Last week we looked at building strong passwords and the importance behind that. A lot of people now deploy PassPhrases instead and today we will look more closely at those. ‘PassPhrases versus passwords’ is the name, finding key differences between the two is the game – let’s play…

What is a PassPhrase?

Essentially it is a type of password which includes a series of words, such as “mobile lampshade hat headset”. Those are random items dotted around this writer’s flat but your own one could be anything. PassPhrases usually feature more characters than ‘standard’ passwords but they contain fewer components. So, whilst a password may have 8-12 different random characters in, PassPhrases may have 3-5 different words – thus making them easier to remember.

How many of you have forgotten a password or two in the last 6 months? How many have turned to password managers? There is an argument that these are most effective against would-be hackers, although even in our cross-browser / IoT-rife world, they are not always convenient. Those in favour of PassPhrases can then point to the fact that they combine human-memorability with the necessary complexity to foil hackers.

The key differences between PassPhrases and passwords

A key point to note before we dive into the differences is the information theory concept of entropy. This is based around randomness and more specifically, the degree to which randomness is adopted. A longer password will contain more ‘randomness’ than a shorter one and will therefore be more difficult to ‘crack’. A common belief is that a collection of phrases will always be more random than a single word. There are 94 possible options for a password character, meaning mathematically then that PassPhrases are more secure.


  • These are generally longer
  • They are easier to make ‘random’
  • They are often easier for the user to remember
  • A PassPhrase can be 20 characters or more, making them more cyber secure


  • Often based around meaningful words, these can then be more easily discovered
  • Similarly, some users adopt variations of these words, often names, with logical characters replacing letters (i.e. ‘4’ instead of ‘A’)
  • As a result, more characters are often then deployed which can be difficult to remember
  • A password is usually 8-12 characters in length and are easier to predict


In the ‘PassPhrases versus passwords’ debate, it is important to note that both can offer a good level of security. The key points to remember are to create something that is random yet memorable to you. If you favour passwords, our previous blog piece gives tips on producing strong ones. If PassPhrases are for you, here are some tips on implementing a robust one:

  • Choose multiple small words
  • Try to select unusual words
  • Make your phrase memorable
  • Add a range of characters and different cases
  • Humorous phrases typically prove difficult to forget
  • Once you have settled upon your phrase, practice typing it

CRIBB Cyber Security is part of theICEway ecosystem of companies. We are an official certification body backed by the UK government. Our data protection capabilities stretch far and wide and our penetration testing and vulnerability scanning services are proving particularly popular. Whatever your level of IT security, you can never be too cyber aware. Make 2022 the year you prioritise reinforcing your cybersecurity. As a renowned UK cyber security company, CRIBB is always glad to help so do reach out today.