passphrase instead of password

[Dillonhebist]

i was making research on Google about security and privacy when I came across something that get me wondering and decided to make more research and I find out some reasons why I think such word was made and i decided to share it here. this is what I came across on Google "Why some organizations recommend passphrases instead of passwords"
       Passphrase contain random words which are common and makes up a phrase or sentence which makes it easier for humans to remember but difficult for computers to generate, estimate, guess or crack. passphrase are not repeated, reused across other account.
Example of Passphrase: "boost common elevator calm hack cotton certain evil canyon" and so on, this will take centuries to be hack or crack with model computers.
                                while
         Password are words that are chosen, memorized or created by the user that  contain character length( the number of words),  special characters ( such as @,#,$,&,*), Uppercase and lowercase (the use of capital and small letters), Numbers.
Example of password: Britanialevard@876. therefore a strong password is recognised with the number of possible combination of letters, specific characters thereby increasing the time the computer will use in hacking or cracking the password.

Why some organizations recommend passphrases instead of passwords.
                   passphrase.                            
__Passphrase are generated by the system
__they are not reused
__passphrase is longer and more complex
__Passphrase is more Cyber secure than the most complex password
___passphrase are easy to remember by human but  difficult for computer to crack
                          password
__Password are created by the user
__password are mostly reused
__password is a short character set of mixed digits
___password are also easy to remember because they are been reuse but easier for come to crack or hack.
 
https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret NIST recommends that organizations should be considering implementing exposed passwords screening  https://www.enzoic.com/what-is-exposed-password-screening/  as part of their password policies to ensure that their users are not reusing passwords or passphrases that are compromised. This layered approach of password security is the best way to keep passwords safe, strong and unique.

stay safe.

[1715578277]

1715578277

[1715578277]

1715578277

[1715578277]

1715578277

[NeuroticFish]

One can use a password manager to avoid reusing passwords. The password manager I use (Bitwarden) can generate randomly passwords, as long and complicated as I want.
Passwords are still great because many websites don't allow enough characters in the password box for a proper passphrase.

Passphrases are great*. Their greatness comes from the sheer size, since even if you use only letters, there will be much more characters to be cracked, enough to not matter if other symbols are missing.

Just imagine the password: "I really care about this account and I want it to be safe". Long, huh?

But there's a problem too: if one knows you use only words from a certain language, your passphrase can be brute forced with dictionary attack.

So the (*) part was a trick. Passphrases are not so great alone. You need symbols to fight the dictionary attacks. Also passphrases with English written in l33t won't help. You'll need a variation, something, anything.
And then my lovely long passphrase can become "I!really@care#about$this%account^and&I*want(it)to_be+safe" (I've replaced space with the symbols from top row on the keyboard).
But.. this just became a longer password now, isn't it? Although a bit easier to remember...

[odolvlobo]

The distinction between the words "passphrase" and "password" is largely irrelevant. The reason for preferring a "passphrase" is that "password" implies that the use of a single word or an otherwise short sequence of characters is acceptable, when it is not.

So, I wouldn't get to hung up on the definitions of "passphrase" and "password". I would focus more on what increases their search space -- the length of the string, the size of the pool of possible characters, and the maximization of entropy, which is what you are describing.


A good rule of thumb is that a passphrase that is easy to memorize is also easy to guess.

[witcher_sense]

The biggest problem with passwords is that you have to rely on some external tools like password managers to generate strong enough passwords because, as we all know, our brains are extremely terrible at coming up with good randomness. In other words, it is a tough job to generate passwords manually, which often results in weak security, hacks, and easily-guessed passwords. Consequently, password managers are a must when it comes to password generation. On the other hand, there are passphrases there that can easily and randomly be generated completely manually, without needing to rely on external software or internet connection. How can you create a set of random words that no one else can guess? Here is a small guide on how to create strong passphrases with dice rolls: https://diceware.dmuth.org/. But it is not necessary to use the open-source software that comes with this guide. Instead, you can download and print up the wordlist: https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases and generate a passphrase of any length you want with just a set of multi-colored dice. The passphrases like that are relatively easy to back up or memorize but almost impossible to brute-force or guess.

[dkbit98]

Passphrase are generated by the system

This is not true, I can generate my own passphrases and use them for password managers or it can even be used for hardware wallets.
People often mix passphrases with passwords, but both of them can be used in exact same way.

they are not reused

They can be reused same like passwords, but this is worst thing you can do.
Some people even use single password for all websites and email accounts, this is disaster waiting to happen sooner or later.

passphrase is longer and more complex

Pasphrase is longer but it's not more complicated to remember than randomly generated password, that is almost impossible task.
Using simple to remember short password can be cracked in few minutes, and it's unsafe for use.

[Despairo]

Both are secure and mostly hard to crack, it's only depends on how you created it and how you keep it secure. A password with 13 special characters "@7*%67&$%!$>]" need 2 thousand years to crack it or almost impossible to crack similar like passphrase. A strong passphrase contains 24 words, I don't believe you said you can remember 24 words, many people mostly forgot his passwords even it's just a weak passwords.

https://www.passwordmonster.com/

[bitmover]

Passphrase are generated by the system

This is not true, I can generate my own passphrases and use them for password managers or it can even be used for hardware wallets.
People often mix passphrases with passwords, but both of them can be used in exact same way.

they are not reused

They can be reused same like passwords, but this is worst thing you can do.
Some people even use single password for all websites and email accounts, this is disaster waiting to happen sooner or later.

passphrase is longer and more complex

Pasphrase is longer but it's not more complicated to remember than randomly generated password, that is almost impossible task.
Using simple to remember short password can be cracked in few minutes, and it's unsafe for use.

Passphrase doesn't need to be long. It can be simple, just like two or three extra Words to your seed phrase.

Personally,  I have some passwords which are much longer than any passphrase I have ever used.

Let's remember that the password is usually the on only and last barrier against an attacker.
passphrase on the other hand are an additional security layer, which generates a whole new wallet

there is a nice guide from trezor here, suggesting some ideas for passphrases
https://blog.trezor.io/is-your-passphrase-strong-enough-d687f44c63af

Option 1: A random sequence of words
Option 2: A random-character passphrase
Option 3: A valid English sentence

[capedbaldy]

Aspects of protection for passwords and passphrase serve to increase security access to applications or accounts with the login method, the use of passwords is usually recommended the use of characters that are truly unique and difficult to guess, so I do not use passphrase for passwords that are difficult to remember and need to be stored in a secret file or write a manual on paper.

source : techtarget.com

The use of passwords and passphrase has advantages and disadvantages, if the password is easy to remember while the passphrase is not, both have different levels of security protection but for tight security, passphrase are the right choice.

[ABCbits]

But there's a problem too: if one knows you use only words from a certain language, your passphrase can be brute forced with dictionary attack.

Knowing the language alone usually isn't enough to brute force within reasonable time/resource, unless you only use very few words, the attacker have unlimited try or/and protected by weak hash algorithm. For example, average adult English speaker have a vocabulary of 20K-35K words[1]. Assuming they use 4 as their passphrase, you'll need to make 20000^4 (1.6x10^17) attempt.

[1] https://englishlive.ef.com/blog/language-lab/many-words-english-language/.

[Welsh]

One can use a password manager to avoid reusing passwords. The password manager I use (Bitwarden) can generate randomly passwords, as long and complicated as I want.

While password managers are great, and I use them myself. It's worth noting that it's extremely important to secure that password manager with a complex password or passphrase. Since, effectively the only thing that's stopping an attacker is that one credential. Although, I would probably recommend having a physical key as well, since that would mean they would require physical access to the password manager, which would effectively reduce its attack surface.

The use of passwords and passphrase has advantages and disadvantages, if the password is easy to remember while the passphrase is not, both have different levels of security protection but for tight security, passphrase are the right choice.

Arguably, passphrases could be easier to remember depending on how you generate them. Although, the same goes with how easy they might be to crack. For example, lets just go through a hypothetical situation where an attack has gained physical access to your computer, which is in your room. They sit there thinking about what the password or passphrase could be, so they take a look around your room, they see that you love Lord Of The Rings (LOTR), and your room is plastered with posters from the movie. So, they make the sound judgement of because you like LOTR's that's probably in the password/passphrase. However, that might not be enough, so they continue looking around your room, you've got a football shirt on your wall with the number 6 on it, which might indicate your favourite number. Therefore, the attacker now makes the assumption that either that number is in the password itself or you might have used that number to generate the password. Therefore, they put two, and two together, and take a look at the LOTR book you have sitting on your desk. They go to page 6, and page 6 has nothing, but "One ring will rule them all". Bingo, the attacker has now effectively guessed the password using external influences.

This might be a little far fetched, but I'm trying to give an hypothetical on how attackers could piece information together. The passphrase could actually not be more secure. It's only more secure from brute forcing by default only without any other information being taken into consideration. Plus, in this hypothetical I gave the example of the attacker having physical access, but they don't need that. All they need to be able to do is look at your username, or your habits online which they can do remotely.

So, I wouldn't go as far as using a blanket statement like passphrases are better. It entirely depends on how you generate them. A password which has been randomly generated by a password manager at a certain point becomes uncrackable using bruteforce, and with a dictionary attack. So, really you can't get any better than that. It only becomes an issue of remembering that. Passphrases brings back convenience, although what you could potentially do to prevent your habits from sneaking into the generation is, getting the password manager to generate the password for you, then substitute the letters into words. You should still probably be looking at a random word generator them though, since you could use words which your familiar with which again, potentially could compromise it if an attacker uses your stylometry against you. Although, I must admit we are starting to get a bit into fantasy land now.

[tranthidung]

Don't reuse password
Use strong password

• Password softwares
  
  • Keepass: https://keepass.info/
  • Keepass Android: https://play.google.com/store/apps/details?hl=en&id=com.android.keepass
  • Bitwarden: https://bitwarden.com/
• [GUIDE] How to Create a Strong/Secure Password

Let's see how difficult a password can be brute-forced. Remember that when you set up a password for your wallet, it serves as a protection and barrier for accessing your wallet private key. So in case you lose your private key somewhere else, that password does not protect your coin. Because a person who get your private key can import your wallet and steal your coin, even does not know a password for the wallet on your device.

[Husires]

Determining the difficulty or complexity of passwords is related to the data that you want to hide away from hacking.

Your data can be hacked without the need to know the password because it is stored in central servers, and whoever has access to those servers will be able to recover the password easily.

The password problem is:

• You cannot generate multiple random and unique passwords without the need for third party applications.
  
• You need to copy and paste the passwords which makes the hacker focus on targeting the clipboard.
  
• Remembering passwords is more difficult and therefore you will need third-party applications.
  

Other than the above, a 10-character password is generally sufficient, especially if the server is preventing a brute attack and two-factor authentication is used.

[Welsh]

Determining the difficulty or complexity of passwords is related to the data that you want to hide away from hacking.

Your data can be hacked without the need to know the password because it is stored in central servers, and whoever has access to those servers will be able to recover the password easily.

This is only partly true, most serious places should be storing that password via a hash, rather than plain text. So, even if the place you store your password has been compromised, as long as they've used a secure way of storing it, i.e a suitable hash. Then, as long as your password is long enough, it pretty much means your hash will be strong enough not to guess. So, yeah as long as your using a secure password, aren't reusing passwords as pointed out above, and the place where you're using these passwords are hashed, and not stored in plain text. You should be okay.

Obviously, there's other risks like malicious attackers gaining access to your unique session, and therefore could potentially bypass the password.