What is a passphrase and how do I create one?
Note: This is merely a guide. Password/passphrase policies will vary between companies and websites. This guide is just a starting point to encourage further interest.
Unlike a password, a passphrase is much longer and potentially more complex. The longer the passphrase is, the more secure it will be. Many of the same best practices for passwords will apply to a passphrase. It is best if the passphrase is truly random and devoid of any personal information:
Use of the categories below at least once will exponentially make it stronger:
- Uppercase letters
- Lowercase letters
- Special characters
Some best practices that would improve a passphrase:
- Replace letters with special characters:
- Instead of ‘Password01’ try ‘P@$$word01’
- The longer the better.
- I’d rather be fishing vs. I’d rather be deep sea fishing
- Avoid re-using passphrases (this includes concatenating it):
- HereIsMyPassPhrase à HereIsMyPassPhraseOkay
- Passphrases should be completely different:
- HereIsMyPassPhrase à Whatever-You-Want-As-Long-As-Its-Different!
- Use passphrases with the above requirements and suggestions.
Create at truly random passphrase with Diceware!
Diceware is one method for picking passphrases that are completely random using a six-sided dice and a Diceware Word List. This word list contains 7776 words, numbers, and special characters. 7776 is number of possible combinations for rolling a six sided dice five times.
Once you have the dice and list, decide on the length of your passphrase (I suggest 5-6 word minimum). For higher risk access (administrative/elevated accounts for instance), increase the length of the passphrase.
Roll the dice five times, note the result then locate the corresponding word in the word-list. Repeat this process for each additional word to complete your passphrase. Lastly, memorize your passphrase.
I suggest using a password management software. Then, use your new random passphrase as a master password for the management software which securely generates and stores other passwords. I strongly recommend enabling two factor authentication (2FA) whenever possible.
You can now produce random passwords for multiple accounts without having to remember them. This will ensure you can have a random and complex password for every account or website all secured by your master passphrase.
By using passphrases instead of passwords, you can better protect information systems from brute force attacks. These methods also help protect against social engineering attacks. But, personal awareness and training are much more important there. The complexity and randomness of passwords/passphrases provide protection against automated attacks from botnets and hackers.