Let’s face it. Passwords suck. I hate passwords – at least if I have to create and remember them. This is why I use a password manager (and you should, too). There are some other interesting technologies that can replace passwords in some cases, but the combination of user name and password is still really the best general purpose authentication method today, in terms of convenience versus security. Creating a truly strong password pretty much requires using a password manager to generate a totally random string of characters. And this pretty much guarantees that it’s something you couldn’t memorize. You still need to have a strong master password that you can remember, though. And that’s where you might want to try using a passphrase.
What is a Passphrase?
A password is a sequence of keyboard characters; a passphrase is a sequence of dictionary words. Now, surely you’ve heard that to create strong passwords, we need to use all types of characters: upper case, lower case, numbers and special characters. And that’s true. We’re also told to avoid using dictionary words, common phrases, quotes, slogans, and so on – because it’s too easy to guess these. Also true. And therefore, what I’m about to tell you should seem very questionable: passphrases can be just as strong as passwords. How can that be true? The short answer is: math.
Let’s review what makes a password strong. It basically comes down to lack of guessability. Bad guys have automated their password guessing tools to start with combinations of English dictionary words, pop culture terms and phrases, dates and so on. This include variants of words that swap a zero for the letter “O”, and “@” instead of “a”, and so on. Once they exhaust all of these possibilities, they’re forced to just start guessing all possible combinations of letters, numbers and special characters. This is called a brute force attack. So after eliminating the easy-to-guess passwords, what makes a password strong mostly depends on how many types of characters are used and how many characters it contains (password length).
How to Create Strong Passphrases
But if a passphrase uses dictionary words, wouldn’t that make it easy for a computer to guess? Not if you select the words randomly and you use enough words. Let’s look at the math. There are about 95 possible characters you can use in a password when you add up all the letters, numbers and special characters. The number of possible passwords you can make (i.e., the possible permutations) is equal to the number of character possibilities (95) raised to the power of the number of characters in the password (its length). If you have a 12-character password, there are 9512 possible passwords. That’s a big number… it’s 23 digits long, in fact.
Let’s do the math on passphrases. Let’s say you use a dictionary list of 8000 words, and you randomly choose those words from the list. The number of possible passphrases is the number word possibilities (8000) raised to the number of words in the passphrase (length). If you have a 6-word passphrase, there are 80006 possible passphrases. That’s also a very big number, which also has 23 digits in it. In other words, it’s roughly as secure as a truly random 12-character password.
Now… the actual math is a lot more complicated because there are several nuances I’ve glossed over to keep the math simple. You can learn more here and here if you really want to dig deep.
When to Use a Passphrase
Despite the previous math, I would still use a password just about everywhere. Why? Because I can generate a 20- or 30- or even 50-character random password easily using a password manager. And (crucially) I don’t have to remember it. So when should you use a passphrase?
I would use a passphrase for cases where you need to be able to easily recall the secret – like your password manager’s vault key. Or any other login or authentication situation where you will need to type it from memory. Short passphrases can also be handy for any secret you might have to enter using a simple device, like an on-screen keyboard with a directional pad. Passphrases use only lower case letters (usually) so no need to go down-down-left-left-left-left… to hit the “shift” or “numbers” key and then up-up-right-right-right… to find the value on the keyboard.
How to Generate a Passphrase
There are actually a couple cool ways to generate a passphrase. You need a word list, a good source of truly random numbers, and a simple way to map your random numbers to a particular word in the list. The classic tool for this is diceware. You just need some standard 6-sided dice and the diceword dictionary. You roll five dice and this will choose a word from the list.
However, I would use the Electronic Frontier Foundation’s word list over the old diceware list. EFF replaced several weird, vulgar, and confusing words. (They have a really nice write-up about their list that’s worth a read.)
But here’s another really fun way to generate your passphrase: head over to d20key.com. Instead of using boring old 6-sided dice, you can use 20-sided dice (“d20’s”)! These are the dice used all the time in table top role playing games like Dungeons & Dragons. You choose the style of dice and the number of words you want in your passphrase, then click on each row to “roll” your dice and randomly select your word! If you don’t trust a web page to generate truly random numbers, you can also select the “Manual” style to roll your own dice and enter your results. Click the tabs at the top of the site to learn more. (If you want a truly unique and fun way to “roll” your dice, check out the official Firewalls Don’t Stop Dragons challenge coin!)
It’s Okay to Cheat (a Bit)
You can make your passphrase easier to remember by coming up with some sort of personal mnemonic device. I’ll refer you to the obligatory XKCD comic on the matter. But sometimes the random words are just hard to remember. Maybe you don’t know what they mean. Or maybe you often get them confused with other words with similar spellings. So, if you’re randomly generating your numbers, it’s okay (in my book) to re-roll a few times in order to get words you can more easily remember. You can also re-roll to try to get some shorter words to save on typing. Just don’t do this a lot or it will defeat the purpose (that is, they won’t be very random).
You can also improve your passphrase by adding a touch of salt. No, not table salt… a cryptographic salt. Basically, just tack on a short extra “word” with numbers and special characters, like “8$9#” for example. Something easy to remember, but adds complexity to the overall passphrase by introducing other characters. You could also introduce a word delimiter (separator), like a space or dash or slash. So, here’s an example passphrase:
And then come up with a phrase to remember it… maybe: my tutor with a poncho has an audible maternal walk that costs eight dollars or 9 pounds. It doesn’t have to make sense. 🙂
Need practical security tips?
Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.
Don't get caught with your drawbridge down!