
Passphrase

A passphrase is a sequence of words, phrases, or other text elements used to authenticate a user's identity or to control access to a computer system, program, or data, functioning as a memorized secret in authentication processes. Unlike traditional passwords, which are often short strings of mixed characters, passphrases derive their strength primarily from length, typically comprising multiple words to create a longer secret that is easier for humans to remember while resisting brute-force attacks. They are employed in various contexts, including single-factor authentication at low assurance levels and as components of multi-factor authentication for higher assurance requirements.

The modern concept of the passphrase was introduced by Sigmund N. Porter in 1982, who proposed it as an extension to conventional passwords to improve both security and usability by leveraging longer, meaningful sequences hashed into keys. Porter's approach emphasized that passphrases could expand the effective keyspace, to 64 bits or more, while remaining memorable due to their linguistic structure, addressing the limitations of short, complex passwords that users often forget or write down insecurely. This innovation gained traction in cryptographic applications, such as Pretty Good Privacy (PGP) software, where passphrases protect private keys, and has since become a standard recommendation in cybersecurity guidelines.

Passphrases offer significant security advantages over shorter passwords, primarily through the increased entropy that comes from length, making them more resistant to brute-force guessing and offline cracking. Authoritative sources like the National Institute of Standards and Technology (NIST) recommend minimum lengths of 8 characters for multi-factor scenarios and 15 for single-factor use, with support for up to 64 characters to encourage robust passphrases without composition rules that complicate memorization. Similarly, the Canadian Centre for Cyber Security advocates passphrases as preferable to random-character passwords, noting their ease of recall when based on personal or random word combinations, while the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) stress using passphrases exceeding 15 characters to enhance protection against automated guessing. Best practices include avoiding common phrases, incorporating numbers or symbols if permitted, and checking against blocklists of compromised credentials to mitigate risks.

Fundamentals

Definition

A passphrase is a memorized secret consisting of a sequence of words or other text used by a claimant to authenticate their identity. Unlike shorter credentials, it is designed to be longer for improved security while remaining easier to remember through natural-language patterns. Key characteristics of a passphrase include its typical length of 20 or more characters, often achieved by combining multiple words separated by spaces, though it may also incorporate symbols or random strings. Its primary uses are in access control for computing systems and as input for cryptographic key derivation processes. For instance, a simple passphrase might be structured as "correct horse battery staple," illustrating a space-delimited sequence of common words. In distinction from traditional passwords, which are usually compact strings of mixed characters without inherent meaning, passphrases leverage familiar words to enhance user recall without sacrificing overall strength. This approach prioritizes length over complexity for authentication purposes.

History

The modern concept of a passphrase, defined as a sequence of words or other text used for authentication, originated with Sigmund N. Porter's 1982 proposal to extend traditional passwords by employing memorable phrases of multiple words, aiming to improve security and usability in computer systems. Porter's work, published in Computers & Security, emphasized that such extensions could reduce user errors while maintaining resistance to guessing attacks, laying the groundwork for longer, phrase-based authenticators.

In the late 1980s and early 1990s, passphrases gained traction through their integration into practical systems. The S/KEY one-time password system, developed by Bellcore researcher Neil M. Haller and colleagues, adopted passphrases as seeds to generate disposable authentication tokens, with initial implementations appearing for Unix operating systems around 1989 and formalized in RFC 1760 in 1995. Concurrently, the release of Pretty Good Privacy (PGP) in 1991 by Phil Zimmermann introduced passphrases to protect private keys in public-key cryptography, marking an early cryptographic standard where users derived symmetric keys from memorable phrases to secure asymmetric keypairs. These developments facilitated passphrase use in remote access and other authentication protocols during the 1990s.

Key milestones further advanced passphrase methodologies. In 1995, Arnold G. Reinhold introduced Diceware, a technique for generating passphrases by randomly selecting words from a 7,776-word list using dice rolls, providing approximately 12.9 bits of entropy per word to create secure yet recallable sequences. The National Institute of Standards and Technology (NIST) later evolved its guidelines: the initial Special Publication 800-63B in 2017 recommended memorized secrets of at least eight characters (up to 64) over complex short passwords, prioritizing length for resistance to brute-force attacks; this was revised in 2020 and further updated in SP 800-63-4 (2025), which requires a minimum of 15 characters for single-factor authentication while permitting up to 64 characters.

Post-2000, passphrases rose in popularity amid escalating password-cracking threats from advancing computational power and widespread data breaches, as evidenced by significant growth in reported incidents from 136 in 2005 to 662 annually by 2010, prompting broader adoption in security recommendations to counter dictionary and offline attacks.

Security Aspects

Entropy and Strength

The security of a passphrase is fundamentally determined by its entropy, a measure from information theory that quantifies the uncertainty or randomness in the string, expressed in bits; higher entropy corresponds to greater resistance against brute-force and guessing attacks. For passphrases constructed as sequences of L independent words selected uniformly from a dictionary of size N, the total entropy H is calculated as H = L \times \log_2(N), assuming no dependencies between words. This formula provides an upper bound on strength that is reached only when words are chosen randomly, as in methods like Diceware, where a standard wordlist of 7776 entries yields approximately 12.9 bits per word.

In contrast, user-chosen passphrases built from natural language exhibit much lower entropy due to linguistic predictability. Claude Shannon's seminal analysis of printed English estimated the per-character entropy at approximately 1 bit, with refined bounds placing it between 0.6 and 1.3 bits per character when accounting for contextual dependencies over several letters. User-chosen passphrases, often resembling sentences or common phrases, thus inherit this low entropy density, making even long strings vulnerable unless randomness is introduced. Estimating entropy for such user-chosen passphrases remains challenging, as noted by the National Institute of Standards and Technology (NIST). Current NIST guidelines in SP 800-63B recommend minimum lengths of 15 characters for single-factor memorized secrets used in authentication at Authenticator Assurance Level 2 (AAL2) and 8 characters when part of multi-factor authentication, with support for up to 64 characters or more and no required composition rules, so as to simplify memorization while ensuring strength through length and rejection of common passwords via blocklists.

Common phrases remain susceptible to dictionary attacks, where attackers exploit frequency lists of popular word combinations to reduce the effective search space dramatically, potentially cracking a predictable 4-word passphrase in far fewer trials than its nominal entropy suggests. Mitigation relies on introducing genuine randomness, such as selecting uncommon words or using automated generators that draw from large, diverse word pools, to approach the theoretical H = L \times \log_2(N).

Key factors influencing passphrase strength include word length (longer words increase per-word entropy via larger character pools), uniqueness (avoiding overused words to evade targeted attacks), and the absence of patterns (such as sequential or thematic sequences that reduce effective entropy). These elements collectively ensure that the passphrase's nominal entropy translates to practical security, prioritizing uniform selection over memorable but predictable structures.
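As an added worked example (not part of the original article), the following Python computes the entropy models described above: the uniform-word bound H = L·log2(N), a Shannon-style per-character estimate, and the collapse to log2(list size) once a phrase sits on an attacker's frequency list. The 10^10 guesses/second rate and the one-million-phrase list are assumed figures used only to make the comparison concrete.

```python
import math

# Figures taken from the text above: Diceware's 7,776-word list and Shannon's
# 0.6-1.3 bits per character for written English.
DICEWARE_LIST_SIZE = 7776
ENGLISH_BPC_LOW, ENGLISH_BPC_HIGH = 0.6, 1.3


def word_entropy_bits(words, list_size=DICEWARE_LIST_SIZE):
    """H = L * log2(N): entropy of L words drawn uniformly and independently
    from a list of N words. This is the upper bound the text describes."""
    if words < 1 or list_size < 2:
        raise ValueError("need at least one word and a list of at least two words")
    return words * math.log2(list_size)


def english_entropy_bits(text, bits_per_char=1.0):
    """Shannon-style estimate for a user-chosen natural-language phrase:
    length in characters times an assumed per-character rate (default 1 bit)."""
    return len(text) * bits_per_char


def frequency_list_bits(list_size):
    """Effective entropy once an attacker guesses from a frequency-ranked list
    of popular phrases instead of the nominal keyspace: log2(list size)."""
    return math.log2(list_size)


def expected_guesses(bits):
    """Average guesses needed to find a secret with the given entropy
    (half of the 2**bits keyspace)."""
    return 2 ** (bits - 1)


def seconds_to_crack(bits, guesses_per_second):
    """Expected cracking time at a given offline guess rate."""
    return expected_guesses(bits) / guesses_per_second


def compare_four_word_phrases(guesses_per_second=1e10):
    """Contrast a four-word Diceware passphrase with a four-word quotation.
    The guess rate is an assumed figure for an offline attack on a fast hash,
    chosen only to make the comparison concrete."""
    quote = "may the force be with you"              # predictable phrase from the text
    nominal_random = word_entropy_bits(4)              # 4 * 12.9 ~= 51.7 bits
    quote_as_english = english_entropy_bits(quote, ENGLISH_BPC_HIGH)  # optimistic
    quote_in_top_1m = frequency_list_bits(1_000_000)   # if it is on a 1M-phrase list
    return {
        "diceware_4_words_bits": round(nominal_random, 2),
        "diceware_4_words_seconds": seconds_to_crack(nominal_random, guesses_per_second),
        "quote_english_estimate_bits": round(quote_as_english, 2),
        "quote_frequency_list_bits": round(quote_in_top_1m, 2),
        "quote_frequency_list_seconds": seconds_to_crack(quote_in_top_1m, guesses_per_second),
    }


if __name__ == "__main__":
    for key, value in compare_four_word_phrases().items():
        print(f"{key:>32}: {value:.4g}")
```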

Comparison to Passwords

Passphrases typically consist of 20-30 or more characters formed by concatenating multiple words or phrases, in contrast to traditional passwords, which are often limited to 6-10 characters comprising a mix of letters, numbers, and symbols. This extended length provides passphrases with significantly greater resistance to brute-force attacks, as the search space expands exponentially with each additional character, making exhaustive cracking computationally infeasible within practical timeframes.

In terms of memorability, passphrases leverage human linguistic patterns by using sequences of meaningful words, such as "correct horse battery staple," which are far easier for users to recall over time than the random, non-semantic strings required for strong passwords like "K9p#mX2$vQ." This approach reduces forgotten credentials and the need for frequent resets, thereby improving overall user compliance with security policies. However, passphrases are not inherently secure if poorly chosen; predictable selections, such as famous movie quotes or common idioms like "may the force be with you," can be as vulnerable to dictionary-based attacks as weak passwords, underscoring the importance of avoiding obvious or easily guessable content.

In cryptographic applications, passphrases are often fed to key derivation functions such as PBKDF2 to generate robust encryption keys from user input, benefiting from their higher entropy to strengthen resistance against offline attacks, whereas shorter passwords may rely on direct hashing methods that are more susceptible if the hash is compromised.

Creation and Management

Selection Best Practices

Selecting a strong passphrase involves prioritizing length, uniqueness, and resistance to common guessing techniques to enhance security while maintaining memorability. Experts recommend aiming for a minimum of 15 characters for single-factor authentication, as longer passphrases significantly increase resistance to brute-force and guessing attacks by expanding the possible search space. Uniqueness per account is essential; reusing passphrases across multiple services amplifies risks if one is compromised, potentially leading to widespread unauthorized access. Additionally, avoid basing passphrases on famous quotes, song lyrics, or publicly known phrases, as these are easily guessable through targeted attacks exploiting cultural knowledge.

To ensure memorability without sacrificing strength, users can draw on personal associations, such as transforming a private memory or inside joke into a sequence of words, while modifying common phrases by substituting or reordering elements to obscure predictability. Incorporating numbers or symbols sparingly, such as replacing a letter in a word, can add variety if needed, but over-reliance on them often reduces recall without proportionally boosting entropy. These strategies leverage human memory patterns to create passphrases that are intuitive yet non-obvious to outsiders.

Common pitfalls in passphrase selection include using standalone dictionary words, which are vulnerable to dictionary attacks that systematically test likely terms from language corpora. Sequential patterns, such as "1234" or alphabetical runs like "abcd," provide negligible entropy and are among the first targets in automated cracking attempts. Drawing from personal information shared on social media, like pet names or birthdates, further exposes passphrases to social-engineering exploits where attackers piece together details from public profiles.

Standards such as NIST Special Publication 800-63B emphasize length over arbitrary composition rules, advising against requirements for uppercase letters, numbers, or symbols that complicate memorization without clear benefits. Instead, verifiers should support passphrases up to at least 64 characters, including spaces, and screen new selections against lists of compromised or common passwords to prevent weak choices. This approach shifts focus from forced complexity to user-friendly, length-based security that discourages predictable selections.

Effective management of passphrases includes using reputable password managers to generate, store, and autofill unique passphrases for each account, reducing the burden of memorization while enhancing security. NIST advises against routine periodic changes unless a compromise is suspected, as frequent updates often lead to weaker choices.
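One way to implement the verifier-side screening described above, as added example code rather than anything from NIST or this page: it applies the 15-character (single-factor) and 8-character (multi-factor) floors, accepts 64-character inputs with spaces, imposes no composition rules, and rejects blocklisted entries, account names, and the sequential or repeated runs named earlier. The blocklist contents and the NFKC normalization step are assumptions for the example.

```python
import unicodedata

# Length floors from NIST SP 800-63B as quoted on this page; verifiers must
# accept at least 64 characters, and no composition rules are imposed.
MIN_LEN_SINGLE_FACTOR = 15
MIN_LEN_MULTI_FACTOR = 8
ACCEPT_AT_LEAST = 64

# Constructed stand-in for a breached/common-password blocklist; a real
# deployment loads a large list and applies the same normalization to it.
SAMPLE_BLOCKLIST = {
    "password", "123456", "letmein",
    "may the force be with you",
    "correct horse battery staple",
}


def normalize(secret):
    """NFKC-normalize so visually identical input compares equal, and drop
    only leading/trailing whitespace; internal spaces are part of the secret."""
    return unicodedata.normalize("NFKC", secret).strip()


def has_sequential_run(text, length=4):
    """True if `length` consecutive characters ascend by one code point each,
    e.g. '1234' or 'abcd'."""
    for i in range(len(text) - length + 1):
        window = text[i:i + length]
        if all(ord(window[j + 1]) - ord(window[j]) == 1 for j in range(length - 1)):
            return True
    return False


def has_repeated_run(text, length=4):
    """True if one character repeats `length` times in a row, e.g. 'aaaa'."""
    return any(text[i] * length == text[i:i + length]
               for i in range(len(text) - length + 1))


def check_passphrase(secret, username=None, multi_factor=False,
                     blocklist=SAMPLE_BLOCKLIST):
    """Verifier-side screening. Returns a list of rejection reasons; an empty
    list means the passphrase is acceptable. No maximum length and no
    composition rule is enforced, in line with the guidance above."""
    reasons = []
    text = normalize(secret)
    floor = MIN_LEN_MULTI_FACTOR if multi_factor else MIN_LEN_SINGLE_FACTOR
    if len(text) < floor:
        reasons.append(f"shorter than {floor} characters")
    lowered = text.lower()
    if lowered in blocklist:
        reasons.append("appears on the blocklist")
    if username and username.lower() in lowered:
        reasons.append("contains the account name")
    if has_sequential_run(lowered):
        reasons.append("contains a sequential run such as 1234 or abcd")
    if has_repeated_run(lowered):
        reasons.append("contains a repeated character run")
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "short1234",
                      "zany quantum lure goblin rift"):
        print(f"{candidate!r}: {check_passphrase(candidate) or 'accepted'}")
```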

Generation Methods

One prominent manual method for generating passphrases is the Diceware technique, developed by Arnold Reinhold in 1995. This approach uses five rolls of a standard six-sided die to produce a five-digit number ranging from 11111 to 66666, which corresponds to one of 7,776 unique words in a predefined list. By repeating this process for multiple words (typically six) a passphrase is formed, such as "zany quantum lure goblin rift"; six words provide approximately 77.4 bits of entropy. The method emphasizes physical dice rolls to ensure true randomness, avoiding computer-based pseudorandom generators that may be predictable.

Another technique relies on acronyms derived from memorable sentences or phrases to create passphrases. Users select a personal or meaningful sentence, then form the passphrase by taking the first letter of each word and optionally substituting numbers or symbols for added complexity. For instance, the sentence "My dog is five years old" could yield "MdI5yo!" where "five" is abbreviated numerically. This method leverages human memory for sentences while producing a string resistant to common attacks, though care must be taken to avoid publicly known examples that could reduce uniqueness.

Random word combinations represent a broader algorithmic approach to passphrase generation, popularized by the 2011 xkcd comic illustrating the phrase "correct horse battery staple" as a secure yet memorable option. This involves selecting unrelated words from a large word list via a secure random number generator, often four or more words to balance length and recall. The comic's example highlighted how such multi-word sequences outperform short, complex passwords in entropy per character, influencing subsequent tools and recommendations.

Open-source tools facilitate algorithmic generation of passphrases through software interfaces. The Electronic Frontier Foundation (EFF) provides a Diceware-inspired online generator using its 7,776-word list, allowing users to simulate dice rolls digitally while maintaining entropy standards. Similarly, Bitwarden's open-source password generator includes a passphrase option that combines random words from curated lists, integrated within its browser extensions and apps for seamless creation and storage. These tools prioritize cryptographic randomness, often sourced from system entropy pools, to produce unique passphrases without manual effort.
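An added example (not Reinhold's or the EFF's code) of the Diceware mechanics described above: converting a five-digit dice key to a list index, simulating rolls with the OS CSPRNG as a digital generator would, and joining the chosen words. Because the published 7,776-word list is not reproduced here, the word list is a constructed stand-in in which each slot holds its own dice key.

```python
import math
import secrets

DICE_FACES = 6
ROLLS_PER_WORD = 5
LIST_SIZE = DICE_FACES ** ROLLS_PER_WORD   # 6^5 = 7,776 words


def dice_key_to_index(key):
    """Map a five-digit dice key ('11111'..'66666') to a list index 0..7775.
    Each digit is a base-6 digit offset by one, most significant first."""
    if len(key) != ROLLS_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError(f"invalid dice key: {key!r}")
    index = 0
    for c in key:
        index = index * DICE_FACES + (int(c) - 1)
    return index


def index_to_dice_key(index):
    """Inverse of dice_key_to_index."""
    if not 0 <= index < LIST_SIZE:
        raise ValueError("index out of range")
    digits = []
    for _ in range(ROLLS_PER_WORD):
        index, digit = divmod(index, DICE_FACES)
        digits.append(str(digit + 1))
    return "".join(reversed(digits))


def roll_dice_key():
    """Simulate five physical rolls with the OS CSPRNG (secrets), as a digital
    generator must; the random module is unsuitable for secrets."""
    return "".join(str(secrets.randbelow(DICE_FACES) + 1)
                   for _ in range(ROLLS_PER_WORD))


def words_from_keys(wordlist, keys):
    """Look up keys (rolled physically and typed in, or simulated) in the list."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError(f"Diceware list must hold exactly {LIST_SIZE} words")
    return [wordlist[dice_key_to_index(k)] for k in keys]


def generate_passphrase(wordlist, words=6, roll=roll_dice_key):
    """Roll one key per word and join the words with spaces; six uniform
    rolls give 6 * log2(7776), about 77 bits."""
    return " ".join(words_from_keys(wordlist, [roll() for _ in range(words)]))


def entropy_bits(words, list_size=LIST_SIZE):
    """L * log2(N) for L uniformly chosen words from a list of N."""
    return words * math.log2(list_size)


# Constructed stand-in for the real 7,776-word list: slot i holds its own
# dice key, so the mapping can be checked offline without the published list.
DEMO_WORDLIST = [index_to_dice_key(i) for i in range(LIST_SIZE)]


if __name__ == "__main__":
    print(generate_passphrase(DEMO_WORDLIST))
    print(f"{entropy_bits(6):.1f} bits for six words")
```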

Implementation and Support

Operating Systems

Microsoft Windows has supported passphrases for user authentication since the Windows NT era, with the NTLM hashing mechanism allowing for Unicode strings up to 128 characters internally, though the logon interface traditionally limited input to 127 characters. Passphrases longer than 14 characters mitigate vulnerabilities associated with the legacy LAN Manager (LM) hash, as Windows does not compute or store a usable LM hash for such lengths, rendering it unusable for authentication and reducing exposure to attacks that exploit LM's weaknesses, such as case insensitivity and truncation to 14 characters. In Windows 10 and 11, credential providers have been enhanced to accommodate longer passphrase inputs, supporting up to 255 characters in modern configurations, particularly for features like the Local Administrator Password Solution (LAPS), which explicitly enables passphrase generation and storage. To enforce minimum lengths beyond the default 14-character policy limit, administrators can enable the "RelaxMinimumPasswordLengthLimits" registry setting under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, allowing minimum lengths up to 255 characters via Group Policy or direct registry modification.

Unix-like operating systems, including modern Linux distributions, FreeBSD, and macOS, provide robust native support for passphrases through the Pluggable Authentication Modules (PAM) framework, permitting lengths up to 255 characters in shadow password files (or the equivalent in macOS Open Directory) and authentication processes. This represents a significant advance over early Unix systems, which were constrained to an 8-character limit because the original DES-based crypt algorithm truncated longer inputs. In contemporary implementations, such as those using pam_unix, the effective maximum is governed by PAM_MAX_RESP_SIZE (512 bytes), but practical limits align with 255 characters to ensure compatibility across modules like pam_pwquality for quality checks. FreeBSD and macOS similarly support extended passphrases via PAM, with modules like pam_passwdqc defaulting to a 40-character maximum for policy enforcement but allowing up to 128 characters or more in underlying storage without inherent restrictions.

Configuration for passphrase lengths in Linux systems is typically managed through files like /etc/login.defs, where PASS_MIN_LEN sets the minimum (default 5), while maximum lengths are controlled via modules such as pam_pwquality in /etc/pam.d configurations or /etc/security/pwquality.conf, enabling administrators to specify minlen and maxlen values without needing legacy workarounds. For instance, setting "minlen = 14" in pwquality.conf enforces longer passphrases system-wide during password changes. In FreeBSD, similar adjustments occur in /etc/pam.d/system or login.conf, where local policies can relax or extend defaults to support modern security practices. In macOS, passphrase policies are managed via Open Directory and can be configured through Directory Utility or command-line tools like pwpolicy to enforce minimum lengths up to 255 characters.

Despite these advancements, limitations persist in mixed environments involving legacy systems, where long passphrases may cause interoperability issues; for example, older Windows components or Unix variants relying on LM hashing or DES-based crypt can fail authentication or truncate inputs, necessitating fallback to shorter lengths or protocol upgrades to avoid failures.

Cryptographic Applications

Passphrases play a central role in cryptographic key derivation, where they serve as input to specialized functions that transform human-readable strings into cryptographically secure keys. The PBKDF2 algorithm, standardized in RFC 2898, uses the passphrase along with a salt to iteratively apply a pseudorandom function, such as HMAC-SHA256, producing a fixed-length key whose computational cost resists brute-force attacks. This method is widely adopted for deriving symmetric keys in protocols requiring passphrase-based encryption. Similarly, Argon2, selected as the winner of the 2015 Password Hashing Competition for its resistance to side-channel and parallel hardware attacks, derives keys from passphrases by emphasizing memory usage alongside time and space costs, making it suitable for securing sensitive data in modern systems.

In open-source cryptographic standards like OpenPGP, as defined in RFC 4880, passphrases are used to generate symmetric keys that encrypt private keys or message data, ensuring that even if the encrypted file is compromised, the passphrase protects access without relying on separate key files. Encrypted email services employ passphrase-derived keys to secure end-to-end communications, where the passphrase authenticates the user and encrypts messages in transit and at rest.

Password managers integrate passphrases as master secrets to unlock and derive encryption keys for stored credentials. In Bitwarden, the master passphrase, combined with a salt, is fed to PBKDF2 or Argon2 to generate an encryption key that protects the entire vault, with recommendations for sufficient entropy, such as from a multi-word passphrase, to withstand offline attacks. Likewise, 1Password requires a master password (functioning as a passphrase) alongside a unique Secret Key to derive AES-256 encryption keys, emphasizing passphrase length and randomness for security.

Within multi-factor authentication (MFA) frameworks, passphrases fulfill the "something you know" factor, providing the initial layer before secondary verifiers like tokens or biometrics are checked, as outlined in NIST SP 800-63B guidelines. This integration enhances overall system security by leveraging passphrase-derived challenges in protocols like TOTP.

In cryptocurrency applications, passphrases manifest as mnemonic phrases for wallet recovery and key generation. Bitcoin wallets adhere to the BIP-39 standard, using 12- to 24-word mnemonics derived from random entropy to generate hierarchical deterministic keys via PBKDF2 with HMAC-SHA512, allowing users to recover a wallet from the memorized phrase alone. For cloud services, providers like AWS support passphrases as console login credentials, enforcing minimum lengths of 8 characters but recommending longer phrases to meet entropy thresholds for key derivation in credential management.

As of 2025, post-quantum cryptographic advancements underscore the enduring role of passphrases in hybrid schemes, where their entropy must suffice against Grover's algorithm reducing the symmetric key search space by a square-root factor, necessitating at least 256 bits for AES-256 equivalence without altering derivation functions like Argon2. Enhanced support in mobile ecosystems includes iOS 18's integration of passphrase-biometric hybrids, where a numeric or alphanumeric passphrase backs up biometrics for fallback authentication and key derivation in Secure Enclave operations. Android 15 similarly bolsters passphrase use in credential storage, combining it with biometric prompts for app-level encryption via Keystore, ensuring seamless recovery in privacy-focused updates.
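As an added example, not taken from RFC 2898, BIP-39 or any of the products named above, the following Python derives and verifies a PBKDF2-HMAC-SHA256 key from a passphrase and a per-secret salt, and derives a BIP-39 seed with PBKDF2-HMAC-SHA512 as that standard specifies. The iteration count and the stored-record layout are assumed conventions for the example; the mnemonic in the usage is a constructed sample, not a real wallet.

```python
import hashlib
import hmac
import os
import unicodedata

# Work factor is an assumed illustrative value; set it from measured cost on
# the verifier's hardware and current NIST/OWASP guidance in a real deployment.
DEFAULT_ITERATIONS = 600_000


def derive_key(passphrase, salt, iterations=DEFAULT_ITERATIONS, length=32, prf="sha256"):
    """PBKDF2 (RFC 2898): iterate HMAC-<prf> over the passphrase and salt to
    produce `length` bytes of key material; cost grows linearly with iterations."""
    if iterations < 1 or length < 1:
        raise ValueError("iterations and length must be positive")
    return hashlib.pbkdf2_hmac(prf, passphrase.encode("utf-8"), salt, iterations, length)


def new_salt(size=16):
    """Per-secret random salt so equal passphrases never share a derived key
    and precomputed tables are useless."""
    return os.urandom(size)


def make_record(passphrase, iterations=DEFAULT_ITERATIONS):
    """Store the parameters next to the hash so the verifier can recompute it.
    The '$'-separated layout is a constructed convention for this example."""
    salt = new_salt()
    key = derive_key(passphrase, salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${key.hex()}"


def verify_record(record, candidate):
    """Recompute with the stored salt and iterations; compare in constant time."""
    scheme, iterations, salt_hex, key_hex = record.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError("unsupported scheme")
    expected = bytes.fromhex(key_hex)
    actual = derive_key(candidate, bytes.fromhex(salt_hex), int(iterations), len(expected))
    return hmac.compare_digest(expected, actual)


def bip39_seed(mnemonic, passphrase=""):
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = 'mnemonic' + the
    optional passphrase, both NFKD-normalized, giving the 64-byte HD wallet seed."""
    words = unicodedata.normalize("NFKD", mnemonic)
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return derive_key(words, salt, iterations=2048, length=64, prf="sha512")


if __name__ == "__main__":
    record = make_record("zany quantum lure goblin rift")
    print(record)
    print("verify correct :", verify_record(record, "zany quantum lure goblin rift"))
    print("verify wrong   :", verify_record(record, "zany quantum lure goblin rifts"))
    # Constructed sample mnemonic (the BIP-39 all-zero-entropy phrase), not a real wallet.
    sample = " ".join(["abandon"] * 11 + ["about"])
    print("seed:", bip39_seed(sample, "TREZOR").hex())
```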
