Last year we wrote a post that provided five tips on how to create strong passwords and have secure accounts. Now I’d like to take the opportunity to provide another password-related tip — the idea that you should use passphrases instead of traditional passwords.

WHAT IS A PASSPHRASE?

A ‘passphrase’ is a password that uses a combination of words or phrases instead of random letters, numbers, and special characters. For example, ‘dog123zty’ is a traditional password but ‘dogpenchair’ is a passphrase. Passphrases can be as long or as short as you want and can contain any words or phrases that you desire.

WHY ARE PASSPHRASES BETTER?

When you need to create a password, you should always consider using a passphrase instead of a traditional password. Why? Two reasons.

Firstly, passphrases as easy to remember. For example, ‘oilplutowhacktoss’ is longer but is a lot easier to remember than ‘kplVE7IZ’.

Secondly, passphrases are more secure than traditional passwords. Thanks to the power of mathematics, the length of a password always makes a password stronger than its complexity. Keeping with the same example, ‘oilplutowhacktoss’ is a more secure password than ‘kplVE7IZ’ due to its longer length, even though it uses only lowercase letters whereas the second password uses uppercase letters, lowercase letters, and numbers. It is the power of permutations, people.

HOW TO COME UP WITH PASSPHRASES?

When coming up with a passphrase, it is generally recommended to use four words of five letters each so you have a total password length of twenty characters. However, if you are having trouble thinking of four words of five letters each, you can mix and match different length words. For example, you can use one three letter word, one four letter word, one five letter word, and one six letter word; or three six letter words; or three five letter words and one three letter word; etc. How many words of whatever length you decide to use, you want to make sure your total password length is not lower than sixteen characters. Sixteen characters is the minimum; the more characters you have above sixteen, the better off you are.

Passphrases can contain any words or phrases you want but the key to passphrases is to select four unrelated words.

If you use a passphrase that contains similar words, a modified dictionary-based attack (a type of cracking technique that tests a password to see if it contains words from the dictionary) could potentially crack your password easily. For example ‘dogcatfishturtle’ is easy to remember and is long but is easy to crack because dog, cat, fish, and turtle are related — they are all common house pets. On the other hand, ‘dogwalletdiskairplane’ is a relatively secure password not only because of its length but also because the four words used have no major relationship between them.

IMPROVE SECURITY FURTHER

While a passphrase in and of itself is one of the better types of passwords, you can have an even more secure passphrase by simply adding in one uppercase letter and one number. It is possible to modify a passphrase to have one uppercase letter and one number without making it difficult to remember, and adding in one uppercase letter and one number increases the strength of the passphrase by a huge magnitude.

For example, ‘oilplutowhacktoss’ can be turned into ‘oil4plutoWhacktoss’; both are easy to remember but the second number is more secure because now instead of 1.18 x 10^24, password strength is 1.86 x 10^32 (assuming uppercase letters are counted as separate from lowercase letters — some systems don’t differentiate between uppercase and lowercase). In other words, while it would take 3.75 centuries to crack ‘oilplutowhacktoss’ at one hundred trillion guesses per second (which, by the way, requires a massive amount of computing power and likely isn’t going to be used for the average Joe’s account), it takes 5.92 hundred million centuries to crack ‘oil4plutoWhacktoss’ at one hundred trillion guesses per second. See the difference one uppercase letter and one number make, without making the password very much more difficult to remember?

Aside from enhanced security, getting into the habit of modifying a passphrase to include one number and one uppercase letter is very good practice because many websites require that passwords include a minimum of one number and one uppercase letter.

IMPROVE SECURITY EVEN FURTHER

Once you have a passphrase with sixteen characters or more that includes one uppercase letter and one number, you have a passphrase that will withstand brute-force and dictionary attacks, which constitute 99% of all attacks. However, there are some extremely sophisticated attacks out there that try to guess your password based on trends in the English language. For example, as dotTechie AFPhy6 points out, in English the letter ‘L’ is more likely than the letter ‘D’ to follow the letter ‘P’ in a word, such as in “pluto”. So a more sophisticated attack would guess ‘L’ after it discovered ‘P’ before it guesses ‘D’, which cuts down on the time it takes to crack a password.

So what to do to counteract this more advanced type of attack? There are two things you can do:

• Make up words vis-a-vis bad spelling and/or grammar. Keeping with the same example, instead of ‘oil4plutoWhacktoss’ the passphrase can be ‘yil4plutyWhacktyss’ where I simply replaced all the ‘O’ in the passphrase with ‘Y’. ‘yil4plutyWhacktyss’ is, admittedly, harder to remember than ‘oil4plutoWhacktoss’ but it is more secure and also easier to remember than a similar length randomly generated password. [Thanks dotTechie AFPhy6 for pointing out this tip!]
• Use non-English words. While most systems won’t let you use non-Late alphabets, you can use Romanized words from other languages in your password. For example, instead of ‘oil4plutoWhacktoss’ I can make the passphrase ‘oil4plutoWhackpaika’ with ‘toss’ being replaced with the Urdu word ‘paika’ which means throw. You can even combine this method with the previous one and do ‘yil4plutyWhackpaika’. [Thanks dotTechie thegreenpixel for pointing out this tip!]

Making up words and/or using non-English words does make a passphrase noticeably more complicated and harder to remember, which defeats one of the major purposes of using a passphrase — ease-to-remember. However, it also makes passphrases stronger while still being easier to remember than similar length randomly generated passwords.

I’d recommend utilizing the trick of making up words and/or using non-English words if you feel you need the enhanced security. Truth is most people likely don’t need the enhanced security. Using a passphrase of sixteen characters or more with one uppercase letter and one number is highly secure, and the type of sophisticated attacks that making up words and/or using non-English words counteracts are not as common as you think — the people that have the resources for them typically have agendas that target a specific type of people, not the average Joe. However, if you feel you need it, then do it.

What you don’t want happening is you using a passphrase with sixteen characters or more that has one uppercase letter, has one number, uses fake words, and uses words from another language and you stop remembering it and/or using it because it has become too complicated. Passwords are all about trade-offs and if you feel you can easily remember a passphrase with sixteen characters or more that has one uppercase letter, has one number, uses fake words, and uses words from another language, then use it; if you feel you cannot, then stick to a passphrase with sixteen characters or more that has one uppercase letter and one number — don’t bother with fake words and words from another language.

CONCLUSION

Passphrases are more secure and easier to remember to than traditional, complex, or randomized passwords. What other reasons do you need to go with a passphrase?

Share your thoughts on passwords in the comments below.