Several years ago, Randall Munroe, the author of the science webcomic XKCD, posted a comic comparing passwords and passphrases. The illustration attempts to demonstrate mathematically, using information theory, that passwords tend to be weaker than passphrases while also being more difficult to remember. Because of this, people use simpler passwords, write them down, or reuse them, weakening password security further.

Munroe concludes, “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”

Many people think a password is meant to protect them from someone targeting them specifically. That’s usually not how people get hacked, though.

When you create an online account, the company stores your password in encrypted form on its servers. If hackers get their hands on that password database, it’s only a matter of running password-guessing programs against the list until the guesses match. There are computers that can test hundreds of billions of passwords per second, though companies typically use encryption methods that slow down the guessing process.

What is a passphrase?

While everybody knows what a password is, fewer people know about passphrases. A passphrase is a kind of password made up of a series of words, separated by spaces or not (it doesn’t really matter). “correcthorsebatterystaple” is the passphrase in the comic. Although passphrases often contain more characters than passwords do, passphrases contain fewer “components” (four words instead of, say, 12 random characters). This makes passphrases easier to remember, typically by using a mnemonic device.

A passphrase is more secure… sometimes

After the XKCD comic came out, there was a wave of discussion online about whether the advice was correct. Much of the debate centered on the amount of entropy each of his examples contained. Entropy is a concept from information theory that, put simply, measures the amount of randomness contained in a password. Generally, the more randomness a password contains, the harder it is to crack. This is why longer passwords are favored: they presumably contain more “randomness.”

XKCD assumes the attacker knows the user has generated a passphrase by choosing four of the most common dictionary words (the top 2,048 in this example) at random. Even so, the passphrase contains more entropy than the password. There are only 94 possible options for each password character, meaning less uncertainty per component. So, mathematically speaking, a passphrase can be more secure.

But not always. By lengthening the password or adding words to the passphrase, you can increase the entropy. For example, a 20-character password consisting of random lower-case letters is much stronger than a four-word passphrase composed of common words. Such a password cannot be attacked with a dictionary, so it must be brute-forced, which would take modern computers billions of years.
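To make the entropy argument concrete, here is an added example (not from the article or the comic) that works out the bits of entropy and the expected cracking time for the schemes discussed above. The guess rate of 10^11 per second is an assumed figure in line with the “hundreds of billions per second” mentioned earlier, and the 7,776-word list is the size of a Diceware-style list, included for comparison.

```python
import math

# Assumed attacker speed (constructed figure): 1e11 guesses per second.
GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, components: int) -> float:
    """Entropy of a secret built from `components` independent, uniformly
    random choices out of `alphabet_size` options: log2(alphabet_size**components)."""
    return components * math.log2(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected cracking time: on average the attacker succeeds after trying
    half the keyspace, i.e. 2**(bits - 1) guesses."""
    return (2 ** (bits - 1)) / guesses_per_second / SECONDS_PER_YEAR


# (alphabet size, number of components) for each scheme from the discussion.
SCHEMES = {
    "12 random printable ASCII characters": (94, 12),
    "4 random words from the 2,048 most common": (2048, 4),
    "20 random lower-case letters": (26, 20),
    "5 random words from a 7,776-word list": (7776, 5),
}


def compare_schemes(schemes=SCHEMES):
    """Return (name, bits, years) tuples, weakest scheme first."""
    rows = []
    for name, (alphabet, n) in schemes.items():
        bits = entropy_bits(alphabet, n)
        rows.append((name, bits, expected_crack_years(bits)))
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    for name, bits, years in compare_schemes():
        print(f"{name:45s} {bits:6.1f} bits  ~{years:.3g} years")
```

Note that these figures assume every component is chosen uniformly at random; a passphrase built from a quote or saying, or a password built from a word with letter substitutions, has far less entropy than the formula suggests.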

AviD’s Rule of Usability

But XKCD’s argument is not primarily about mathematics. It’s about how to create the most secure systems possible in light of human imperfections.

For decades, the advice from information security experts was to change your passwords frequently and use numbers, capitals, and special characters. But we humans are bad at creating randomness, and we’re bad at remembering things. So inevitably people used simple words, names, birthdates, and sayings, swapping out letters with similar-looking special characters. Hackers can crack these kinds of passwords in a matter of seconds.

In an effort to make systems secure, the prevailing password advice actually made them less secure. Or, as the Stack Exchange user AviD famously put it in response to the XKCD comic: “Security at the expense of usability comes at the expense of security.” In other words, if your “secure system” isn’t easy to use, people won’t use it, negating the security benefit. (This is actually the founding principle of ProtonMail.)

Our recommendation on the password vs. passphrase debate

Both passwords and passphrases can be secure, and if you are using a password manager, the security and usability differences between passwords and passphrases will not be significant. However, if you are setting a password that you must remember by heart, for usability reasons, we recommend using passphrases.

When you use passphrases, also keep the following in mind:

Four words should be sufficient. Five words is better.

Don’t choose from the most common words, and don’t choose quotes or sayings. The words should be as random as possible.

Use a unique passphrase for every account you own. That way, if one passphrase is ever exposed, the other accounts remain secure.
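The following added example (not from the article) turns the three recommendations into code: it generates a passphrase by drawing words with the operating system’s cryptographic random source, skips the very common words the article advises against, and checks a candidate phrase against the word-count and common-word rules. Both word lists are constructed for the demo; a real deployment would draw from a large published list so that each word contributes more entropy.

```python
import math
import secrets

# Constructed "most common words" list that the generator avoids and the checker flags.
COMMON_WORDS = {"the", "and", "love", "password", "horse", "battery"}

# Constructed candidate list; a real list would have thousands of entries.
WORDLIST = ["abacus", "cobalt", "drizzle", "ember", "fjord", "glacier",
            "harbor", "ingot", "juniper", "kestrel", "lantern", "marble",
            "nectar", "orchid", "pumice", "quartz"]


def passphrase_entropy_bits(num_words: int, list_size: int) -> float:
    """Bits of entropy when each word is chosen uniformly from `list_size` words."""
    return num_words * math.log2(list_size)


def generate_passphrase(num_words: int = 5, wordlist=WORDLIST, separator: str = " ") -> str:
    """Choose words with secrets.choice (CSPRNG-backed); random.choice is
    predictable and must not be used for secrets. Very common words are skipped."""
    eligible = [w for w in wordlist if w not in COMMON_WORDS]
    return separator.join(secrets.choice(eligible) for _ in range(num_words))


def check_passphrase(phrase: str, min_words: int = 4) -> list:
    """Return a list of problems with a space-separated passphrase (empty means OK):
    too few words, or words taken from the most-common list."""
    words = phrase.lower().split()
    problems = []
    if len(words) < min_words:
        problems.append(f"only {len(words)} word(s); use at least {min_words}")
    common = [w for w in words if w in COMMON_WORDS]
    if common:
        problems.append("uses very common words: " + ", ".join(common))
    return problems


if __name__ == "__main__":
    phrase = generate_passphrase(5)
    print(phrase, "->", passphrase_entropy_bits(5, len(WORDLIST)), "bits")
    print(check_passphrase("correct horse battery staple"))
```

The uniqueness rule cannot be checked by a generator; it is enforced by storing each generated phrase in a password manager rather than reusing it.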

This article is part of our series on password security. You can also check out our previous article about how long a password should be.

Best Regards,

The ProtonMail Team
