a companion discussion area for blog.codinghorror.com

Passwords vs. Pass Phrases


Microsoft security guru Robert Hensing hit a home run his first time at bat with his very first blog post. In it, he advocates that passwords, as we traditionally think of them, should not be used:

This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2005/07/passwords-vs-pass-phrases.html


I remember reading an article about passphrases a few months ago, I’ve got it printed out round here somewhere thumbs through a pile of papers

We were considering using pass phrases for the new website we are currently developing.
But in the end, we decided to stick with passwords. Why?

Mainly because that’s what users are used to and we’re trying not to introduce anything to confuse people.

What we have done is made a security meter, that shows users show secure the password they are entering is.
Along with tips on how to create a secure password that is easier to remember.


Mainly because that’s what users are used to and we’re trying not to introduce anything to confuse people.

It’s not new. As long as passwords of sufficient length are allowed, users can opt to use passphrases. What is a passphrase but a longer password that probably reads as a sentence?

The problem, as you point out, is that most people have deeply held misconceptions about what passwords “should be”…


Just make it code:

for i = 1 to 100 do print “This is MY password!”

or even better run together


If you can get {} in it, a nice complex C++ for loop would do nicely. I HIGHLY doubt anything would crack that anytime soon :slight_smile:


From Bill Brown’s blog:

[UPDATE (2/17/05): After the second time calling our help desk today to reset my network password, I think I’m going to end this crazy experiment. My password was “I could make your life a living hell!” from Ace Ventura: Pet Detective. It was definitely easy to remember but easy to mistype. The worst part of using passphrases is that if you lose your place, punch two keys at the same time, or lose confidence in your space bar application, you must start over from scratch. And if you make a mistake twice, the most important thing in your life suddenly becomes getting the password right on that third attempt.

True, the length does take some getting used to. But how about a somewhat shorter phrase? Something like “Open sesame!!” perhaps?

I surpose it depends on your audience, but in my experience even something a little different or alien can confuse users.

Perhaps, but I think reminding users that password doesn’t LITERALLY have to mean password could help them. In the end, it’s less “I forgot my password” requests and it’s likely to be more secure to boot.

How about instead of just a bland “password” entry box, we present some sample passwords and passphrases as suggestions next to the entry box? Just gentle reminders that password does not mean a single word.


At 12 characters, your password is barely at the lower end of most passphrase recommendations. The passphrases you cited (“My oldest son’s name is Chris and he is 10 years old”, “My address is 1234 Main Street”, etc.) are all much longer and just as fraught with danger as was my passphrase.

I’ve heard of people recommending that you only take the first letter of each word in the phrase, but that seems just as problematic as typing the whole thing. Typing a full sentence is relatively easy. Mentally left-ing the first letter of every word is easy to screw up.

I suggest that you use whatever works for you. The call to action should be: let me enter as long a password as I’m willing to use.


The call to action should be: let me enter as long a password as I’m willing to use.

The real call to action is to remind users that passWORD doesn’t literally mean a WORD. And to that end, I think samples are helpful.


At our website, the majority of the users are ‘Joe public’ who use their computer as a tool, with seemingly limited knowledge of things we more advanced users take for granted.

Since I was hired as the senior programmer here I’ve been steadly scaling back the complexity of how the public facing website systems look and work.

Even something as simple as sending new users an account activation e-mail, before their new account was activated caused many problems.
Initally 30% of all account were never activated. Because people didn’t read the e-mail? Didn’t understand it? Or something else…

My point is, yes, making a system accept pass phrases is fine. It somebody wishes to use one, so be it.
But a lot of my work interface wise geared towards keeping things as simple as possible and not introducing anything that could confuse users.

I surpose it depends on your audience, but in my experience even something a little different or alien can confuse users.

P.S. Jeff, I’ve been enjoying your blog for a few months now. Most enjoyable and informative, keep it up!


I’ve tried pass phrases and discovered that I don’t like them:


In the end, I reverted back to my old system:


For new passwords, I’ve taken to using the old system and then pressing the backspace/delete key. The second word then becomes a not-word and I think makes the whole password uncrackable.


Yes, simple examples are explainations are good user interface design.

I noticed Jeff that you’ve also read ‘The design of everyday things’

After reading this I made a checklist that is stuck to every designers desk here, with six bullet points that every web based or desktop application we make must meet.

  • Make thing visible (Give feedback, show visible results of actions)
  • Don’t be arbitrary (Use obvious command names and actions)
  • Be consistent
  • Make operation intelligible
  • Be polite (Work with the user, not against)
  • Don’t make operations dangerous (Don’t allow a single wrong action to destroy work)


To that end, Peter, IBM made some great posters on usability a few years back that I have hanging up around my cubicle:



Thanks Bill, I’ve compiled four of those into one A4 sized poster.



I use and love pass-phrases. I find them easier to remember than single words. They also have an added bonus - as soon as you sit down and log in you’re typing away like mad entering your pass phrase…you sound really really busy. This is a good message to convey to others. 5000^4 = 625000000000000, and there are (as yet) no pre-computed list of hashes for all 4-word phrases.


I think this whole discussion misses the point. Would you rather be wearing brown or blue when standing on deck waiting for the ship to sink? I would rather not have to remember a $#^%$ password!


then it can be attacked at the word level with greater speed than a password such as xY6^ui*9uiyrt can be attacked at the letter level

I’m not sure this is true.

The ASCII character set is about, what… maybe 100 characters?

In a sentence, how many words can follow a given word? Imagine a pass-phrase like:

“I have a (blank) hat.”

How many words can go in the blank? Certainly far more than 100!

And remember there is no feedback for partial matches on password failure. You have to match the entire phrase to know if you’ve succeeded or not.



You say I am not taking into consideration punctuation and numbers however Robert doesn’t include numbers and only includes appropriate punctuation in his examples. My point still stands that if a passphrase is a legal sentence using appropriate punctuation, then it can be attacked at the word level with greater speed than a password such as xY6^ui*9uiyrt can be attacked at the letter level.



You are correct that a passphrase such as I have a (blank) hat is very easy to remember, however my point was that a password of equivalent length is harder to break. Of course, this implies that you know it is a passphrase, which of course you would not know. Here are the numbers. Let’s choose the word red for your blank.

As a passphrase, we can safely say that for each word there are about 2000 words that a person would commonly use. In fact, it is less than that because of grammar rules, but we’ll discount that for now.

I have a red hat == 2000^5 == 32000000000000000 combinations.

Now look at a password of equivalent length where each character can be letter, number, or punctuation. That would make about 40 choices per character. So
I have a red hat == 16^40 == 1.4615016373309029182036848327163e+48 combinations.

If someone uses grammatically correct sentences for pass phrases, then a brute force attack on the pass phrase will succeed sooner than a brute force attack on the password. However, I’m quite certain I’ll forget the password much sooner than either one is broken! :slight_smile:


Small correction in my math. The second example should be 40^16 == 42949672960000000000000000.

Dang logic checker failed to catch that before posting :wink:


say that for each word there are about 2000 words that a person would commonly use

I think this is an extremely low estimate, but OK.

  • What about capitalization eg “I have a Black hat”? That means the number of possibilities just doubled for each word.

  • What about punctuation eg “I have a Black hat!” or “I have a tall, black hat” That’s a few possible characters that may or may not be present. With the comma alone we’ve doubled the number of attempts for each word. And the end of the sentence has to be tried with a period, question mark, exclamation point at least.

Without even breaking a sweat, I’ve increased the REAL number of comparisons you’d have to attempt to (6000 ^ 5) * 3 or


I guess the hypothetical attack tool you are talking about would have a complete command of English (and perhaps other languages/words/grammatical errors that might slip in)? I don’t know how it would know what capitalization and punctuation rules make sense to try, or even which words statistically follow other words. I am not sure this attack tool you’re describing A) even exists or B) is possible to create. It’s certainly several orders of magnitude more difficult than a simple “check the next ASCII character in sequence”.

Furthermore, it’s trivial to add words. I could easily change this passphrase to “I have a tall, Black Stovepipe hat!” or enforce a “must be at least n words” rule.

(6000 ^ 7) * 3


This compares quite favorably to your 16 character password nobody can remember “xY6^ui*9uiyrt”




Er… heh. You’re not the only one making math errors!

2000 * 2 (initial caps) * 2 (trailing comma) = 8000, not 6000. Duh. So those numbers I quoted are actually low.