Why use passphrases over passwords? | Passphrase best practice guide

A passphrase is a password; it’s simply one made up of random whole words (usually three or four). So if a passphrase is just a password, why does it matter which one we require end users to create? There’s more to it than semantics: there are genuine benefits to shifting your password policy towards passphrases. We’ll walk through why passphrases are stronger in terms of security, how to help your end users create effective phrases, and how to successfully strengthen your password policy.

Should you use passphrases or passwords?

According to Verizon, 86% of initial attack access is gained through stolen credentials. One simple way to strengthen all of the passwords within your organization’s Active Directory is to make them longer. This makes passwords harder to guess and crack through brute force and hybrid dictionary attacks. As the table below shows, passwords with complexity requirements and a common hashing algorithm (MD5) become near-impossible to crack via brute-force techniques when over 15 characters in length.  

Time taken to crack MD5 hashed passwords – see full research here. 

The math tells us that the longer the password, the stronger the password. This is why we’d always recommend an end user’s password is longer than 15 characters. However, longer strings of random characters are also harder for end users to remember. This is where passphrases come in: they’re simply much easier to remember once you get to 15-20+ characters.
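To make the "longer is stronger" argument concrete, here is an added worked example (not code from the article or from Specops) that computes keyspace entropy and worst-case exhaustion time for the two examples discussed next: a random 8-character password and a 21-character three-word passphrase. The guessing rate is a constructed placeholder, and the 7776-word list size is an assumption standing in for whatever word list a passphrase generator uses. The example also adds the view a practitioner wants alongside the article's: an attacker who knows the word list enumerates words, not characters, so the word count and list size, not the character length, set the passphrase's real entropy.

```python
import math

# Assumed guessing rate for the comparison. This is a constructed placeholder,
# not a figure from the article or from any hardware benchmark; set it to the
# rate you are modelling for the hash algorithm in use.
GUESSES_PER_SECOND = 10 ** 11

# Alphabet sizes an attacker has to cover when brute-forcing character by character.
CHARSET_FULL = 95            # printable ASCII: upper, lower, digits, symbols
CHARSET_LOWER_HYPHEN = 27    # lowercase letters plus '-' (conservative view of a hyphenated phrase)

# Size of the word list a word-aware attacker would enumerate instead
# (7776 is the size of a common five-dice word list; an assumption for this example).
WORDLIST_SIZE = 7776


def entropy_bits(alphabet_size: int, symbols: int) -> float:
    """Entropy of `symbols` independent, uniformly chosen items from an alphabet."""
    return symbols * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate in a keyspace of 2**bits guesses."""
    return 2.0 ** bits / rate


def human_time(seconds: float) -> str:
    """Round a duration to the largest convenient unit for display."""
    year = 365.25 * 24 * 3600
    if seconds >= year:
        return f"{seconds / year:.3g} years"
    if seconds >= 86400:
        return f"{seconds / 86400:.3g} days"
    if seconds >= 3600:
        return f"{seconds / 3600:.3g} hours"
    return f"{seconds:.3g} seconds"


def compare(rate: float = GUESSES_PER_SECOND) -> dict[str, tuple[float, float]]:
    """Entropy and worst-case exhaustion time for the cases discussed in the text."""
    cases = {
        "8 random chars, 95-symbol alphabet": (CHARSET_FULL, 8),
        "21-char phrase, brute-forced by character": (CHARSET_LOWER_HYPHEN, 21),
        "3 words from a 7776-word list": (WORDLIST_SIZE, 3),
        "4 words from a 7776-word list": (WORDLIST_SIZE, 4),
        "5 words from a 7776-word list": (WORDLIST_SIZE, 5),
    }
    result = {}
    for label, (alphabet, n) in cases.items():
        bits = entropy_bits(alphabet, n)
        result[label] = (bits, seconds_to_exhaust(bits, rate))
    return result


if __name__ == "__main__":
    for label, (bits, secs) in compare().items():
        print(f"{label:45s} {bits:6.1f} bits  {human_time(secs)}")
```

Run it and the two rows for the same 21-character phrase show the point: brute-forced by character it is around 100 bits and effectively unbreakable, but enumerated by word from a 7776-word list, three words are only about 39 bits, four words about 52 bits (roughly the same as a truly random 8-character password), and five words about 65 bits. The practical reading is the one the article gives: choose a word count and a list size that put the phrase well above the character-based password, and the result is still far easier to remember than eight random symbols.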

Which of the below would you back yourself to still remember in two hours’ time: the 21-character passphrase or the 8-character password? It’s a simple concept to get across to any end user, regardless of their IT security skills.

Fridge-Elephant-Phone 

84”fhg#l 

But isn’t the second password more secure because it’s got more complexity? Not necessarily. A key problem with passwords is that organizations have focused too much on complexity when setting password policies, to the detriment of length.

The complexity complication

Complexity was supposed to make passwords more unique, but user behavior has actually led to convergence rather than divergence: passwords are getting more similar because the same old patterns are being used. Complex and random passwords are hard for people to remember. This means people have come up with ways to cope with complexity requirements, usually by defaulting to the same familiar patterns:

  • A common dictionary word or keyboard walks as the root phrase 
  • Capitalized first letter 
  • Number(s) and a special character at the end 
  • Common character substitutions (e.g. @ for a, or 0 for o)  

For example, applying the above rules means the word ‘complicated’ becomes ‘Complic@ted1!’. This would pass in many organizations as a good password that meets their default Active Directory password policy. Of course, attackers are familiar with these strategies and use this knowledge to optimize their brute-force and hybrid dictionary attacks. Traditional complexity requirements have essentially made passwords tricky for humans to remember, but very easy for computer software to guess.
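The four patterns listed above are exactly what a custom dictionary check in a password filter should catch. The following is an added example of such a check, written for this page rather than taken from the article or from Specops Password Policy: it strips leading and trailing digits and symbols, reverses the usual character substitutions, and compares each remaining word against a blocked list. The blocked list and the organization-specific words in it are constructed for the example, and the 15-character minimum follows the recommendation in the text.

```python
import re

MIN_LENGTH = 15

# Constructed blocklist for the example: a few common roots plus words an admin
# would add as a custom dictionary for their own organization (placeholders here).
BLOCKED_ROOTS = {
    "password", "complicated", "welcome", "summer", "football", "letmein",
    "specops", "acme",
}

# Keyboard walks are matched as substrings of the lowercased password.
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "1qaz", "qazwsx")

# Undo the substitutions users habitually apply so 'Complic@ted' compares as 'complicated'.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "|": "l",
})

TRAILING_JUNK = re.compile(r"[\d\W_]+$")
LEADING_JUNK = re.compile(r"^[\d\W_]+")


def root_word(password: str) -> str:
    """Reduce a password to the dictionary root a hybrid attack would start from."""
    core = TRAILING_JUNK.sub("", password)
    core = LEADING_JUNK.sub("", core)
    return core.lower().translate(LEET_MAP)


def check(password: str) -> list[str]:
    """Return the policy violations found; an empty list means the password passes."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    # Pattern: capital letter only at the start.
    letters = [c for c in password if c.isalpha()]
    if len(letters) > 1 and letters[0].isupper() and all(c.islower() for c in letters[1:]):
        reasons.append("only the first letter is capitalized")

    # Pattern: digits/symbols appear only as a suffix (after undoing substitutions).
    stripped = TRAILING_JUNK.sub("", password)
    if stripped != password and stripped.translate(LEET_MAP).isalpha():
        reasons.append("digits and symbols only at the end")

    lowered = password.lower()
    for walk in KEYBOARD_WALKS:
        if walk in lowered:
            reasons.append(f"contains keyboard walk: {walk}")

    # Check every word of the root (a passphrase splits into several) against the blocklist.
    for word in re.split(r"[^a-z]+", root_word(password)):
        if word in BLOCKED_ROOTS:
            reasons.append(f"contains blocked word: {word}")
    return reasons


if __name__ == "__main__":
    for candidate in ("Complic@ted1!", "Fridge-Elephant-Phone", "Specops-Summer-2025!"):
        print(f"{candidate!r}: {check(candidate) or 'OK'}")
```

‘Complic@ted1!’ trips every rule at once, while ‘Fridge-Elephant-Phone’ passes. Note that the per-word check also catches organization-specific words inside an otherwise long passphrase, which is the point of a custom dictionary rather than a simple minimum length.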

Another problem with making users create complex passwords is it increases the risk of password reuse. Bitwarden found 68% of internet users manage passwords for over 10 websites – and 84% of these people admit to password reuse. If people have memorized one complex password, the temptation will be there to reuse it instead of trying to manage and remember 10 unique complex passwords. Password reuse greatly increases the likelihood of a password becoming compromised. 

So, if password strength isn’t best achieved through complexity, what’s the alternative approach? You’ve guessed it – long, memorable passphrases.  

Creating a strong passphrase – best practice tips 

Swapping from passwords to passphrases might be a bit counterintuitive for your end users at first. Some initial education about why longer passwords are stronger can help to get things underway. The Canadian Centre for Cyber Security recommends a passphrase should be at least four words and 15 characters in length. Similarly, the UK National Cyber Security Centre recommends combining three random words.

Random word generators can be helpful, and most popular password managers have built-in random passphrase generators too. For added password entropy (a measure of how complex and unpredictable a password is) you could even encourage end users to deliberately misspell one of the words, as long as it’s still easy to remember.
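Here is an added example of the kind of random passphrase generator the paragraph refers to; it is not code from the article, from Specops, or from any password manager. It uses the `secrets` module (a CSPRNG, unlike `random`) to pick whole words, enforces the four-word and 15-character floor cited above, and handles the edge case where four short words fall under 15 characters by adding another word. The word list is a small constructed one for the example; a real deployment would load a published list of several thousand words so that each word contributes meaningful entropy.

```python
import secrets

# Constructed word list for the example. A real deployment would load a large
# published list so that each word adds 12-13 bits rather than the ~4 bits here.
WORDS = [
    "fridge", "elephant", "phone", "copper", "window", "garden", "rocket",
    "velvet", "saddle", "lantern", "marble", "puzzle", "harbor", "falcon",
    "meadow", "thunder", "cactus", "orbit", "pepper", "glacier",
]

MIN_WORDS = 4      # Canadian Centre for Cyber Security guidance cited in the text
MIN_LENGTH = 15
SEPARATOR = "-"


def generate_passphrase(words=WORDS, min_words=MIN_WORDS,
                        min_length=MIN_LENGTH, separator=SEPARATOR, rng=secrets):
    """Pick words with a CSPRNG until both the word-count and length floors are met."""
    chosen = [rng.choice(words) for _ in range(min_words)]
    # Several short words can leave the phrase under the length floor; keep adding.
    while len(separator.join(chosen)) < min_length:
        chosen.append(rng.choice(words))
    # Capitalizing each word satisfies legacy complexity rules without hurting memorability.
    return separator.join(w.capitalize() for w in chosen)


def is_valid(passphrase, words=WORDS, min_words=MIN_WORDS,
             min_length=MIN_LENGTH, separator=SEPARATOR) -> bool:
    """Check a phrase against the same floors and confirm every word came from the list."""
    parts = passphrase.split(separator)
    return (
        len(parts) >= min_words
        and len(passphrase) >= min_length
        and all(p.lower() in words for p in parts)
    )


if __name__ == "__main__":
    for _ in range(3):
        phrase = generate_passphrase()
        print(phrase, "->", "valid" if is_valid(phrase) else "invalid")
```

The `rng` parameter exists so a test can inject a deterministic source; in production leave it as `secrets`. Any generator the organization adopts should be checked the same way: words must come from a list large enough to give the target entropy, and the phrase must clear both the word-count and character-length minimums, not just one of them.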

Three passphrase best practice tips 

  1. Be unpredictable: Randomness is key with passphrases. For example, ‘Michael-Jordan-Basketball’ might be a 20+ character password, but it’s not random as the words are linked together. Likewise, you don’t want end users to choose words or phrases relevant to your organization – a tool like Specops Password Policy allows you to add custom dictionaries of blocked words to your Active Directory.  
  2. Never reuse: No matter how strong a work passphrase may be, it can still become compromised if end users reuse passphrases on personal devices via an unsecured network, application, or website. It’s a hard habit to stamp out completely, so your IT department can use a tool such as Specops Password Policy to continuously scan your Active Directory for passphrases known to already be compromised.  
  3. Enable MFA: Even after creating a strong passphrase, it’s always worth adding another layer of authentication. Multi-factor authentication isn’t infallible, but it adds another obstacle for hackers to overcome if they manage to compromise one of your end users’ passphrases. 

Passwords vs passphrases comparison table

Passwords and passphrases are ultimately there to do the same thing – stop unauthorized account access. But they have slightly different ways of achieving this goal.

| Criteria | Passwords | Passphrases |
| --- | --- | --- |
| Definition | A string of characters used to verify a user’s identity. | A sequence of words or a phrase used to verify a user’s identity. |
| Length | Typically 8-15 characters. | Can be much longer, often 20+ characters. |
| Complexity | Often includes a mix of uppercase and lowercase letters, numbers, and symbols. | Usually consists of common words, with length being the key over complexity. |
| User experience | Can be difficult to remember, especially if truly random and complex. | Easier to remember because they are often phrases or sentences. |
| Security | Can be strong if complex, but vulnerable to brute-force attacks if they follow predictable patterns. | Generally more secure due to length and the use of multiple unpredictable random words. |
| Best practices | Use a mix of characters, avoid common words, and change frequently. | Use a long phrase, avoid linked words, and consider using a password manager. |
| Adoption | Widely used in various systems and applications. | Growing in popularity due to increased security and ease of use. |
| Compliance | Easy to meet complexity requirements, but doesn’t necessarily equal security. | Long passwords are the most secure, but some complexity may need to be added too in order to meet regulatory standards. |
| Example | f*yo6vDdN | Correct h0rse battery stap!e |

Roll out passphrases for better security and user experience  

Rolling out a new password policy with Specops Password Policy is simple from an admin perspective. An admin can choose to only support traditional passwords, longer and more secure passphrases, or both. The admin can also choose how information is presented to the end user who is attempting to change their password. This lets the admin provide clear and concise information to help their end users understand exactly what they need to do. 


When rolling out a new policy, end user experience is important too. The Specops Authentication Client provides dynamic feedback, which gives users real-time insight into what they need to do to meet the new policy – such as a 15-character passphrase. Length-based ageing can also be included, which ‘rewards’ users with a longer time to reset when they choose a longer password.  

Specops dynamic feedback and length-based ageing – not included in the standard Windows password reset screen

Interested in swapping from passwords to passphrases with minimal hassle? Find out how Specops Password Policy could fit in with your organization: speak to an expert today.

(Last updated on March 17, 2025)


Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.
