
Passphrases, Passkeys, and Passwordless: What to use?

In a previous article, I covered password security in detail. In this post, I want to look more closely at the terms “passphrase”, “passkey”, and “passwordless”. They are often used interchangeably, but they mean quite different things. We will also revisit best practices for password security, since weak, reused or stolen passwords remain among the most common causes of account takeovers and data breaches, especially for cloud services, which are reachable by anyone on the internet.

Secure Passwords: The Basics

The traditional advice was: use as many special characters and numbers as possible, and change your passwords regularly. Today we know that both rules tend to weaken security in practice because they are not user-friendly. Passwords packed with special characters are hard to type, and forced rotation leads people to pick predictable variations of the old password (Summer2024!, Summer2025!) or to reuse the same password across services, unless a password manager does the work for them.

Here are some more practical guidelines:  

  • Uniqueness: Use a different password for every service to ensure that a breach of one account doesn’t compromise others.  
  • Length Over Complexity: Length is the single biggest factor in a password's strength. A long password (16 characters or more) is far harder to guess or brute-force than a short one, however many special characters the short one contains.  
  • Change Only When Necessary: Passwords do not need to be rotated on a schedule; change them when they have been exposed, for example in a data breach. Use tools like the HPI Identity Leak Checker or Have I Been Pwned to check whether your credentials have appeared in a known breach.

Passphrases

Since length is what counts, passphrases are an excellent way to get a strong password that you can still remember. A passphrase is a sequence of several words that is easy to recall but long enough that guessing it is impractical, e.g. “DancingByTheLake14InAutumn” (26 characters). Keep in mind that attackers run wordlists and lists of common phrases, so the strength comes from the number of words and from choosing them unpredictably, not from the character count alone; a well-known quotation or song lyric is a poor passphrase. Benefits of passphrases:

  • They’re easier to remember and faster to type, even on mobile devices.  
  • Intentional misspellings or unusual word combinations add further strength because they do not appear in the wordlists attackers use, e.g. “DanSingByThaLke_14InAutumnz”; the trade-off is that they are harder to remember.  
  • For services where you have to type the password by hand (a laptop login, a Wi-Fi key, a VPN client), a passphrase is usually the best choice.

Password Managers and MFA – Essential Tools

To use a unique, long password for every service, you need a password manager, preferably an open-source one such as KeePassXC or Bitwarden.  

For professional use, first check which password manager your organization has approved. If there is no policy, keep your password database locally rather than in a personal cloud account.

Multi-Factor Authentication (MFA) for Added Protection

Combining a password with a second factor, such as an authenticator app, makes it much harder for an attacker who has your password to take over the account. Avoid SMS-based MFA where you can: the codes can be intercepted through “SIM-swapping attacks”, in which an attacker persuades your carrier to move your number to their SIM card, and SMS delivery is often unreliable when you are abroad. Use a TOTP (Time-Based One-Time Password) app such as Microsoft Authenticator or Google Authenticator instead. Keep in mind that TOTP codes can still be phished in real time by a proxy site that relays them to the real service, so watch the address bar even with MFA enabled. What matters is the TOTP seed, not the device: back it up in an encrypted backup, or enrol the same secret on a second device (e.g. smartphone and tablet) when you set it up, so that losing a device does not lock you out. Store the recovery codes the service gives you in your password manager as well.


Passkeys and Passwordless: The Future of Authentication

“Passkeys” let you log in to an online service without a password. When you register, your device (or a hardware security key) generates a public/private key pair for that particular service: the service stores only the public key, while the private key is never sent to the service and is unlocked locally with a fingerprint, a face scan or a PIN. To log in, the service sends a random challenge and your device returns it signed. Two properties follow from this design. The key pair is bound to the service's web origin, so a phishing site on a lookalike domain cannot use it, and the service holds no secret, so a breach of its database yields nothing an attacker could reuse. Support is still limited but growing; https://passkeys.directory/ lists the services that already offer passkeys. “Passwordless” describes the broader goal of removing passwords altogether, built on the FIDO2 (Fast IDentity Online 2) standard, which combines the WebAuthn browser API with the CTAP protocol that browsers use to talk to authenticators. Biometric data never leaves the device; the service only ever sees a signature. That is easy for the user and takes weak, reused and stolen passwords out of the picture.

Conclusion: What to Do for Stronger Password Security?

In practice, the best security strategy depends on the technologies available to you. Here are my recommendations:  

  1. Use passkeys wherever a service offers them; they are the most secure and the most convenient option.  
  2. If passkeys are not an option: enable MFA (preferably an authenticator app rather than SMS) and choose a long password.  
  3. Use a password manager, ideally an open-source one.  
  4. Avoid unnecessary special characters if you often type passwords on mobile devices; length matters more.  
  5. Back up your TOTP seeds or enrol them on a second device so that you can regain access quickly if a device is lost.

Checklist

  • Use passkeys when available; they are secure and practical.  
  • If passkeys are not supported, enable MFA and manage a long password with an open-source password manager.  
  • Avoid unnecessary special characters in passwords; focus on length instead.  
  • Back up your TOTP seeds or set them up on multiple devices for easier recovery.