Passphrase or password?

Posted by Ben Orchard on May 26, 2015 2:53:00 PM

Security is a trade-off between easy to use and secure.

In this blog we are going to take a look at a method of security that is often overlooked and yet can make a system a lot more secure.

The humble password.

For years we have all been taught to use a password that is a mix of letters and symbols. But should we rather be using a passphrase?

Which is better to use and why?

What's the difference between a password and a passphrase?

A password is usually one word. Often between 5 and 8 characters, perhaps a word, perhaps a jumble of some random characters like "!@#$%^&*". Often it is a mix of both, for example Pa55w07d.

A passphrase often has spaces in it and is always longer in total length than most words.

An important aspect of the phassphrase is that even though it is longer, it is often far eaiser to type out. All the more so on a smart phone or mobile device. But in this case are we trading ease of use for compromised security?

Which is better to use and why?

Correct Horse Battery Staple:

For many years I have been a fan of the xkcd comic strip.... In fact, it's the only comic strip I read.
(I subscribe to his RSS feed, so I get notified every time he publishes a new one.)

Among the handful of Randall's comics that have gone viral, I would place this one near the top since it sums up so elegantly the power of the passphrase.


I really can't do a better job of showing why longer is better than this comic.

To help you make up these longer passphrases, there is a website that has been inspired by the xkcd comic.You can visit it by following this correcthorsebatterystable link.

We can step it up another notch and throw some punctuation marks into the mix:
" I love! vocal Trance (yes)"

In this case, we could even include the quotes. Also note the use of the space after the first quote. Spaces simply make the passphrase longer. Keep in mind that they sound different when typing them on a PC keyboard, but feel more natural to add them when on a mobile deivce. It's also important to note that some systems do not accept the space as a valid character. (Hopefully these systems are getting updated as we speak--there really is no good reason not to allow a space in a password/passphrase).

If we want to step it up even more, throw in some spelling mistakes. Yes, really. If we misspell some words, then something like a pure dictionary attack is going to be delayed even longer, and thus we buy even more time to be alerted about the attempts to crack our account.

If you are interested in reading more about passwords, there are many good articles on the web.

For example, while this article was writtten way back in 2002, the 10 myths it mentions are still floating around today and still need to be busted today. Symantec, ten Windows password myths.

Conclusion - A longer passphrase is always better:

For those services that will allow long passphrases, there is no doubt that making your password long and strong is an important step to improving the security of that service.

There is a great website that shows clearly how longer is better; just head on over to howsecureismypassword.net and try some short and long strings. You will very quickly see the strength improve once you go longer than 12 characters. 

Yes, it will take longer to type the passphrase each time you need it, but remember, if it's easy, it's not secure. Also remember that it is easier to remember a funny longish sentence, so you will be more inclined to use the longer passphrase. Those extra 2-3 seconds to type it out make a massive difference to the time it takes to break it.

Next week we will take a look at techniques you can use to improve the security of a Wifi network.

Till then, Cheers Mate.

P.S. There is no question that if the service allows it, two-factor authentication is one of the strongest methods you can use to protect that service. We did not mention it at all in this blog because we are going to be talking about security on various devices in the coming blogs, and not all of those devices that I am currently testing/using allow for two-factor authentication--but all allow for long passphrases.


Topics: groov, Internet of Things, Tips, IoT, Networking

Written by Ben Orchard

    Subscribe to Email Updates

    Recent Posts

    Posts by Topic

    see all