How is a passphrase better than a password?

3 minute read

Security at the expense of usability comes at the expense of security.1

This week, Facebook CEO Mark Zuckerberg had his Twitter and Pinterest accounts hacked. The conventional wisdom is that this stems from a 2012 LinkedIn breach where approximately 6.5 million passwords were stolen2.

Although in this case, a weak password wasn’t necessarily the cause of the incident, it illustrates that the current state of application security is extremely vulnerable.

There are promising advances being made by companies such as Yubikey. However, there is a really easy way to improve your own password security: Use a unique passphrase for each one of your accounts instead.

What is a passphrase?

A passphrase is a sequence of words, including punctuation or special characters as necessary. You could use this sentence as your passphrase. However, you’re better off crafting your own unique passphrases that you will remember easily.

How is a passphrase better?

Password Entropy3 is a measurement of how hard it is to guess your password. If your password consists of one common word, a symbol, and a number, you’re on the order of 14 bits of entropy. Let’s say you’re much smarter than that (which you are) and you’ve decided to use some common sub5titutonS, a special character, and a number… You’ve got yourself up to ~28 bits of entropy.

Your 28 bits of entropy will take 228 attempts to crack. That means 268,435,456 attempts, at most. Assuming 1000 tries per second, I’ll crack your password in a little more than 3 days.

This is where our human brains fail us, because we’re not very good exponential thinkers. What happens if we add some more words?

Simply selecting 4 common words, such as “correct horse battery staple” gets us to 44 bits of entropy, which will take approximately 557 years to crack.

A passphrase can be even longer than 4 common words: “the swallow flies from the barn at half past midnight”. We would now need to brute-force a combination of 10 common words, making this passphrase on the order of 110 bits of entropy. Given 1000 tries per second it will take 9.5 trillion x 4.3 billion years to crack.

That’s probably overkill.

The xkcd Passphrase Generator

Most of the geeks in the audience will recognize I’ve merely explained some of the math behind xkcd#9364.

I googled around for the best way to generate such a passphrase, and although there are several such generators around, my favorite is by OptionFactory. Use the xkcd correct horse battery staple password generator.

I use the OptionFactory tool to get inspiration and usually change tenses of words or make other adjustments to their recommendations in order to make the phrase more mnemonic.

Happy trails! And change your passwords.



1 AviD’s Rule of Usability

2 More on the 2012 LinkedIn Hack. If you are still using your LinkedIn password from 2012 on other sites, there is a serious chance that you could be exposed and should change your password… to a passphrase… with due haste.

3 Entropy as a measurement of password strength. If you really want to geek out you can dive much deeper into the [Information Theory of Entropy](

4 This excellent stack exchange post takes a deep dive into the math behind entropy, specifically related to xkcd#936