Why a Passphrase Can Be Better Than a Password


Our passwords are the primary way we log in to all the services we use day in and day out. Unfortunately, passwords are becoming increasingly complex as pressure from hackers pushes us towards more secure choices. But what if there were a better way that didn’t involve memorizing an incomprehensible string of characters?

What Is a Passphrase?

A passphrase is similar to a password and does the same job, but instead of a random string of letters, numbers, and special characters, it is composed of a series of words.

For example, a decent passphrase might be “phramacy-original-black-hotwheels”.

What Makes a Strong Password or Passphrase?

A passphrase, much like a conventional password, relies on two things for strength: length and complexity.

Complexity refers to how many different kinds of characters are in the password, like uppercase, lowercase, numbers, and symbols. In practice, you’re basically always limited to those four types, and some characters are typically excluded, since they can introduce problems when fed into a computer program.

Length is pretty straightforward—it is just how many characters make up the password.

If, at this point, you’re thinking “Wait! Don’t phrases make bad passwords?”, the answer is “sometimes.”


If you pick a phrase that is famous, like lyrics from a popular song, you’re at relatively high risk.

However, that isn’t really the case if you pick random words.

Let’s assume the average speaker knows about 25,000 words in a language, and that they choose a passphrase that is 4 words long. That means there are 25,000 x 25,000 x 25,000 x 25,000 different passphrases, which is about one hundred quadrillion (10^17) combinations.

If you were only using a dictionary attack to try to guess it, you’d be there for a very, very long time. Of course, the security of this approach also depends a lot on the words you choose. If you chose words that were all two letters long, you’d be much more vulnerable to a brute-force attack than if you picked words that were all six letters long.

How Do You Pick a Good Passphrase?

To pick a good passphrase, make sure to meet the following criteria:

  • Use at least four words, though more is better.
  • Make sure each word is at least 4 letters long, though the average number of letters per word should be higher than that.
  • You must randomly select the words from a dictionary.
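The arithmetic from the previous section and the three criteria above can be checked in code. The following is an added example, not code from the article or from Bitwarden: it builds a passphrase from a small constructed word list using a cryptographically secure random source, and compares the guessing space of a random four-word passphrase with that of an eight-letter lowercase password and a passphrase made only of two-letter words. The word list, the separator, and the guess rate are assumptions for illustration; a real generator would draw from a published list of several thousand words.

```python
import math
import secrets

# Constructed sample word list (assumption: a real generator uses a
# published dictionary of thousands of words, not a dozen).
SAMPLE_WORDS = [
    "pharmacy", "original", "black", "hotwheels", "lantern", "granite",
    "velvet", "orbit", "cactus", "meadow", "an", "be", "to", "me",
]


def combinations(wordlist_size: int, n_words: int) -> int:
    """Number of distinct passphrases of n_words drawn from wordlist_size."""
    return wordlist_size ** n_words


def passphrase_entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Guessing entropy of a passphrase whose words are chosen uniformly."""
    return n_words * math.log2(wordlist_size)


def charset_entropy_bits(charset_size: int, length: int) -> float:
    """Guessing entropy of a random string over a character set."""
    return length * math.log2(charset_size)


def average_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right guess: half the space, on average."""
    return (2 ** bits) / 2 / guesses_per_second


def generate_passphrase(words, n_words: int = 4, min_len: int = 4,
                        sep: str = "-") -> str:
    """Pick n_words uniformly at random (with replacement) from the words
    that are at least min_len letters long, using the secrets module."""
    pool = [w for w in words if len(w) >= min_len]
    if len(pool) < 2:
        raise ValueError("word pool too small to produce a useful passphrase")
    return sep.join(secrets.choice(pool) for _ in range(n_words))


def meets_criteria(phrase: str, sep: str = "-", min_words: int = 4,
                   min_len: int = 4) -> bool:
    """Check the article's structural rules: enough words, each long enough.
    Whether the words were chosen randomly cannot be checked after the fact."""
    parts = phrase.split(sep)
    return len(parts) >= min_words and all(len(p) >= min_len for p in parts)


if __name__ == "__main__":
    print("4 words from 25,000:", combinations(25_000, 4), "passphrases,",
          round(passphrase_entropy_bits(25_000, 4), 1), "bits")
    print("8 random lowercase letters:",
          round(charset_entropy_bits(26, 8), 1), "bits")
    print("4 words from ~130 two-letter words:",
          round(passphrase_entropy_bits(130, 4), 1), "bits")
    # Assumed attacker speed for illustration only.
    print("average crack time at 1e9 guesses/s for the 25,000-word case:",
          round(average_crack_seconds(passphrase_entropy_bits(25_000, 4),
                                      1e9) / 86400), "days")
    phrase = generate_passphrase(SAMPLE_WORDS)
    print("generated:", phrase, "meets criteria:", meets_criteria(phrase))
```

The numbers bear out the article’s point: four words from a 25,000-word vocabulary give about 58 bits, while a four-word phrase drawn only from two-letter words gives about 28 bits, less than the roughly 38 bits of eight random lowercase letters. Note that the entropy figures only apply when the words are chosen uniformly at random; a phrase picked by a person does not get the same credit.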

Most password managers have a built-in passphrase generator, and Bitwarden offers a web-based generator you can use online.

A passphrase generator from Bitwarden.

Passphrases Are Vulnerable to Your Choices

If you aren’t going to use a random generator to create a passphrase, there are a few common pitfalls you really need to avoid.

Don’t Use Short Words

If you were to randomly pick a four-word passphrase from all the words in the English language, you’d likely get one that is pretty resistant to brute-force attacks. Conservatively, you’re looking at years or decades to crack it by force.

However, if you don’t pick randomly, it is a very different story.

Short words will be your downfall here. For example, if I picked the phrase “anbetome,” I’d be in trouble. A password that is only 8 characters long (drawn from a pool of only 26 characters) is not secure, and a passphrase composed of only two-letter words is even worse, since there are only around 130 two-letter words in the English language. A competent hacker with good hardware would be able to break a passphrase like that in less than a day—likely only a few hours.

Avoid Musical Lyrics

Song lyrics are easily memorable, oftentimes personal, and you might be tempted to use a portion of your favorite song as your passphrase.

You definitely shouldn’t, though.

There are programs dedicated to brute-forcing passwords using common phrases from music, which make a musical passphrase more vulnerable than it would be otherwise.


Don’t Use Famous Movie or Book Passages

Just like the programs designed to crack passphrases inspired by music, the same sort of program is easily adapted to famous lines from books, television, or movies.

As a general rule, if most people would find the phrase familiar, it is too popular to use as a passphrase.


Don’t Use Your Life

While you may be tempted to use a phrase like “BornInNineteenNinetyOne” as your passphrase, you probably shouldn’t.

If you’re unlucky enough to wind up in a situation where someone is making a concerted effort to crack your password specifically, biographical information about you tends to make a poor password or passphrase.

Memorization Made Easier

The big advantage of passphrases is how much easier they are to memorize than passwords. If you’re having trouble remembering yours, there are two tricks I’ve seen people use that seem to help:

  1. Set your passphrase to a tune or rhyme, and hum it to yourself occasionally. You might find yourself humming as you enter your passphrase from then on, but it will make it easier to remember.
  2. Set it to a story. Create a brief narrative that combines the words (in order) into a coherent story. That can make the string of words easier to retain.

Remember, a good passphrase is only one part of good security. Regardless of how strong your password is, you should always set up two-factor authentication (2FA) on all your important services.
