How To Pick A Better Passphrase

We’ve discussed how using passphrases as passwords can boost your security, but if you’ve chosen a phrase used in everyday speech, you’re not doing yourself — or your data — any favours. According to a new Cambridge study, a common phrase such as “outofthepark” is only marginally more secure than a dictionary word, and anyone looking to crack your password already knows to try common phrases along with common words. If you prefer passphrases, here’s how to make them more secure.


Why Common Passphrases Aren’t As Secure As You Think

The reason that many password systems won’t allow you to choose dictionary words as your passwords (or at least require you to add numbers, capitals or special characters to those words) is that the first thing a hacker will do to guess a password is try every word in the dictionary to see if they can get in. Even swapping out “i” for “1” or “e” for “3” often isn’t enough; those tricks have been around long enough that the common substitutions are easily added to the cracker’s dictionary list and included in the brute-force attack. The goal of encouraging passphrases instead is to create credentials that are entirely nonsensical to a password-cracking utility, but memorable to the human who needs to access a given system every day.

The trouble is that so many people, when they embrace passphrases, use common phrases from books, popular movies, memorable quotes, sports teams, or other proper nouns that are easily guessed. A group of researchers from Cambridge University recently published a study (PDF link) in which they found that using a dictionary of these common phrases allowed them to crack about 8,000 passphrases in Amazon’s old PayPhrase system. They conclude that passphrases as a password system ultimately provide less than 30 bits of security, which they note is too weak to withstand most online attacks. Ars Technica explains what this means in plain terms:

The “30 bits of security” means the chances of a single guess cracking a four-word passphrase would be one in 2^30. What’s more, the two-word phrases cracked in the study provided just 2^20.8 (or 20,656/0.0113) bits of security. Another way of expressing the same finding is that a dictionary of slightly less than 21,000 phrases is enough to guess the login credentials that slightly more than 1 per cent of people in the real world will use.

Admittedly, 1 per cent of phrases is a very small number, but it’s still cause for concern, and drives home the point: any security system, even if it’s well built and sufficiently complex, can easily fall prey to user-introduced patterns. In the end, the user — and their password — is almost always the weakest link.


How to Improve Your Passphrases

This doesn’t mean that all hope is lost for passphrases, or that you should give up on them and go back to standard strong passwords. Honestly, if you can combine the two, you should — the strength of a strong password with letters, numbers, varying case, and special characters is improved significantly when strung together as a phrase. The key is to pick a phrase that’s easy for you to remember, but not to choose, for example, your favourite sports team, or the name of your city and state strung together, or the make and model of your car. Yes, it diminishes the ease of memorisation, but it vastly improves your security.

The study explicitly points out that “multi-word phrases, if chosen naively according to natural language tendencies, are not as effective at mitigating guessing attacks as alternate choices, such as choosing 2 random words or choosing a personal name at random”. So, in order to boost your passphrase security, you need to pick words that matter to you, but don’t matter to anyone else. For example, “NissanAltima” may not be a dictionary word, but it’s a proper noun that’s easily guessed. Instead, you might try “My03AltimaIsBlue.”

When we discussed the XKCD passphrase generator, we pointed out another, more secure method worth repeating. If you want to use your favourite lyric from a song, grab the first character or two from each word in your favourite line, instead of stringing the whole lyric together. We proposed that a Jackson 5 lover might extract a password from the lyrics “Oh baby give me one more chance to show you that I love you” and come up with “obgmomctsytily,” which is significantly more secure.

The XKCD Password Generator itself is a robust tool to generate passwords, mostly because the words it strings together are random — they have no meaning behind them, and would be difficult to break in a dictionary attack, and even harder if you mix case and special characters. You could also take it up a notch and use the shift-to-right method for your passwords, which really makes them unintelligible.
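As an added example (not code from the article or from the Cambridge study), the Python below puts numbers on the points made above: it undoes the usual leet substitutions before a phrase-dictionary check, derives the study’s 2^20.8 figure from its dictionary size and hit rate, compares that with random-word and first-letter passphrases, and generates a random-word passphrase with a proper CSPRNG. The five-phrase dictionary and the 2,048-word list size are constructed assumptions.

```python
import math
import secrets

# Constructed sample of a "common phrase" cracking dictionary
# (the real study used tens of thousands of phrases).
COMMON_PHRASES = {"outofthepark", "iloveyou", "letmein",
                  "nissanaltima", "youcanthandlethetruth"}

# Leet substitutions crackers routinely undo before a dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def normalize(candidate: str) -> str:
    """Reduce a candidate to the plain phrase an attacker would look up."""
    return "".join(ch for ch in candidate.translate(LEET).lower() if ch.isalpha())

def is_common_phrase(candidate: str, phrases=COMMON_PHRASES) -> bool:
    """True if the candidate falls to a phrase-dictionary attack despite case/leet tricks."""
    return normalize(candidate) in phrases

def effective_bits(dictionary_size: int, success_rate: float) -> float:
    """Security in bits implied by a guessing dictionary: an attacker expects
    dictionary_size / success_rate guesses per cracked account, so bits = log2 of that."""
    return math.log2(dictionary_size / success_rate)

def random_words_bits(wordlist_size: int, n_words: int) -> float:
    """Bits for n words drawn uniformly at random from a word list (XKCD-style)."""
    return n_words * math.log2(wordlist_size)

def first_letters(line: str) -> str:
    """The article's first-letter method: the initial of each word in a lyric or quote."""
    return "".join(word[0].lower() for word in line.split())

def random_passphrase(wordlist, n_words: int) -> str:
    """Generate an XKCD-style passphrase using the secrets module, not random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

if __name__ == "__main__":
    print(is_common_phrase("0ut0fTheP@rk!"))          # True: substitutions don't help
    print(round(effective_bits(20656, 0.0113), 1))    # 20.8, the study's two-word figure
    print(random_words_bits(2048, 4))                 # 44.0 bits for 4 words from a 2,048-word list
    print(first_letters("Oh baby give me one more chance to show you that I love you"))
    print(random_passphrase(["correct", "horse", "battery", "staple", "cloud", "paper"], 4))
```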

Finally, once you’ve done all of this, and built a great passphrase that’s difficult to crack and hard to break, do yourself a favour and plug it into a password management system like LastPass, KeePass, or 1Password, so you can use different strong passphrases for every service you use, and one memorable one to get into your password vault.

Do you use passphrases, or stick to strong passwords instead? Maybe you mix them up? Share your password tips and tricks in the comments below.

Title image by XKCD.


  • I teach my students to use pass phrases but to use the first letter only.
    So using the line: “You can’t handle the truth” by Jack Nicholson in A Few Good Men from 1992 generates
    It satisfies a mix of caps and lower case, numbers and letters and although it looks random to the casual observer it is memorable.

  • What about a combination of multiple words with the same meaning but in different languages? For example: “Night.yoru.noche” (Eng, Jap and Spanish)
    Basically you’ll have to remember only one or two words for a very long phrase.

  • Is the first character of your password a capital? Congratulations, you fail at mixed-case passwords.
    Is your last character the number one? You fail at numbers and letters.
    Is the last character an exclamation point, question mark or period? You fail at non-alphanumeric characters.
    Is your phrase grammatically correct? You fail at introducing randomness to avoid dictionary attacks.
    Is your password so random that you have it written on Post-it notes? You fail at passwords.
    Is your password based on your name, birth date or the name or birth date of your immediate family members? You fail at introducing randomness to avoid targeted guesses.
    Do you use the same password for your email, banking and social networking? You fail at remembering that your password is only as secure as the least secure company holding it.
    Do you use services that can tell you your current password in the event that you forget it? You fail at picking secure service providers.
    Do you ask your secure service providers if they salt their hash tables to prevent rainbow table attacks? You fail at being a crypto nerd… But seriously kids, you should. It’s important.
