How to create a strong passphrase, with examples

Why are we moving away from passwords?

Passwords offer a level of security for accounts that have sensitive information or actions. Attackers seeking to gain access to those accounts use multiple methods to bypass the security of passwords. One popular method, the brute-force attack, creates a combination of characters, tests whether the result is correct or not, then modifies the combination by one and tries again.

To combat those probes, many companies require users to make their passwords more complex; in other words, by adding more characters and increasing the password's depth. Consider the common four-digit bank PIN. These codes use numbers zero to nine, meaning it only requires up to 10,000 different combinations before it can be successfully hacked. In the case of a longer password, add some lowercase letters and an attacker would have to try up to 1,679,616 combinations before getting the right answer -- a huge increase.

The value of increasing a password's depth, however, comes at a cost: usability. When users are required to add special characters, numbers and capitalizations to passwords, these passwords become almost impossible to remember. As a result, users often resort to easy-to-guess patterns that attackers exploit. For example, if the password requires a special character and a capital letter, most users capitalize the first letter and put an exclamation point at the end. Cybercriminals use this knowledge to their advantage, drastically reducing the number of combinations they have to try in order to guess correctly.

The strategy behind passphrases, therefore, is to increase the breadth of the combinations. A 16-character passphrase with only lowercase letters would require a hacker to comb through more than 43 sextillion -- that's 43,000,000,000,000,000,000,000 -- combinations before cracking the code. That's why passphrases are better than passwords; they can be longer but still easy to remember.

What is a passphrase?

A passphrase is a sequence of random words or phrases strung together to create a longer, more complex and more secure password. Unlike conventional passwords that are often short and difficult to remember -- such as P@ssw0rd123 -- passphrases are generally longer and composed of unrelated words -- for example, PurpleElephantSingsAtDawn. Their length and randomness make them significantly harder to crack, while their word-based structure makes them easier to remember.

Why choose a passphrase?

As with any methodology, passphrases have benefits and challenges. Among their advantages are the following:

• Increased security. The length and complexity of passphrases make them resistant to brute-force attacks.
• Memorability. Because they are made of words or phrases, they are easier to remember than complex passwords with special characters.
• Versatility. Passphrases can be used across multiple devices and services, including email, banking and social media accounts.

Disadvantages of passphrases include the following:

• Length restrictions. Some systems have character limits that might not support longer passphrases.
• Compatibility. Not all platforms allow the use of spaces in passphrases.
• User behavior. Users might be tempted to create predictable or weak phrases, reducing their security.

How to create a strong passphrase

Many passphrase and password generators are available, but it's easy enough to make up your own. To create a passphrase that is both secure and easy to remember, follow these best practices:

• Don't use common terms. The value of passphrases, or passwords, is that no one else knows what yours is. If you choose one that is well known, it will be easy to guess, which defeats the purpose. Attackers use common password dictionaries as a first step when hacking into accounts; similarly, common phrases are also used. Have fun and come up with your own.
• Use unrelated words. Choose four or more words that are completely unrelated to each other. Avoid using phrases from books, movies or common sayings. For example, LemonCactusRocketWhisper.
• Make them longer. Longer passphrases are exponentially more secure. Aim for at least 16 characters, but ideally 20 or more. For example, DolphinPianoGalaxyBreezeCup.
• Make them more complex (optional). Although not mandatory, adding uppercase letters, numbers or special characters can increase complexity. This makes the passphrase less subject to brute-force attacks because of the amount of time and computing required to crack it. However, the downside is that it could make the passphrase more difficult to remember. For example, Lazy*Pineapple77!Moon.
• Make them memorable. Create a mental image or story to remember the passphrase. The more vivid and unique the imagery, the easier it will be to recall. For example, RobotDancesOnJellyMountain.
• Avoid predictable patterns. Don't use sequential numbers, keyboard patterns or common words related to you, such as your name, birthday or pet's name.

Tips for managing passphrases

As with password security, it is important to manage and protect passphrases. Users should follow these best practices, and security teams should include them in their password/passphrase trainings and policies:

• Use a password manager. Store and organize multiple passphrases securely.
• Avoid reuse. Never reuse passphrases across different accounts. Use a unique password for each account.
• Update regularly. Change passphrases periodically for added security. Require passphrase changes following a data breach.
• Enable MFA. Increase security by requiring a second verification step.

Passphrases offer a strong alternative to traditional passwords, combining security with ease of use. By choosing random, unrelated words and creating vivid mental images, users can create passphrases that are more secure against common cyberthreats.

Matthew Smith is a vCISO and management consultant specializing in cybersecurity risk management and AI.