Passwords and passphrases get used interchangeably, but they describe different approaches to the same problem: proving to a system that you are who you say you are. Understanding the difference, and what current guidance actually recommends, is worth knowing before you set your next password.
What is a passphrase?
A passphrase is a sequence of random words used as a login credential instead of a single complex word with letters, numbers, and symbols. The idea is straightforward: length is more important than complexity when it comes to how hard something is to guess or crack.
A password like P@ssw0rd! is short, looks complex, and is genuinely weak because millions of people use predictable substitution patterns exactly like it. A passphrase like carpet lemon thursday is longer, looks simpler, and is significantly stronger because its length makes it exponentially harder to crack by brute force.
What makes a good passphrase?
The UK’s National Cyber Security Centre (NCSC) recommends the three random words approach: pick three words that have no connection to each other or to you personally, and use them together as your passphrase.
A good passphrase is:
- Random. The words should have no connection to each other, to your name, your pets, your birthday, or anything else guessable. “carpet lemon thursday” is good. “fluffy-birthday-2024” is not, because two of those words are predictable.
- Long. Three average-length words give you somewhere between 15 and 25 characters, which is far longer than most passwords. Length is what provides the security.
- Unique. Like any password, a passphrase should be used for one account only. Reusing the same passphrase across multiple accounts means a single breach exposes all of them.
What about complexity rules?
The old advice — mix uppercase and lowercase, add numbers and symbols, change it every 90 days — has been substantially revised by NCSC and other security bodies. Here’s why.
Forcing complexity leads people to make predictable choices: capital letter at the start, number at the end, one symbol in the middle. These patterns are well-known to attackers and to the tools they use. A short complex password following these rules is often weaker in practice than a longer, simpler passphrase.
Current NCSC guidance specifically discourages mandatory complexity rules and encourages the three random words approach instead. If a system forces you to add a number or symbol to your passphrase, add one, but the length of the passphrase is still what’s doing the security work.
Types of passphrases
Random word passphrases are the recommended standard. Three or more genuinely unconnected words, no personal references, no obvious patterns. “umbrella fence october” is a good example.
Sentence passphrases use a short phrase or sentence rather than individual words. “the cat sat slowly” is longer than most passwords and easier to remember than a string of symbols. These work well but are slightly weaker than fully random word combinations since sentence structure follows predictable patterns.
System-generated passphrases are created by a password manager rather than chosen by a person. These are the strongest option since they remove human choice from the equation entirely — human beings are reliably bad at picking things at random.
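To make the length-versus-complexity argument and the case for system-generated passphrases concrete, here is an added Python example (not from the original page): it draws a three random word passphrase with a CSPRNG and estimates, in bits, the guessing work for a wordlist passphrase against a "complex" password that follows the predictable word-substitution-digit-symbol pattern described above. The short wordlist and the pattern-size defaults are constructed assumptions for the demo; the 7776-entry figure is the size of a Diceware-style wordlist.

```python
import math
import secrets

# Constructed sample wordlist for this demo only. Real generators draw from
# far larger lists (a Diceware-style list has 7776 entries); what matters for
# strength is the list size and the word count, not which words come out.
SAMPLE_WORDS = [
    "carpet", "lemon", "thursday", "umbrella", "fence", "october",
    "anchor", "velvet", "cactus", "marble", "pepper", "tunnel",
]
DICEWARE_SIZE = 7776


def generate_passphrase(words, count=3, separator=" "):
    """System-generated passphrase: each word chosen uniformly with a CSPRNG.

    secrets.choice is used deliberately; the random module is not suitable
    for credentials because its output is predictable from its state.
    """
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count):
    """Bits of entropy when `count` words are drawn uniformly from the list.

    This measures the selection process, not the string: "carpet lemon
    thursday" is 20 characters, but an attacker who knows the list only
    has wordlist_size ** count candidates to try.
    """
    return count * math.log2(wordlist_size)


def predictable_complex_entropy_bits(dictionary_size=10_000, substitution_variants=16,
                                     digit_choices=10, symbol_choices=32):
    """Bits of entropy for a 'complex' password built the usual way: a common
    word, a leetspeak substitution, a trailing digit and a symbol.

    The defaults are assumed sizes for the demo. A guessing tool that models
    the pattern only searches the product of these choices, which is why
    P@ssw0rd!-style passwords are weak despite mixing character classes.
    """
    return math.log2(dictionary_size * substitution_variants
                     * digit_choices * symbol_choices)


def words_needed(wordlist_size, target_bits):
    """Smallest number of random words from the list that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))
```

With the demo defaults the pattern-following password comes out around 26 bits against roughly 39 bits for three Diceware words, and `words_needed` shows that adding a fourth or fifth word, not a symbol, is what raises the figure further.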
A passphrase alone is not enough
This is the most important point, and it’s one the old advice usually missed entirely.
Even a strong, genuinely random passphrase only protects you up to the point where someone obtains it — whether through a data breach, a phishing attack, or a leak from another site where you reused it. Once the passphrase is compromised, the account is compromised.
Multi-factor authentication (MFA) closes that gap. With MFA enforced, a stolen passphrase isn’t enough to access the account — the attacker still needs the second verification step. This is why we enforce MFA across every account for every client, with no exceptions, regardless of how strong the password or passphrase is.
A strong passphrase plus MFA is significantly more secure than either alone. A strong passphrase without MFA is still a single point of failure.
For more on how we enforce MFA and why it matters more than password complexity, see our MFA vs 2FA page.
One monthly fee. One number to call.
Getting the basics right — strong credentials, MFA enforced everywhere, properly managed across your whole business — is exactly what we do.
