a companion discussion area for blog.codinghorror.com

Passwords vs. Pass Phrases


Use speling erors 0r unconv3ntional spell1ng f4r add3d complexyti. Or! some unusal? pun-ct. Uation?


Why on earth does it need to be a grammatically correct phrase?

I find the phrase: ‘Mary had a little lamb’ just as easy to remember as the less grammatically correct and more unusual ‘passramble’: ‘lamb a little mary had’!

This defuses any natural language attack vectors in exchange for the slight inconvenience of having a less readable passphrase.

Although I am no expert in natural language processing, I’ve learned that the problem of reducing a search space to grammatically correct phrases is no easy (even complete) task, so it’s not an immediate worry anyway.

Parties interested in passphrases might want to inspect this site, which has some good comparisons of the various attack costs on passwords:





very good


I agree with usage of passphrase over password; it seems safer and it is hacker free. Easy to remember.


I think the real reason that people don’t use pass phrases is those damned password/phrase masking “bullets” that make you type blind.

If I’m only typing a word, or a word plus a digit/symbol, I can deal with the bullet obfuscation. But when you start to go onto multiple words or sentences it’s just too much.

Hell, I can barely type a few sentences correctly when I can see the words (how many times do you go back and correct errors without thinking about it?), take away that ability and the chance of errors - real or perceived - goes up.

If you really want people to use pass phrases, get rid of the stupid password-masking bullets, as Jakob Nielsen said here in “Stop Password Masking” http://www.useit.com/alertbox/passwords.html


One thing you seem to forget is that people are also inherently LAZY. Typing a 25-character pass-phrase does not appeal to most common users. This also makes for some calls to tech support when there is 1 typo made in the pass-phrase.


Couldn’t disagree more. A pass-phrase introduces no real new bits of entropy. “The quick brown fox” is a 4 letter/item password with one of the “letters” being the very common “the”. This does nothing to increase security in a world where crackers have billions of passwords to analyse for these types of patterns. Simply think of each word as a single ASCII character, a single item from a dictionary; with a few morphs to include common special character substitutions, it’s easy to brute force pass-phrases. They are nothing more than passwords with long “characters”.

p.s. Your discourse signup system fails to send confirmation emails.


I have been learning how to develop websites using the Yii framework and spent the last four days reading everything I can on passwords and how to store them (securely) in a database. The concept of pass phrases has grabbed my attention. As an addition to the topic:
For one’s personal use
1- Create your own personal rules for mis$pel!ing words.
2- Don’t use the space bar. camelCaseWorksForMe (and misspell)
As a developer
1- I like the idea of explaining to users the importance of secure passwords and the concept of using pass phrases, offering some examples, and doing so right in the login form (perhaps with a link to an essay by you with links to other pages on the subject).
2- Offer a checkbox to get rid of password bullets (reminding the user to make sure no one is looking over their shoulder).
3- Employ a password strength meter.
And finally- I will be reassuring users that I will be storing their password securely, especially so if the password (ahem…pass phrase) is 12 characters or longer.
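The post above talks about a length rule, a strength meter and secure storage without showing how any of them would look in code. The following is an added example (it is not Yii’s API, nor code from anyone in this thread) of a password store that accepts pass phrases: the policy counts characters only, so spaces, dictionary words and camelCase all pass, and storage uses scrypt from the Python standard library with a per-user random salt and a record that carries its own parameters. The cost parameters, the record format and the helper names are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Added example, not the thread's or Yii's code. Parameter values are
# assumptions: slow enough to hurt an offline attacker, fine for a login form.
SCRYPT_N = 2 ** 14          # CPU/memory cost (16 MiB of RAM with r = 8)
SCRYPT_R = 8                # block size
SCRYPT_P = 1                # parallelism
SALT_BYTES = 16
KEY_LEN = 32
MIN_PASSPHRASE_CHARS = 12   # the "12 characters or longer" bar from the post above


def passphrase_policy(passphrase: str, min_chars: int = MIN_PASSPHRASE_CHARS) -> list[str]:
    """Return a list of problems; an empty list means the pass phrase is accepted.

    Deliberately counts characters only: spaces, dictionary words and
    camelCase are all allowed, so 'correctHorseBatteryStaple' passes.
    """
    problems = []
    if len(passphrase) < min_chars:
        problems.append(f"use at least {min_chars} characters")
    if passphrase != passphrase.strip():
        problems.append("leading/trailing whitespace is probably a typo")
    return problems


def hash_password(passphrase: str, salt: bytes | None = None) -> str:
    """Return 'scrypt$n$r$p$salt_hex$digest_hex' for storage in the users table."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)      # fresh random salt for every user
    digest = hashlib.scrypt(
        passphrase.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(passphrase: str, record: str) -> bool:
    """Recompute the digest using the parameters stored in the record itself."""
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False                        # malformed record, never a match
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(
        passphrase.encode("utf-8"), salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2,
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    record = hash_password("correctHorseBatteryStaple")
    print(record)
    print(verify_password("correctHorseBatteryStaple", record))   # True
    print(verify_password("correcthorsebatterystaple", record))   # False
    print(passphrase_policy("short1"))
```

Storing the parameters inside the record lets you raise the scrypt cost later for new users without breaking old records, and the constant-time comparison matters because a plain `==` on hex strings returns early at the first differing byte.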


I know this is old but why not prepend your favorite password to your passphrase?

It could be like:

ST4230 + im still angry spock died

Then dictionary attacks wouldn’t work and neither would brute-forcing.

Rainbow tables might do it but it would take a pretty large one to have “ST4230imstillangryspockdied”.


It depends on how the attack vector would be, a passphrase the same length as a password would have lower entropy assuming you know it’s just a phrase. However, if you don’t know that it is “just a phrase” then you’d still need to scan through the whole set.

In addition passphrases should ideally be longer than a typical password.

The main issue I have with pass phrases is legacy system support in enterprise systems and how they require you to abide by their password rules in order for it to sync up with their mainframe accounts.


XKCD makes this exact point. Four randomly chosen common English words actually have much higher entropy than a single word with common substitutions, and are easier for most people to remember. Of course, if the password is an actual phrase or a quote, then the entropy is much lower and there are still possible attack vectors. Unfortunately, many modern security systems won’t let you do this, as they will not allow passwords that contain dictionary words.
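The disagreement between the “each word is just a long character” comment and the XKCD point above comes down to which attacker model you count bits under. The following is an added example (not code from the thread, from XKCD or from any project) that computes the entropy of a phrase under three models: as uniformly random characters (what a naive length-based meter reports), as uniformly random words from a word list (the XKCD model, which is what the “word as a single character” comment describes), and as one entry in a corpus of known quotes (the case where the phrase is a real quote). All space sizes and the cracking rate are assumptions chosen to be plausible.

```python
from __future__ import annotations

import math

# Added example; none of these constants are measurements from the thread.
PRINTABLE_ASCII = 95          # alphabet for a random-character generator
LOWERCASE = 26
DICEWARE_LIST = 2048          # short word list: 11 bits per uniformly chosen word
BIG_DICTIONARY = 2 ** 16      # "uncommon" base-word dictionary: 16 bits per word
QUOTE_CORPUS = 10 ** 6        # quotes/lyrics an attacker could enumerate (assumed)
GUESSES_PER_SECOND = 10 ** 9  # assumed offline rate against a fast, unsalted hash


def bits_random_chars(length: int, alphabet: int) -> float:
    """Strength if every character was chosen uniformly (the naive estimate)."""
    return length * math.log2(alphabet)


def bits_random_words(words: int, wordlist: int) -> float:
    """Strength if each word was chosen uniformly from a word list (XKCD model)."""
    return words * math.log2(wordlist)


def bits_known_quote(corpus: int) -> float:
    """Strength if the phrase is one of `corpus` quotes the attacker already holds."""
    return math.log2(corpus)


def bits_mangled_word(dictionary: int, tweak_bits: float) -> float:
    """One dictionary word plus caps/leet/digit/symbol tweaks worth a few bits."""
    return math.log2(dictionary) + tweak_bits


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the secret: on average half the space is searched."""
    return 2 ** (bits - 1) / rate


def estimate_phrase(phrase: str, wordlist: int = DICEWARE_LIST) -> dict[str, float]:
    """Bits of entropy the same phrase offers under each attacker model."""
    words = phrase.split()
    chars = phrase.replace(" ", "")
    alphabet = LOWERCASE if chars.isalpha() and chars.islower() else PRINTABLE_ASCII
    return {
        "as_characters": bits_random_chars(len(chars), alphabet),
        "as_words": bits_random_words(len(words), wordlist),
        "as_known_quote": bits_known_quote(QUOTE_CORPUS),
    }


if __name__ == "__main__":
    for phrase in ["the quick brown fox", "correct horse battery staple"]:
        print(phrase)
        for model, bits in estimate_phrase(phrase).items():
            secs = expected_crack_seconds(bits)
            print(f"  {model:15s} {bits:6.1f} bits  ~{secs:.3g} s at 1e9 guesses/s")
    # A single word with common substitutions, tweaks assumed to add 12 bits:
    print("mangled single word:", bits_mangled_word(BIG_DICTIONARY, 12), "bits")
```

The three rows for one phrase differ by a factor of millions: 16 random lowercase letters look like about 75 bits, four words drawn from a 2048-word list are exactly 44 bits, and a famous quote from a million-entry corpus is about 20 bits. Only the middle row reflects how a random-word passphrase was actually generated, which is why the XKCD comparison holds for randomly chosen words and fails for quotes.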