Why use passphrases over passwords? | Passphrase best practice guide

A passphrase is a password; it’s simply one that’s made up of random whole words (usually three or four). So if a passphrase is just a password, why does it matter which kind we require end users to create? There’s more to it than semantics: there are genuine benefits to shifting your password policy towards passphrases. We’ll walk through why passphrases are stronger in terms of security, how to help your end users create effective phrases, and how to successfully strengthen your password policy.

Passphrases vs passwords 

According to Verizon, 86% of initial attack access is gained through stolen credentials. One simple way to strengthen all of the passwords within your organization’s Active Directory is to make them longer. This makes passwords harder to guess and crack through brute force and hybrid dictionary attacks. As the table below shows, passwords with complexity requirements and a common hashing algorithm (MD5) become near-impossible to crack via brute-force techniques when over 15 characters in length.  

Time taken to crack MD5 hashed passwords – see full research here. 

The math tells us that the longer the password, the stronger the password. This is why we’d always recommend an end user’s password is longer than 15 characters. However, longer strings of random characters are also harder for end users to remember. This is where passphrases come in – they’re simply much easier to remember once you get to 15-20+ characters.
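To put numbers on “the math tells us”, here is a small calculator, added for this guide and not part of the original article or Specops tooling, that sizes the search space for a character-level brute force and for a wordlist-aware attack on a passphrase. The guess rate (1e11 guesses per second) and the 7776-word list size (the size of the common diceware lists) are assumptions chosen for illustration. The wordlist view is the caveat a defender should keep in mind: if the attacker knows the list the words came from, strength comes from the number of words, which is why the four-word minimum cited later in the article matters.

```python
import math

# Illustrative guess rate (guesses per second) for an attacker brute-forcing
# unsalted MD5 hashes offline. Assumed for this example, not taken from the
# article's table.
GUESSES_PER_SECOND = 1e11

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def keyspace(charset_size: int, length: int) -> int:
    """Number of strings a brute force must try, in the worst case, for a secret
    of `length` symbols each drawn from `charset_size` possibilities."""
    return charset_size ** length


def entropy_bits(keyspace_size: int) -> float:
    """Entropy, in bits, of a secret chosen uniformly from keyspace_size options."""
    return math.log2(keyspace_size)


def crack_seconds(keyspace_size: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to exhaust the keyspace at the given guess rate."""
    return keyspace_size / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


# Two ways to model a passphrase's search space:
#  - character view: the attacker brute-forces it as a string of letters and
#    separators, so a 21-character lowercase passphrase looks like 27^21;
#  - wordlist view: the attacker knows it was built from a published list, so
#    four words from a 7776-word list (assumed size) is only 7776^4 guesses.
# Size the policy against the wordlist view; it is the smaller number.
SCENARIOS = [
    ("8-char random, all 95 printable ASCII", keyspace(95, 8)),
    ("15-char random, all 95 printable ASCII", keyspace(95, 15)),
    ("21-char passphrase, character view (26 letters + '-')", keyspace(27, 21)),
    ("3 random words from a 7776-word list", keyspace(7776, 3)),
    ("4 random words from a 7776-word list", keyspace(7776, 4)),
    ("5 random words from a 7776-word list", keyspace(7776, 5)),
]


def main() -> None:
    header = f"{'scenario':<55} {'bits':>6}  worst-case time at {GUESSES_PER_SECOND:.0e} guesses/s"
    print(header)
    for label, space in SCENARIOS:
        print(f"{label:<55} {entropy_bits(space):6.1f}  {human_time(crack_seconds(space))}")


if __name__ == "__main__":
    main()
```

Running it shows the 8-character complex password falling in hours at this rate, the 15-character one taking longer than any attacker’s lifetime, and three words from a known list exhausted in seconds, which is why word count, not just character count, belongs in the policy.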

Which of the below would you back yourself to still remember in two hours’ time: the 21-character passphrase or the 8-character password? It’s a simple concept to get across to any end user, regardless of their IT security skills.



But isn’t the second password more secure because it’s got more complexity? Not necessarily. A key problem with passwords is that organizations have focused too much on complexity when setting password policies, to the detriment of length.

The complexity complication

Complexity was supposed to make passwords more unique, but user behavior has actually led to the convergence rather than divergence of passwords: they’re getting more similar because the same old patterns keep being used. Complex and random passwords are hard for people to remember, so people have come up with ways to cope with complexity requirements, usually by defaulting to the same familiar patterns:

  • A common dictionary word or keyboard walks as the root phrase 
  • Capitalized first letter 
  • Number(s) and a special character at the end 
  • Common character substitutions (e.g. @ for a, or 0 for o)  

For example, applying the above rules means the word ‘complicated’ becomes ‘Complic@ted1!’. This would pass in many organizations as a good password that meets their default Active Directory password policy. Of course, attackers are familiar with these strategies and use this knowledge to optimize their brute-force and hybrid dictionary attacks. Traditional complexity requirements have essentially made passwords tricky for humans to remember, but very easy for computer software to guess.
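The same pattern knowledge works in the defender’s favour: a password filter can undo the decorations before checking the root against a dictionary. The following is an added example written for this guide, not code from the article or from Specops Password Policy; the six-word dictionary, the substitution table and the keyboard rows are constructed stand-ins for the full lists a real policy engine would load.

```python
from __future__ import annotations

import itertools
import re

# Constructed stand-in for the English dictionary a policy engine would load.
DICTIONARY = {"complicated", "password", "welcome", "summer", "dragon", "monkey"}

# Reversals of the substitutions the article lists ("@" for "a", "0" for "o"),
# plus a few more that hybrid dictionary rules commonly apply. Symbols that
# could stand for more than one letter map to every candidate letter.
LEET_REVERSALS = {
    "@": "a", "4": "a", "0": "o", "3": "e", "$": "s", "5": "s", "7": "t",
    "1": "il", "!": "il", "|": "il",
}

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
WALK_LENGTH = 4  # a run this long along one row counts as a keyboard walk


def root_candidates(password: str) -> set[str]:
    """Strip the trailing digits/symbols and undo character substitutions,
    returning every lowercase root the password could have been built from.
    (Candidates grow 2x per ambiguous symbol; fine for real-world passwords.)"""
    core = re.sub(r"[^A-Za-z]+$", "", password)  # drop "1!"-style suffixes
    choices = [LEET_REVERSALS.get(ch, ch) for ch in core]
    return {"".join(combo).lower() for combo in itertools.product(*choices)}


def keyboard_walk(password: str) -> bool:
    """True if any WALK_LENGTH-character window runs along a keyboard row,
    forwards or backwards (qwer, poiu, 1234, 4321)."""
    text = password.lower()
    rows = KEYBOARD_ROWS + [row[::-1] for row in KEYBOARD_ROWS]
    for i in range(len(text) - WALK_LENGTH + 1):
        window = text[i:i + WALK_LENGTH]
        if any(window in row for row in rows):
            return True
    return False


def weak_root(password: str) -> str | None:
    """Return the reason a password is predictable (a dictionary word dressed up
    with the usual tricks, or a keyboard walk), or None if no pattern matched."""
    hits = sorted(root_candidates(password) & DICTIONARY)
    if hits:
        return f"dictionary word '{hits[0]}' with predictable decorations"
    if keyboard_walk(password):
        return "keyboard walk"
    return None


if __name__ == "__main__":
    for candidate in ["Complic@ted1!", "P@55w0rd", "Qwerty123!", "correct-horse-battery-staple"]:
        print(f"{candidate:<30} -> {weak_root(candidate) or 'no common pattern found'}")
```

The check is deliberately cheap: it rejects ‘Complic@ted1!’ for the same reason an attacker’s rule set would try it early, while a genuinely random four-word passphrase sails through because no single dictionary word survives normalisation.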

Another problem with making users create complex passwords is it increases the risk of password reuse. Bitwarden found 68% of internet users manage passwords for over 10 websites – and 84% of these people admit to password reuse. If people have memorized one complex password, the temptation will be there to reuse it instead of trying to manage and remember 10 unique complex passwords. Password reuse greatly increases the likelihood of a password becoming compromised. 

So, if password strength isn’t best achieved through complexity, what’s the alternative approach? You’ve guessed it – long, memorable passphrases.  

Creating a strong passphrase – best practice tips 

Swapping from passwords to passphrases might be a bit counterintuitive for your end users at first. Some initial education about how longer passwords are strongest can help to get things underway. The Canadian Centre for Cyber Security recommends a passphrase should be at least four words and 15 characters in length. Similarly, the UK National Cyber Security Centre recommends combining three random words.   

Random word generators can be helpful – most popular password managers have in-built random passphrase generators too. For added password entropy (a measure of how unpredictable a password is) you could even encourage end users to deliberately misspell one of the words, as long as it’s still easy to remember.

Three passphrase best practice tips 

  1. Be unpredictable: Randomness is key with passphrases. For example, ‘Michael-Jordan-Basketball’ might be a 20+ character password, but it’s not random as the words are linked together. Likewise, you don’t want end users to choose words or phrases relevant to your organization – a tool like Specops Password Policy allows you to add custom dictionaries of blocked words to your Active Directory.  
  2. Never reuse: No matter how strong a work passphrase may be, it can still become compromised if end users reuse passphrases on personal devices via an unsecured network, application, or website. It’s a hard habit to stamp out completely, so your IT department can use a tool such as Specops Password Policy to continuously scan your Active Directory for passphrases known to already be compromised.  
  3. Enable MFA: Even after creating a strong passphrase, it’s always worth adding another layer of authentication. Multi-factor authentication isn’t infallible, but it adds another obstacle for hackers to overcome if they manage to compromise one of your end users’ passphrases. 
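The three tips above, together with the four-word / 15-character minimum cited earlier, can be expressed as a small generator-plus-policy check. This is an added example for this guide, not Specops code: the 24-word list, the blocked organisation words (‘acmecorp’ and friends) and the single known-compromised entry are all constructed placeholders, and the compromised list is kept as SHA-256 digests to show the shape of a breached-password check rather than any particular vendor’s feed.

```python
from __future__ import annotations

import hashlib
import re
import secrets

# Constructed wordlist; a deployment would use a published list of several
# thousand words, or the generator built into the password manager.
WORDLIST = [
    "anchor", "basil", "candle", "dune", "ember", "falcon", "garnet", "harbor",
    "island", "jigsaw", "kettle", "lantern", "marble", "nectar", "orbit", "pebble",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
]
SEPARATOR = "-"

# Thresholds from the guidance the article cites (Canadian Centre for Cyber
# Security: at least four words and 15 characters).
MIN_WORDS = 4
MIN_LENGTH = 15

# Constructed custom dictionary of organisation-specific words to block
# (tip 1: nothing relevant to your organisation).
BLOCKED_WORDS = {"acmecorp", "acme", "widgetsinc"}


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed stand-in for a feed of known-compromised passphrases, stored as
# digests so the plaintexts never sit on disk (tip 2: never reuse).
COMPROMISED_DIGESTS = {_sha256("summer-winter-spring-autumn")}


def generate_passphrase(words: int = MIN_WORDS) -> str:
    """Pick words with the secrets module (a CSPRNG); random.choice is not
    suitable for anything that must be unpredictable."""
    return SEPARATOR.join(secrets.choice(WORDLIST) for _ in range(words))


def evaluate(passphrase: str) -> list[str]:
    """Return every policy rule the passphrase fails; an empty list means it passes."""
    failures: list[str] = []
    words = [w for w in re.split(r"[^A-Za-z]+", passphrase) if w]
    lowered = passphrase.lower()
    if len(words) < MIN_WORDS:
        failures.append(f"only {len(words)} word(s); need at least {MIN_WORDS}")
    if len(passphrase) < MIN_LENGTH:
        failures.append(f"only {len(passphrase)} characters; need at least {MIN_LENGTH}")
    for blocked in sorted(BLOCKED_WORDS):
        if blocked in lowered:
            failures.append(f"contains blocked word '{blocked}'")
    if _sha256(passphrase) in COMPROMISED_DIGESTS:
        failures.append("matches a known-compromised passphrase")
    return failures


if __name__ == "__main__":
    suggestion = generate_passphrase()
    print(f"suggested: {suggestion} -> {evaluate(suggestion) or 'passes policy'}")
    for sample in ["Michael-Jordan-Basketball", "acmecorp-river-marble-lantern",
                   "summer-winter-spring-autumn", "coffee-river-marble-lantern"]:
        print(f"{sample:<32} -> {evaluate(sample) or 'passes policy'}")
```

Note what the check cannot do: ‘Michael-Jordan-Basketball’ is rejected here only for being three words, not for being three related words. Predictable word combinations are caught by the compromised-password scan once they appear in breach data, which is why that scan runs continuously rather than only at password-change time.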

Roll out passphrases for a better user experience  

Rolling out a new password policy with Specops Password Policy is simple from an admin perspective. An admin can choose to only support traditional passwords, longer and more secure passphrases, or both. The admin can also choose how information is presented to the end user who is attempting to change their password. This lets the admin provide clear and concise information to help their end users understand exactly what they need to do. 

When rolling out a new policy, end user experience is important too. The Specops Authentication Client provides dynamic feedback, which gives users real-time insight into what they need to do to meet the new policy – such as a 15-character passphrase. Length-based ageing can also be included, which ‘rewards’ users with a longer time to reset when they choose a longer password.  

Specops dynamic feedback and length-based ageing – not included at standard Windows password reset screen 

Interested in swapping from passwords to passphrases with minimal hassle? Find out how Specops Password Policy could fit in with your organization – speak to an expert today 


Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.

