Why should I use a random passphrase?

People are really not that great at creating secure passwords. The famous xkcd cartoon explained it well. Humans have been trained to use hard to remember passwords that are easy for computers to guess. It’s not easy to create a strong memorable password. Most people can make their passwords strong or memorable, but usually not both.

Advertisement

People usually end up using one of a limited and predictable set of patterns when creating passwords. They base them on things they can remember. Such as names, locations and dates or even common English words. Sometimes they’ll add some security with an uppercase letter, some numbers, or a symbol.

Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.

Password Strength cartoon on xkcd.com
Advertisement

Does your password fall into this group?

Bad Password PatternsWill a user remember it?Time To Guess
A common word. (example: password, computer, happy)Yes.10 milliseconds
An easily-typed keyboard pattern. (example: qwerty, abc123, 1qaz, or aaaabbbb)Yes.22 milliseconds
The family dog. (example: fluffy, bowser, sparky)Yes.27 milliseconds
An important number, such as a date or zip code. (example: 90210, 09112001)It’s memorable to you, certainly.3.5 seconds
A word with trivial letter-to-number substitution. (example: c4t, d0g, fr3sh)Somewhat memorable, however you could forget which letters are substituted for numbers.6.3 seconds

Given these points, if your password follows any of the listed patterns consider your password to be insanely crackable. Even if you chose a mix of these patterns, such as common word + number, in the long run it would be trivial for cyber criminals to crack.

Compare to passphrases:

Advertisement
Password PatternIs It Memorable?Time To Crack
Four or more randomly selected words (example: wiggly tudor hammer wrestler)Enter this several times and you’ll have it committed to memory.7.6 centuries. 
Advertisement

Help us on our quest to make passwords more secure!




Your contribution to our cause is highly appreciated!
Donate Now!

Is it really so simple to crack passwords? How do they do it, exactly?

The way hackers go about cracking looks something like this:

  1. First, the hackers start with common wordlists. There are websites that offer compiled lists of frequently used passwords, for example. Other sources are dictionary files containing every word in a particular language. There are also lists of all Medical words, or all Programming terms, all names, dates. In other words, in under one second 30% of all passwords will be cracked.
  2. Once the hackers have exhausted those wordlists, they will try all of the words again using common substitutions: capitalizing the first letter (manual → Manual), common letter-for-number replacements (buccaneers → buc4n33rs), as well as many other common password tricks people use.
  3. Next, the hackers combine the previous wordlists using many different character and numbers seeded into each final password. Name + date (sara122521). Name + [separator] + date (sally-092121).
  4. When none of these methods work, hackers fall back to generating every possible combination of characters. This means a to aaaaaaaaaaaaa, and a1 to a99999999999, b9999999 and so on. This is why having more characters, numbers and letters in your password is useful.

If a password is based on any combination of the above steps, it can eventually be cracked. Depending on how well-protected a website secures your password, modern computers can try anywhere between 10,000 and 350 billion guesses per second.

Keeping yourself secure requires using a random passphrase instead of a password.
Your passphrase can protect you from cyber crime. Selecciona el vínculo Restablecer contraseña en la pantalla de inicio de sesión

Your best security is using a truly random password generator like the one at Safestpasswords.com.

Normal passwords are easily defeated. Why should I make a random passphrase instead of, rGz3$!baz5kd0h?

There are all kinds of password generators on the internet that combine a bunch of random characters to create a strong password. These random passwords are definitely secure, but they are also extremely difficult to remember. Therefore people end up writing them down. Or they constantly need to use the forgot password or password reset feature of the site. As a result, these practices only make the password less secure.

Random passphrases provide the best combination of security and memorable passwords.

Compare two 15-character passwords:

PasswordTime to crack
Fe+4NTs1&A38ih453 million years
OasisPapaLegBot8.9 centuries
Which will you remember? Plan on being around in 9 centuries?

Let’s put it another way, the formula for the perfect password management strategy is really easy.

1. Use a password manager.

Firefox, Chrome, Safari and Internet Explorer have built in password managers. But if you want to use your passwords across devices you should probably use one of these:

  • 1 Password (Windows, Mac, iOS, Android)
  • LastPass (iOS, Android; Chrome plugin works on Windows, Mac, Linux)
  • KeePass (Linux, Windows, Mac, Android)

2. Use a strong master password for your password manager.

This is why a passphrase would be especially useful. In the long run you’ll have better security and peace of mind.

3. Use a new passphrase for every site or account.

sage cost decor unify steam
xerox drama tree plus stem
baked cycle wound clasp tusk
unyielding dug nefarious

If you are really paranoid, however, you can use something called diceware. Diceware is a completely offline, completely analog method of creating passphrases. It involves six dice, and a printed wordlist. The author also recommends that you close your blinds while creating new passwords using it if you truly care about password security.

Advertisement

Help us on our quest to make passwords more secure!




Your contribution to our cause is highly appreciated!
Donate Now!

Editor's Note: If you can, please consider donating to the United Nations High Commissioner for Refugees during this time of crisis in Ukraine. Our sister site has put together a great explanation of what the UNHCR does, with links to the UN donation site.

5 thoughts on “Why should I use a random passphrase?

  1. I have a website that is protected by a password.
    I have a form on the site that allows users to login.
    I am concerned about how easy it is for a hacker to guess my password.
    How can I prevent this?

    1. There are a few ways to go about this, but the best is to use a password manager.
      This way you will be able to generate a new password that is much more difficult to guess.

    2. I think you are looking for a password manager, not a password generator.
      A password generator is a tool that generates passwords for you.
      A password manager is a tool that stores your passwords.

  2. How can I prevent hackers from getting into my facebook account?

    I have a facebook account, and I’m concerned about hackers getting into my account. I’m not really worried about them stealing my information, but I am worried about them changing my profile picture, and/or posting inappropriate comments on my wall. I have a facebook account that I use for my business, so I don’t want to give my personal information to a stranger. I’m not sure if I should just delete my account, or if I should just give my information to my business account.

  3. I have a tik tok account, but I don’t know how to prevent hackers from getting into my account. I know that I need to have a strong password, but I don’t know how to make it strong. I don’t know how to make it so that it’s not easy for someone to hack into my account. I have a friend who has a tik tok account, and he has a really easy password. I don’t want to be like him. How can I make my password strong?

Leave a Reply

Your email address will not be published. Required fields are marked *