Passphrases Better Than Passwords Says FBI

The US Federal Bureau of Investigation (FBI) recommends using passphrases instead of passwords. Find out what passphrases are and why they are becoming more popular to use.

People should use passphrases instead of passwords to secure online accounts, according to the US Federal Bureau of Investigation. The FBI is one of a growing number of organizations making this recommendation, joining the likes of the SANS Institute, the Commonwealth of Massachusetts, and the US National Institute of Standards and Technology.

Here’s a look at what passphrases are and why their use is becoming more popular.


What Passphrases Are

Which would you rather use in your login credentials: “gF3a$b2T7%@Yj9k&Vx68H” or “avocado robot dancing castle”? If you picked the latter, you are not alone. To remember it, you just need to envision an avocado-colored robot dancing in a castle. For most people, picturing an image or scene is easier than trying to memorize a long, complex password that consists of random numbers, symbols, and mixed-case letters.

The string “avocado robot dancing castle” is an example of a passphrase. Passphrases are long yet memorable phrases. When creating a passphrase, you only need to follow several simple rules:

  • Make it long. The FBI recommends at least 15 characters. This might sound like a lot, but when you are stringing together words, it is easy to reach this threshold.
  • Create passphrases that are easy for you to remember but not effortless for cybercriminals to glean. For instance, you should not create a passphrase consisting of the titles of your favorite movies or the names of your family members. Hackers might be able to find out this information from social media sites. Instead, you should combine several seemingly unrelated words. To help remember them, experts recommend picturing an image or scene.
  • Make it unique. Each account needs a unique password. That way, if one of your passphrases is compromised in a data breach, cybercriminals won’t be able to use it to access your other online accounts.

You do not have to adhere to any other composition rules. This means you can forgo the use of symbols, numbers, or capital letters if desired. You can even use spaces, assuming the password input tool allows them. Spaces make passphrases easier to enter.
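The rules above translate directly into code. The following Python is an added example, not from the article, the FBI, or NIST: it draws words with a cryptographically secure random source, reports how much entropy the word list provides, and checks a candidate against the only rules the article imposes (minimum length and uniqueness across accounts). The word list, the `check_policy` function and the 16-word size are constructed for this example; a real generator should use a published list of several thousand words.

```python
import math
import secrets

# Constructed sample word list for this example only. A real generator should draw
# from a large published list (thousands of words), because the entropy per word
# is log2(list size): 16 words give only 4 bits each.
WORDLIST = (
    "avocado", "robot", "dancing", "castle", "lantern", "marble", "quiet", "tunnel",
    "velvet", "walrus", "yellow", "zipper", "anchor", "biscuit", "compass", "dolphin",
)

MIN_LENGTH = 15  # the article's recommended floor


def generate_passphrase(words=4, separator=" ", wordlist=WORDLIST, rng=secrets):
    """Join `words` words chosen independently and uniformly at random.

    `rng` defaults to the `secrets` module (a CSPRNG); anything exposing a
    `.choice()` method can be substituted for reproducible runs.
    """
    return separator.join(rng.choice(wordlist) for _ in range(words))


def passphrase_bits(words, wordlist_size):
    """Entropy of a uniformly generated passphrase: words * log2(wordlist size)."""
    return words * math.log2(wordlist_size)


def check_policy(candidate, min_length=MIN_LENGTH, already_used=frozenset()):
    """Return the list of rule violations; an empty list means the passphrase passes.

    The only composition rule is length (no symbol, digit or case requirement),
    plus uniqueness across accounts. A deployment would additionally reject
    phrases known from breach data, which this example does not model.
    """
    problems = []
    if len(candidate) < min_length:
        problems.append(f"too short: {len(candidate)} characters, need {min_length}")
    if candidate in already_used:
        problems.append("already used for another account")
    return problems


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, "->", check_policy(phrase) or "OK")
    print(f"{passphrase_bits(4, len(WORDLIST)):.1f} bits of entropy from this small list")
```

The `already_used` set is the hook for the uniqueness rule: a password manager or an enterprise policy engine would populate it from the user's other stored credentials.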


Easier to Remember Does Not Mean Easier to Crack

Just because passphrases are easier to remember does not mean they are less secure than complex passwords. Longer character strings are cryptographically harder to crack than shorter ones, even if the shorter strings include symbols, numbers, and mixed-case letters, according to experts. Consider, for example, how much time hackers would need to spend to crack the following passphrases and passwords using a brute-force password-cracking tool on an average computer. It would take:

  • More than 10,000 centuries to crack the full passphrase “avocado robot dancing castle” (or “avocado-robots-dancing-castle” if a password input tool doesn’t allow spaces). Even though this passphrase has 28 characters, it is easy to picture and thus remember.
  • 3650 centuries to crack the shorter passphrase “avocado robot dancing”. Despite having fewer characters (21), this passphrase is still hard to crack.
  • More than 10,000 centuries to hack “gF3a$b2T7%@Yj9k&Vx68H”. Unless you have a photographic memory, you probably won’t want to use this password. Although the length (21 characters) makes the password extremely secure, it would be very difficult to memorize.
  • 337 centuries to hack “gF3a$b2T7%@Yj9”. With 14 characters, this password is still secure but also still hard to memorize.
  • 2 days to crack “gF3a$b2”. Having only 7 characters makes this password a lot easier to remember — and much easier to hack.
  • 2 minutes to hack “!@#$%^&*”. This password might look complex, but cybercriminals know that people often use keyboard patterns as passwords.
  • 1 second to crack “f00tb@ll”. This password attempts (but fails) to fool hackers with letter substitution.
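The figures above come from a cracking tool, but the arithmetic behind them is simple: the number of candidate strings is (alphabet size) ^ (length), divided by the attacker's guessing rate. The following Python is an added example, not from the article, that reproduces that estimate for the article's own strings and adds the caveat a defender should keep in mind: if the attacker knows a passphrase is built from dictionary words, the relevant count is (list size) ^ (word count), not the per-character figure. The guessing rate of one billion per second and the 7776-word list size are assumptions made for the example; the absolute durations will therefore differ from the article's.

```python
import string

# Assumed offline guessing rate for an "average computer". This figure is
# constructed for the example, not taken from the article; real rates depend
# on the hash algorithm and the hardware and vary by orders of magnitude.
GUESSES_PER_SECOND = 1e9

_SYMBOLS = set(string.punctuation) | {" "}   # 32 punctuation characters plus space


def charset_size(secret):
    """Size of the smallest obvious alphabet an attacker must cover for `secret`."""
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(c in _SYMBOLS for c in secret):
        size += len(_SYMBOLS)
    return size


def brute_force_seconds(secret, rate=GUESSES_PER_SECOND):
    """Worst-case time to enumerate every string of this length over the inferred alphabet."""
    return charset_size(secret) ** len(secret) / rate


def wordlist_attack_seconds(words, wordlist_size, rate=GUESSES_PER_SECOND):
    """Worst-case time when the attacker knows the passphrase is `words` words from a list."""
    return wordlist_size ** words / rate


def humanize(seconds):
    """Render a duration with one decimal in the largest unit that fits."""
    for name, size in (("centuries", 3_153_600_000.0), ("years", 31_536_000.0),
                       ("days", 86_400.0), ("hours", 3_600.0), ("minutes", 60.0)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for s in ("avocado robot dancing castle", "avocado robot dancing",
              "gF3a$b2T7%@Yj9k&Vx68H", "gF3a$b2T7%@Yj9", "gF3a$b2"):
        print(f"{s!r:34} alphabet {charset_size(s):3}  {humanize(brute_force_seconds(s))}")
    # The caveat: four words from a 7776-word list is only 7776**4 guesses
    # if the attacker targets the word structure instead of the characters.
    print("4 words from a 7776-word list:", humanize(wordlist_attack_seconds(4, 7776)))
```

The character-level estimate confirms the article's ordering (28 lowercase characters plus spaces outlast 14 mixed characters by a wide margin). The word-level estimate is why the article's advice to use seemingly unrelated words, and a large vocabulary, matters: the strength of a dictionary passphrase is bounded by its word count and list size, so adding a fifth word helps more than swapping letters for symbols.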

The bottom line is that length matters — and with passphrases, you can create long strings that are easy to remember.


Use Two-Step Verification as Well

Following NIST’s lead, the FBI recommends people follow several other security practices, including using two-factor authentication (aka two-step verification) when possible. With this type of authentication, you must provide two credentials to log in, such as a one-time security code and a passphrase or password. Having to provide two credentials adds an extra layer of security that can prevent unauthorized access to your online account.
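The "one-time security code" in most two-step setups is a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226). The following Python is an added example, not from the article or the FBI, showing both halves of such a login: the server stores a salted PBKDF2 hash of the passphrase rather than the passphrase itself, the authenticator app derives a six-digit code from a shared secret and the current 30-second time step, and the server accepts the code only within a small clock-drift window. The demo secret is the RFC 6238 test-vector key; `register_passphrase` and `login` are names chosen for this example.

```python
import hashlib
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret, submitted, at_time, step=30, digits=6, window=1):
    """Accept the current step or up to `window` steps either side to tolerate clock drift."""
    current = at_time // step
    return any(
        hmac.compare_digest(hotp(secret, current + drift, digits), submitted)
        for drift in range(-window, window + 1)
    )


def register_passphrase(passphrase: str, salt: bytes = None):
    """Store a salted PBKDF2 hash rather than the passphrase itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)
    return salt, digest


def login(record, submitted_passphrase, totp_secret, submitted_code, at_time=None):
    """Both factors must pass: something you know (passphrase) and something you have (code)."""
    salt, stored = record
    at_time = int(time.time()) if at_time is None else at_time
    candidate = hashlib.pbkdf2_hmac("sha256", submitted_passphrase.encode(), salt, 200_000)
    passphrase_ok = hmac.compare_digest(candidate, stored)
    code_ok = verify_totp(totp_secret, submitted_code, at_time)
    # Both checks run before the result is combined, so a failed passphrase does
    # not skip the code check and leak which factor was wrong through timing.
    return passphrase_ok and code_ok


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test-vector key); real secrets come from os.urandom.
    SECRET = b"12345678901234567890"
    record = register_passphrase("avocado robot dancing castle")
    now = int(time.time())
    print("current code:", totp(SECRET, now))
    print("login:", login(record, "avocado robot dancing castle", SECRET, totp(SECRET, now), now))
```

A code is only valid for its time step plus the drift window, so a captured code is useless shortly after it is used; that is the "extra layer" the article refers to. Constant-time comparison (`hmac.compare_digest`) is used for both factors so that response timing does not reveal how many leading characters matched.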

The FBI also recommends using a password manager if you have numerous credentials you need to remember. Password managers typically encrypt and store account credentials in a repository. When you want to access one of your accounts using the stored login credentials, you enter a master passphrase (or password) and select the account. This means you only need to remember one passphrase instead of many to log in to your accounts.


Passphrases Are Good for Businesses, Too

Passphrases aren’t just for individuals to use. Companies can benefit from using them as well.

You might consider encouraging employees to use passphrases when logging into business accounts. Before doing so, though, you need to provide training on how to create passphrases as well as adapt your company’s policies and systems for passphrase use. For example, you need to configure a minimum password length of at least 15 characters. We can help you make the necessary configurations and other changes needed for your business to use passphrases.

FBI flickr photo by jossuppy shared under a Creative Commons (BY) license