Passphrases vs. Passwords
By analogy with the term password, a passphrase is a sequence of words, as opposed to a sequence of characters, used to gain access to and protect private resources in cryptographic programs and systems. The use of passphrases has recently gained mainstream popularity, in part due to the publication of a comic strip on the topic of passphrase strength in the popular internet comic XKCD.
Generally, passphrases are considered to offer more security than passwords because they are composed of more characters, and thus are longer, and therefore possess a higher degree of entropy than shorter passwords.
Easy to remember
In reality, because a passphrase consists of a set of whole "words" rather than a set of characters, the true "length" of most passphrases, measured in the number of symbols (here, words), is in fact shorter than that of most passwords.
Hard to guess
However, because each symbol of a passphrase is drawn from a much larger pool of possible symbols, a passphrase carries far more entropy per symbol, and the number of possible passphrases grows exponentially faster with length than the number of possible passwords does.
Passphrases are built from word lists containing thousands of words, while passwords are generally built from a much smaller subset of the printable ASCII character set. As a result, for a given number of symbols, a password has far fewer possible combinations than a passphrase.
Assuming the character pool in use is known to a potential attacker, the following table illustrates the entropy of passwords ranging from weak to strong alongside a simple 5-word passphrase:
Complexity | Entropy Calculation |
---|---|
4 characters consisting of: | |
8 characters consisting of: | |
8 characters consisting of: | |
8 characters consisting of: | |
8 characters consisting of: | |
5 random words taken from: | |
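The entropy figures in a table like the one above all come from one formula: a secret of L symbols, each chosen uniformly and independently from a pool of N symbols the attacker knows, has L * log2(N) bits of entropy. The script below is an added example (not part of the original page) that computes that figure for several password pools and for a 5-word passphrase, converts it to an exhaustive-search time at an assumed offline guessing rate, and generates secrets with the OS CSPRNG so the figures actually apply. The pool choices (digits, letters, the 95 printable ASCII characters), the word-list sizes (7776 for a standard Diceware list, 2048 for a BIP-39 list), the 10^10 guesses-per-second rate and the tiny demo word list are all assumptions made for the example; the page's table does not state which pools it used.

```python
import math
import secrets
import string

# Symbol pools for the password rows. Assumed for this example; the page's
# table does not say which pools it used.
PRINTABLE_ASCII = "".join(chr(c) for c in range(32, 127))  # 95 symbols incl. space

PASSWORD_POOLS = {
    "digits only": string.digits,                              # 10
    "lowercase letters": string.ascii_lowercase,               # 26
    "upper + lower letters": string.ascii_letters,             # 52
    "letters + digits": string.ascii_letters + string.digits,  # 62
    "all printable ASCII": PRINTABLE_ASCII,                    # 95
}

# Word-list sizes for the passphrase rows. 7776 = 6**5 is the size of a
# standard Diceware list; 2048 is the size of a BIP-39 list. Only the sizes
# are used here; the lists themselves are not embedded.
WORDLIST_SIZES = {"Diceware (7776 words)": 7776, "BIP-39 (2048 words)": 2048}


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy in bits of a secret of `length` symbols, each chosen uniformly
    and independently from `pool_size` symbols: log2(pool_size ** length),
    i.e. length * log2(pool_size). The attacker is assumed to know the pool."""
    if pool_size < 2 or length < 1:
        raise ValueError("need a pool of at least 2 symbols and length >= 1")
    return length * math.log2(pool_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Seconds to try every candidate at the given offline guessing rate.
    On average the attacker succeeds after half of this time."""
    return 2.0 ** bits / guesses_per_second


def comparison_rows(password_length: int = 8, n_words: int = 5):
    """(label, pool size, symbol count, bits) rows in the order the page's
    table uses: a 4-digit PIN, then 8-character passwords, then passphrases."""
    rows = [("4 digits (PIN)", 10, 4, entropy_bits(10, 4))]
    for label, pool in PASSWORD_POOLS.items():
        rows.append((f"{password_length} chars, {label}", len(pool),
                     password_length, entropy_bits(len(pool), password_length)))
    for label, size in WORDLIST_SIZES.items():
        rows.append((f"{n_words} words, {label}", size, n_words,
                     entropy_bits(size, n_words)))
    return rows


def generate_password(pool: str, length: int) -> str:
    """Uniform random password. `secrets` draws from the OS CSPRNG, so the
    entropy figure from entropy_bits() holds for the result."""
    return "".join(secrets.choice(pool) for _ in range(length))


def generate_passphrase(wordlist, n_words: int, sep: str = " ") -> str:
    """Uniform random passphrase. Words picked by a person rather than a
    CSPRNG do not get this entropy: an attacker can rank likely phrases."""
    words = list(wordlist)
    if len(set(words)) != len(words):
        raise ValueError("word list has duplicates; pool size would be overstated")
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    rate = 1e10  # assumed offline guessing rate, guesses per second
    print(f"{'secret':32} {'pool':>5} {'len':>3} {'bits':>6} {'exhaust (years)':>16}")
    for label, pool, length, bits in comparison_rows():
        years = seconds_to_exhaust(bits, rate) / (365.25 * 24 * 3600)
        print(f"{label:32} {pool:>5} {length:>3} {bits:>6.1f} {years:>16.3g}")
    # Constructed demo list, far too short for real use; a real generator
    # would load the full Diceware list instead.
    demo_words = ["correct", "horse", "battery", "staple", "ocean", "violin"]
    print(generate_passphrase(demo_words, 4))
    print(generate_password(PRINTABLE_ASCII, 8))
```

The check worth keeping in mind is the one the table's assumption hides: the formula only counts bits that a uniform random choice actually put into the secret. A 5-word Diceware passphrase (about 64.6 bits) beats an 8-character password from all 95 printable characters (about 52.6 bits), but only when both are generated by a CSPRNG; a phrase a user composed from a favourite quote has a much smaller effective pool than the whole word list.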