Rise of the passphrase

Right off the top, let’s all agree that passwords aren’t the worst things in our lives right now. Life in the ’20s is fraught with perils we just didn’t see coming. But, as I tend to say, “this isn’t that kind of blog.” This is a blog about technology and the way it affects our lives. And in that contexts, passwords stink.

The long history of passwords

“Password” itself is a compound word. That means it’s a word made up of other words. In days long ago, security was simple. If you knew the right word to get into a place, you could “pass” through the gate. Otherwise you were stopped.

Passwords have a somewhat racist history that we can’t completely deny. One of the earliest stories about passwords comes from the book of Judges, where anyone wishing to pass was asked to say “Shibboleth,” a word meaning grain. Locals could say it right, while foreigners couldn’t. Thousands of years later, soldiers in the Second World War would use the word “Lollapallooza” to distinguish between Chinese allies and Japanese foes. This use of passwords may have been necessary, but it does leave the whole thing tinged with a little bit of an uncomfortable flavor in these more considerate times.

I would venture to say that practically no one had a password in 1980. Oh, maybe if you were in charge of a nuclear power plant or the billing department of a major department store. But logins (another compound word) and passwords for regular folks are a largely modern development. And, not a terribly desirable one.

The need for security in an online world has created a need for us to prove our identities several times a day. We use password managers, we try to memories long strings of numbers, and we just sometimes give up. There’s not one of us who hasn’t, at one time, used the password “123456” because, in the words of a coworker, “enough already with this.”

The obvious problem with passwords

The most obvious problem with passwords is that our own little brains aren’t really capable of remembering 50 unique passwords, each with a consonant and a number and a punctuation mark. So, in a best case scenario we use some sort of password manager, which stores all our passwords and lets us get on with our lives. But of course that means all your passwords are stored in one place and how do you secure that place? That’s right! With another password!

The other thing to say about passwords is that they are hard to replace. In the last twenty years there have been a lot of attempts to replace passwords, each with their own challenges. Biometrics are great — whether fingerprint reading or retina scans or face scans — but they aren’t perfect. They’re also not available on every device.  Two-factor authentication, which is where they send you a code after you try to log in, sounds good. And then you realize that they’re sending the code to the same phone you’re trying to use to log in. How could that be secure? Answer: it isn’t.

And now we have the passphrase

A “password” is a jumble of letters and numbers, not terribly long. Now some of the more progressive sites are asking for “passphrases.” A passphrase is a string of words, separated by spaces. This trend started with some wireless routers and it’s beginning to get common everywhere.

A typical passphrase, one that actually works, is a phrase that makes a lot of sense to you but isn’t really easy to guess. A phrase from your favorite song isn’t a good passphrase. But, if you take that phrase and twist it around in a memorable way, it might be.

For example, think of the first line of the seminal rock song, Bohemian Rhapsody. “Is this the real life?” This meets the criterion for a passphrase, but it’s common enough that it could be easily guessed by a computer. Don’t believe me? Type “is this the” into your browser’s search bar. There’s a pretty good chance that it will suggest “is this the real life” as an option. But it won’t suggest “is this the peel life” and that makes it a good passphrase. You could remember it and it might make you chuckle.

Are passphrases really safer?

That’s the question of course. The answer is just what you would expect: it depends. If you pick smart passphrases, they should be. Conventional wisdom says that passwords and passphrases are more effective if they are longer and more unpredictable. So, using a long passphrase might work better than a long password. It could be a string of words that you remember, as opposed to a string of characters that you don’t.

So in that way, it might be easier to actually use a good passphrase than it is to use a good password, and that makes is better. But if you use a passphrase that’s super common, it’s just as likely to bite you as a bad password will.

About the Author

Stuart Sweet
Stuart Sweet is the editor-in-chief of The Solid Signal Blog and a "master plumber" at Signal Group, LLC. He is the author of over 10,000 articles and longform tutorials including many posted here. Reach him by clicking on "Contact the Editor" at the bottom of this page.