The difference between a password and passphrase is simply a terminology change. A password is typically around 8 characters long and meets necessary complexity requirements. For example Panthers1! A passphrase, by contrast, is making your password into a sentence, including spaces and punctuation as necessary. An example of a passphrase is “I love the Carolina Panthers!” (You will have to forgive us, we are proud to be a Charlotte-based firm).
Getting a user to change their password from Panthers1! to a passphrase like “I love the Carolina Panthers!” requires more than simply changing your logon prompt to say “Enter Passphrase” instead of “Enter Password”. Just changing the terminology is likely not going to achieve much for your security. Most users will not even notice the change, and will still stick with “Panthers1!” because that is what they’re familiar with.
With that said, getting users to actually start using passphrases is a major undertaking. We would recommend encouraging the use of passphrases through security awareness training and increasing the minimum length requirements across your organization via policy changes. The typical password may be approximately 8 characters, but with passphrases you should be encouraging a minimum of 14 or more characters. Complexity can still be required/enforced because of spaces or other punctuation. Here is a good write-up on the real differences in a password vs a passphrase. Again, the main difference comes from the length used for the secret.
Math/Metrics Around Passphrase vs. Password
Here is an example chart that shows the different lengths of time it would take to conduct a pure brute force attack depending on the entropy, length, and attacker’s technological capability. These times represent the longest possible length of time it would take for an attacker to crack a password of a particular length with 100% certainty. By definition, it takes half the listed time to crack an average password.
The important thing for you to make note of is the line that shows: With an 8 character password, having all standard lower alpha, upper alpha, numeric, and symbol characters (94 bits of entropy) available to you, and an attacker with moderate capability by today’s standards (w/ multiple GPUs, Botnets available, VM farms, etc.) getting 1 billion hashes/sec attempted, he or she would absolutely crack the password within 1.7 months (51 days) (Note this is a a few years dated, with our password rig, we can get any 8 char password within 3 days), and on average it would take 25.5 days. When you increase that to a 14 character password, the number increases to 157 billion years. Taking into account that passwords are changed every 90 days, it reasonably follows that an attacker would absolutely be able to crack a password before it is changed with a given length of 8 characters.
All of that math/metrics is based around a pure brute force attack, and this is an attacker’s last ditch effort when they are performing offline cracking of passwords. With dictionary attacks, password mangling rules, mask attacks, and hybrid attacks, we can do this much more intelligently. When we perform AD password analysis for clients, we can consistently crack ~60% of passwords that consist of 8 characters or less, within a day or two. This is due to the fact it is human nature to make passwords based off of a dictionary word, name, location, or pattern. When you increase the minimum password length requirements, it helps to technically compensate for the human factor in password creation. If the change from passwords to passphrases are accomplished and enforced, this would be a major step forward in protecting your organization.
If you’re not sure about the benefits here or need help “selling” this kind of cultural change to management, let us know, as there are several different ways we can help, ranging from just discussing and providing some ways to communicate the benefits to performing tactical assessments like an external or internal penetration test that can highlight the differences.