318 W Adams, Chicago, Il 60606




  • September 19, 2023
  • James Velco
  • 0

Passphrase or Password, What's Better?

In need of a passphrase.

The convenience of technology comes with some useability tradeoffs, namely having to use passwords for everything! Passwords have become ubiquitous with using tech these days, then add two factor authentication and you have a recipe for frustration. To help manage all these passwords, you can use a password manager to track all your passwords associated to a certain website. Or you can use a passphrase.


A password is a string of characters that can include a combination of letters (upper and lower case), numbers, and special characters. Passwords are widely used in various applications, from accessing your email account to logging into your bank account online. A strong password is crucial to protect your data and personal information.

With so many passwords, you may be tempted to reuse a simple password like, “password123”.  Doing that goes against everything we are told about good password hygiene (never reuse the same password, use complex passwords with upper/lower case letter, use numbers and symbols, and for Pete’s sake, make sure it’s at least 7 characters!).


Passphrases are a sequence of words or text that is longer than a typical password. It can include spaces and is often a sentence or a phrase that is easy to remember but hard for others to guess. Passphrases would be similar to this: “The quick brown fox jumps over the lazy dog”. Passphrases are considered to be more secure than passwords because their length makes them harder to crack.

Let’s dig in and compare the two to see what works best for you:


   – Password:

Generally, passwords are shorter and can include a mix of letters, numbers, and special characters. However, increased cyber attacks has led to the recommendation of creating more complex passwords, which, as we all know, can be hard to remember.

   – Passphrase:

Passphrases are typically longer and can be easier to remember since many times they are a memorable sentence or phrase. However they don’t make sense. For example, I used a passphrase generator to get this: Routine1-Reword-Duckling.  Not that memorable, but secure.


   – Password:

Shorter passwords are easier to crack using brute force attacks (where an attacker tries all possible combinations of characters until they find the combination that matches your password). Therefore, security experts recommend creating a password with at least 12-16 characters. Doing this increases the number of possible combinations and makes it harder to crack.

   – Passphrase:

Due to their length, passphrases are inherently more secure against brute force attacks. Even a passphrase with common words is hard to crack due to the sheer number of possible combinations of words.


   – Password:

Passwords can be hard to remember, especially if they are complex and if a user has multiple passwords for different accounts. This often leads us to write down our passwords or use the same password for multiple accounts, which, as we all know, is a security risk.

   – Passphrase:

Since passphrases are typically a sentence or a phrase that is meaningful to the user, it makes it easier to remember. This helps to reduce the need to write passwords down or reuse them for multiple accounts.

While both passwords and passphrases have their pros and cons, passphrases are generally considered to be more secure due to their length and resistance to brute force attacks.

Knowing this, it is essential to choose a method that is suitable for the application and the user. For example, a passphrase may be more appropriate for securing sensitive information, while a password may be sufficient for less critical applications. Ultimately, the key to securing your data is to choose a strong, unique authentication method, this could be passwords or passphrases. Regardless, they need to be changed regularly.

What are the Guidelines for Creating a Secure Password or Passphrase?

The following guidelines will enhance your security posture when creating passwords or passphrases:

– Avoid Common Words or Phrases

   – Password: Never use easily guessable words such as “password123” or “admin”. Avoid using easily accessible personal information, like birthdays or anniversaries.

   – Passphrase: Avoid common sayings or phrases. Instead, opt for a unique combination of words that only you would understand or a phase that only you’d recognize.

– Incorporate a Mix of Characters

   – Password: Use a combination of uppercase and lowercase letters, numbers, and special characters to enhance password strength. The longer the better.

   – Passphrase: Although the length already adds to its security, consider incorporating numbers or special characters embedded in words for added complexity.

– Regularly Update Your Passwords/Passphrases

Both passwords and passphrases should be updated regularly, especially if there’s any indication of a security breach or if you’ve shared access with someone. Some password manager apps will let you know if the password has been found on the dark web.

– Avoid Using the Same Password/Passphrase Across Multiple Platforms

   By reusing passwords or passphrases across multiple sites, it increases the risk of unauthorized access to your accounts. Consider this: if one of your accounts is compromised, all of your other accounts with the same password or passphrase have been as well.

– Adopt Two-Factor Authentication (2FA) Globally

Whenever its possible, enable 2FA for an additional layer of security. By now, most of us know the process of using a code sent to us in a text or email, as an additional authentication. Since this is a built-in feature, we have implemented 2FA on many of our client’s O365 email systems. 

Don’t confuse a 2FA passphrase with a WPA2 password. A WPA2 passphrase is used to secure your home Wi-Fi network. 

– Use Password Managers

It’s extremely hard to remember and manage every single password needed to run our lives. Password managers can store and encrypt your passwords, offering you both convenience and enhanced security. There are a good number of password managers (PMs) that offer free versions. Most of PMs integrate into web browsers and offer a mobile version as well. We have used a number of PMs and we like Bitwarden. We used to standardize on LastPass, however, due to so many cyberattacks on their infrastructure, we no longer use LP because it seems that they have become a constant target for cybercriminals.   

– Test Your Password or Passphrase

There are reputable online tools and services that allow you to check the strength of your chosen password or passphrase. These can provide insights into its resilience against potential cyberattacks. Many password manager companies like Bitwarden, and NordPass offer these tools.

– Passkey?

In May of 2023, Google introduced Passkey authentication.  Google says “Passkeys are an easier and more secure alternative to passwords. They let you sign-in with just your fingerprint, face scan, or screen lock.” That means no passwords or passphrases, just touch and go.  

Passkeys can be used on the same device or from a different device. So, say you want to login to a website. You have an iPhone and you have a passkey stored on that iPhone. Just by unlocking the phone with Face ID it will log you into the website. Here’s where it gets magical. Say you need to login to that website using the Chrome browser on your computer.  You can now scan a QR code that will connect your phone to the computer, allowing it to use the passkey on the phone!

So passkeys are easy and convenient. Are they secure? 

Here’s what Apple says:

“…the operating system creates a unique cryptographic key pair to associate with an account for the app or website. These keys are generated by the device, securely and uniquely, for every account.

One of these keys is public, and is stored on the server. This public key is not a secret. The other key is private, and is what is needed to actually sign in. The server never learns what the private key is. On Apple devices with Touch ID or Face ID available, they can be used to authorize use of the passkey, which then authenticates the user to the app or website. No shared secret is transmitted, and the server does not need to protect the public key.”

Passkeys are quite secure and they work effortlessly. If you have a Google email account, you can enable passkey authentication and try it for yourself:

If you have a fingerprint reader on your laptop it makes the login process as easy as lifting a finger.

– Keep Up To Date

 As cybersecurity threats evolve, so do best practices for countering those threats. Create a process or hire a team to regularly educate you and your team on the latest security recommendations. Treat the recommendations like requirements and be proactive in adapting and implementing them. We monitor dark web activity for our clients and inform them if any PII is found on the dark web that matches with our client’s information. In addition, we also provide on demand “phishing” email testing, where we mimic a phishing attack on our client.  This is useful to determine who in your organization may need more training, when they interact with the test phishing email.

At the end of the day, secure authentication methods cannot be overstated. Applying these guidelines not only protects your personal and financial data but also contributes to a broader culture of cybersecurity awareness and responsibility. This is vital as more parts of our lives go digital. Remember, the strength of your password or passphrase is the cornerstone in your first line of defe

If you are in need of assistance with password management, reach out to us at  We can help put together a password management strategy for your business.