What is Passphrase & How to Use It?

A passphrase is similar to a password. However, a password generally refers to something used to authenticate or log into a system. A passphrase generally refers to a secret used to protect an encryption key. Commonly, an actual encryption key is derived from the passphrase and used to encrypt the protected resource.

A good passphrase should have at least 15, preferably 20 characters and be difficult to guess. It should contain upper case letters, lower case letters, digits, and preferably at least one punctuation character. No part of it should be derivable from personal information about the user or his/her family.

Sometimes there is a need to generate random passwords or phrases automatically. 

The purpose of the passphrase is usually to encrypt the private key. This makes the key file by itself useless to an attacker. It is not uncommon for files to leak from backups or decommissioned hardware, and hackers commonly exfiltrate files from compromised systems.

To use an encrypted key, the passphrase is also needed. In a way, they are two separate factors of authentication.

SSH keys are used for authenticating users in information systems. The SSH keys themselves are private keys; the private key is further encrypted using a symmetric encryption key derived from a passphrase. The key derivation is done using a hash function.

Passphrases are commonly used for keys belonging to interactive users. Their use is strongly recommended to reduce risk of keys accidentally leaking from, e.g., backups or decommissioned disk drives.

In practice, however, most SSH keys are without a passphrase. There is no human to type in something for keys used for automation. The passphrase would have to be hard-coded in a script or stored in some kind of vault, where it can be retrieved by a script. An attacker with sufficient privileges can easily fool such a system. Thus, there would be relatively little extra protection for automation.

More than 90% of all SSH keys in most large enterprises are without a passphrase. However, this depends on the organization and its security policies.

Use of proper SSH key management tools is recommended to ensure proper access provisioning and termination processes, regularly changing keys, and regulatory compliance.

SSH keys can be generated with tools such as ssh-keygen and PuTTYgen. These tools ask for a phrase to encrypt the generated key with.

Private keys used in email encryption tools like PGP are also protected in a similar way. Such applications typically use private keys for digital signing and for decrypting email messages and files.