Why Passphrases Are Still Better than Passwords & Fingerprints

Philip Bates 30-05-2016

Remember the days when you set “password” as your password? Many still use such insanely insecure methods, but even the humble password has evolved.


We now use passcodes or passphrases wherever we go. They unlock your online banking, games accounts, and devices.

But to some, even these have been rendered superfluous, replaced by supposedly-superior validation practices. Here’s why you should stick with passcodes and passphrases.

What Are Passcodes?

Most of us use passcodes or passphrases for our smartphones, emails, and other apps and services: they’re simply a string of characters and digits, typically longer than a password. So if your password is MakeUseOf, this might translate into M@k3U$£0f2006!

“MakeUseOf” is easy to guess. Changing most of the vowels into numbers or symbols, adding the year this website was launched, and finishing it off with punctuation makes it harder to figure out. Bear in mind, though, that these exact swaps (a to @, e to 3, s to $) and a trailing year are among the first transformations a password-cracking tool applies to every word in its list, so the real gain comes from length and from a base word that nobody can look up about you, not from the decoration.

Perhaps the most important passcode most of us use every day is the one for Wi-Fi. The default printed on the router is a random string of digits and upper- and lower-case letters. You can change it, but change it to a long passcode, not the name of your dog.


What’s Wrong With These Other Processes?

In a bid to tackle hackers, firms are using or trialing other means of verification.

But nothing is infallible. Passcodes are still king.


We rely on Personal Identification Numbers (PINs). If you pay by card and don’t or can’t use contactless payments, you need to enter a four-digit code. Many of us lock our smartphones with PINs. It seems pretty secure: a four-digit number built from the digits 0 to 9 has 10,000 possible combinations. A six-digit code (again using 0 to 9) has 1,000,000, and even if you never repeat a digit there are still 151,200 (10 × 9 × 8 × 7 × 6 × 5) to choose from.



The chances someone would guess your PIN, whatever you use it for, seem remote, but they might not be as astronomical as you’d initially think. This is especially true if your PIN is 1234 or a similarly popular code. Hackers can predict the actions of an average person, so a sensible attacker tries the popular codes and date-shaped codes first rather than counting up from 0000.

Your date of birth will be one of the first things cyber-criminals find out about you, and further basic information isn’t hard to come by on the Dark web. People set their PINs as something memorable, for obvious reasons, so some might elect to use their anniversary, the year of their 21st birthday, or the birthdates of parents or children.

More likely, a hacker would use a brute force attack. Very basically, this is a program that systematically runs through every combination: it starts with 0000, then tries 0001, 0002, and so on, very quickly. Against an offline copy of the data (a stolen password hash, an image of the device’s storage) the only limit is hardware; against a live device or website the limit is whatever delay, lockout or wipe the defender enforces after a run of failures, which is why the same 10,000 codes can be hopeless in one setting and trivial in the other.
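The two ideas above, the size of the PIN keyspace and an attacker who guesses popular and date-shaped codes before counting upwards, worked through as an added example that is not code from the article. The short list of common PINs, the date ranges and the guess rate are assumptions chosen for the illustration; the keyspace arithmetic is exact.

```python
import math
from itertools import product

# Constructed for this example: a handful of codes that sit at the top of
# published analyses of leaked four-digit PINs. The ordering is illustrative.
COMMON_PINS = ["1234", "1111", "0000", "1212", "7777", "1004", "2000",
               "4444", "2222", "6969"]


def keyspace(length, allow_repeats=True):
    """Number of distinct codes of `length` digits drawn from 0-9."""
    if allow_repeats:
        return 10 ** length
    return math.perm(10, length)  # 10 x 9 x 8 x ... with no digit reused


def date_pins(year_lo=1930, year_hi=2016):
    """Four-digit codes that spell a date: DDMM, MMDD, or a year (YYYY).
    Duplicates (2001 is also 'day 20, month 01') are kept only once."""
    ordered = {}
    for month in range(1, 13):
        for day in range(1, 32):
            ordered.setdefault(f"{day:02d}{month:02d}", None)
            ordered.setdefault(f"{month:02d}{day:02d}", None)
    for year in range(year_lo, year_hi + 1):
        ordered.setdefault(str(year), None)
    return list(ordered)


def guess_order(length=4):
    """Yield candidate PINs in the order a smart attacker tries them:
    popular codes, then date-shaped codes, then everything else in
    numeric order. Only the four-digit lists are modelled here; longer
    codes fall straight through to the exhaustive sweep."""
    tried = set()
    priority = COMMON_PINS + date_pins() if length == 4 else []
    for pin in priority:
        if pin not in tried:
            tried.add(pin)
            yield pin
    for digits in product("0123456789", repeat=length):
        pin = "".join(digits)
        if pin not in tried:
            tried.add(pin)
            yield pin


def guesses_until(pin):
    """How many guesses the attacker above needs before hitting `pin`."""
    for count, candidate in enumerate(guess_order(len(pin)), start=1):
        if candidate == pin:
            return count
    raise ValueError("not a numeric PIN")


def seconds_to_guess(pin, guesses_per_second):
    """Worst-case time for the ordered attacker at a fixed guess rate. A live
    device that throttles or wipes after a few failures caps this; an
    offline copy of the data does not."""
    return guesses_until(pin) / guesses_per_second


if __name__ == "__main__":
    print("4-digit keyspace:", keyspace(4))            # 10000
    print("6-digit, no repeats:", keyspace(6, False))  # 151200
    for pin in ("1234", "0101", "1987", "8352"):
        print(pin, "found after", guesses_until(pin), "guesses;",
              f"{seconds_to_guess(pin, 10):.0f}s at 10 guesses/s")
```

The point the numbers make: a PIN that is a birthday or a year falls within the first few hundred guesses, while an unremarkable one still costs the attacker most of the 10,000, so the ordering matters far more than the raw keyspace against a device that only allows a handful of tries.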

Normal Passwords

You might think that setting your password as something obscure should be alright: nobody will ever guess it’s in another language, a personal pet-name, or your favorite Chesney Hawkes song… right?


While passwords are preferable to a pattern lock, if a hacker finds out enough details about you, they could make an educated guess as to what words you might use. How? They could buy details about you, or scour your blog and social media presence. Just take a look at how Ubisoft’s Digital Shadow pulls apart Facebook profiles and runs through potential passwords.


Even scarier, a hacker could employ a variation of the brute force attack called the dictionary attack. Instead of every possible string, it tries a list of likely candidates first: common words, names, and passwords seen in previous leaks. If those fail, mangling rules are applied to each word: appending years, capitalizing the first letter, swapping letters for look-alike digits and symbols. Cracking tools ship with these rule sets ready to use, so a lightly disguised dictionary word falls almost as fast as the plain word.
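What a rule-based dictionary attack does to the article’s own example, as an added illustration (not code from the article or from any cracking tool). The substitution table, the year range and the punctuation list are assumptions; the unsalted SHA-256 hash stands in for a hash recovered from a breached database.

```python
import hashlib
from itertools import product

# Substitutions a rule-based cracker tries first. Each listed character may
# also stay as it is, so 'a' expands to a / @ / 4, 'e' to e / 3 / £, and so on.
LEET = {"a": "@4", "e": "3£", "i": "1!", "o": "0", "s": "$5"}
YEAR_SUFFIXES = [""] + [str(year) for year in range(1980, 2026)]  # 47 options
PUNCT_SUFFIXES = ["", "!", "?", "."]


def leet_variants(word):
    """Every spelling of `word` reachable by the substitutions in LEET."""
    options = [[ch] + list(LEET.get(ch.lower(), "")) for ch in word]
    return {"".join(combo) for combo in product(*options)}


def mangle(word):
    """Apply the leet, year-suffix and punctuation rules to one base word."""
    return {base + year + punct
            for base in leet_variants(word)
            for year in YEAR_SUFFIXES
            for punct in PUNCT_SUFFIXES}


def candidates(wordlist):
    """Generate guesses for a whole wordlist, trying the common case forms
    of each word before the character and suffix rules."""
    for word in wordlist:
        forms = dict.fromkeys((word, word.lower(), word.capitalize(), word.upper()))
        for form in forms:
            yield from mangle(form)


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def find_preimage(target_hex, wordlist):
    """Offline attack on an unsalted SHA-256 hash. Returns the recovered
    password, or None if the wordlist plus rules never produces it."""
    for guess in candidates(wordlist):
        if sha256_hex(guess) == target_hex:
            return guess
    return None


if __name__ == "__main__":
    # Constructed scenario: the article's example password, hashed the way a
    # careless site might store it.
    leaked = sha256_hex("M@k3U$£0f2006!")
    print(len(mangle("MakeUseOf")), "guesses cover one base word")   # 30456
    print("recovered:", find_preimage(leaked, ["password", "MakeUseOf"]))
```

Roughly thirty thousand guesses per base word is nothing for an offline attack, so a decorated version of a word that can be tied to you (the site you write for, your pet, your team) buys very little; the rules reach it in a fraction of a second.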

It’s worse if you use the same passwords for different accounts.


Arguably, your email password is the most important: if someone gains access to that, they could go through all the other accounts you might have and click “Forgot Password?” then reset them through that. You should definitely make sure you use a password unique to your email address. Wired‘s Mat Honan says:

“How do our online passwords fall? In every imaginable way: They’re guessed, lifted from a password dump, cracked by brute force, stolen with a keylogger, or reset completely by conning a company’s customer support department.”


Touch ID seems like an ingenious way of securing your devices. Apple introduced it to the iPhone with 2013’s iPhone 5S and to the iPad in 2014, and many saw it as a brilliant new security measure, because fingerprints are unique. It seemed impossible that someone else could copy your fingerprint.

But they can. Of course they can.


We leave fatty fingerprint residue wherever we go, and it is certainly all over the device itself. What’s less certain is whether any of those smudges is a complete, usable print. Still, a clever thief might consider a Touch ID phone easier to unlock than one protected by a PIN, because the secret is sitting on the outside of the device!

That’s becoming a widely held viewpoint, helped along by various researchers finding ways around the sensor. Most notably, the Chaos Computer Club (CCC), hackers dedicated to exposing such flaws, took a high-resolution photograph of a fingerprint, printed it out in reverse with a heavy layer of printer toner onto a transparent sheet, then smeared the print with white wood glue. Once dry and peeled off, the glue carries a raised copy of the ridges that the sensor accepts as a finger.

This process has since been refined: researchers have printed a fingerprint image with conductive silver ink and presented the printout directly to the sensor, skipping the mould altogether.

In addition to that, the biometric hardware itself wears out. Let’s take the iPhone as an example. Its sensor is a Complementary Metal Oxide Semiconductor (CMOS) part, and it is easily degraded: dirt alone will affect it. Sweaty hands? Your phone might not recognize you, and the sensor might be damaged. CMOS sensors have a limited lifespan, which is probably great for Apple because you’ll take it as a sign your phone’s getting old and buy a new one.

Okay, that’s not a security risk per se, but it shows where fingerprints really sit: as a convenience layered on top of a passcode. When Touch ID fails, or refuses to work after a restart or a run of bad reads, you fall back on the passcode, so the passcode is still what the device’s security rests on. Nonetheless, we admit that fingerprints will probably be secure enough for the average person, just not if you’re concerned about law enforcers wanting you to unlock your device: a finger can be pressed against a sensor, while a passcode has to be disclosed.

How You Can Make Your Passcode Even More Secure

Passphrases are especially useful: you reduce a sentence to the first letter of each word. Maybe you’ve a favorite song title, quote, or book. Let’s say you love The Golden Apples of the Sun by Ray Bradbury. This becomes TGAOTS. You could add RB at the end of that. You could change the “O” to a zero. If you’re a Bradbury buff, you could even add its publication date, 1953.


In the end, your passphrase would be TGA0TSRB1953. That looks like complete gobbledegook to an onlooker and is not something easily guessed, but it’s easy to remember if you know what the acronym means. Its 12 characters, mixing upper case and digits, are far beyond what anyone can guess through a login form; against a stolen hash its strength rests on the attacker not knowing which title you picked or how you transformed it, so don’t advertise your favorite author right next to your username.

Throw in some punctuation too. Most people go for an exclamation mark, so why not use something a little more obscure? An “S” easily turns into “$”, and hardly anyone uses a backslash, so that’s always an option too (check that the site accepts it; some password fields reject backslashes and quotes).

Mix upper- and lower-case characters, but do so without simply having the first letter capitalized with the rest lower-case. If you’ve a favorite author, combine two book titles. So if we take Fahrenheit 451 into account, you add “F451” to the phrase.

If you do use a four-digit number (i.e., a year), why not split it and bookend the rest of the password with two digits at each end? You’ll end up with something like…


And to top it all off, you can test the strength of passcodes at various sites. Prefer a checker that runs in your browser or offline (Dropbox’s open-source zxcvbn is one) over one that sends your candidate to a server, and never type in the exact password you actually use; test something built the same way instead.

What other tips do you have? Which identification method do you think is the most secure? Let us know below.

Image credits: Freewheelin pin pad by Aranami; Volkwagon Password by Automobile Italia; and Fingerprint by Kevin Dooley.

Related topics: Online Security, Password, Smartphone Security.




  1. Anonymous
    May 31, 2016 at 8:30 pm

    The problem is that you don't need just one password. The average person has 90 online accounts -

    You can't use a method based upon the site because once a site is compromised you have to change all of your passwords. A password manager is the only solution.

  2. tbolton
    May 31, 2016 at 3:40 pm

    To me, the best option is a universal mixed acronym followed by the site name. Thus, yahoo password might be something like this hImP2LiYahoo (acronym: here Is my Password to{2} Log into Yahoo). Amazon password would be hImP2LiAmazon.

    Of course you can change the acronym to anything you want, such as Cr8PW4yahoo (Create password for Yahoo).

  3. Tobi
    May 31, 2016 at 6:12 am

    Using a sentence is a good way to have a strong “password”.
    But to make it extra secure you should not use a grammatically correct sentence.
    Those can be brute forced as well. Like after a noun will probably follow a verb so let’s check every verb in the dictionary.
    Better than “I love horses” would be “horses over bookend green seven” … or something like that.
    But that’s just to make it extra secure.

    As for “how should I remember every password and have a unique one for every site?
    Use KeePass!
    Or something like LastPass if you really want to. (I prefer to store my database myself)
    Just set and remember a secure masterpassword and you can max security on every password that follows. allows passwords up to 50 characters with 0-1, a-z and special characters? So let’s do this. No need to remember it.

  4. Adam
    May 31, 2016 at 5:42 am

    Using a sentence would be a good option. "I love horses, the best of all the animals" would take ages to brute force hack even without punctuation, is easy to remember, and you can let your imagination run wild.

  5. J-Paul
    May 31, 2016 at 3:37 am

    OK, I believe the passcode technique is a worthwhile option. Why, I even use it myself. What I have a great problem with is the apparent ability of a "hacker" to try more than, say, 20 variations of your password without the system locking that account. How is it that a hacker can attempt to login to an account with hundreds or thousands of wrong passwords and no logging of this "questionable" activity ever occurs or is reported to the designated owner by email? I cannot believe in this day and age that kind of activity is condoned [or at least allowed] and regarded as 'just some user trying to remember his password'. Am I missing something here?
    I can understand how a standalone device with a password can be hacked, but someone connecting to a server and the thousands or millions of failed password attempts does not raise a flag is certainly a failure of the obligation to provide a "duty of care". Maybe someone needs to get sued so the rest of the community takes proper action and refuses to allow this nefarious activity.

  6. Mike
    May 31, 2016 at 12:31 am

    Why can't devices be programmed with short pauses between input attempts so brute force programs would take forever to run?
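Mike’s question above (why devices don’t pause between attempts) and J-Paul’s (why failed attempts go unreported) are both answered by throttling and logging on the side that checks the password. The following is an added example, not code from the article or from any commenter; the delay values, the number of free attempts and the alert threshold are assumptions chosen to show the effect.

```python
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive wrong passwords
    locked_until: float = 0.0  # time until which attempts are refused


class LoginThrottle:
    """Per-account exponential backoff. The first `free_attempts` failures
    cost nothing; each failure after that refuses further attempts for
    base_delay * 2**n seconds, capped at max_delay. Every decision is
    appended to `log` so failures can be reported rather than stay silent."""

    def __init__(self, base_delay=1.0, max_delay=3600.0, free_attempts=3):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.free_attempts = free_attempts
        self.accounts = {}
        self.log = []  # (time, account, outcome) tuples

    def attempt(self, account, password_ok, now):
        """Returns (outcome, seconds): outcome is 'ok', 'failed' or
        'throttled'; seconds is how long the account stays closed. A
        correct password inside the window is refused too, so an attacker
        learns nothing while throttled."""
        state = self.accounts.setdefault(account, AccountState())
        if now < state.locked_until:
            self.log.append((now, account, "throttled"))
            return "throttled", state.locked_until - now
        if password_ok:
            state.failures = 0
            state.locked_until = 0.0
            self.log.append((now, account, "ok"))
            return "ok", 0.0
        state.failures += 1
        self.log.append((now, account, "failed"))
        excess = state.failures - self.free_attempts
        delay = 0.0
        if excess > 0:
            delay = min(self.base_delay * 2 ** (excess - 1), self.max_delay)
            state.locked_until = now + delay
        return "failed", delay


def guesses_allowed(throttle, account, horizon_seconds):
    """Simulate an online attacker who always guesses wrong and retries the
    instant the window reopens. Returns how many guesses the server
    actually evaluated within the horizon."""
    now, evaluated = 0.0, 0
    while now < horizon_seconds:
        outcome, wait = throttle.attempt(account, False, now)
        if outcome == "failed":
            evaluated += 1
        now += wait
    return evaluated


def accounts_under_attack(throttle, min_failures):
    """Accounts whose logged failure count reaches the alert threshold:
    the report J-Paul asks for, derived from the same log."""
    counts = {}
    for _, account, outcome in throttle.log:
        if outcome == "failed":
            counts[account] = counts.get(account, 0) + 1
    return sorted(a for a, n in counts.items() if n >= min_failures)


if __name__ == "__main__":
    day = 24 * 3600
    throttle = LoginThrottle()
    print("unthrottled at 10 guesses/s:", 10 * day)                  # 864000
    print("with backoff:", guesses_allowed(throttle, "alice", day))  # 38
    print("accounts to alert on:", accounts_under_attack(throttle, 10))
```

Thirty-odd guesses a day instead of hundreds of thousands is why a four-digit PIN can survive on a phone that enforces delays. Two caveats a practitioner would add: throttling only the account lets an attacker lock a victim out on purpose by failing deliberately, and it does nothing against password spraying (one common password tried across many accounts), so real deployments also limit by source address and alert on both patterns.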

  7. Brad
    May 30, 2016 at 11:54 pm

    Adding numerals and special characters just makes the password harder to remember, not safer against a brute force attack. See this:

  8. Anonymous
    May 30, 2016 at 6:59 pm

    "Why Passphrases Are Still Better than Passwords & Fingerprints"
    The difference between 'password', 'passphrase' or 'passcode' is semantics. When you get down to it, they all are just combinations of characters.

    It could be argued that '19tGa0t$f451\53' is less secure than a password made up of 15 random characters because the former has been logically formed while the later is illogically random.

    " if a hacker finds out enough details about you"
    Aye, there's the rub! The problem is that people become very 'chatty' when they get on the 'Net. Normally reticent people get diarrhea of the keyboard when they post on social sites. They willingly reveal details that they would never think of revealing in face to face conversations. The people who are most voluble online are the ones most vulnerable to hacking. To paraphrase the Miranda Warning "You must remain silent because anything you say CAN and WILL be used against you". Or as the posters used to proclaim during WWII "Loose lips sinks ships".

  9. Johng
    May 30, 2016 at 5:43 pm

    This is so ridiculous. Using your book and author example, you still need to remember 75 different versions of this method, which is the bigger problem. Give us a solution to remembering. Of all the breaches, was it guessed passwords or weak server side issues?

    • Anonymous
      May 31, 2016 at 8:46 am

      Hi Johng, why 75 different versions to be remembered? Can you explain please?

      • Axel
        May 31, 2016 at 1:33 pm

        Because you should never use the same password twice (although I tend to do it with websites where I basically don't care if somebody gets into it. You wanna hack into my account? Be my guest, as it's annoying that you mess up my progress bar, but nobody will ever do that as that makes no sense to them).
        For things like ebay, your mail, Facebook, Twitter, Google, other payment sites or things nobody should get to, you should use separate passwords. That's what he means with 75 passwords.

        Personally, I am somebody who is ridiculous at (very bad) word jokes, so my passwords are easy to remember for me, but nobody else will understand the coherency of the letters or (parts of) words as their mind isn't as f**ked up as mine.

        • Anonymous
          May 31, 2016 at 4:09 pm

          I usually add a separate identifier along with my passphrase based password exactly for this reason. For example, if TGA0TSRB1953 is my passphrase and I am creating an account in MUO, my password will be passphrase followed by mf (first & last letter of the website name). My facebook password will be TGA0TSRB1953fk. That creates unique but still mostly re-used password.

        • Johng
          June 6, 2016 at 3:05 am

          You created a pattern. If one of your passwords is guessed or a breach at one of the sites, the others are easy to figure out. What happens when you have to change your password? Side note, Password managers are the worst because now 1 keylogger and they have all your passwords.