Our passwords are the primary way we log in to all the services we use day in and day out. Unfortunately, passwords are becoming increasingly complex as pressure from hackers pushes us towards more secure choices. But what if there were a better way that didn’t involve memorizing an incomprehensible string of characters?

What Is a Passphrase?

A passphrase is similar to a password and does the same thing, but instead of a random string of letters, numbers, and special characters, it is composed of a series of words.

For example, a decent passphrase might be “phramacy-original-black-hotwheels”.

What Makes a Strong Password or Passphrase?

A passphrase, much like a conventional password, relies on two things for strength: length and complexity.

Complexity refers to how many different kinds of characters are in the password, like uppercase, lowercase, numbers, and symbols. In practice, you’re basically always limited to those four types, and some characters are typically excluded, since they can introduce problems when fed into a computer program.


Length is pretty straightforward—it is just how many characters make up the password.

If, at this point, you’re thinking “Wait! Don’t phrases make bad passwords?”, the answer is “sometimes.”

A passphrase generator from Bitwarden.

If you pick a phrase that is famous, like lyrics from a popular song, you’re at relatively high risk.

However, that isn’t really the case if you pick random words.

Let’s assume the average speaker knows about 25,000 words in a language, and that they choose a passphrase that is 4 words long. That means there are 25,000 x 25,000 x 25,000 x 25,000 different passphrases, which is about one hundred quadrillion (10^17) combinations.

If you were only using a dictionary attack to try and guess it, you’d be there for a very, very long time. Of course, the security of this approach also depends a lot on the words you choose. If you chose words that were all two letters long, you’d be much more vulnerable to a brute force attack than if you picked words that were all six letters long.

How Do You Pick a Good Passphrase?

To pick a good passphrase, make sure it meets the following criteria:

Most password managers have the ability to generate a passphrase built-in, and Bitwarden offers a service that lets you generate a passphrase on the internet.
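If you want to see what such a generator does under the hood, here is a small one written as an added example for this article; it is not Bitwarden’s code or any password manager’s code. It draws words with Python’s `secrets` module (a cryptographically secure source, unlike `random`) from a constructed sample word list, and filters out words below a minimum length so the “short words” pitfall described later cannot creep in. The word list, the `min_length` of 4 and the hyphen separator are assumptions for the demo; a real generator would load a large published list from a file.

```python
import secrets

# Constructed sample word list for this example only. A real generator would
# load thousands of words from a file. Short words are included on purpose so
# the minimum-length filter has something to reject.
SAMPLE_WORDLIST = [
    "an", "be", "to", "me",
    "lantern", "granite", "velvet", "compass", "meadow", "pixel",
    "harbor", "cactus", "orchard", "saddle", "thunder", "walnut",
]


def usable_words(wordlist, min_length=4):
    """Return the de-duplicated, lower-cased words at least min_length long.

    Short words shrink the pool, and a small pool is exactly what makes a
    passphrase cheap to brute-force, so they are dropped before selection.
    """
    return sorted({w.lower() for w in wordlist if len(w) >= min_length})


def generate_passphrase(wordlist, words=4, separator="-", min_length=4):
    """Build a passphrase of `words` words drawn uniformly with secrets.choice.

    Words may repeat (each draw is independent), which keeps the math simple:
    the search space is len(pool) ** words.
    """
    pool = usable_words(wordlist, min_length)
    if len(pool) < 2:
        # A pool this small would make the phrase trivially guessable.
        raise ValueError("word list too small after filtering")
    return separator.join(secrets.choice(pool) for _ in range(words))


def word_count(phrase, separator="-"):
    """Count the words in a generated phrase (used to sanity-check output)."""
    return len(phrase.split(separator))


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDLIST))
```

Because `secrets.choice` is uniform over the filtered pool, each word contributes the same amount of unpredictability regardless of how “memorable” it looks, which is the property the article’s later warnings about lyrics and biography are really about.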

Passphrases Are Vulnerable to Your Choices

If you aren’t going to use a random generator to create a passphrase, there are a few common pitfalls you really need to avoid.

Don’t Use Short Words

If you were to randomly pick a four-word passphrase from all the words in the English language, you’d likely get one that is pretty resistant to brute-force attacks. Conservatively, you’re looking at years or decades to crack it by force.

However, if you don’t pick randomly, it is a very different story.

Short words will be your downfall here. For example, if I picked the phrase “anbetome,” I’d be in trouble. A password that is only 8 characters long (drawn from a pool of only 26 characters) is not secure, and a passphrase composed of only two-letter words is even worse, since there are only around 130 two-letter words in the English language. A competent hacker with good hardware would be able to break a passphrase like that in less than a day—likely only a few hours.
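The two comparisons above (25,000 words to the fourth power versus the two-letter-word phrase and the 8-character password) come down to one calculation: the size of the search space an attacker has to cover. The following added example, not part of the original article, works both comparisons through with the article’s own numbers and converts the search space into entropy bits and a worst-case time to exhaust it. The guess rate of one billion guesses per second is an assumption chosen for illustration; real rates depend on the hash the service uses and the attacker’s hardware.

```python
import math

# Assumed attacker throughput for the demo (guesses per second). This is an
# illustration only; it is not a figure from the article.
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000

SECONDS_PER_YEAR = 365 * 24 * 3600


def passphrase_search_space(dictionary_size, word_count):
    """Distinct passphrases when each word is drawn uniformly from the dictionary."""
    return dictionary_size ** word_count


def character_search_space(alphabet_size, length):
    """Distinct passwords of a fixed length over an alphabet of alphabet_size."""
    return alphabet_size ** length


def entropy_bits(search_space):
    """Entropy in bits of a uniform choice from search_space possibilities."""
    return math.log2(search_space)


def worst_case_crack_seconds(search_space, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Time to try every possibility at the given rate (expected time is half this)."""
    return search_space / guesses_per_second


def describe(label, search_space):
    """Human-readable summary line for one candidate secret."""
    secs = worst_case_crack_seconds(search_space)
    return (f"{label}: {search_space:.3e} possibilities, "
            f"{entropy_bits(search_space):.1f} bits, "
            f"{secs / SECONDS_PER_YEAR:.2f} years to exhaust")


if __name__ == "__main__":
    # The article's good case: 4 words from a 25,000-word vocabulary.
    print(describe("4 random words from 25,000", passphrase_search_space(25_000, 4)))
    # The article's bad case: 4 words from the ~130 English two-letter words.
    print(describe("4 two-letter words (~130 choices)", passphrase_search_space(130, 4)))
    # The 8-character, lowercase-only password the article compares it to.
    print(describe("8 lowercase letters", character_search_space(26, 8)))
```

Two things the numbers make concrete: the two-letter-word phrase (130^4, about 2.9 x 10^8) is a smaller search space than even the weak 8-letter password (26^8, about 2.1 x 10^11), exactly as the article says, and the random four-word phrase sits near 58 bits, which is why only the dictionary size and word count matter for a randomly generated passphrase, not how exotic the individual words look.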

Avoid Musical Lyrics

Song lyrics are easily memorable, oftentimes personal, and you might be tempted to use a portion of your favorite song as your passphrase.

You definitely shouldn’t, though.

There are programs out there dedicated to brute-forcing passwords using common phrases from music that make your musical passphrase more vulnerable than it might be otherwise.

Don’t Use Famous Movie or Book Passages

Just like the programs that are designed to crack passphrases that are inspired by music, the exact same sort of program is easily adapted to famous lines from books, television, or movies.

As a general rule, if most people would find the phrase familiar, it is too popular to use as a passphrase.

Don’t Use Your Life

While you may be tempted to use a phrase like “BornInNineteenNinetyOne” as your passphrase, you probably shouldn’t.

If you’re unlucky enough to wind up in a situation where someone is making a concerted effort to crack your password specifically, biographical information about you tends to make a poor password or passphrase.

Memorization Made Easier

The big advantage of passphrases is how much easier to memorize they are than passwords. If you’re having trouble remembering yours, there are two tricks I’ve seen people use that seem to help:

Remember, a good passphrase is only one part of good security. Regardless of how strong your password is, you should always set up two-factor authentication (2FA) on all your important services.