A passphrase consists of more characters than a password. Because the longer character string is harder to guess, passphrases offer greater security. A passphrase can be used for encryption, for signatures or for access protection of IT systems.
What is a passphrase?
A passphrase is a character string that is longer than a password and can consist of a variety of words and phrases. It can be used to sign messages, encrypt data or protect access to IT systems. Passphrases can have 100 characters or more. It is also possible to use spaces.
Because of their length, passphrases created according to certain guidelines are more difficult to guess than passwords, which often have only six to ten characters. The length of a passphrase means that more time is needed to enter it. However, it may be easier to remember, because it consists of a more or less meaningful sequence of words, terms or numbers. With the help of certain rules, passphrases can also be used to generate passwords that are easy to remember and yet secure. Many current operating systems such as Windows, Linux or macOS support passphrases in various application areas.
Comparison between passphrase and password
The most important difference between a password and a passphrase is the length. A password usually has only six to ten characters, while a passphrase can be up to several hundred characters long. A passphrase is therefore much more secure against brute-force attacks than a password, because far more attempts are required to exhaust the search space.
If passphrases are chosen according to certain criteria, dictionary attacks are virtually impossible. Unlike a typical password, a passphrase can contain spaces. However, the systems protected with the phrase must support the input of spaces; if they do not, the spaces must be removed from the phrase.
Just like a password, the passphrase does not have to consist of meaningful terms. It can be any string of numbers, letters, special characters, and spaces.
Security aspects of a passphrase
An attacker must expend a great deal of effort to recover a well-chosen passphrase. If that effort exceeds the resources the attacker can bring to bear within an acceptable amount of time, the passphrase can be considered sufficiently secure. When creating a passphrase, the following basic rules should be followed:
- Use passphrases that are as long as possible
- Do not choose well-known phrases or quotes from books or songs
- Choose passphrases that are difficult to guess
- Modify words and terms according to your own rules (e.g. replace certain letters with numbers or special characters)
- Do not use the same passphrases for different systems at the same time
Derive a secure password from a passphrase
If a system only supports passwords of a certain length, a passphrase can be used to generate a secure yet easy-to-remember password. For example, the passphrase could be “My car has 2 doors, 1 engine and 4 wheels”. If you now take the first letter of each word together with the numbers, you get the following password with a length of eleven characters: “MAh2T,1Mu4R”.
This can be further strengthened with the help of additional rules. For example, the letter “M” can be replaced with the string “X-”. The password derived from the passphrase is then: “X-Ah2T,1X-u4R”.
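As an added illustration (not code from the original article), the derivation rule above is implemented in Python, together with a rough brute-force search-space estimate for the comparison made earlier. Applied to the English sentence, the first-letter rule yields “Mch2d,1ea4w”; the printed “MAh2T,1Mu4R” does not follow from the English wording, so the substitution step is applied to the printed string as given. The search-space estimate is a constructed, character-class based approximation, not a figure from the article.

```python
import math
import string

# Constructed input: the example sentence from the article.
PASSPHRASE = "My car has 2 doors, 1 engine and 4 wheels"


def derive_password(passphrase: str) -> str:
    """Keep the first letter of every word, every digit, and any punctuation
    attached to a word (the comma in the article's example), drop the rest."""
    out = []
    for token in passphrase.split():
        first_letter_taken = False
        for ch in token:
            if ch.isdigit():
                out.append(ch)
            elif ch.isalpha():
                if not first_letter_taken:
                    out.append(ch)
                    first_letter_taken = True
            elif ch in string.punctuation:
                out.append(ch)
    return "".join(out)


def apply_rules(password: str, rules: dict) -> str:
    """Apply per-character substitution rules, e.g. {"M": "X-"}."""
    return "".join(rules.get(ch, ch) for ch in password)


def search_space_bits(secret: str) -> float:
    """log2 of the number of candidates a naive brute-force attacker must
    try for a secret of this length over the character classes it uses.
    Assumption: 26 lower, 26 upper, 10 digits, 33 punctuation incl. space."""
    classes = [
        (str.islower, 26),
        (str.isupper, 26),
        (str.isdigit, 10),
        (lambda c: c == " " or c in string.punctuation, 33),
    ]
    alphabet = sum(size for test, size in classes if any(test(c) for c in secret))
    return len(secret) * math.log2(alphabet)


if __name__ == "__main__":
    pw = derive_password(PASSPHRASE)
    print(pw, apply_rules(pw, {"M": "X-"}))
    # The derived password keeps only the short string's search space,
    # so the system's password length, not the passphrase, bounds the effort.
    print(round(search_space_bits(PASSPHRASE)), round(search_space_bits(pw)))
```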