Tips for creating a secure password/passphrases

The first step in protecting your online privacy is creating a secure password/passphrase - i.e. one that a computer program (password cracker) or persistent individual won't easily be able to guess in a short period of time.

What is a passphrase?

A passphrase is a password.  We’ve all been told to create passwords with upper and lower case letters, numbers and special characters: JkLp20*&QX2z!  The problem? That’s hard to remember, and not so hard for a password cracker wielding cybercriminal to crack.

The National Institute of Standards and Technology (NIST) recommends using a passphrase. Their recommendation is based on the research findings from Carnegie Mellon’s Lorrie Faith Cranor. Watch her Ted Talk - "iloveyou password 123456." .

A passphrase is a long combination of words that is hard to guess, but easy for you to remember. The idea is to put words together based on how you associate meaning from the words. 

Tips for creating a good passphrase

This article, posted on the NIST website, is worth reading:

Please Note: All examples below are written without spaces, just as you would enter a password.

Create a passphrase by putting together words that go together in your mind, based on the way that you think and make associations between objects, people, rooms in your house, etc.

The above referenced NIST article tells us to create a passphrase from a picture in our head. The author says that while sitting in his dining room chair, he sees elements of his kitchen: “blenderventpendantredchair.” This is easy for him to remember because the elements are listed in the order they appear as he looks around the room. A hacker would not know that.

  • Maybe you’re a bird watcher: falconfieldflyrat
  • Maybe you like rice: ricewaterplumproundpan.
  • Maybe you have a vase from your great grandmother: Vasegrannyheirloomgreen
  • Maybe your child will go to college next year: savingstaxescollegeexemption, or, awaycreditcardheadache, or, something that you think about when you think about your child going to college.

Using a different spelling for some words is also a good idea. For instance, instead of "My," use Meye (M+eye). Instead of "didn't," use dint and so on. If the site on which you're using a password allows it, use apostrophes, spaces, quotation marks, commas, etc.

What's important?

  • Passphrase length: make your passphrase at least 15 characters long.
  • Passphrase idiosyncrasy: make it unique to your thinking and not a popular phrase like “Who’s on First?”
  • Create a unique passphrase for each account you own.
  • Creating a passphrase/password is only one part of staying secure, and keeping your information safe.

What to avoid?

  • Don’t use your phone number, address, birthday, or other private information in your passphrase. Stay away from phrases that start with “I love…,” or “I hate….” Don’t use popular sentences like:
    • Fourscoreandsevenyearsago… (Gettysburg Address)
    • Thisdaywillliveininfamy. (Pearl Harbor Address)
    • I’mthenewSinatraandsinceImadeithere… (Jay Z)
    • MaysTiantBondsVaughnClemens (Major League Baseball Greats)
    • JackJillJoeJane (the names of your four children, for instance)
  • Never use the same password for more than one account.
  • Don’t use keyword patterns like QWERTY or 54321
  • Never share your password with anyone, in any form. Never.
  • Never believe that a strong passphrase is the only thing you need to be secure online. Read more about your role in Information Security

Protect yourself at all times.




100% helpful - 3 reviews
Print Article


Article ID: 43591
Tue 12/5/17 4:51 PM
Wed 6/12/19 9:41 AM

Related Articles (2)

Learn how to set up your Network password and multi-factor authentication. This article applies to students only (not faculty/staff).
Learn how to activate your Student Gmail account. [LEGACY ARTICLE - APPLIES TO STUDENTS ATTENDING SPRING 2023 OR EARLIER]