A passphrase is a sequence of words or other text used to control access to a computer system, program or data. A passphrase is similar to a password in usage, but is generally longer for added security. Passphrases are often used to control both access to, and operation of, cryptographic programs and systems. Passphrases are particularly applicable to systems that use the passphrase as an encryption key.
Compared to passwords
Passphrases differ from passwords. A password is usually short — six to ten characters. Such passwords may be adequate for various applications (if frequently changed, if chosen using an appropriate policy, if not found in dictionaries, if sufficiently random, and/or if the system prevents online guessing, etc.) such as:
- Logging onto computer systems
- Negotiating keys in an interactive setting (e.g. using password-authenticated key agreement)
- Enabling a smart-card or PIN for an ATM card (e.g. where the password data (hopefully) cannot be extracted)
But passwords are typically not safe to use as keys for standalone security systems (e.g., encryption systems) that expose data to enable offline password guessing by an attacker. Passphrases are generally stronger, and a clearly better choice in these cases. First, they usually are (and always should be) much longer — 20 to 30 characters or more is typical, making some kinds of brute force attacks entirely impractical. Second, if well chosen, they will not be found in any 'phrase or quote dictionary', so such dictionary attacks will be almost impossible. Third, they can be structured so as to be more easily memorable than passwords without being written down, reducing that risk as well. Most applications allow spaces, which is recommended because spaces make the passphrase easier to remember. They can thus be considerably more 'secure'.
Passphrase selection
Typical advice about choosing a passphrase includes suggestions that it should be:
- Long enough to be hard to guess (e.g., automatically by a search program, as from a list of famous phrases)
- Not a famous quotation from literature, holy books, et cetera
- Hard to guess by intuition -- even by someone who knows the user well
- Easy to remember and type accurately
- For better security, any encoding scheme that you personally find easy to remember can be applied to the phrase.
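The strength argument above (longer text, a larger search space, and no match in a quote dictionary) and the selection advice in the list can be made concrete with a small script. The following is an added example written for this page, not code from the original article: it generates a random-word passphrase, compares its entropy against a short random password, estimates offline brute-force time at an assumed guess rate, and checks a candidate passphrase against the selection rules. The word list and the list of famous phrases are constructed stand-ins (a real Diceware list has 7776 words), and the guess rate of 10^9 per second is an assumption chosen only for illustration.

```python
import math
import secrets

# Constructed word list for illustration only; real Diceware lists have 7776 entries.
SAMPLE_WORDLIST = [
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garnet",
    "harbor", "island", "jigsaw", "kettle", "lantern", "marble", "nectar",
    "orbit", "pepper", "quartz", "rocket", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr",
]

# Constructed stand-in for a "phrase or quote dictionary" (lower-case, single spaces).
FAMOUS_PHRASES = {
    "to be or not to be",
    "may the force be with you",
    "in the beginning god created",
}


def generate_passphrase(num_words, wordlist=SAMPLE_WORDLIST, rng=secrets.choice):
    """Pick num_words words uniformly at random from wordlist and join them with spaces.

    The default rng is secrets.choice (a CSPRNG); the parameter exists so tests
    can inject a deterministic chooser.
    """
    return " ".join(rng(wordlist) for _ in range(num_words))


def passphrase_entropy_bits(num_words, wordlist_size):
    """Entropy of num_words words chosen uniformly from a list of wordlist_size words."""
    return num_words * math.log2(wordlist_size)


def password_entropy_bits(length, alphabet_size):
    """Entropy of a password of `length` characters drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def years_to_brute_force(entropy_bits, guesses_per_second):
    """Expected years to find the secret by exhaustive offline guessing.

    On average an attacker must try half the keyspace, i.e. 2**(entropy_bits - 1) guesses.
    """
    expected_guesses = 2 ** (entropy_bits - 1)
    seconds = expected_guesses / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def check_passphrase(passphrase, min_length=20, famous=FAMOUS_PHRASES):
    """Apply the selection advice; return a list of problems (empty means it passes)."""
    problems = []
    # Normalise case and whitespace so trivial variations of a famous phrase still match.
    normalized = " ".join(passphrase.lower().split())
    if len(passphrase) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if normalized in famous:
        problems.append("matches a famous phrase")
    if len(normalized.split()) < 3:
        problems.append("fewer than three words")
    return problems


if __name__ == "__main__":
    rate = 1e9  # assumed offline guess rate, guesses per second (illustrative only)
    pw_bits = password_entropy_bits(8, 62)          # 8 chars from [A-Za-z0-9]
    pp_bits = passphrase_entropy_bits(6, 7776)      # 6 Diceware words
    print(f"8-char random password: {pw_bits:.1f} bits, "
          f"~{years_to_brute_force(pw_bits, rate):.4f} years at 1e9/s")
    print(f"6-word Diceware passphrase: {pp_bits:.1f} bits, "
          f"~{years_to_brute_force(pp_bits, rate):.0f} years at 1e9/s")
    candidate = generate_passphrase(4)
    print(f"generated: {candidate!r} -> problems: {check_passphrase(candidate)}")
    print(f"'to be or not to be' -> problems: {check_passphrase('to be or not to be')}")
```

The entropy figures are upper bounds that hold only when every word or character is chosen uniformly at random; a phrase chosen by a person has far less entropy than its length suggests, which is why the famous-phrase check matters more than the length check alone.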