Forgot your password?

Not so long ago I was reading Coding Horror and came across two rather interesting posts: Passwords vs Pass Phrases and Passphrase Evangelism. If you don't want to read those posts (though I highly recommend you do), the golden rule is "stop thinking of passwords as single words, and start thinking of them as pass phrases".

A few people I know (including myself) have problems coming up with strong passwords and remembering them, and I think this is the solution! From psychology we learnt that on average people can hold about 7 items in short-term memory, whether those items are 7 letters or 7 words. So a password tends to be about 7 characters long, but a pass phrase of 7 words is roughly 28 letters at an average of 4 letters per word (34 characters once you count the spaces between the words), and every extra character is one more thing an attacker has to guess.

So for those who just can't remember a random string of characters, or are already using semi-pass phrases, how do you choose a strong pass phrase? Over the weekend I did a bit of Googling and found some basic guidelines:

  • Try to use medium-long words - a phrase of very short words ends up short overall and is quicker to brute-force. Keep in mind, though, that an attacker guessing whole words from a dictionary pays the same per word whether it is 3 or 9 letters, so the number of words, and how unpredictably you chose them, matters more than their length
  • Try to have at least 4 words in the pass phrase - the longer the better
  • Don't use famous phrases (eg. "To be or not to be" probably isn't the best idea) - quotations, song lyrics and proverbs are exactly what cracking word lists are built from
  • Include spaces, numbers, caps, and special characters
  • Personal information isn't recommended - names, birthdays and pet names are the first things an attacker who knows you will try
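To put numbers on the "7 characters vs 7 words" argument and on the "longer the better" guideline, here is an added example (it is not from the original post). It compares the guessing space of a random 7-character password with that of a random 4-to-7-word pass phrase, and shows how to pick the words with a cryptographic random source rather than from your head. The 12-word list is a constructed stand-in; the 95-character and 7776-word figures are the printable ASCII set and the standard Diceware list.

```python
import math
import secrets

# Constructed stand-in for a real word list; a real one (for instance the
# 7776-word Diceware list) is what you would actually draw from.
SAMPLE_WORDS = [
    "anchor", "bamboo", "candle", "dragon", "ember", "falcon",
    "garnet", "harbor", "island", "jigsaw", "kettle", "lantern",
]

PRINTABLE_ASCII = 95   # distinct characters an attacker must try per position
DICEWARE_WORDS = 7776  # 6^5 entries in the standard Diceware list


def bits_for_random_password(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy (bits) of `length` characters drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def bits_for_random_passphrase(words, vocab_size=DICEWARE_WORDS):
    """Entropy (bits) of `words` words drawn uniformly from a list of vocab_size.

    Word length does not appear here: an attacker who guesses whole words from
    the same list pays log2(vocab_size) per word whether it is 3 or 9 letters.
    """
    return words * math.log2(vocab_size)


def expected_guesses(bits):
    """Average guesses for an attacker who knows the scheme: half the space."""
    return 2 ** (bits - 1)


def generate_passphrase(words, wordlist=SAMPLE_WORDS, separator=" "):
    """Pick words with a cryptographic RNG (secrets, not random).

    The result is exactly as strong as bits_for_random_passphrase(words,
    len(wordlist)) says. A phrase you compose in your head is drawn from a
    much smaller and more predictable space, which is why the guidelines
    above (no famous phrases, no personal details) exist.
    """
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def compare(password_chars=7, phrase_words=(4, 5, 6, 7)):
    """Rows of (description, bits) for the '7 characters vs 7 words' point."""
    rows = [(f"{password_chars} random printable characters",
             bits_for_random_password(password_chars))]
    for n in phrase_words:
        rows.append((f"{n} random Diceware words", bits_for_random_passphrase(n)))
    return rows


if __name__ == "__main__":
    for label, bits in compare():
        print(f"{label:32s} {bits:5.1f} bits  ~{expected_guesses(bits):.2e} guesses")
    sample = generate_passphrase(5)
    print("from the tiny sample list:", sample,
          f"({bits_for_random_passphrase(5, len(SAMPLE_WORDS)):.1f} bits only,"
          " because that list has 12 words)")
```

Seven random printable characters come to about 46 bits; four random Diceware words already beat that at about 52 bits, and seven words reach about 90 bits. The figures only hold for words chosen at random from the list; a sentence you made up, especially one built from a quotation or personal details, is worth far less than its length suggests.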

Here are some of my tips which might be useful if you’re thinking of changing to pass phrases:

  • Mix it with your password! If you've already got a half decent password that you use everywhere and will never forget, why not build on it? "Didn't you know my password is z1%SwL?" is probably stronger than just "z1%SwL". The caveat is that a core string shared across sites means one leaked site gives an attacker a head start on the others, so vary the sentence around it from site to site
  • Use your own abbreviations. This will make a dictionary attack on your pass phrase harder, because your abbreviations won't be in anyone's word list.
  • Don't be too fussed about grammar and spelling. Again, if your sentence isn't quite normal it's less predictable and thus harder to crack.

For those who know and are relatively fluent in a foreign language, use it! I'm Chinese myself, so these are all based on Mandarin, but I would assume other languages would work in a similar fashion. I'm using the standard Bopomofo keyboard layout, and if you use a different input method the result will be different - but hey, isn't that a bonus? One caveat: the keystroke form is still a fixed transliteration of a natural-language phrase, so an attacker who knows the trick can run a Mandarin phrase list through the same layout. Treat it as a memorability aid rather than as extra randomness, and mix in something that isn't a dictionary phrase.

  • Just type in Chinese, but without the language option turned on. So something easy to remember like "How are you?" turns out to be "su3cl3a8 2?". It still looks like a password, but is much easier to remember and will likely be longer than your standard password.
  • Type the pronunciation in English (for Chinese this is known as pinyin) and mix it with English if you want. Quite some time ago I used this as a password: "muphas hen3 nan2", which translates to "muphas is very hard" (MUPHAS is an extension maths course now known as UMEP).
  • Combine the above two…and you get “muphas 5p 27k hen3 nan2” (MUPHAS is really very hard)
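The "type Chinese with the IME off" trick, and the caveat that goes with it, as an added example (this is not code from the original post). The mapping table is an assumption taken from the standard Bopomofo (Dàqiān) layout, with the first tone on the space bar and the neutral tone on the 7 key; it reproduces the post's "su3cl3" for 你好, but a particular IME can handle tone and candidate selection differently, so the rest of the post's strings are not reproduced here. The second half plays the attacker: the layout is public and deterministic, so a constructed list of common Mandarin phrases can be pushed through the same mapping and compared, which is exactly why mixing in a non-dictionary element (as the third bullet does) matters.

```python
# Standard (Dàqiān) Bopomofo layout: Zhuyin symbol -> the key it sits on.
# Assumed from the common layout; first tone is the space bar and the
# neutral tone is 7, which a given IME may treat differently.
ZHUYIN_TO_KEY = {
    "ㄅ": "1", "ㄆ": "q", "ㄇ": "a", "ㄈ": "z",
    "ㄉ": "2", "ㄊ": "w", "ㄋ": "s", "ㄌ": "x",
    "ㄍ": "e", "ㄎ": "d", "ㄏ": "c",
    "ㄐ": "r", "ㄑ": "f", "ㄒ": "v",
    "ㄓ": "5", "ㄔ": "t", "ㄕ": "g", "ㄖ": "b",
    "ㄗ": "y", "ㄘ": "h", "ㄙ": "n",
    "ㄧ": "u", "ㄨ": "j", "ㄩ": "m",
    "ㄚ": "8", "ㄛ": "i", "ㄜ": "k", "ㄝ": ",",
    "ㄞ": "9", "ㄟ": "o", "ㄠ": "l", "ㄡ": ".",
    "ㄢ": "0", "ㄣ": "p", "ㄤ": ";", "ㄥ": "/",
    "ㄦ": "-",
    "ˉ": " ", "ˊ": "6", "ˇ": "3", "ˋ": "4", "˙": "7",   # tone marks
}


def zhuyin_to_keystrokes(syllables):
    """Keys pressed to type the Zhuyin syllables with the IME switched off."""
    out = []
    for syllable in syllables:
        for symbol in syllable:
            if symbol not in ZHUYIN_TO_KEY:
                raise ValueError(f"not a Zhuyin symbol on this layout: {symbol!r}")
            out.append(ZHUYIN_TO_KEY[symbol])
    return "".join(out)


# Constructed stand-in for an attacker's list of common Mandarin phrases,
# already in Zhuyin; a real list would have tens of thousands of entries.
PHRASEBOOK = {
    "你好": ["ㄋㄧˇ", "ㄏㄠˇ"],
    "你好嗎": ["ㄋㄧˇ", "ㄏㄠˇ", "ㄇㄚ˙"],
    "謝謝": ["ㄒㄧㄝˋ", "ㄒㄧㄝˋ"],
    "再見": ["ㄗㄞˋ", "ㄐㄧㄢˋ"],
    "早安": ["ㄗㄠˇ", "ㄢˉ"],
}


def recover_phrase(keystrokes, phrasebook=PHRASEBOOK):
    """Attacker side: push every phrase through the same fixed mapping and compare.

    The layout is public and deterministic, so the keystroke form is no more
    secret than the Mandarin phrase behind it. Returns the phrase or None.
    """
    for phrase, syllables in phrasebook.items():
        if zhuyin_to_keystrokes(syllables) == keystrokes:
            return phrase
    return None


if __name__ == "__main__":
    typed = zhuyin_to_keystrokes(PHRASEBOOK["你好嗎"])
    print("typed with IME off:", repr(typed))
    print("attacker recovers:  ", recover_phrase(typed))
    # Mixing in something that is not a dictionary phrase, as the post
    # suggests, is what defeats the phrasebook lookup.
    print("attacker recovers:  ", recover_phrase("muphas " + typed))
```

The lookup succeeds on the bare phrase and fails as soon as a non-dictionary token is prepended; with a realistic phrase list the attacker's cost is the size of that list, not the length of the keystroke string.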

Just a note: I'm no expert in password (pass phrase) security, but the tips above come from my random readings and general knowledge, and they make sense to me.

As you can see it's not all that hard coming up with pass phrases (easier than coming up with passwords) and they are definitely much easier to remember! Though I must warn you, after many years of using passwords it might take some time to get used to them - I signed up for a new online account with a pass phrase, but then forgot it, probably because I had thought of so many different possible pass phrases!


3 Responses to “Forgot your password?”


  1. marty

    I think coming up with a good passphrase/password is an art on itself…

  2. Chii

    I would normally use a staggered security level in passwords - for trivial stuff like a disposable email/registration/forum, I'll use a simple name I can remember, but for a uni login or important web email, I will use a very secure password of 12 chars or so.

    Personally, I don't think password security matters, because for something as important as banking, I will not do it online simply because it's not secure enough no matter what password I use!

  3. pyko

    @marty
    yeah, I agree with you there - good passphrases and passwords need a fair bit of thought behind them, especially passphrases. I haven't yet switched to using passphrases because I haven't thought of anything that seems suitable :(
    @Chii
    same - I've got 'staggered' security levels too; some of my passwords are very simple, while others are 10 mixed chars. Though with passphrases it might become that the 'weak' passwords are 10 chars, and the stronger ones are much longer!

    as for just not using online banking etc. ... I find it too convenient not to use it, so I just try and come up with extra secure passwords - which will now become extra secure passphrases :)
