Josh McArthur

'Password' or 'Passphrase'

23 Jun 2011

So apparently passphrases are the new ‘secure password’ - kind of the step you get to when you finally accept that your users are going to use something like ‘password’ for their account password. The natural step here is to reinforce a secure password strategy by requiring x numbers, x special characters and a certain length - but I find this really annoying when I just want to get signed up, and that means that other users do as well.

Something I’ve just been thinking about is the naming semantics of the password field. Labelling it ‘password’ immediately prompts users to think of an actual word; if they are computer-savvy they might throw in a symbol or a number, but most likely it will still be based on an actual word. I wonder what would happen if you labelled this field ‘Passphrase’ instead? I think it is inevitable that many users will recognise the pattern of the form rather than read the labels and still enter their ‘password’, but just maybe there will be some users who get the semantics of the label and enter a sentence instead of a word.

Even though there may be no special characters in that sentence, it is still just as secure against dictionary attacks, if not more so - guessing one word is pretty easy, but it is much, much harder to guess a string of words in the correct order, especially if one or two of those words are obfuscated with special characters or numbers. Just a thought, but an interesting one nonetheless.
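To put rough numbers on the word-versus-phrase argument above, here is an added example (not code from the original post) of a simple strength estimator that undoes common digit/symbol substitutions before counting dictionary words, so ‘P@ssw0rd!’ is scored as one word plus a little extra rather than as nine random characters. The dictionary size and the per-symbol weights are assumptions chosen for illustration, not measured values.

```python
import math
import re

# Assumption: a guesser's word list of about 10^5 entries (the size of a
# typical cracking dictionary); a real meter would load the actual list.
DICT_SIZE = 100_000

# Common "leet" substitutions that a dictionary attacker tries anyway,
# so they are undone before counting words.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def words_of(secret: str) -> list[str]:
    """Split the secret into lowercase dictionary-style words, after
    reversing the substitutions in LEET and dropping punctuation."""
    normalised = secret.translate(LEET).lower()
    return [w for w in re.split(r"[^a-z]+", normalised) if w]


def estimate_bits(secret: str) -> float:
    """Rough log2 of the guesses a dictionary-driven attacker needs.

    Model (an assumption, not a measurement): every word costs the attacker
    one pick from the dictionary; a symbol or digit that still survives after
    de-leeting is worth about 3 bits (one of ~8 likely choices); an initial
    capital on a word is worth 1 bit (upper or lower).
    """
    words = words_of(secret)
    if not words:
        return 0.0
    bits = len(words) * math.log2(DICT_SIZE)
    surviving = re.findall(r"[^A-Za-z\s]", secret.translate(LEET))
    bits += 3 * len(surviving)
    bits += sum(1 for w in secret.split() if w[:1].isupper())
    return bits


def classify(secret: str) -> str:
    """Label the input by what the user actually typed: a phrase of three
    or more words, or a single (possibly decorated) word."""
    return "passphrase" if len(words_of(secret)) >= 3 else "password"


if __name__ == "__main__":
    # Constructed sample inputs for illustration.
    for s in ("password", "P@ssw0rd!", "correct horse battery staple"):
        print(f"{s!r}: {classify(s)}, ~{estimate_bits(s):.1f} bits")
```

Under this model the decorated single word gains only about four bits over the plain one, whereas four ordinary words gain roughly fifty, which is the gap the post is pointing at.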