How PassPhrases Beat Passwords

The most valuable property a password can have is that it is unique. A unique password can't be guessed from anything else you use, and when attackers take a password leaked from one site and try it against other services (which they do routinely), it won't unlock your account.

So how do you make a password unique?

One way is to take a boring password like your dog's name or the street you grew up on and change the i's to 1's and the s's to $ signs, and maybe put an ! at the end. Except that's not unique, because so many people do exactly the same thing, and password-cracking tools apply those substitutions automatically as rules.

The next way is to use a random string of letters, numbers and symbols, make it 10 or 12 characters long or more, and use a password manager to generate it in the first place. That works. But you obviously can't remember those passwords (which is fine), and they're a pain to type if you can't copy/paste or have your password manager enter them for you. And if you don't use a password manager at all, this approach is out of reach.

The last way – one that makes passwords both strong and human friendly – is to use passphrases.

What are passphrases?

If you think of a password as a collection of characters and numbers, a passphrase is essentially the same thing, except that it's made up of words. So a passphrase will be a lot longer than a traditional password but may be easier to remember, because it's a phrase, not a jumble. And because it's longer, there are far more possibilities an attacker has to work through. Tools that "crack" passwords do so by testing guesses against a stolen copy of the password (its hash) at very high speed, billions of guesses per second for weak hashing schemes, working through dictionaries, leaked password lists and combinations of letters and characters. The longer and more random a password is, the more guesses are needed and the more time it takes. One caveat: cracking tools also combine whole words, so what makes a passphrase strong is that the words are chosen at random and in enough number, not just that the result has many letters.

Passphrases can also vary in complexity. You can apply the same strategies described above to make a passphrase harder to crack: varying capitalization, replacing letters with numbers, and adding special characters such as periods and exclamation points.

Here’s an example:

Please DON’T use these examples as your passphrase – while we’re following the right guidelines for making a good password, the fact that this password is out in the open automatically makes it risky.

  1. “FiveFragrantCloudDrawHumbly”

Here's a passphrase that passes the length test, and it doesn't consist of a common phrase or even words that go together. At 27 characters and five words, any password-cracking tool will take a long time to reach that exact combination, because of the sheer number of attempts needed. There is also a fairly high probability that no one in the history of the world has ever chosen those five words as a password, which is the holy grail of strong passwords!

This level alone is an EXCELLENT way to create super strong passwords. If you'd like, however, perhaps on accounts that are really important to protect, you can up your game even further. Here's how to make it more complex (the changes are in the first and last words).

  1. “FIVEFragrantCloudDrawhumbly”

This password is slightly more complex because the first word is completely capitalized while every other word (except the last one) has only its first letter capitalized. The rule is still easy to remember: capitalize the first word, don't capitalize the last word, capitalize the beginning of all the others. Be aware that cracking tools do try common case variations, so this step adds a modest amount of extra work for an attacker rather than a huge amount; the words themselves are still what carry most of the strength.

Here's another layer of complication:

  1. “FIVEFragrantCloudDrawhumbly1!0”

While it doesn't seem like a big change, this password is more complex because it introduces numbers and special characters. And that string, "1!0", can be reused in any new password as long as the words are unique, so you don't have to memorize a new string of characters every time you make a new password. The caveat is that a reused suffix is only a secret until one of your passwords leaks; after that, assume an attacker knows it, and let the words do the real work.

While you can add more complexity to this password by, for example, replacing the letter "o" with the digit "0" and, in a different phrase, replacing "s" with "$", those are well-known tricks and cracking tools apply them automatically as rules.

You also want to avoid adding too many different elements and making the passphrase much harder to memorize. If it becomes too hard and you have to reset the password and opt for an easier one, all that hard work goes to waste and your accounts aren’t any safer.

Remember, what works well are rules that you know and can apply to any passphrase. Our example works well because it balances complexity and memorability. While adding the digits 1 and 0 and one exclamation point may seem like a minor improvement, we're adding a whole set of possibilities to the password (numbers and special characters), which makes it more difficult for a password-cracking tool to reach that combination, because it has many more possibilities to work through instead of just the alphabet.
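To make the "more guesses needed" argument above concrete, and to show the capitalization rule and reusable suffix from the examples as a repeatable procedure, here is an added example (not part of the original article and not from any password manager vendor). It assumes a word list the size of a standard diceware list (7776 words) for the strength estimate and a cracking rate of ten billion guesses per second; the short word list embedded in the code is constructed for illustration only, so a real generator would load a published list instead.

```python
import math
import secrets

# Constructed sample list, only to make the generator runnable offline.
# The strength math below assumes a diceware-sized list (7776 words).
SAMPLE_WORDS = [
    "five", "fragrant", "cloud", "draw", "humbly", "garden", "copper",
    "lantern", "velvet", "ripple", "maple", "quiet", "harbor", "tiger",
    "saddle", "pebble", "orbit", "winter", "candle", "meadow",
]
DICEWARE_LIST_SIZE = 7776          # size of a standard diceware word list
PRINTABLE_ASCII = 95               # letters, digits and symbols on a US keyboard
GUESSES_PER_SECOND = 1e10          # assumed fast-hash cracking rig


def guesses_for_random_chars(length: int, alphabet_size: int = PRINTABLE_ASCII) -> int:
    """Worst-case guesses to brute-force a uniformly random character string."""
    return alphabet_size ** length


def guesses_for_random_words(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Worst-case guesses for an attacker who knows the list and the word count.

    This is the realistic number for a passphrase: the attacker does not
    brute-force 27 letters, they combine whole words from the list.
    """
    return list_size ** word_count


def case_rule_guesses(word_count: int) -> int:
    """Extra guesses if the attacker does NOT know the capitalization rule and
    has to try lower/Capitalized/UPPER for each word independently."""
    return 3 ** word_count


def entropy_bits(guesses: int) -> float:
    """Size of a search space expressed in bits."""
    return math.log2(guesses)


def crack_time_years(guesses: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the right guess (on average half the space)."""
    return guesses / 2 / rate / (365 * 24 * 3600)


def choose_words(word_count: int = 5, words=SAMPLE_WORDS) -> list:
    """Pick distinct words with the OS CSPRNG (secrets), never random.choice."""
    if word_count < 4:
        raise ValueError("use at least four words")
    pool = list(words)
    chosen = []
    for _ in range(word_count):
        word = secrets.choice(pool)
        pool.remove(word)            # no repeated words in one passphrase
        chosen.append(word)
    return chosen


def apply_case_rule(words: list) -> str:
    """The article's rule: first word UPPER, last word lower, others Capitalized."""
    out = []
    for i, word in enumerate(words):
        if i == 0:
            out.append(word.upper())
        elif i == len(words) - 1:
            out.append(word.lower())
        else:
            out.append(word.capitalize())
    return "".join(out)


def generate_passphrase(word_count: int = 5, suffix: str = "1!0") -> str:
    """Random words, the case rule, then the reusable suffix from the article."""
    return apply_case_rule(choose_words(word_count)) + suffix


if __name__ == "__main__":
    five_words = guesses_for_random_words(5)
    print(f"5 diceware words : {entropy_bits(five_words):.1f} bits, "
          f"~{crack_time_years(five_words):.0f} years at 1e10 guesses/s")
    print(f"+ unknown case rule adds {entropy_bits(case_rule_guesses(5)):.1f} bits")
    print(f"8 random chars   : {entropy_bits(guesses_for_random_chars(8)):.1f} bits")
    print(f"12 random chars  : {entropy_bits(guesses_for_random_chars(12)):.1f} bits")
    print("example:", generate_passphrase())
```

The numbers it prints make the article's point and its caveat at once: five diceware words give about 65 bits, far above an 8-character random password (about 53 bits) and in the same range as a 12-character one (about 79 bits), while the capitalization rule adds under 8 bits even against an attacker who doesn't know it. Use the word count, not the decorations, to dial strength up.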

Another alternative? Using a compatible password manager

If you're going the passphrase route, a password manager will store those passphrases so you don't have to remember them and, depending on the manager, will generate passphrases for you. Both 1Password and Dashlane have settings that switch the password generator from random characters to full words.

If you’re concerned about anyone getting into your account, we absolutely recommend updating your password strategy to use passphrases – it’ll help you avoid reusing passwords and make your accounts much safer.

Photo by Moritz Schmidt on Unsplash
