
Security Review: Are Passphrases Better Than Passwords?

A password is usually made up of a single string of characters – a combination of special characters, letters, and numbers. A passphrase is typically longer than a password, with spaces between words.

There are daily news stories about cyber-attacks, the majority of which are linked to poor password practices. Cybernews research found that the most common password in 2022 was the notoriously bad “123456”, with second and third place taken by the equally insecure “12345” and “password”.

Whilst we live in a world where credential-based logins are still operationally essential, it is important that we are regularly reviewing the options available. Here we look at the strengths and limitations of both passphrases and passwords for enterprises.

Length vs Complexity

It has been shown that length has a bigger impact on password strength than complexity. A study by Hive Systems showed that an 8-character password with a mixture of letters, numbers, and special characters could be cracked within 8 hours, whereas a 14-character passphrase using only lowercase letters would take an average of 51 years to crack. This makes sense mathematically: each time the entropy (i.e. the range of characters a password can use) is widened by one character, the number of possible combinations grows linearly, but each additional character of length grows the number of possible combinations exponentially.

(It is also worth noting that passwords appearing on the most-common-passwords lists can be cracked in a matter of seconds.)
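The comparison above can be reproduced from first principles. The following is an added example (not part of the original article or the Hive Systems study): it computes the search space for a password of a given length and character set, converts it to bits of entropy and to an expected cracking time at an assumed guess rate, and goes one step further by modelling a multi-word passphrase the way a word-guessing attacker sees it. The guess rate of 1e10 per second and the 7776-word dictionary size are assumptions chosen for illustration; Hive Systems' published times rest on its own hardware and hashing assumptions, so the absolute figures differ while the ratios between cases hold.

```python
import math

# Character-class sizes (standard ASCII counts: 26 lowercase letters,
# 52 letters, 62 alphanumerics, 95 printable characters including space).
CHARSETS = {
    "lowercase": 26,
    "letters": 52,
    "letters+digits": 62,
    "printable ASCII": 95,
}

# Assumed attacker throughput in guesses per second. This is a constructed
# figure for illustration only; the study quoted in the article uses its own
# hardware and hash assumptions, so absolute times differ but ratios do not.
GUESS_RATE = 1e10


def keyspace_chars(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def keyspace_words(dictionary_size: int, word_count: int) -> int:
    """Search space faced by an attacker who guesses whole dictionary words
    (a dictionary attack on a passphrase) rather than individual characters."""
    return dictionary_size ** word_count


def entropy_bits(keyspace: int) -> float:
    """Entropy of a secret chosen uniformly at random from `keyspace` possibilities."""
    return math.log2(keyspace)


def crack_time_seconds(keyspace: int, guesses_per_second: float = GUESS_RATE) -> float:
    """Expected time to find a uniformly random secret: on average half the space is searched."""
    return keyspace / 2 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.3f} seconds"


def compare(rate: float = GUESS_RATE) -> list:
    """Rows of (description, entropy bits, expected crack time) for the two cases
    the article discusses, plus two models of a three-word passphrase."""
    cases = [
        ("8 chars, printable ASCII", keyspace_chars(CHARSETS["printable ASCII"], 8)),
        ("14 chars, lowercase only", keyspace_chars(CHARSETS["lowercase"], 14)),
        # "orange elastic kitten" is 21 characters; an attacker guessing
        # characters faces a 27-symbol alphabet (lowercase plus space)...
        ("21 chars, lowercase+space (character model)", keyspace_chars(27, 21)),
        # ...but one guessing whole words from a 7776-word list (assumed size,
        # the length of a standard Diceware list) faces only 7776**3 candidates.
        ("3 words from 7776-word list (dictionary model)", keyspace_words(7776, 3)),
    ]
    return [(name, entropy_bits(space), human_duration(crack_time_seconds(space, rate)))
            for name, space in cases]


if __name__ == "__main__":
    for name, bits, when in compare():
        print(f"{name:48s} {bits:6.1f} bits  ~{when}")
```

The last two rows are the point the article makes later about dictionary attacks: the same three-word passphrase is enormous when modelled character by character and modest when modelled as three draws from a word list, so the real strength of a passphrase is bounded by how unpredictable its words are, not by its character count.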

User Experience

Both passwords and passphrases can be made more secure. However, making a password high-entropy makes it more difficult for a human to remember. Compare the passphrase “Orange Elastic Kitten” to the password “+3r8S#xA”: length is easier for us to remember than complexity. This benefits not only security but also usability, reducing the friction of having to remember multiple complex passwords.

The Limitations of Passphrases

Although research shows that a passphrase is a stronger method of authentication, it is not a perfect solution. As attackers become more sophisticated, they will use other methods against passphrase-protected applications, such as a dictionary attack that tries likely word combinations, or simply socially engineering or phishing the passphrase from the user.

Employees use an average of 36 different cloud services at work – while remembering one passphrase is easy to do, memorising dozens of them and their corresponding applications is not, so the problem of password reuse or insecure storage persists.

As such, the passphrase is a middle ground, hitting a sweet spot between security and usability. Its weaknesses are a consequence of the need to create credentials that humans can remember. In an ideal password-based system, passwords would be extremely long and composed entirely of random characters, but the impracticality of this negates its security benefits. While creating weak passwords that are susceptible to brute-force attacks is a security issue, the same is true of making them too difficult to remember.

What is the Answer?

Single Sign-On (SSO) solutions remove the human barriers to strong passwords or passphrases. An SSO solution that includes an Enterprise Password Manager can generate extremely long, unique, complex character strings that would take modern computers billions of years to brute force. These are then vaulted and entered into login forms whenever users access the application, removing the need for end users to create or memorise credentials. These passwords can also be hidden from the end users to prevent them from being phished.
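What a password manager does when it generates such a credential is straightforward to show. The following is an added example written for this article, not code from any particular SSO or password-manager product: it draws characters with the operating system's cryptographic random source via Python's `secrets` module (never the `random` module, which is predictable), enforces a character-class policy by rejection sampling so that every accepted password remains equally likely, and reports the entropy of the result. The 32-character default length and the four-class policy are assumptions for the example.

```python
import math
import secrets
import string

# Alphabet a generated credential is drawn from: the 94 printable ASCII
# characters excluding space (some login forms trim leading/trailing spaces).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Character classes an assumed policy requires at least one of each.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def meets_policy(password: str) -> bool:
    """True when the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length: int = 32) -> str:
    """Draw `length` characters uniformly from ALPHABET using the CSPRNG behind
    `secrets`, redrawing whenever a sample misses a required class.
    Rejection sampling, unlike inserting one forced character per class,
    keeps every accepted password equally likely."""
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly chosen string of this length: log2(alphabet_size ** length).
    The class policy removes only a negligible fraction of that space at 32 characters."""
    return length * math.log2(alphabet_size)


def generate_for_apps(app_names) -> dict:
    """One unique generated credential per application, as a vault would store them;
    nothing here is ever shown to or typed by the end user."""
    return {app: generate_password() for app in app_names}


if __name__ == "__main__":
    # Constructed sample application names for illustration.
    vault = generate_for_apps(["crm.example", "hr.example", "wiki.example"])
    for app, pw in vault.items():
        print(f"{app:14s} {pw}  ({entropy_bits(len(pw)):.0f} bits)")
```

At 32 characters from a 94-symbol alphabet the credential carries roughly 210 bits of entropy, far beyond anything a brute-force search can reach, and because a different string is generated for every application, the reuse problem described in the previous section does not arise.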

As a result, many leading authorities on cybersecurity are recommending that technological solutions be adopted, with the password vs passphrase debate being of secondary importance to how credentials are created, stored, and used. For example, the UK government’s National Cyber Security Centre (NCSC) states: “The NCSC recommend the use of password managers for secure storage wherever appropriate. As well as providing secure storage, password managers can help users by generating and auto-filling passwords when required.”

By adopting an Enterprise Password Manager, organisations can profoundly improve their security posture by eliminating the need for users to manage passwords. At the same time, their users also experience less friction, allowing them to be more productive and reducing the business cost of password incidents. Whether passwords or passphrases, the organisation benefits from both security and efficiency.
