Passphrase vs. password: How are they different, and which is better?

What is a password?

A password is an alphanumeric combination of letters, special characters, and numbers that verify a user accessing an account. Passwords are commonly used to secure devices, networks, and various online platforms, from personal email to online banking.

Passwords are typically shorter than passphrases, usually around 8 to 10 characters long. However, password security experts recommend a minimum password length of 12 characters to ensure the password is not easy to crack.

Experts also recommend making passwords more complex by including a random mix of upper and lowercase letters, numbers, and special characters.

Here are a few examples of passwords:

• P@ssw0rd!
• Tr0ub4dor3
• S3cur1tyR0cks!
• JungleB3@t$
• @pplepi32025!

What is a passphrase?

The main strength of passphrases is that they use unrelated words to create a unique phrase. Here are a few examples of passphrases:

• Correct Horse Battery Staple
• Sunshine Rainbows Butterflies
• Jazz Music Coffee Lover
• Purple Monkey Dishwasher Carrot
• Guitar Pizza Football Tacos

Combining several random words makes passphrases more memorable than a long string of unrelated characters. They don’t have to be grammatically correct, so you can be as creative as you like.

However, it’s important to avoid common phrases. For example, the following passphrases could be relatively easy for hackers to guess:

• Iloverockandroll
• helloworldhowareyou
• happy birthday to me
• Imwalkingonsunshine
• thisisareallylongphrase

Passphrases can secure various accounts, from email and online banking to social media profiles. They provide an effective and secure authentication method, particularly if used with additional factors like two-factor authentication (2FA) or biometric verification.

What are the main differences between passphrases and passwords?

Both passwords and passphrases are designed to allow you to access your accounts while preventing unauthorized parties from doing so. However, they have several key differences, such as:

• Length. Passwords tend to be shorter than passphrases. Though security experts recommend a minimum password length of 12 characters, many passwords are around 8 to 10 characters long. However, these passwords are not strong enough to keep your account safe — the shorter the password, the easier it is for a cybercriminal to guess.
• Structure. A password could be a word, a couple of words, or a string of unrelated characters. A passphrase is typically several words strung together, with spaces between words. Passwords don’t typically have spaces, though many platforms allow using the space character to make passwords more secure.
• Complexity. Because passphrases are longer, they are considered more complex than passwords. You can create a short but complicated password using different character, letter, and number combinations. However, a passphrase will still be more complex than a password in most cases due to its length. Longer passphrases are much harder to guess.

Why passwords might not be the best option

When we first started using passwords, it was common to use personal passcodes (e.g., a favorite flower, childhood nickname, birth date, or pet’s name).

However, hackers found ways to guess these passwords based on the user’s name, social media profiles, and other online information.

Then came impersonal passwords, such as using a plain, random dictionary word. However, using a dictionary word meant hackers could guess it with the help of dictionary-cracking programs. Known as dictionary attacks, these cyberattacks try all known words and names to crack your password. If your password is a plain dictionary word, breaking into your account becomes much easier.

To protect ourselves from these or similar password attacks, we started composing passwords of numbers, letters, and special characters. While such combinations add an element of difficulty, humans are also relatively predictable. The special characters that replace letters are now common, for example:

• @ (substitute for "a")
• 1 (substitute for "i" or "l")
• ! (substitute for "i" or "l")
• 3 (substitute for "e")
• $ (substitute for "s")
• 0 (substitute for "o")
• 5 (substitute for "s")

To overcome this predictability, we’ve made passwords longer and more complex.

While a complex password can still be a secure solution for keeping out hackers, complex passwords are harder to remember. As a result, users have to reset passwords more often — or look for secure ways to save and autofill them.

Reasons to use passphrases over passwords

Now that you know why passwords may not be the most optimal solution, let’s look at why passphrases provide a better alternative.

Passphrases are easier to remember

Generally, passphrases are easier to remember than passwords. If a password uses several special characters as well as various upper and lowercase letters and is long enough, it’s probably difficult to remember. On the other hand, passphrases (like “Correct Horse Battery Staple”) are easier to memorize.

Passphrases are harder to crack

Hackers use various methods to crack passwords, including technologically advanced password-cracking tools. Because passphrases are longer and more complex, they’re typically harder to crack.

Apps allow longer passphrases

Most major applications and operating systems allow up to 127 characters for passwords. This character limit means you can create passphrases of five or more-word passphrases, making it much more difficult for cybercriminals to guess.

Passphrases satisfy complex rules

You can easily change a passphrase to satisfy complexity rules. For example, instead of combining five unrelated words, you can add one special character, start each word with an uppercase letter, or add one number at the end — and your passphrase will meet the requirements.

How to create a strong and memorable passphrase

Creating a strong, unique passphrase is an effective way to keep your accounts safe. Here are some tips to follow:

• Use unrelated words. When creating a passphrase, avoid using words that relate to each other (types of berries, for example). Guessing related words is easier for a cybercriminal, while unrelated words provide a challenge.
• Avoid popular sayings. Nursery rhymes, song lyrics, and quotes could be the first things hackers try using the brute force method. To make a passphrase strong, use unrelated (and nonsensical, made-up) words.
• Use uncommon words. Common words will always be easier for hackers to guess. Use a random string of unrelated, unusual words to strengthen your passphrase.
• Use upper- and lowercase letters. While using only lowercase letters won’t necessarily make the passphrase crackable, why not add a layer of security by mixing lowercase and uppercase letters? If, by some chance, a hacker manages to crack your passphrase, they’ll need to overcome another challenge — guessing which letters are uppercase and which lowercase.
• Make your passphrase at least 15 characters long. Security experts have always recommended long passwords. While a password should have at least 12 characters, a passphrase needs a minimum of 15 to offer the extra security benefits.
• Consider using five words. The more words you use in your passphrase, the more challenging it will be to guess them. If you’re already memorizing a phrase of four words, use five to make it even more secure. You could even create a proper sentence, as long as it isn’t common or expected.
• Use a different phrase for each account. One of the main password rules is using different passwords for each account. The same applies to passphrases. Repeating a passphrase means cracking one passphrase puts not one but several of your accounts at risk. Use different phrases for each account to protect your sensitive data.

Is storing passwords and passphrases in a web browser safe?

No, storing passwords and passphrases in your web browser isn’t as safe as you think.

Many users are tempted to keep their passwords in a web browser. After all, it’s easy and convenient, with browsers frequently asking if you want to save and autofill passwords so you can log in easily next time. But keeping your passwords in a web browser poses some serious risks.

• Device security. If someone logs in to your computer or laptop, they may be able to open the web browser and export all the password data you’ve stored. Some malware was specifically designed to do this.
• Browser vulnerabilities. Browsers may have security vulnerabilities that could expose your passwords. Of course, browser developers are likely doing what they can to patch up security flaws, but new vulnerabilities emerge on a regular basis.
• Third-party extensions. Browser extensions may add additional risks if they access your stored passwords. If an extension is compromised and has access to your passwords, your credentials could be at risk.
• Syncing across devices. While syncing across devices is convenient, it also means that if one of your devices is compromised, none of your passwords are safe.

Instead of relying on your web browser to store your passwords and passphrases, use a password manager. Password managers are designed to help you effectively manage your passwords, credit card details, and other sensitive information while keeping it all secure. A trusted, specially designed password manager will protect your login credentials and other sensitive data in ways that a web browser cannot.

For example, NordPass password manager is a highly secure, simple, and powerful tool for storing passwords and sensitive information. It keeps everything in an encrypted vault only you can access (from anywhere and on any device).

NordPass comes with several handy features, such as a password generator that creates strong, hard-to-crack passwords for you. NordPass also has Password Health, a feature that allows you to check if your password is secure.