuation in passphrases usually meets systems’ password complexity requirements.
  3. Passphrases are much more difficult to crack. Most highly efficient password cracking tools break down around ten characters. These tools cannot guess, brute-force, or pre-compute passphrases, especially if they are more than 15 characters.

Are passphrases always better?

Not necessarily. A long password – 14 characters or more – composed of random uppercase and lowercase letters, numbers and symbols is just as difficult to crack as any passphrase, but it’s much harder to remember. If you are using a password manager, which will allow you to securely store and easily retrieve passwords, the security and usability differences between passwords and passphrases will not be significant. However, if you are setting passwords that you must remember and enter by heart, then passphrases will always be better choices.

Recommendations for creating and using passphrases:

  1. Ensure your passphrase is a minimum of 15 characters.
  2. Include at least four words, though five is even better.
  3. Use punctuation in the passphrase. Including a number further increases the complexity and is required by some systems.
  4. Don’t create passphrases from common quotes, sayings, or songs. A passphrase should be meaningful to you, but not easy to guess.
  5. Use a unique passphrase for every account you own. That way, if one passphrase is compromised, your other accounts will remain secure.
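As an added example (not part of the original article), the following Python turns recommendations 1 to 4 into a checkable policy and compares the brute-force search sizes behind the "harder to crack" claims above. The quote blocklist is a constructed sample, and the 7776-word list size is an assumption borrowed from Diceware-style word lists.

```python
import math
import re
import string

# Constructed sample blocklist; a real deployment would load a much larger
# list of well-known quotes, sayings and lyrics (normalized the same way).
COMMON_PHRASES = {
    "to be or not to be",
    "may the force be with you",
    "i will always love you",
}


def normalize(phrase: str) -> str:
    """Lower-case and drop punctuation so 'To be, or not to be!' still matches."""
    return " ".join(re.findall(r"[a-z0-9']+", phrase.lower()))


def check_passphrase(phrase: str, require_digit: bool = False) -> list[str]:
    """Return the recommendations the phrase fails (empty list means it passes).

    require_digit models systems that insist on a number (recommendation 3).
    """
    failures = []
    words = phrase.split()
    if len(phrase) < 15:                                   # recommendation 1
        failures.append("min_length_15")
    if len(words) < 4:                                     # recommendation 2
        failures.append("min_4_words")
    if not any(c in string.punctuation for c in phrase):   # recommendation 3
        failures.append("needs_punctuation")
    if require_digit and not any(c.isdigit() for c in phrase):
        failures.append("needs_digit")
    if normalize(phrase) in COMMON_PHRASES:                # recommendation 4
        failures.append("common_quote")
    return failures


def guess_space_bits(length: int, alphabet_size: int) -> float:
    """log2 of the candidates a brute-force attacker must cover for a uniformly
    random string of `length` symbols drawn from `alphabet_size` choices.
    Use alphabet_size=95 for printable ASCII characters, or the word-list size
    (assumed 7776 here) when the 'symbols' are randomly chosen words."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ["Dr@ke123", "To be, or not to be!", "Purple kettles sing at 7 dawns!"]:
        print(f"{candidate!r}: {check_passphrase(candidate, require_digit=True) or 'OK'}")
    print(f"8 random chars: {guess_space_bits(8, 95):.1f} bits")
    print(f"5 random words: {guess_space_bits(5, 7776):.1f} bits")
    print(f"14 random chars: {guess_space_bits(14, 95):.1f} bits")
```

The 8-character random password falls well below the five-word passphrase, while the 14-character random password sits above it, which is the trade-off the previous section describes.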

Regardless of how complex a password or passphrase is, hackers will still attempt to trick you into divulging login credentials, often via email.

Because of this ongoing threat, ITS simulates phishing and will assign training to those most susceptible as part of our larger cybersecurity strategy. If you believe you’ve been targeted by phishing, see Reporting a Phishing Message (How-to) for next steps.

Christopher Mielke, ITS