
Why Passphrases Are More User-Friendly Than Passwords

A user’s account on a website is like a house. The password is the key, and logging in is like walking through the front door. When a user can’t remember their password, it’s like losing their keys. When a user’s account is hacked, it’s like their house is getting broken into.

Nearly half of Americans[1] (47%) have had their account hacked in the last year alone. Are web designers and developers taking enough measures to prevent these problems? Or do we need to rethink passwords?

The See-Saw Of Password Security And Usability

Compromising Security

On most websites, you need to create an account to do more than browse. Users will create many passwords in their lifetime. But remembering them all is no easy task. They could use the same password for every account, but that makes them more vulnerable to attack if one gets compromised. They could use passwords that are easy to remember, but an easy password is an easy target for brute-force hacking.

When users create a password with usability in mind, they often end up compromising security.

They could jot down or store all of their passwords in case they forget, but if someone gets hold of that paper or file, then all of their accounts will be compromised. As well, it’s easy to misplace papers and files, and inconvenient to pull them out every time you want to log in somewhere.

No matter what they do, when users create a password with usability in mind, they often end up compromising security.

Compromising Usability

To keep their accounts secure, users could create passwords that meet the maximum requirements of a “strong” password. Such a password would include:

  • numbers,
  • lowercase letters,
  • capital letters,
  • punctuation symbols,
  • and a certain number of characters.

And it should not include:

  • a dictionary word,
  • a common password,
  • or words found in your name, username or company name.

When a user finally comes up with a password, it’s often so random that it’s almost impossible to remember.

Coming up with a password that meets these requirements would take most users a long time. You risk losing registrations if they take longer than expected. When a user finally comes up with a password, it’s often so random that it’s almost impossible to remember. This increases the chance that the user will forget and be unable to log in. Also frustrating is when a user is locked out of their account after trying too many passwords.

Remembering passwords is hard, and typing them isn’t easy either. Users are prone to error when they have to hold the Shift key to type capital letters or symbols. A password that’s secure but not usable won’t do users any good.

Are Password Managers The Solution?

Some users prefer to use password managers[2] to balance security and usability. Password managers are apps that store all of your passwords in a database protected by one master password. Instead of memorizing a different password for each account, all you have to do is memorize the master password.

A Solution For Users, Not For Websites

If you forget your master password, you’re out of luck. Most password managers don’t have a reset and recovery process the way websites do. If you forget your password on a particular website, you can always reset it. This gives websites control over their users’ security.

Password managers cost money. Developers can’t require all users to buy a password manager before using their website. That would be impractical and would cause many users to drop off. Websites should not put the responsibility of security on third-party applications, but rather should provide a solution that balances security and usability.

Many Don’t Trust Or Understand Password Managers

While some users trust password managers, many don’t. A research study[3] (PDF) found that many are “uncomfortable with using the software and do not trust it because they do not understand it.”

Users don’t feel comfortable “relinquishing control to a computer program.” Even though they know that password security is a problem, they feel that “they are best equipped to care for their own passwords.”

Designers and developers cannot expect password managers to be a solution. It is their responsibility to provide users with secure and usable access to their account.

Passphrases: A Change For The Better

Balancing security and usability is a must, but passwords today don’t cut it. Websites need to change for the better and need to upgrade from passwords to passphrases[4].

Passwords and passphrases serve the same purpose. But passwords are generally short, hard to remember and easier to crack. Passphrases are easier to remember and to type, and they’re considered more secure due to their length and because you don’t need to write them down.

Why Passphrases Are More Secure

Longer Requirement Stops Brute-Force Attacks

Most passwords have a minimum requirement of 8 characters. But most passphrases have a minimum requirement of 16 characters. This greater length provides more security because it takes far longer to crack.

Increasing the length increases the total number of possible passwords an attacker has to try. The longer a password is, the longer a brute-force program will take to guess the right one. Let’s put this to the test by comparing a complex password with a simple passphrase using a sophisticated password checker[5].

The complex password will not have any dictionary words and will contain numbers, capital letters and symbols, making it as strong as can be. The simple passphrase will contain dictionary words and only lowercase letters, making it as weak as can be.

The complex password will not have any dictionary words and will contain numbers, capital letters and symbols, making it as strong as can be.[6]

When comparing the two, we can see that the simple, weak passphrase is impossible to brute-force, while the strong, complex password would take less than two years to crack. You would expect the password to take longer than that because of its high character complexity. That goes to show that character length is what protects users from brute-force attacks, not character complexity.

Multiple Words Stop Dictionary Attacks

Brute force isn’t the only way to hack a password. Hackers can also use dictionary attacks. But a passphrase will protect users against dictionary attacks more than a password. Although using a password that contains only dictionary words is not recommended, it is still common and can get hacked easily. But if users were to use only dictionary words in a passphrase, they would stay safe from this type of attack.

A passphrase will protect users against dictionary attacks better than a password.[8]

Most dictionary passwords contain one or two words. A dictionary attack is more likely to succeed here because of the limited number of words in the dictionary. Even an uncommon dictionary word wouldn’t stop a dictionary attack. A dictionary passphrase would contain at least five words. The virtually infinite number of word combinations makes it impossible for a dictionary attack to succeed.

Multiple Parts of Speech Make It Harder to Guess

Passwords that are easy to guess often contain a single piece of personal information: the user’s name, birthdate or pet, their favorite color, food or place, etc. All of these nouns easily meet the character-length requirement for a password.

The longer character-length requirement of a passphrase prevents users from using personal information. A single noun isn’t enough to meet the requirement. This forces users to add other parts of speech to their passphrase, making it harder to guess.

Why Passphrases Are More Usable

Phrases Are Easier to Remember Than Random Characters

It’s easier to recall a phrase than random characters. Phrases are meaningful and relatable. This is why users are able to remember a passphrase more than a password. When users create a password, they have to meet the form’s password policy. Many forms do not allow dictionary words to keep users safe from dictionary attacks. Users have no choice but to add randomness to their password.

But a random non-dictionary word is the hardest for users to remember. Many will opt to use a word and add random characters within it. But that’s still hard to remember because the random characters could go in many places.

Using phrases

Adding complexity to a passphrase is easier because you can add elements between words. This makes the randomness easier to remember because there are only a few places between words where it can go. A passphrase doesn’t need the high level of randomness of a password. A little complexity goes a long way because of the security that a passphrase’s length brings. Some people use the first letter of each word in a sentence as their password. This is much more memorable but still not as secure as a passphrase.

The difference in character length has a huge impact on security.[10]

For example, the sentence “I lived in Germany for two years” could be turned into “iliGf2yrs.” Even with a capital letter, a number and random letters, it’s still vulnerable to brute-force hacking. The same sentence spelled out as the passphrase “ilivedinGermanyfor2yrs” would be unhackable. The difference in character length has a huge impact on security.
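An added example (not code from the article) that puts the brute-force argument above, and the “iliGf2yrs” versus “ilivedinGermanyfor2yrs” comparison, into numbers: the search space is estimated from the character classes a secret actually uses, and the guess rate and the 7,776-word pool used for the dictionary-attack figure are assumed, illustrative values.

```javascript
// Added example (not from the article): estimate brute-force search space from the
// character classes a secret uses, and the time to exhaust it at an assumed guess rate.

const CLASSES = [
  { name: "lowercase", size: 26, re: /[a-z]/ },
  { name: "uppercase", size: 26, re: /[A-Z]/ },
  { name: "digits",    size: 10, re: /[0-9]/ },
  { name: "symbols",   size: 33, re: /[^a-zA-Z0-9]/ }, // printable ASCII symbols, incl. space
];

const SECONDS_PER_YEAR = 365n * 24n * 3600n;

// Alphabet an attacker must cover when it knows which character classes appear.
function alphabetSize(secret) {
  return CLASSES.filter((c) => c.re.test(secret)).reduce((n, c) => n + c.size, 0);
}

// Candidates of exactly this length over that alphabet (BigInt: 62^22 exceeds 2^53).
function searchSpace(secret) {
  return BigInt(alphabetSize(secret)) ** BigInt(secret.length);
}

// Brute-force strength in bits, assuming every character was chosen uniformly.
// That assumption is false for dictionary-word passphrases; see wordSpaceBits below.
function bruteForceBits(secret) {
  return secret.length * Math.log2(alphabetSize(secret));
}

// Whole years needed to exhaust the space at guessesPerSecond (a BigInt assumption).
function yearsToExhaust(secret, guessesPerSecond) {
  return searchSpace(secret) / (guessesPerSecond * SECONDS_PER_YEAR);
}

// A dictionary attacker guesses whole words, not characters: with `words` words drawn
// from a pool of `poolSize`, the space is poolSize^words. The article's "at least five
// words" from an assumed 7,776-word pool is about 65 bits: large, but not infinite.
function wordSpaceBits(poolSize, words) {
  return words * Math.log2(poolSize);
}

function compare(secrets, guessesPerSecond = 10n ** 10n) {
  return secrets.map((s) => ({
    secret: s,
    length: s.length,
    alphabet: alphabetSize(s),
    bits: Math.round(bruteForceBits(s)),
    yearsToExhaust: yearsToExhaust(s, guessesPerSecond).toString(),
  }));
}

// The article's own pair: the initialism versus the spelled-out sentence.
console.table(compare(["iliGf2yrs", "ilivedinGermanyfor2yrs"]));
console.log("5 words from a 7,776-word pool:", wordSpaceBits(7776, 5).toFixed(1), "bits");
```

At the assumed 10^10 guesses per second the 9-character initialism is exhausted in well under a year, while the 22-character sentence needs more than 10^20 years; the word-based figure is the caveat to the “virtually infinite” wording above, since an attacker who guesses words rather than characters faces pool^words, not alphabet^length.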

Words Are Allowed

Finding a password that doesn’t include a dictionary word is the toughest password requirement for users to meet. Carnegie Mellon’s research data show that “creating a password is significantly more difficult under stricter password policies, particularly those involving dictionary checks.”

Using words

Coming up with a random non-dictionary word is hard to do and hard to remember. Passphrases don’t need strict dictionary checks. Words are allowed as long as they meet the passphrase’s length requirement. The compromise of usability for security in password policies is too wide a gap to ignore. Passphrase policies balance both, minimizing registration abandonment or user frustration.

Passphrase Policies Are Less Strict In Registration Forms

Users often get stuck on registration pages when they can’t create a password that meets the website’s policy. This happens because password policies have too many requirements, creating frustration in users and leading them to abandon forms.

Password policy:
  • has at least 8 characters
  • includes capital and lowercase letters
  • includes one or more digits
  • includes one or more symbols (@, #, $, etc.)
  • prohibits words found in dictionary
  • prohibits user’s personal information

Passphrase policy:
  • has at least 16 characters
  • includes a capital letter or number

Passphrase policies don’t need to be as strict to give users security. The only requirement a passphrase needs is to be 16 characters or longer. Carnegie Mellon’s findings[12] (PDF) back this up. The researchers found that “a 16-character minimum with no additional requirements provides the most entropy while proving more usable on many measures than the strongest alternative.” This helps users to create accounts more easily while maintaining security.

Password policies vary between websites. This forces users to create a different password to meet each website’s requirements. Users end up with a long list of different passwords to manage. Passphrase policies wouldn’t vary between websites, though. All that is needed for maximum security is a length of 16 or more characters and a capital letter or number.

Longer Character Length Means More Typos

The only drawback to passphrases is that more characters means more typing for users, which can cause more typos, triggering form errors.

If you enforce passphrases, don’t lock out users after multiple attempts. Users have probably mistyped their passphrase. Instead, give them a CAPTCHA to solve after a high number of attempts. This way, you’ll prevent hacks while still allowing users to access their account.

What Websites Should Do

Replace “Word” With “Phrase”

The first step is to take the “word” out of password. The term “password” gives users the impression that the website expects them to use a word. But a word isn’t secure under any circumstances.

Change the user’s understanding by using the term “passphrase” instead. This tells them that you expect a phrase, not a word. By making this expectation clearer, users will know that a phrase is more secure than a word.

Revise the Policy

The next step is to replace your password policy with a passphrase policy. This includes increasing the length requirement to at least 16 characters. It also includes requiring at least one capital letter or number. You could suggest adding more than one capital letter or number for extra security, but that’s not necessary.

Make the Policy Clear

Most users are accustomed to seeing password policies. Let them know that a passphrase policy is different by displaying the requirements upon registration. Pop up a tooltip over the passphrase text field.

Passphrase validation

Don’t make users have to count 16 characters when creating a passphrase. Do it for them by designing a tooltip to validate their input. When the user meets the requirement, a green checkmark should appear next to the field.
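An added example (not code from the article) implementing the passphrase policy from “Revise the Policy” and the live tooltip described above: it counts characters for the user, checks for a capital letter or number, and returns the message the tooltip should show. The conventional password policy from the table is included for comparison; the element ids `passphrase` and `passphrase-tooltip` are assumptions.

```javascript
// Added example (not from the article): validate a passphrase against the proposed
// policy (16+ characters, and at least one capital letter or one digit) and return
// the feedback a tooltip can show, so the user never has to count characters.

const MIN_LENGTH = 16;

// Count user-perceived characters (code points), not UTF-16 units, so an emoji or an
// accented letter counts once. Assumption: the policy counts characters, not bytes.
function charCount(value) {
  return Array.from(value).length;
}

function checkPassphrase(value) {
  const length = charCount(value);
  const hasCapitalOrNumber = /\p{Lu}/u.test(value) || /\p{Nd}/u.test(value);
  const remaining = Math.max(0, MIN_LENGTH - length);
  const ok = remaining === 0 && hasCapitalOrNumber;
  let message;
  if (ok) {
    message = "\u2713 Passphrase meets the policy"; // green checkmark text
  } else if (remaining > 0) {
    message = `${remaining} more character${remaining === 1 ? "" : "s"} needed (${length}/${MIN_LENGTH})`;
  } else {
    message = "Add at least one capital letter or number";
  }
  return { ok, length, remaining, hasCapitalOrNumber, message };
}

// The conventional password policy from the article's table, minus the dictionary and
// personal-information checks, which need data this example does not have.
function checkPassword(value) {
  const failures = [];
  if (charCount(value) < 8) failures.push("at least 8 characters");
  if (!/[a-z]/.test(value) || !/[A-Z]/.test(value)) failures.push("capital and lowercase letters");
  if (!/[0-9]/.test(value)) failures.push("one or more digits");
  if (!/[^\p{L}\p{N}\s]/u.test(value)) failures.push("one or more symbols");
  return { ok: failures.length === 0, failures };
}

// Browser wiring: re-validate on every keystroke and show the message in the tooltip.
// Returns false (and does nothing) outside a browser or if the elements are missing.
function attachTooltip(inputId, tooltipId) {
  if (typeof document === "undefined") return false;
  const input = document.getElementById(inputId);
  const tip = document.getElementById(tooltipId);
  if (!input || !tip) return false;
  input.addEventListener("input", () => {
    const result = checkPassphrase(input.value);
    tip.textContent = result.message;
    tip.classList.toggle("ok", result.ok); // style .ok with the green checkmark colour
  });
  return true;
}

attachTooltip("passphrase", "passphrase-tooltip");
```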

Final Thoughts

The state of passwords today causes more headache than happiness. Passphrases are a better alternative because they are more secure and usable. A few websites out there enforce passphrases. More should follow suit in order to decrease account breaches and user frustration. No user should feel like they’ve lost their keys or had their house broken into.

Passphrase login

The good news is that switching to passphrases doesn’t require a technical overhaul. It’s as simple as introducing the concept to users and requiring a higher character length. The toughest part is understanding and accepting that the solution to the world’s password problems is so simple.

(cc, ml, al)

Footnotes

  1. http://money.cnn.com/2014/05/28/technology/security/hack-data-breach/
  2. https://en.wikipedia.org/wiki/Password_manager
  3. http://people.scs.carleton.ca/~paulv/papers/usenix06.pdf
  4. https://en.wikipedia.org/wiki/Passphrase
  5. http://password-checker.online-domain-tools.com/
  6. https://www.smashingmagazine.com/wp-content/uploads/2015/08/03-brute-force-attack-opt.png
  7. https://www.smashingmagazine.com/wp-content/uploads/2015/08/03-brute-force-attack-opt.png
  8. https://www.smashingmagazine.com/wp-content/uploads/2015/08/04-dictionary-attack-opt.png
  9. https://www.smashingmagazine.com/wp-content/uploads/2015/08/04-dictionary-attack-opt.png
  10. https://www.smashingmagazine.com/wp-content/uploads/2015/08/06-character-length-opt.png
  11. https://www.smashingmagazine.com/wp-content/uploads/2015/08/06-character-length-opt.png
  12. http://cups.cs.cmu.edu/rshay/pubs/passwords_and_people2011.pdf


Founder of UX Movement, an online magazine for learning user experience design. Creator of Wireframe Patterns, a pro wireframing toolkit & Flow Patterns, a toolkit for making visual site/user flows

  1. 1

    Absolutely mind-blowing numbers! As a budding web developer still learning, this is amazing information to possess and I will be sure to put it to good use.

    Thank you for taking the time to write such an easy to understand, yet comprehensive overview of how we can deal with such an important issue!

    9
  2. 2

    XKCD had it right all along. https://xkcd.com/936/

    15
  3. 3

    https://www.smashingmagazine.com/2015/12/passphrases-more-user-friendly-passwords/#a-solution-for-users-not-for-websites

    There are free solutions for users:

    – I’m using Pastor: https://mehlau.net/pastor/ (Mac only)
    – have been using KeePass: http://keepass.info/

    Those are two very nice free options for password-managers. =)

    1
  4. 4

    In the short term, if you don’t use a password manager, this does appear to be a better solution, however, you still have to remember (hopefully) a unique pass phrase for each site.

    The internet should be focusing on removing the need for passwords altogether. The adoption of utilizing items people carry with them at all times should be adopted in my opinion, for instance, a combo of a fingerprint scanner and an authenticator on your phone. Nobody would have to remember anything as they just carry the pieces on their person at all times.

    0
    • 5

      Did not proofread that. Haha…well you get the idea of what I was saying.

      0
    • 6

      A good solution would be an electronic device sewn into your arm on which you could store passwords. :-)

      -12
  5. 7

    Great article quality like this is what keeps me glued to smashingmagazine! Awesome job!

    4
  6. 8

    Royce Williams

    December 15, 2015 8:06 pm

    As we promote passphrases, we need to make it clear that not all phrases are created equal.

    Phrases that match the rhythm of human language, and phrases that are even only somewhat based on anything that has already appeared anywhere — lyrics, song titles, movie quotes, phrases that appear on Wikipedia, etc. — are subject to guessing. The password cracking community is hot on this trail, and really pushing the envelope in this area. “Myd0ghasfle@s!” is certainly better than “abcdefgh” or “Summer2015!”, but it is not sufficiently resistant to state-of-the art attacks. These attacks can quickly combine phrase lists with transformational rules, and really tap into the psychology of how people select naive passphrases.

    Put another way … we need to make sure that users do not walk away thinking that “itsmypartyandillcryifiwantto” is a good passphrase. One problem is the word “passphrase”. The layperson expects something called a “passphrase” to be a real, grammatically correct phrase, but that’s exactly what we don’t want them to use. Such phrases are inherently easier to guess. Only randomly-selected words provide resistance to both brute force and rules-based attacks.

    The best balance of “memorizability” and strength is to use “Diceware”-style passphrases, just as that XKCD suggested (but perhaps with some adjustments to the size of the word pool and number of words). The words need to be truly randomly selected, and drawn from a relatively large pool of words that are nevertheless familiar enough to be easily remembered. An open-source, client-side, JavaScript implementation is available here, and some great statistics about the strength of the resulting passwords are shown there.

    The sheer numbers behind Diceware-style passphrases are significant. When implemented correctly, even if I tell you which dictionary I’ve drawn from, and how many words that I used, brute-force cracking is still infeasible for any modern (and even many retired/outdated) password hashing methods.

    One implementation hitch is that many sites either A) still apply naive complexity requirements to very long passwords, or B) don’t allow passwords longer than a certain length.

    To make Diceware-style passphrases compatible with naive complexity rules, users can add their own additional rule. Such a rule can make randomly generated passphrases compliant with such complexity rules. For example, I can always capitalize the first word, and appending “1!” at the end (“Correct horse battery staple1!”) Even if I tell someone what my personal additional rule is, brute-force cracking is still infeasible.

    If a website has an artificially low length cap (such as 15 or 20 characters), rather than trying to cram a shorter passphrase in, I recommend falling back to a randomly generated password that maxes out the allowed length, and storing it in a password manager.

    The best things that web developers can do to support good passphrases is to relax complexity requirements once a sufficient length is met, and to support a high maximum password length (such as 128 characters).

    14
    • 9

      I’m not told on the login form which pass requirements I had to consider when choosing that “letmein” in the first place. Making it more difficult for the user, in so far that I as a power user may have 30 phrases or more to remember and connect to certain logins. Why? Don’t put all the burden on the user. Just make sure that a whopping number of 456,976 possibilities of user choice (4 lowercase letters: 26 * 26 * 26 * 26) could not be checked in less than a second.

      Even banks still rely on a 4 digit pin for today’s cash transfers. Lock out on the third try.

      -2
      • 10

        Hi Otto,
        using a 4 digit pin and a short delay after failed logins, really would be enough to secure access.

        But today security also means preventing damage when the database gets leaked. Storing encrypted 4 digit pins is as safe as storing plain text passwords, therefore one gets instant access to those accounts and could instantly cause a huge loss to the company before anyone could disable the accounts.

        Banks don’t rely on a 4 digit pin, they rely on a 4 digit pin PLUS a physical card (which contains a secret key).

        5
  7. 11

    What would be required to drop the number/capital requirement entirely and just have a length requirement?

    0
    • 12

      Length requirement only is not recommended. It’s necessary to have the capital/number requirement in case users enter a common phrase found in literature, songs and movies.

      A common phrase with a capital or number greatly increases entropy and keeps users secure. A common phrase by itself can be cracked with a large enough phrase database.

      To prevent users from entering common phrases in the first place, you should tell them not to get their phrase from literature, songs and movies. But on the off-chance that they ignore this, the capital/number requirement will keep them secure.

      3
    • 13

      Generating a passphrase for the user is one approach, and would radically decrease the chance of it being a common phrase or even syntactically correct. Generating a few passphrases to choose from would increase the likelihood of one of them being used.

      1
  8. 14

    While I definitely see the benefit for desktop web apps, how would this play out on mobile devices? It’s already painful enough to type regular passwords, the passphrase length could be a barrier of adoption to the lazy and easily frustrated among us.

    1
  9. 17

    The safety of each pass (word or phrase) is only given in so far, as long as e.g. keyloggers are not used. This is a more and more upcoming threat to web security, and one must always keep that in mind when postulating that entering a sequence of characters on a screen (or substituting that by some arbitrary choice of eye/fingerprint/blood scanner) may result in a higher security. Also auto-fill-in mechanisms may negatively influence the authorization process. Even house keys have plenty of variations, yet still thieves can get in.

    A fingerprint is not safe anymore, after touching a door knob or any glass in a bar. Same goes for passphrases. Even 2FA (two-factor authentication) may not ultimately solve the problem, however as long as enough people use a pass of the 10,000 most used passes, it may not be worth the hassle for abusers to make it any more sophisticated – and that’s the point, and in so far passphrases are still better than using something that can be cracked as easy as a half-opened door.

    0
    • 18

      If one is able to install a key logger or any other software without your knowledge, you’ve lost. No security mechanism will help you. Game Over.

      1
      • 19

        Completely right. As well as making logins less memorable or longer every year will help us just for the next few years. We must establish other ways for logins and other ways of login storing. Databases with millions of account infos just don’t cut it anymore.

        0
  10. 20

    It’s also interesting that brute-force attacks are still a serious concern today. Isn’t that something the service provider should absolutely be able to control and prohibit? I mean come on, add an invisible delay of a few hundred milliseconds to each request, and that’s it. Eventually up that to a few seconds after a dozen tries, or lock the user/IP trying it more than 30 times.

    Ok, given the database is stolen completely, one may avoid those delays, but again, just make sure as a service provider you encrypt it in a safe way and not store everything in the same table with the same key. Would have single key for each web site? Why have a single key for thousands of users then. That’s so Enigma era. And even those keys changed often for a reason.

    1
    • 21

      Encrypting a password “in a safe way” doesn’t help against brute-force attacks, because they don’t try to decrypt the password hash, but encrypt a list of passwords until they get the matching hash.

      0
  11. 22
    • 23

      Very interesting… basically saying a phrase with less than 5 words is as useless as a 4-letter password in the real world! Thanks for pointing that out.

      0
  12. 24

    That’s not entirely accurate. Most brute-force programs have the ability to filter characters. There are a total of 96 typable characters on the keyboard, vs 26 lowercase English characters. Also, if your passphrase is solely comprised of dictionary words, then certain patterns are statistically more likely to occur (for example, there’s a greater chance of the letter e than other characters, also combinations like “th”, “ough” or “ou” are more likely to appear than just those letters individually).

    All in all, I’m not entirely convinced that a minimal passphrase has more bits of entropy than a minimal password. But in my head the future of authentication is public-private key cryptography (like SQRL or FIDO), at least when users begin to realize that passwords aren’t a very good solution for the general public.

    0
  13. 25

    I prefer to use this solution:

    Take a phrase that is easy to remember:
    “I meet myself at my birthday, it was in 1973” gives me: Immambiwi1973 as my base password.
    Then I use this base for the different websites I use:
    FaImmambiwi1973ok
    TwImmambiwi1973er
    AmImmambiwi1973on

    I type my password each time, so I do remember the phrase.

    It’s shorter than typing a long, long phrase with risks of typos.

    PS: sorry for my English, I am a froggy Frenchman.

    1
    • 26

      I have used this method for 10 years with no problem at all. No password manager. No browser cookies to remember me.

      0
  14. 27

    I’ve developed a few web applications that use no password; users love it. My approach was: every time a user wants to access the restricted area, they just need to enter their email, and a secure hash is generated and sent to their email, while a salt+key is stored in the session and in the database. Once the user clicks on the link sent to their email, the app processes the request and matches it. Some users might feel it is troublesome to check for email each time they want to access it, but others find it useful in reducing the use of passwords, at least one of them.

    My solution might not be elegant, so any suggestions or feedback are welcome.

    1
  15. 28

    I wonder if forcing the user to have a phrase “with at least 16 chars” is better than “your password must have at least x chars and contain a number and lower/uppercase whatever…”.

    Let the user decide if he wants to have a short “secure” password or a long phrase,
    and just calculate the complexity of the password as an indicator of “weak” or “strong”.

    There are already some good ideas on GitHub, also considering phrase blacklists to avoid “1234…”.

    0
  16. 29

    One detail I feel people forget is that any decent database will support a password with any UTF8 character, including spaces. Some sites don’t for some weird reason or another *cough*paypal*cough*, but literally typing a sentence makes it very user friendly.

    Granted, it probably makes it less secure against a dictionary attack, especially if you’re using perfect grammar/spelling.

    Regardless, I’d imagine “For the love of God and all that is holy, let me in!” is a better choice than “X9$#w+6}d]K_^p” in the long run.

    Besides, as others have pointed out, there are plenty of other avenues for a hacker to take without needing to guess the password.

    2
  17. 30

    I personally implement timeouts for incorrect guesses (e.g. One failed attempt: wait 5 seconds before accepting another attempt, Two failed attempts: wait 15 seconds before accepting another attempt, Three failed attempts: wait 45 seconds before accepting another attempt). You could also combine that with a CAPTCHA after x number of failed attempts, or lockout the account and email the user a link to unlock it.

    If you really want to be ultra secure you could do like my bank does and when a login is attempted from an unknown computer have the user enter some key that you either email or SMS to the address on file.

    There are a ton of ways to prevent brute-force attacks that don’t really cause that much of a headache for the end user until they start getting the password wrong.

    Brute-force attacks really shouldn’t be an issue if you spend a little bit of time on the login mechanism that you’re creating.

    1
    • 31

      Brute-force on the web is yet only feasible for very, very simple passwords. However, having access to a database, millions and billions of tries per second can be established without any hassle. The more sites making real-world passes available to the hackers, the more complicated it will be to have an uncommon, hopefully unique combination of characters of any length as a password.

      Have a look into the link given by Jason Yip above, that could be an eye-opener for you.

      0
    • 32

      Am I the only one that thinks that CAPTCHA is not user friendly?

      0
  18. 33

    I use a password manager with a memorable passphrase for my master password. I enjoy having to only memorize one strong passphrase, having a different password at every website, and having a log of all the websites I’ve made accounts with.

    The next time Buy-n-Large/LinkedIn/Adobe/Sony/etc. gets hacked and my password on their site is disclosed will not be such a big deal–I will only have to change it on their website.

    There are many good, free, and open source password managers that have been mentioned in other’s comments, but at the moment I use LastPass (free on the desktop) and the $11 a year to get it on my mobile devices is totally worth it.

    0
  19. 34

    Vitaliy Verbenko

    December 16, 2015 5:10 pm

    This is interesting stuff. I wouldn’t know about it. Obviously very important if you want to keep your user base engaged and minimize any possible attacks on their accounts. Once you realize that every user is a source of constant revenue (that you must fight tooth and nail for) then you begin looking at UX in a different way. Here’s an interesting article on the matter: http://helprace.com/blog/how-to-turn-a-passionate-customer-into-revenue

    0
  20. 35

    Thanks for sharing this article! I think I may move towards using pass phrases myself.

    0
