Not so long ago, I was reading Coding Horror and came across two rather interesting posts: Passwords vs Pass Phrases and Passphrase Evangelism. If you don't want to read those posts (though I highly recommend you read them) the golden rule is "stop thinking of passwords as single words, and start thinking of them as pass phrases".

A few people I know (including myself) have problems coming up with strong passwords and remembering them - and I think this is the solution! From psychology we learnt that on average people remember 7 things - be that 7 letters or 7 words. So that means a password is usually 7 characters, but if you remember a pass phrase it will be 7 words - which is approximately 28 characters if you average 4 letters per word!

So for those who just can't remember a random string of characters, or are already using semi-pass phrases...how do you choose a strong pass phrase? Well, over the weekend I did a bit of Googling and found some basic guidelines:

  • Try to use medium-long words - short words can still be cracked
  • Try to have at least 4 word pass phrases - the longer the better
  • Don't use famous phrases (e.g. "To be or not to be" probably isn't the best idea)
  • Include spaces, numbers, caps, and special characters
  • Personal information isn't recommended

Here are some of my tips which might be useful if you're thinking of changing to pass phrases:

  • Mix it with your password! If you've already got a half-decent password that you use everywhere and will never forget, why not use it? "Didn't you know my password is z1%SwL?" is probably stronger than just "z1%SwL"
  • Use your own abbreviations. This will probably make it harder for a dictionary hack on your pass phrase.
  • Don't be too fussed with your grammar/spelling. Again, if your sentence isn't quite normal it's more unique and thus harder to crack.

For those who know and are relatively fluent in a foreign language, use it! I'm Chinese myself, so these are all based on Mandarin, but I would assume other languages would work in a similar fashion. I'm using the standard Bopomofo keyboard layout, and if you use a different input method, it'll turn out to be different - but hey, isn't that a bonus?

  • Just type in Chinese, but without the language option turned on. So something easy to remember like "How are you?" turns out to be "su3cl3a8 2?". It still looks like a password, but is much easier to remember and will likely be longer than your standard password.
  • Type the pronunciation in English (for Chinese this is known as pinyin) and mix it with English if you want. Quite some time ago I used this as a password: "muphas hen3 nan2", which translates to "muphas is very hard" (MUPHAS is an extension maths course now known as UMEP).
  • Combine the above two...and you get "muphas 5p 27k hen3 nan2" (MUPHAS is really very hard)
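As an added example (not the post's own code), here is the keyboard trick from the Chinese list above together with the 7-words-versus-7-characters arithmetic from the opening paragraph, in Python. It maps Bopomofo onto the standard keyboard layout the post refers to (assumed to be the Daqian layout, whose "su3cl3" for 你好 matches the post), shows that the mapping is reversible by anyone who knows the layout, and compares how many guesses each reading of the post's numbers implies; the 5000-word vocabulary and the 95-character printable alphabet are assumed figures.

```python
import math

# Standard (Daqian) Bopomofo keyboard layout: every phonetic symbol and tone mark
# sits on one US-QWERTY key, so typing Bopomofo with the IME switched off yields
# ASCII. Assumption: this is the layout the post calls "the standard Bopomofo
# keyboard layout"; its own "su3cl3" for 你好 (ㄋㄧˇ ㄏㄠˇ) agrees with it.
BOPOMOFO_TO_KEY = {
    "ㄅ": "1", "ㄉ": "2", "ˇ": "3", "ˋ": "4", "ㄓ": "5", "ˊ": "6", "˙": "7",
    "ㄚ": "8", "ㄞ": "9", "ㄢ": "0", "ㄦ": "-",
    "ㄆ": "q", "ㄊ": "w", "ㄍ": "e", "ㄐ": "r", "ㄔ": "t", "ㄗ": "y", "ㄧ": "u",
    "ㄛ": "i", "ㄟ": "o", "ㄣ": "p",
    "ㄇ": "a", "ㄋ": "s", "ㄎ": "d", "ㄑ": "f", "ㄕ": "g", "ㄘ": "h", "ㄨ": "j",
    "ㄜ": "k", "ㄠ": "l", "ㄤ": ";",
    "ㄈ": "z", "ㄌ": "x", "ㄏ": "c", "ㄒ": "v", "ㄖ": "b", "ㄙ": "n", "ㄩ": "m",
    "ㄝ": ",", "ㄡ": ".", "ㄥ": "/",
}
KEY_TO_BOPOMOFO = {key: sym for sym, key in BOPOMOFO_TO_KEY.items()}


def bopomofo_to_keys(phrase: str) -> str:
    """Keystrokes produced by typing `phrase` with the Chinese IME turned off.
    Characters outside the layout (spaces, punctuation) pass through unchanged."""
    return "".join(BOPOMOFO_TO_KEY.get(ch, ch) for ch in phrase)


def keys_to_bopomofo(keys: str) -> str:
    """Inverse of bopomofo_to_keys: the layout is a bijection, so anyone who
    knows it recovers the phonetic phrase from the ASCII password."""
    return "".join(KEY_TO_BOPOMOFO.get(ch, ch) for ch in keys)


def guess_bits(password_chars=7, words=7, vocab=5000, avg_word_len=4, alphabet=95):
    """Log2 of the guesses an attacker needs under three readings of the post's
    numbers: a 7-character password over the 95 printable ASCII characters, the
    same 7 words read naively as 28 random characters, and the realistic case of
    7 words drawn from a vocab-word dictionary (the post's 'dictionary hack')."""
    return {
        "random_password": password_chars * math.log2(alphabet),
        "phrase_as_random_chars": words * avg_word_len * math.log2(alphabet),
        "phrase_as_dictionary_words": words * math.log2(vocab),
    }


if __name__ == "__main__":
    keys = bopomofo_to_keys("ㄋㄧˇㄏㄠˇ")          # 你好 typed without the IME
    print(keys, "->", keys_to_bopomofo(keys))    # su3cl3 -> ㄋㄧˇㄏㄠˇ
    for model, bits in guess_bits().items():
        print(f"{model:28s} {bits:6.1f} bits")
```

The middle figure is what the "28 characters" intuition suggests; the last one is what a dictionary-aware attacker actually faces, which is why the post's advice to add abbreviations, odd spelling and a mixed-in password matters more than raw length.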

Just a note: I'm no expert on password (pass phrase) security, but the tips above come from my random readings and general knowledge, and they make sense to me.

As you can see it's not all that hard coming up with pass phrases (easier than coming up with passwords) and they are definitely much easier to remember! Though I must warn you, after many years of using passwords it might take some time to get used to it - I signed up to a new online account with a pass phrase, but then I forgot my pass phrase...probably because I had thought of so many different possible pass phrases!