Passwords vs passphrases vs passkeys
Passwords
Passwords are just about everywhere from your favorite app to banking online and they come in all forms. They range from the short to long and weak to strong. And more often than you’d like, they have to be 8 or more characters long, a combo of uppercase and lowercase letters, symbols and numbers.
In many businesses, it’s common to switch passwords every 30 to 90 days which has the danger of instilling poor security habits like plastering sticky notes on screens as users find it hard to remember complex passwords.
Passwords can be super simple like Password123 which make them a target for fiendishly evil hackers to wreak havoc or they are downright complex such as 2~^C_jtW.T+*8G5 which makes it next to impossible to remember if you have multiple accounts with their very own passwords.
Passwords that are difficult to memorize or keep track of have the side-effect of users using and reusing weak passwords or writing them down which introduces them to threats like account takeovers or shoulder surfing.
Most passwords end up being a mnemonic or sequence that could fall prey to threats such as dictionary or rainbow attacks unless a tool like a password manager is used to generate and save randomized passwords.
Passphrases
In comparison, passphrases tend to be longer, use a mix of 4 or more memorable words in with or without numbers, symbols and spaces. You can also use associations to create them so that they look like table-towel-crown-99-rocks which makes it a breeze to memorize.
Passphrases can be weak too. Like passwords, they can be less secure too if the mixture of words are related in some way or are common phrases from a book, song or movie. Apps like password managers make it convenient by generating random passphrases over gibberish gobbledygook.
Passkeys
Passkeys take on a completely different approach. They are passwordless and in passkeys for beginners, we cover them from A-Z. With passkeys, there’s nothing for you to create, remember or write down. Your browser, password manager (if you aren’t already the one built into your fav browser), operating system and/or device do all the hard work for you. Best of all, passkeys give you the same experience you have unlocking your device with biometrics like your fingerprint or face. It also works using the pin or pattern you have for your devices.
In the background, a unique pair of keys are created for every account you have using public-key encryption. The first key is private and it’s stored in a secure location on your device. It could also be saved in a password manager or dedicated hardware like the YubiKey.
The second key is public and the app or site you are using such as Google keeps a copy of it. The next time you login to your account, you’ll get a prompt for a biometric scan, pin or pattern. It’s similar to a puzzle lock which reveals the secret when the pieces interlock. While not all apps or websites support passkeys yet, there’s growing support for them.
Wrap-up
Picking passwords, passphrases or passkeys one over the other comes down to personal choice and your threat model. For instance, if you are already using your fingerprints or face to unlock your device, passkeys could be the right solution for you. If you have go-to password manager, passkeys are an added bonus to convenience too. You don’t have to generate long passwords or use the auto-fill features.
On the flipside, if you aren’t using a password manager, passkeys would boost your security or if you have a preference that even if someone got a hold of your biometrics, they wouldn’t be able to log into your device or accounts, strong passwords and passphrases may be the ideal choice.