Want easy-to-remember and secure passwords? Use passphrases instead of complex passwords [Tip]

March 17, 2013


Last year we wrote a post that provided five tips on how to create strong passwords and have secure accounts. Now I’d like to take the opportunity to provide another password-related tip — the idea that you should use passphrases instead of traditional passwords.

WHAT IS A PASSPHRASE?

A ‘passphrase’ is a password that uses a combination of words or phrases instead of random letters, numbers, and special characters. For example, ‘dog123zty’ is a traditional password but ‘dogpenchair’ is a passphrase. Passphrases can be as long or as short as you want and can contain any words or phrases that you desire.

WHY ARE PASSPHRASES BETTER?

When you need to create a password, you should always consider using a passphrase instead of a traditional password. Why? Two reasons.

Firstly, passphrases are easy to remember. For example, ‘oilplutowhacktoss’ is longer but a lot easier to remember than ‘kplVE7IZ’.

Secondly, passphrases are more secure than traditional passwords. Thanks to the mathematics of permutations, every extra character multiplies the number of possible passwords, so length adds more strength to a password than character complexity does. Keeping with the same example, ‘oilplutowhacktoss’ is a more secure password than ‘kplVE7IZ’ because it is longer, even though it uses only lowercase letters while the second password mixes uppercase letters, lowercase letters, and numbers. It is the power of permutations, people.

HOW TO COME UP WITH PASSPHRASES?

When coming up with a passphrase, the general recommendation is four words of five letters each, for a total password length of twenty characters. If you have trouble thinking of four five-letter words, you can mix and match word lengths: one three-letter word, one four-letter word, one five-letter word, and one six-letter word; or three six-letter words; or three five-letter words and one three-letter word; and so on. However many words of whatever length you decide to use, make sure your total password length is not lower than sixteen characters. Sixteen characters is the minimum; the more characters you have above sixteen, the better off you are.

Passphrases can contain any words or phrases you want but the key to passphrases is to select four unrelated words.

If you use a passphrase that contains related words, a modified dictionary-based attack (a cracking technique that tests whether a password is built from words found in a dictionary) could potentially crack your password easily. For example, ‘dogcatfishturtle’ is easy to remember and is long, but it is easy to crack because dog, cat, fish, and turtle are related — they are all common house pets. On the other hand, ‘dogwalletdiskairplane’ is a relatively secure password, not only because of its length but also because the four words have no obvious relationship to one another.

IMPROVE SECURITY FURTHER

While a passphrase in and of itself is one of the better types of passwords, you can make it even more secure by simply adding one uppercase letter and one number. This can be done without making the passphrase difficult to remember, and it increases the strength of the passphrase by a huge magnitude.

For example, ‘oilplutowhacktoss’ can be turned into ‘oil4plutoWhacktoss’; both are easy to remember, but the second is more secure because the number of possible passwords an attacker must search grows from 1.18 x 10^24 to 1.86 x 10^32 (assuming the system treats uppercase and lowercase letters as distinct — some systems don’t differentiate between them). In other words, while it would take 3.75 centuries to crack ‘oilplutowhacktoss’ at one hundred trillion guesses per second (which, by the way, requires a massive amount of computing power and likely isn’t going to be used against the average Joe’s account), it takes 5.92 hundred million centuries to crack ‘oil4plutoWhacktoss’ at the same rate. See the difference one uppercase letter and one number make, without making the password very much more difficult to remember?
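As an added example (not code from the article), here is the arithmetic behind the figures above and the earlier length-versus-complexity argument, in Python: it reproduces the 1.18 x 10^24 and 1.86 x 10^32 search spaces and the century estimates at the article’s one hundred trillion guesses per second, and also models the dictionary-style attacker from the section on related words, who guesses whole words rather than characters. The 10,000-word and 100-word list sizes are assumptions made for illustration.

```python
"""Search-space arithmetic behind the article's length-versus-complexity claim.

Two attacker models (both assumptions for this example, not the article's code):
  * brute force: try every string up to the password's length, drawn from only
    the character classes the password actually uses;
  * word list: guess whole words, so n words from a D-word list cost D**n
    guesses no matter how many characters they contain.
"""
import string

# Character classes and their sizes; a password only "earns" the classes it uses.
# The four classes together are the 95 printable ASCII characters.
CLASSES = (
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation + " "), 33),
)
GUESSES_PER_SECOND = 1e14                     # the article's "one hundred trillion"
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet covering every character used.

    Characters outside printable ASCII (umlauts etc.) are ignored here.
    """
    size = sum(n for chars, n in CLASSES if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password contains no printable ASCII characters")
    return size


def brute_force_space(password: str) -> int:
    """Candidates an exhaustive search covers: a + a**2 + ... + a**len(password)."""
    a, n = alphabet_size(password), len(password)
    return a * (a ** n - 1) // (a - 1)        # closed form of the geometric sum


def word_list_space(n_words: int, dictionary_size: int) -> int:
    """Guesses needed when candidates are assembled from a word list."""
    return dictionary_size ** n_words


def centuries_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return space / rate / SECONDS_PER_CENTURY


if __name__ == "__main__":
    # The article's three passwords: the 17-letter lowercase passphrase beats
    # the 8-character mixed-case one, and one digit plus one capital beats both.
    for pw in ("kplVE7IZ", "oilplutowhacktoss", "oil4plutoWhacktoss"):
        space = brute_force_space(pw)
        print(f"{pw:20} alphabet={alphabet_size(pw):2}  space={space:.2e}  "
              f"centuries={centuries_to_exhaust(space):.3g}")
    # Seen as words, 'oilplutowhacktoss' is 4 picks from a word list, not 17
    # letters. Constructed list sizes: 10,000 common English words versus a
    # 100-word 'house pets' theme like the article's dogcatfishturtle case.
    for label, n_words, size in (("4 unrelated words", 4, 10_000),
                                 ("4 related pet words", 4, 100)):
        space = word_list_space(n_words, size)
        print(f"{label:20} space={space:.2e}  seconds={space / GUESSES_PER_SECOND:.3g}")
```

The word-list rows show why the article insists on unrelated words: the same 17 letters that take centuries to brute-force fall in seconds once an attacker can guess them as four themed words.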

Aside from enhanced security, getting into the habit of modifying a passphrase to include one number and one uppercase letter is very good practice because many websites require that passwords include a minimum of one number and one uppercase letter.

IMPROVE SECURITY EVEN FURTHER

Once you have a passphrase of sixteen characters or more that includes one uppercase letter and one number, you have a passphrase that will withstand brute-force and dictionary attacks, which constitute 99% of all attacks. However, there are some extremely sophisticated attacks out there that guess your password based on letter patterns in the English language. For example, as dotTechie AFPhy6 points out, in English the letter ‘L’ is more likely than the letter ‘D’ to follow the letter ‘P’ in a word, as in “pluto”. So once a more sophisticated attack has discovered the ‘P’, it would try ‘L’ before ‘D’ as the next letter, which cuts down on the time it takes to crack a password.

So what to do to counteract this more advanced type of attack? There are two things you can do:

  • Make up words by deliberately misspelling them or using bad grammar. Keeping with the same example, instead of ‘oil4plutoWhacktoss’ the passphrase can be ‘yil4plutyWhacktyss’, where I simply replaced every ‘O’ in the passphrase with ‘Y’. ‘yil4plutyWhacktyss’ is, admittedly, harder to remember than ‘oil4plutoWhacktoss’, but it is more secure and still easier to remember than a randomly generated password of similar length. [Thanks dotTechie AFPhy6 for pointing out this tip!]
  • Use non-English words. While most systems won’t let you use non-Latin alphabets, you can use Romanized words from other languages in your password. For example, instead of ‘oil4plutoWhacktoss’ I can make the passphrase ‘oil4plutoWhackpaika’, with ‘toss’ replaced by the Urdu word ‘paika’, which means throw. You can even combine this method with the previous one and use ‘yil4plutyWhackpaika’. [Thanks dotTechie thegreenpixel for pointing out this tip!]

Making up words and/or using non-English words does make a passphrase noticeably more complicated and harder to remember, which defeats one of the major purposes of using a passphrase — ease of remembering. However, it also makes passphrases stronger while still being easier to remember than randomly generated passwords of similar length.

I’d recommend the trick of making up words and/or using non-English words only if you feel you need the enhanced security. The truth is, most people likely don’t. A passphrase of sixteen characters or more with one uppercase letter and one number is highly secure, and the sophisticated attacks that made-up and non-English words counteract are not as common as you might think — the people with the resources for them typically have agendas that target a specific type of person, not the average Joe. However, if you feel you need it, then do it.

What you don’t want is to adopt a passphrase of sixteen characters or more with one uppercase letter, one number, fake words, and words from another language, and then stop remembering or using it because it has become too complicated. Passwords are all about trade-offs: if you feel you can easily remember such a passphrase, use it; if you feel you cannot, then stick to a passphrase of sixteen characters or more with one uppercase letter and one number — don’t bother with fake words and words from another language.

CONCLUSION

Passphrases are more secure and easier to remember than traditional, complex, or randomized passwords. What other reasons do you need to go with a passphrase?

Share your thoughts on passwords in the comments below.

25 Comments

  1. Shawn March 17, 2013 at 10:49 PM

    Just using Dottech as a password example using other ascii’s is going to take one heck of a time breaking it down.

    d0773(h
    DoTtEcH
    döttë?h

  2. Shawn March 17, 2013 at 10:52 PM

    Darn I’m guessing some of the ascii characters don’t post well on WordPress… oh well…

    You can see what I wanted to show you all at
    http://needaddys.com/msnnames.php

    Just enter the password you would like in the msn name section.

  3. Ashraf March 17, 2013 at 10:52 PM

    [@Shawn] ? You lost me. Are you saying using ASCII letters make passwords hard to crack? With the power of GPU acceleration combined with traditional CPU processing, you’d be surprised how quickly passwords can be cracked regardless of what type of characters they use. This is why length > complexity.

  4. r1xtremerider March 17, 2013 at 10:57 PM

    There is one problem with using passphrase as a password. Almost all secure websites REQUIRE the use of a number, letters alone are not enough. What do you do in that situation which is often?

  5. Ashraf March 17, 2013 at 11:03 PM

    [@r1xtremerider] Yeah, I hate it when that happens. Websites should be encouraging users to use passphrases, not forcing them to use a letter or uppercase letter.

    In such a situation, I recommend thinking of a passphrase then simply adding a letter, uppercase letter, etc. to conform to the requirements of a specific website. For example, a website says you must use one uppercase letter and one number. So instead of ‘oilplutowhacktoss’ use ‘oil51plutowhackToss’ or something to that effect.

  6. AFPhy6 March 18, 2013 at 2:37 AM

    [@Ashraf]

    From: http://arstechnica.com/security/2012/08/passwords-under-assault/

    “At any given time, Redman is likely to be running thousands of cryptographically hashed passwords through a PC containing four of Nvidia’s GeForce GTX 480 graphics cards. It’s an “older machine,” he conceded, but it still gives him the ability to cycle through as many as 6.2 billion combinations every second. He typically uses a dictionary file containing about 26 million words, combined with programming rules that greatly extend its effectiveness by adding numbers, punctuation, and other characters to each list entry. Depending on the job, he sometimes uses a 60 million-strong word list and something known as “rainbow tables,” which are described later in this article.”

    Check the viability of your password here: https://www.grc.com/haystack.htm

    For a “passphrase” attack, I suggest that each word be considered as coming from a 10,000 word dictionary, so 4 words would be complexity 10^16 in length. Of course, if you put characters or numbers other than lower case in your words, you enlarge the dictionary and complexity, but that is defeating the reason for using a passphrase to begin with.

  7. AFPhy6 March 18, 2013 at 2:48 AM

    To expand on what I just wrote:

    A 4-word passphrase would then be approximately similar complexity to a random 8-digit password using upper, lower, numbers and special characters. The cracker described in the article above would have that password cracked in about 12 days.

    Ouch.

  8. AFPhy6 March 18, 2013 at 3:04 AM

    Finally, here is a password generated easily at Gibson’s site: https://www.grc.com/passwords.htm

    -936>&A&!i9@[T~E%K06Y"gF?~iWji^)PYR4g+6L:q?]sv>]sq-$}4Z06^H>~~u

    It would take that same cracker about 2 thousand million trillion trillion trillion trillion trillion trillion trillion trillion centuries to crack it… but you better not lose your password keeper or you are so out of luck!

  9. Ashraf March 18, 2013 at 3:46 AM

    [@AFPhy6] [@AFPhy6] [@AFPhy6] I made a mistake originally recommending 4-word passphrase of 4 letter words. I should have recommended 5 letter words. I’ve updated the article to reflect this.

    I’ve also updated the article to include enhanced security tips about adding an uppercase letter and number to passphrase, without making the passphrase too hard to remember.

    Thanks for the tips and the website!

  10. AFPhy6 March 18, 2013 at 6:48 AM

    [@Ashraf]

    Oh, one more addendum to the problem with passphrases, although, as you point out, the longer, the better…

    One of the attack modes that is NOT mentioned in that security article is that modern cracking techniques for “exhaustive mode” searches are not simply “random”, orderly, exchanges of characters. The crackers use an algorithm that looks at “most common groups” of letters, so, for example, if an analysis of a cracked password dictionary shows that the most common character to follow “t” is “h”, that is the first character checked for in the search, instead of “a” or “1”. That strategy is followed recursively throughout the search space.

    That results in “regular words” like “pluto” in your example being much more easy for the cracker to discover than “pzuto” since “l” is far more likely to follow “p” than is “z”. That strategy seriously reduces the effectiveness of normal word dictionary generated passphrases.

    For this reason, I suggest that if a reader is going to use a “passphrase” strategy, they use a few “words” that they invent, and then shuffle those “words” when they wish to change passwords.

    For example, suppose my dictionary of easy to type and recall “words” (given keyboard layout and my own mind) are “Qaz”, “2389”, “mk.KM”, “*9*”, and “1M!b”. I don’t tell anyone what those are. I DO write them down in a couple places just in case, even in plain sight. Using those 5 “words” of mine, in the manner of “passphrase” philosophy, I can generate many dozens (but not trillions) of passwords like:

    Qaz2389mk.KM = 3 “words”, 12 chars
    mk.KM1M!bQaz = 3 “words”, 12 chars
    1M!bQaz2389mk.KM = 4 “words”, 16 chars
    *9*1M!b2389*9* = 4 “words”, 14 chars

    Even if these were cracked by brute force, it is unlikely my “words” would take up residence in a cracker’s dictionary… they are pretty random looking.

    For a site like DotTech, I will use 3″words” separated by “D” and “T”, so QazD2389Tmk.KM . But, if your password base is compromised a cracker could say “gee – it is likely that D and T separate ‘words’”. He might add them to his dictionary and make me easier to crack in the future. Instead I may use the keyboard keys following the DT, eg., FY, as my separators. (I suggest wrapping around “P” to “Q” instead of using “[“, for example, but use your OWN ideas!) This allows me to have simple passwords for ME, different for each web site, and a lot of confidence, even if one of my passwords is obtained the others won’t.

    When I have forgotten a site’s password, it is simple for ME to bust it since MY dictionary is only a few words, and it is MY pattern! Hackers don’t have it so easy, since they are really in brute force mode.

    I will be using 3-word passwords for sites like DotTech… 4-word passwords for banking and such sites.

    My “words” will be 3-5 characters long. There will be at least two of each in a specific class, so for example, I’ll have three like “MKLM” or “QRFV” or “2389” so I can use my same pattern on those horrible sites that only allow capital letters and numbers. Most of my dozen words will have at least three of the classes: upper-case, lower-case, numbers, specials, non-ASCII unicodes. I will also have one of each that is single-class, like “%$#”.

    By the way, the change I’m making is not going to be that radical. I have been using this for nearly 20 years… I will simply add one letter to each of my “words”, and go from 2 or 3 “words” to 3 or 4 “words”. I believe that I’ll have no need to change my approach 20 years from now unless it is to again add a “word”. In all the articles I’ve studied about this concern, I’ve never seen a better approach to passwords, though Gibson’s “padding” would be a good addition that I will probably not adopt.

    By the way, if you wish, please feel free to use this material and modify it, if you think it useful enough, as an article on the site instead of a mere reply.

  11. AFPhy6 March 18, 2013 at 7:08 AM

    Again, an addendum:

    First, even my short, 3-“word” passwords without the added “Spacer” take over ten times longer to crack than the 16 character passphrases. Each of those additional spacers multiply the time by 95 (due to my using at least one of each class) instead of 26 or 52.

    Second, my “words” may appear difficult to type or recall, but after doing them 10 times or so, they are remarkably fast to type.

    Third, if someone were going to adopt _mostly_ a passphrase such as you suggest above, I strongly recommend that they invent one simple-to-type “word” such as &*78 to add somewhere in every one of their passphrases. That will force the attacker to go to a full 95-character search, and even if the phrase remains 16 characters, it will be over 10,000 times more difficult to discover.

  12. jayesstee March 18, 2013 at 10:04 AM

    [@AFPhy6]
    Thank you. A really valuable ‘primer’.
    I like the fact that you can crack your own password – simply brilliant!
    I have a simpler system, but having read your post(s) I am going to redo all of mine. Hope you haven’t done an ‘Apple’ and patented it!

  13. AFPhy6 March 18, 2013 at 10:42 AM

    I feel like I am beating a dead horse to some extent here, but since it is a subject that I have strongly considered, at length, in detail, and from a position of understanding the basics of the field, I am going to add yet another thing after reading and thinking about your revised article:

    Your “complex” oil4plutoWhacktoss password is much much better than your original example. I’m glad you augmented the article in that way. Note, however, with the calculator I linked above that o!l4plutoWhacktoss would register as 20,000 or so times more difficult in a brute force attack.

    However, that passphrase ought not be considered as 18 separate characters, but as 5 words coming from a rather simple dictionary: the 37,000 words in a simple pocket dictionary, including the single characters. Such dictionary attacks are very common tools used by hackers, probably even more common than brute force random attacks. The passphrase gains by having a higher “base” of 37000 (or so) compared to the complex common ASCII base of 95, but loses out due to the low exponent. So, the 5-word attack must deal with about 7×10^22 variations of that small dictionary, not the 10^32. The dictionary may have to go to “all words capitalized” mode for your specific example, which would make it 32 times longer search … 10^24. That would make it about the same difficulty as a 12-character totally random string, and I consider that sufficient strength now, and for at least 5 years. This is far better than your initial 4-word, lower case example which was equivalent to about 9-10 random ASCII characters, (that comes in at around 2×10^18), but still, it is not even close to 10^32.

    And by the way, the “o!l” instead of “oil” thing I used herein really doesn’t “count” as using the 95-character set of ASCII, but instead as using a slightly “expanded” dictionary of maybe 100,000 words and having “common substitutions” for specific characters … a dictionary containing “words” such as l0ve, and 4eign. Those are so trivial to check that in hackers lists of cracked passwords they don’t even list such things separately but include them as being the same words as “love” and “foreign”. You don’t get the full benefit of the 95-character ASCII set you gain from a totally random password, or the “invented words” that I suggest earlier in this thread.

    Ah… rereading what you wrote yet again and what I did herein, I am going to make yet one more comment right here as a “PS” instead of trying to fit it in the right place above: Your “5 letter word” suggestion runs into the teeth of another simple attack mode, dictionary attack starting with all 1-letter words (26), then all 1&2 letter words (384), then all 1,2&3 letter words (2532), on to 123&4-letters (6515), (26+358+2148+3983+5794), finally 1,2,3,4&5 letter words(12,309). I got those numbers using a wild card search in TheSage dictionary of 210,000 words, and I can tell you that there are quite a few of those that are not in a typical dictionary (zb, kd, “a few”, a-non, a’man, for example) I did not bother to purge the list, but an actual list of dictionary words from a Merriam-Webster would be many fewer than 12,000.

    This means that even including capitalized and “common substitution” words, the dictionary is probably more on the order of my “moderate-sized” figure of 37,000 words, and the 4 and 5 “word” passphrases would be more on the order of 2×10^18 and 7×10^22, corresponding to approximately 9-10 (barely acceptable 9 years) and 11-12 random characters respectively (around 300,000yrs for Redman). Presumably, those would be much easier to remember than such random passwords, at least.

    I still like my method better than passphrases, though.

  14. AFPhy6 March 18, 2013 at 10:47 AM

    [@jayesstee]

    LOL- No, I have not tried to patent it, but I hereby Copyright everything I wrote in all my replies to this article and the other password article now up on DotTech… the concept, and assume that Ashraf will claim rights also! … if only so some fool company like Apple will NOT be able to come by and patent it without running into some real difficulties! …

    Time to save the right page now, just in case some wise guy tries it…

  15. jayesstee March 18, 2013 at 11:04 AM

    [@AFPhy6]
    Oh dear, I have already copied your posts numbered 6, 7, 8, 11 and 12 to a word document. It is the first ‘in-depth’ treatise on the subject that I could read (and understand) past the first few lines . . . .
    If you would like me to destroy it or you would like a copy please send me a PM. Otherwise thanks again.

  16. AFPhy6 March 18, 2013 at 11:50 AM

    This is a simple cross-link to another post today and many comments I made on it which are pertinent to this whole subject:

    http://dottech.org/100945/windows-review-pwgen/

    [@jayesstee]
    I’m going to also add a MAJOR YES about “being able to easily crack my own passwords”. That is why I devised the system to begin with.

    Ah – I thought I had explained somewhere about Unicode, so while I’m at it I’ll put this all in one place:

    Though they are often considered pretty much only 2-characters linked together, Unicode characters are more than that. Such character sequences (revert to hex for a while) as hex 0x2301 are virtually impossible to use in an ASCII password since 0x01 and many other unprintable characters are “escape” characters with special meanings. However there are many Unicode characters that have form 0x2301, where one or more of the pair are unprintable.

    A properly chosen Unicode character set, where useable, expands the “base” from which the exponent on the password evaluation page linked above from 95 (or 95×95=9,025 if you want to look at a Unicode as a double character), up to at least 63,000 due in large part to the inability to use the full hex space in ASCII.

    Gibson does not (yet) include Unicode possibilities in his evaluation, probably since Unicode support is still spotty, so I have been doing my own calculations using the approximation that one Unicode character has similar complexity to three characters created from the character set of “UPPERCase+Numbers”

    Again, since some people think this is a decent primer: it is easy to think that if someone is using a random attack mode you don’t have to worry about them using a dictionary attack. That is false. What goes on in the real world is that the encoded password files get released, and dozens or thousands of hackers go to work on that file, each using their own strategy. There may be some duplication, but there is a lot of variation in each person’s or teams’ approach, and many of them have setups similar to Redman’s and even more capable.

  17. AFPhy6 March 18, 2013 at 11:52 AM

    [@jayesstee]

    No! Keep it! You can always have a copy for personal use of such material… you simply can not sell it, pretty much!

  18. sl0j0s March 18, 2013 at 4:25 PM

    Hello, all.
    Great article, and the comments [AFPhy6, especially] are fantastic, too.
    The only thing; nobody mentioned “padding”, or the addition of punctuation or numbers to a ‘passphrase’, to expand its complexity and length.
    I think I saw at Steve Gibson’s site, which is referenced above by “AFPhy6”, @ #8.

    Have a GREAT day, neighbors!

  19. thegreenwizard March 18, 2013 at 6:13 PM

    It’s so easy… mix different languages and you put the dictionaries out of business, and for numbers use the Roman numerals, for example for your SSN.

    Salutguapaw1egoestyou?

    French, Spanish, German+1, Swiss-German, English and with the Swiss German, you don’t have a dictionary.

    “Hello pretty (1) how are you?”

  20. Ashraf March 18, 2013 at 6:59 PM

    [@AFPhy6] When it comes to security, there are two aspects: the technical element and the human element. The biggest problem with passwords is the human element. If a password technique is too complicated, many people won’t use it. You are right, there are hacking techniques out there that help in cracking software and using fake words/bad grammar is a way to counteract those techniques. However, using fake words/bad grammar increases the complexity of a passphrase which will discourage many people from using passphrases, and a passphrase is better than no passphrase.

    However, as I said, you are right. I have updated the post to include the tips you have provided but have included a caution, too.

    Thanks!

    [@thegreenwizard] Thanks! Updated post with your tip, too.

  21. AFPhy6 March 18, 2013 at 7:27 PM

    [@sl0j0s]

    I had one sentence referring to Gibson’s very good idea of “padding”. I’m agnostic about that.

    [@thegreenwizard]

    Very cute! I like that concept. In addition, if you are allowed to use the extended character set (higher ASCII characters with values greater than 128 with umlauts and other such accent marks) by the password-asking site, you greatly expand the search space, probably to a base in excess of 200, though you still can’t get to the “escape” characters that are smaller than 0x20. … One problem for me: English is my second language (and I have no third)… Math is my first … LOL I would really screw up if I tried other language words!

    [@Ashraf]: I truly respect you, friend. Your article was very good for discussion, and I am excited that you updated it. I absolutely agree with your paragraph in post#20. I guess I am going to have to go pore over the main article again, though!

  22. AFPhy6 March 18, 2013 at 7:38 PM

    [@Ashraf]

    Congratulations, Ashraf! A much stronger and better article now! I won’t withdraw my comments, especially my post#10 technique since it results in a password that is essentially breakable only by me, but you’ve really tightened this up. And Gibson would probably really make sure we added padding… lol.

  23. Col. Panek March 19, 2013 at 5:43 PM

    [@thegreenwizard] …and you most probably don’t have a Malagasy dictionary and use Canadian slang, eh?

  24. Bruce Fraser March 19, 2013 at 8:12 PM

    The premise of this whole article was “easy to remember” passwords. (Look back at the title.) I think this method fails.

    So you use “oil4plutoWhacktoss” for a website. Good luck remembering even that. Now multiply that by however many websites for which you need passwords. I have passwords stored for over a hundred websites. (That doesn’t mean I use them regularly; some I haven’t been back to since my first encounter, but registration was required. Still, I probably use twenty or more regularly.)

    Try to remember all those? Forget it. Since I’m going to use a password utility, then it doesn’t matter whether the characters are words or gibberish; the main thing is to make the passwords plenty long.

  25. AFPhy6 March 20, 2013 at 6:57 AM

    [@Bruce Fraser]

    I agree, due to the virtually unlimited size of the dictionary.

    Please consider the method I outline in #10 – passphrases composed of short, “strong”, “words” you generate yourself, separated by website-specific characters. If I lose my password keeper (which I did a few months ago on a system reinstall), I still am able to recover with a few tries due to my limited dictionary.
