
How to Remember a Strong Password, or: An Exploration of Security in the Digital Age

No more hassle with countless login credentials – we present the secure use of password managers and passphrases.

In today’s world, where digital activity has spread into every aspect of our lives, the challenge of maintaining online security has never been more pressing. The growing number of platforms requires a growing number of passwords, and it seems that every system, device, and account comes with its own set of password-creation rules. Some require an 8-character password, others a 12-character one. Some require a mix of lowercase and uppercase letters, numbers, and symbols, while others exclude symbols, for example. Against the backdrop of an expanding digital landscape, users are encumbered with managing a plethora of passwords. These alphanumeric combinations guard everything from our professional correspondence to our personal interactions.

When it comes to password security, there is an ongoing debate between using long, complex passwords and simple ones. While some argue that complex passwords combining uppercase letters, lowercase letters, numbers, and special characters provide better security, others believe that many different long and hard-to-remember passwords are not the answer. The challenge with longer and more complex passwords is that users struggle to remember these lengthy sequences of random numbers and characters. For a research-oriented evaluation, please see here.

Consequently, there is a risk that users write down passwords or use shorter ones. Alternatively, users fall into the habit of reusing the same password across multiple systems. Even worse, many individuals adopt predictable patterns such as consecutive numbers (e.g., 123) or adjacent keyboard keys (e.g., qwerty). People also often use important dates such as birthdays or wedding anniversaries, or the names of family members or pets. Relying on such easily guessed sequences compromises the security of personal information and accounts and exposes them to a range of attacks. Brute-force and dictionary attacks exploit exactly these common user habits, and advances in computing power have made them more effective still: the combination of powerful new machines and the predictability of the character combinations users choose has made these attacks incredibly effective. It is essential for individuals and organizations to be aware of this growing threat and take the necessary measures to protect their systems and sensitive information.

Additionally, each password should be used only once, so that a single hacked or compromised password does not endanger all accounts. In a separate blog series, we have summarized how hackers proceed in the respective attacks and how one can protect against them.

But a difficult question arises: Is there a way to simplify and streamline this increasingly complex digital maze? How should a user remember dozens or even hundreds of different passwords?

Does the answer lie in a single, exceptionally strong password, in long and memorable passphrases, or in a combination of both?

The Password Manager as First Alternative

The instrument that makes the one-strong-password solution work is the venerable password manager.

A password manager is a tool that lets a user store all of their usernames and passwords in one secure vault protected by a single master password. The advantage is that the user only needs to remember one very strong password, so the security effort can be focused on creating and retaining one potent password rather than hundreds. To make life even easier, a password manager is usually available as a browser extension on the desktop and as a mobile app with biometric authentication on mobile devices.

On the other hand, it is true that if someone gained access to a user’s password vault, they would have access to all of the user’s accounts. Nevertheless, security professionals still strongly recommend using a password manager, because its advantages far outweigh the potential risks. With a password manager, a user can generate and securely store a complex, unique password for each account, which, if used correctly, significantly reduces the likelihood of being hacked. Additionally, password managers often provide further layers of security such as two-factor authentication and encrypted data storage.

However, one should refrain from saving passwords in the browser. It may seem convenient, but browsers store passwords in a less secure way, in a predictable location whose path is known to almost every attacker. The passwords themselves are encrypted, but the key for decrypting them is stored nearby and is relatively easy for hackers to access. That is why a much more secure method, such as a dedicated password manager, is preferable.

To find out more about password manager tools, see here.

Are Passphrases more secure than Passwords?

Strong and secure passwords are generally complex and difficult to remember. A clever approach to managing and remembering them is to use passphrases as an alternative to a traditional password manager. Passphrases can be just as long and just as strong, but they are easier for users to remember. If selected correctly, passphrases also provide sufficient strength against common hacking techniques. They can be constructed by combining multiple words or by using random combinations of unrelated words. As with passwords, it is important to avoid words that are closely related or too personal, as this can create vulnerabilities: such words combined into a passphrase make it easier for dictionary-based password tools to guess the correct sequence, even with a large number of possible combinations.

To increase the complexity and hence the security of a passphrase, users can enhance it by strategically incorporating spaces, punctuation marks, and even intentional misspellings while keeping it user-friendly. This adds a layer of sophistication while the login process remains intuitive and straightforward, at least as long as the use of additional characters is not overdone. A passphrase must be secure, but it should also be intuitive to enter. Mobile devices should be considered when creating a passphrase: on them, it may otherwise be necessary to switch the keyboard between letters and special characters frequently, and too much switching makes the login process less intuitive.

Context-Based Passphrases

An interesting way to remember a passphrase is the more innovative approach of context-based passphrases. This method uses clues from the account you are trying to access to generate unique and memorable passphrases. In this way you can enhance both security and convenience without additional tools or software.

Here is an example to illustrate how a convenient and secure passphrase can be generated and remembered for, e.g., an Amazon account:

A passphrase is generated with as many words as the account name has letters, subject to a minimum-length criterion (e.g., Amazon: 6 words). This technique can be combined with several others, e.g.

This technique adds an extra layer of security while still being easy to remember.

By consistently using the system, you’ll effortlessly recall which passphrase is associated with each account. It’s a straightforward process that becomes second nature with regular practice.

Even if a hacker manages to obtain one set of credentials, it would be highly challenging for them to guess which system you used. With numerous potential combinations to consider (assuming you have chosen a complex enough system), the chances of such unauthorized access are significantly reduced.
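The word-count rule above, and how much it buys in entropy compared with a random password, as an added example that is not part of the original article. The minimum of four words, the small demo word list and the 7776-word reference list size are assumptions, and the bit counts hold only when the words are drawn uniformly at random rather than chosen by the user.

```python
import math
import secrets

# Small constructed word list for the demo only; a real deployment would use a
# published list such as the EFF long list (7776 words), which is what the
# entropy figures below assume.
DEMO_WORDS = [
    "anvil", "brook", "cactus", "dolphin", "ember", "falcon", "garnet",
    "harbor", "iris", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pebble", "quartz", "ripple", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr",
]

def word_count_for_account(account: str, minimum: int = 4) -> int:
    """Context rule from the article: one word per letter of the account
    name (Amazon -> 6), floored at a minimum so that short names still yield
    enough words. The floor of 4 is an assumption, not a figure from the text."""
    letters = [c for c in account if c.isalpha()]
    return max(len(letters), minimum)

def passphrase_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy in bits of num_words independent, uniformly chosen words."""
    return num_words * math.log2(wordlist_size)

def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password over an alphabet."""
    return length * math.log2(alphabet_size)

def generate_passphrase(account: str, words=DEMO_WORDS, minimum: int = 4) -> str:
    """Draw the words with the CSPRNG in `secrets` (never random.random),
    so every phrase is uniformly sampled and the entropy estimate is valid."""
    n = word_count_for_account(account, minimum)
    return " ".join(secrets.choice(words) for _ in range(n))

if __name__ == "__main__":
    for account in ("Amazon", "eBay", "LinkedIn"):
        n = word_count_for_account(account)
        print(f"{account:9} -> {n} words, "
              f"{passphrase_bits(n, 7776):.0f} bits with a 7776-word list; "
              f"demo phrase: {generate_passphrase(account)!r}")
    # For comparison: a random 12-character password over the 94 printable
    # ASCII characters, roughly the strength of six random words.
    print(f"12-char random password: {password_bits(12, 94):.0f} bits")
```

Six words from a 7776-word list give about 78 bits, on par with a random 12-character password, which is why the rule needs a minimum word count for short account names.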

Does it make sense to combine Passphrases together with a Password Manager?

Many individuals and organizations rely on password managers to store and effectively manage their passwords. However, there is a growing discussion about whether it is wise to combine a passphrase with a password manager. So, does it make sense? The answer is yes! By using a secure passphrase as the master password for the password manager and then managing all user credentials with that password manager, online security can be enhanced even further. This is mainly because the user is freed from the choice between a weak password they can remember and writing a strong one down. A good passphrase lets the user remember their master password through a mnemonic bridge and provides an extra layer of protection against dictionary and brute-force attacks, since passphrases are longer and more complex than traditionally used passwords.

However, if a well-protected password manager is used, it makes no difference whether secure passwords or passphrases are stored in it.

In conclusion, combining passphrases with a password manager is an effective strategy to strengthen online security. It provides the convenience of centralized storage while ensuring that all passwords are strong and unique. By using these two methods together, a user can better protect themselves from potential cyber threats in today’s digital landscape.

Note: This article was first published in October 2023 and last updated and corrected in May 2025.