Password vs Passphrase? What is better? KeePass

I saw that Librem 5 is going to use the KeePass database. And I have never really used a password manager before. I installed KeePassXC onto my PC to start using one. As I was creating my first “Entry” it shows a ‘Password’ and ‘Passphrase’ as a generative option. Which one of these is best for strongest security?

Currently, maybe I shouldn’t say this but, I use passphrases because I remember my passwords that way better, oc. Now that I have a password manager, what option is better now?

My password is always, and shall always be above ~50 characters.

So,
Password ; K8YTfa5EbHmXWWq2jL3Jm6RvLisTMTXUmxBHCyWHZ9kReCzt2L

Passphrase ; heaving vertebrae doctrine gradually mom unheated superbowl

Password has more character types: (/*_-…) and (Extended ASCII = ÷¥»ÄþÕ). Does this improve security if allowed?

Using passphrases you only have 27 different characters as opposed to 62+x chars. Of course the entropy is much higher when avoiding passphrases. If the attacker knows you are using passphrases he could also use wordbook attacks, which drastically lowers your entropy.

Example

  1. 50 chars, char pool of 80: 80^50 = 142 724 769 270 595 988 105 828 596 944 949 513 638 274 662 400 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 password combinations

  2. 50 chars total passphrase (lower keys + space): 27^50 = 369 988 485 035 126 972 924 700 782 451 696 644 186 473 100 389 722 973 815 184 405 301 748 249 password combinations

  3. Attacker knows you are using passphrases consisting of 6 English words: 171476^6 = 25 422 605 913 456 636 373 066 491 006 976 password combinations

Conclusion

So when using a password manager, I would prefer method 1: using normal passwords with all characters allowed. Keep in mind that this is only a short overview of password entropy. If an attacker is able to get access to a badly secured user database, even the strongest password does not help you. :grin:

4 Likes

Well, that makes sense. Huge thanks @epinez
Now I can continue to change every account password! :stuck_out_tongue:

To add onto the information above:

Passphrases are great if you need to memorize something; otherwise regular passwords with the most characters are generally best.

If you can remember regular passwords: most modern free-software password cracking tools, used by ethical as well as black hat hackers, use wordlists as well as common-letter initiatives to crack passwords.
For instance, vowels are very common; if you can tell something is repeating, maybe it is a vowel?

This helps lower the amount of possibilities and/or time needed to crack a password.
Truly random passwords in theory do not have this issue (except maybe when encrypting phrases).

To complete:

@Torrone What is this? Is this suggesting that passphrases are harder to guess than passwords?

Not exactly.
In your case, you use software to generate and back up your password, so a password is the most secure solution.

But if you have to remember your password without dedicated software, it’s better to have a long and easy-to-remember passphrase than a handmade, short, memorable (and weak) password.

1 Like

If you’re storing the passwords in the password manager, then strong, random passwords make sense.

If you’re choosing a password to secure the password manager itself, then you might be able to remember a stronger password if it is in the form of a passphrase, but it does have to be correctly chosen, otherwise it could be very weak indeed.

Don’t forget to make a backup of your encrypted password database if it contains passwords that you haven’t remembered and don’t want to lose!

A password made out of randomly-chosen characters is stronger (has more entropy) than a password having the same number of characters but made out of English words. If you don’t have to remember the password, there’s not much point in using a passphrase. If you do use a passphrase, then either it will be a longer password than necessary or it will be weaker than it could be.

But humans tend to find words easier to remember than individual characters. Suppose you remember the longest sequence of randomly-selected characters that you can manage to remember, and call it Password A. Then you remember the longest sequence of randomly-selected English words that you can manage to remember, and call it Password B. Password B will probably be so much longer than Password A that it has higher entropy and is therefore a stronger password.

However, this only works if the words don’t form some predictable phrase or a phrase that has been published somewhere. They need to be chosen by a method that does not produce predictable results. Completely random word selection would satisfy that requirement (provided it didn’t produce a predictable phrase by random chance). Human-generated “randomness” probably follows predictable patterns, though in practice you might get away with it. Who knows?

A good tool for exploring the strength of different kinds of passwords is zxcvbn (explained here).

1 Like

The best way to understand the XKCD comic is to look at the math behind how many possible passwords there are in a given system. If we limit the number of possible characters to lower case letters and numbers only, with only 8 possible positions (repeating is okay), then we have 26 letters + 10 numbers per position. So that’s 36 * 36 * 36… * 36 or 8^36 or 3.2 * 10^32. However, in the cartoon’s case (the character is not using a password manager and is forced to remember the password) the password is all lower case (let’s just use lower case): there are 26 positions with 26 possible letters in each position, or 26^26, which is 6.16 * 10^36. That’s a lot more possibilities and takes a computer much longer to brute force itself into.
So for the sake of the cartoon, a longer password with fewer possible characters could potentially be a harder password to crack but easier for a person to remember.

It’s not just about the number of characters in the password. It’s about how the characters are chosen. Raising the number of different characters to choose from to the power of the number of character positions only works if the characters are chosen at random. You can’t just say it’s a longer password, therefore it’s a stronger password. That only works when you are comparing passwords that have been generated using the same strategy.

If the characters are chosen using a predictable method, like both of the methods used for the two passwords in the comic, then the strength comes from the number of possible passwords that could be generated using that method, rather than the number of characters in the password. (Based on the assumption that someone trying to crack the password knows that some people use the method you used.)

The comic helpfully labels the individual parts of the password where a choice has been made, and marks how many bits of entropy are embodied in that choice. The first password has a lot of individual choices, but because there weren’t many possible outcomes for each choice, they don’t multiply up to many possible passwords. The second password has just four choices, but there are many possible outcomes for each choice so they multiply up to more possible passwords.
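A small calculator, added here and not taken from any post in the thread, that reproduces the three search-space sizes in epinez's post and the pool-size-to-the-power-of-positions arithmetic from the XKCD discussion, converts each to bits, and shows how many random characters from an 80-symbol pool match a six-word passphrase once the attacker knows the word list. The guess rate is an assumed placeholder, not a measured figure.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def combinations(pool_size, length):
    """Exact size of the search space when each of `length` positions is an
    independent uniform choice from `pool_size` symbols (characters or words)."""
    return pool_size ** length


def entropy_bits(pool_size, length):
    """The same quantity on a log scale: length * log2(pool_size)."""
    return length * math.log2(pool_size)


def years_to_exhaust_half(bits, guesses_per_second):
    """Average time for an attacker who knows the generation method and
    guesses uniformly: on average half the space must be searched."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def chars_for_same_entropy(bits, pool_size):
    """Smallest random-character length from `pool_size` symbols that
    reaches at least `bits` of entropy."""
    return math.ceil(bits / math.log2(pool_size))


# Scenarios taken from the thread, as (pool size, number of positions).
SCENARIOS = {
    "random 50 chars, 80-symbol pool": (80, 50),
    "50-char passphrase modelled as 27 symbols": (27, 50),
    "6 words, attacker knows the 171476-word list": (171476, 6),
    "xkcd post: 8 positions, 26 letters + 10 digits": (36, 8),
    "xkcd post: 26 positions, 26 lowercase letters": (26, 26),
}

# Hypothetical attacker throughput (placeholder; not from the thread).
ASSUMED_GUESSES_PER_SECOND = 1e12


def report():
    """Return (name, bits, years) for every scenario at the assumed rate."""
    return [(name, entropy_bits(pool, n),
             years_to_exhaust_half(entropy_bits(pool, n), ASSUMED_GUESSES_PER_SECOND))
            for name, (pool, n) in SCENARIOS.items()]


if __name__ == "__main__":
    for name, bits, years in report():
        print(f"{name:48s} {bits:7.1f} bits  ~{years:.2e} years")
    print("random 80-symbol chars equal to 6 known-list words:",
          chars_for_same_entropy(entropy_bits(171476, 6), 80))
```

The last line is the thread's core point in one number: six words from a list the attacker knows are worth about as much as 17 truly random characters, not 50.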