Passwords. We all hate them. And we hate our own especially. We know they’re terrible, but making them stronger seems so hard: Use upper and lower case letters. Numbers. Symbols. Don’t use sentences, don’t use words, yada yada yada.
So you end up with something like M@5t3Rp@$$w0rd1967.
And who can remember that?
Well, what if I told you preachy glutton legislate shorter monsoon author made for a stronger password than M@5t3Rp@$$w0rd1967?
This kind of password is called a passphrase: a random collection of common words. It’s far easier to remember than "conventional passwords", and you don’t need to be Edward Snowden to make one — even an 11-year-old can do it.
All you need are a few minutes and some dice...
How do I make a passphrase?
Making a passphrase is simple. But don’t pick the words yourself. Humans are notoriously bad at creating true randomness. We love patterns too much, and all our words have meaning, which makes it doubly hard for us to generate random passphrases.
Better to rely on Diceware, a passphrase generating method developed by a far smarter guy than I: Arnold Reinhold. It involves using a simple list of 7776 words, each of which has a corresponding 5-digit number you can roll with a die.
It’s a lot simpler than it sounds. I’ll walk you through it:
- Download the Diceware word list: Any word processor or text editor can open it.
- Roll a die five times (or five dice once) and write down the numbers in order.
- Find the word that matches what you rolled and note it.
- Repeat so that you have a total of 6-7 words.
That’s it, really.
So for example, if you roll your die five times and come up with 34462, you would look through the list:
…and find Jockey.
You repeat the process until you’ve picked at least six words.
Feel free to add symbols, capitals, or numbers into the mix if you like. This will increase the strength of the passphrase, and most services that have any pretense at security require special symbols.
But be careful about these two rare occurrences:
- You end up with so many short words that you have fewer than 17 characters.
- You actually end up with some sort of sentence.
In both those cases, start over.
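The dice procedure above, automated with a cryptographic random source, as an added example that is not from the original post or from Reinhold's Diceware project. The full word list is not on this page, so a constructed placeholder list stands in; `load_wordlist()` and its assumed "34462 jockey" line format, `generate_passphrase()` and `passphrase_bits()` are names I chose.

```python
import itertools
import math
import secrets

DICE_PER_WORD = 5  # Diceware rolls five dice per word
# Every possible 5-roll outcome, "11111" .. "66666": 6**5 == 7776 keys.
ALL_KEYS = ["".join(p) for p in itertools.product("123456", repeat=DICE_PER_WORD)]

# Constructed placeholder list so the example runs offline; for real use,
# load the Diceware file with load_wordlist() instead.
PLACEHOLDER_WORDS = {key: f"w{key}" for key in ALL_KEYS}


def load_wordlist(path):
    """Parse a Diceware list into {key: word}; a "34462 jockey" line format is assumed."""
    words = {}
    valid = set(ALL_KEYS)
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            parts = line.split()
            if len(parts) >= 2 and parts[0] in valid:
                words[parts[0]] = parts[1]
    if len(words) != len(ALL_KEYS):
        raise ValueError(f"expected {len(ALL_KEYS)} entries, got {len(words)}")
    return words


def roll_key():
    """Simulate five dice rolls with the OS CSPRNG (secrets), never random.random()."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def generate_passphrase(words=PLACEHOLDER_WORDS, n_words=6, min_chars=17, max_tries=100):
    """Roll n_words words and start over if they total fewer than min_chars letters,
    the post's first 'start over' rule. (Its second rule, 'it reads like a
    sentence', still needs a human look.)"""
    for _ in range(max_tries):
        chosen = [words[roll_key()] for _ in range(n_words)]
        if sum(len(w) for w in chosen) >= min_chars:
            return " ".join(chosen)
    raise RuntimeError("could not reach min_chars; lower it or roll more words")


def passphrase_bits(n_words):
    """Entropy of a Diceware passphrase: each word is one of 7776 equiprobable picks."""
    return n_words * math.log2(len(ALL_KEYS))


if __name__ == "__main__":
    print(generate_passphrase())
    print(f"6 words: {passphrase_bits(6):.1f} bits; 7 words: {passphrase_bits(7):.1f} bits")
```

With the real list, `generate_passphrase(load_wordlist("diceware.wordlist.asc"))` reproduces the manual roll-and-look-up steps; the bit counts show why six or seven words is the usual recommendation.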
Remember, with this method, you’re literally letting the dice decide your passphrase to make it random. So don’t go around fudging the results because you think two words look good together. You’d be creating patterns.
Write down your passphrase on a piece of paper until you’ve memorized it. It should sink in after a few uses. If you’re having trouble, create stories to make it easier to remember.
For example: The preachy glutton would legislate for a shorter monsoon season, the author said.
This is what memory masters do. Once you have it, destroy the paper.
I don’t like dice. Can’t this be automated?
It can. In fact, there are plenty of useful Diceware passphrase generators like this one.
However, keep in mind that while generators like this one are still very secure, computers are never fully random, and this will never be as secure as rolling your own passphrase into existence.
So can I use this passphrase everywhere?
No, you really shouldn’t.
Repeating passwords or passphrases for different services is among the worst security practices out there. If one account gets hacked, they all get hacked.
Ideally, you would use a passphrase as the master password for a password manager. The manager can then create long, random passwords for each of your accounts, and keep track of it all for you. There are plenty of free or affordable password managers out there now, so there’s really no reason not to give one a try.
If you don’t want to use a password manager, then there are a couple of additional steps you should take:
- Create a passphrase for your most critical accounts, then add modifiers
These can be simple shorthands for the service or its full name. Using the example above, you could end up with:
G@G1 preachy glutton legislate shorter monsoon author
preachy glutton legislate shorter monsoon author Facebook1@
- Create a second passphrase for all the throwaway accounts
But even managing two passphrases can be a bit of a chore, so we’d really recommend a password manager.
And that’s all there is to it. You're now armed with one of the most powerful passwords possible. Go and enjoy the web…
…but if you want to know more about passphrases and why they boost security, carry on.
Why regular passwords fail us
All the usual advice you get for passwords isn’t exactly wrong. But without getting too technical (without getting technical at all, really), there are only two essential requirements for a strong password:
- It should be long: Really long. 17 characters should be the minimum. For some future proofing, making it 20+ characters is better.
- It should be random: Hackers are excellent at recognizing patterns and programming their tools to look for them.
Adding lower and upper case letters, weird symbols, and numbers – all of that’s supposed to help make even short passwords stronger by increasing the number of possible combinations far beyond what can be obtained with the 26 letters of the alphabet. But length can make up for that.
The other problem with all these added symbols is that we humans are terrible with randomness, and worse at remembering it. So we inevitably create patterns. We’re just wired that way.
So back to my original example, M@5t3Rp@$$w0rd1967 may seem like a strong password, and many password checkers like this one will tell you so. But it wouldn’t stand a chance against today’s hackers because it actually has a very simple structure: two words + a date.
Not only are the two words very common ("master" and "password"), they commonly go together. The substitutions are predictable, and therefore easy to crack: A looks like @, S looks like $, and so on. And when people add numbers to their passwords, they often do it at the end, and use a PIN or date – often of their birth.
Hackers know all these tricks and usually try them first. And they use machines to do it, while we have trouble remembering what letter we upper-cased and where we added the @.
Why passphrases make for better passwords
Despite being long, passphrases are a lot easier to remember because you’re not doing any fancy capitalization, additions, or symbol-swapping — just using plain old words.
Whoa, I hear you say. Just hold on a minute. You’re not supposed to use words.
Well, yes and no.
Conventional wisdom tells people not to use words because words are patterns by definition. Patterns reduce the randomness a hacker is fighting against when trying to crack your password.
Worse yet, words tend to get used in sentences, which have logical rules — and therefore more patterns. Popular quotes, sayings, song lyrics, names, etc., are the worst kinds of patterns because they’re just waiting to be tried first.
If your passphrase is It was the best of times, it was the worst of times — then you may as well stick to password as your password.
What makes passphrases work is that they are a tradeoff: they use just enough patterns to be easy to remember, while offsetting that with length. The key is that the word choices must be totally random. Hence the dice.