Tips for creating a strong passphrase

Summary

Learn how to create strong passphrases to protect your online accounts

Body

The first step in protecting your online privacy is creating a secure password/passphrase - i.e. one that a computer program (password cracker) or persistent individual won't easily be able to guess in a short period of time.

What is a passphrase?

A passphrase is a password. We’ve all been told to create passwords with upper and lower case letters, numbers and special characters: JkLp20*&QX2z! The problem? That’s hard to remember, and not so hard for a cybercriminal wielding a password cracker to crack.

The National Institute of Standards and Technology (NIST) recommends using a passphrase. Their recommendation is based on the research findings of Carnegie Mellon’s Lorrie Faith Cranor. Watch her TED Talk, "iloveyou password 123456."

A passphrase is a long combination of words that is hard to guess, but easy for you to remember. The idea is to put words together based on the meaning you associate with them.

How do I create a good passphrase?

This article, posted on the NIST website, is worth reading: https://www.nist.gov/blogs/taking-measure/easy-ways-build-better-pw0rd

Please Note: All examples below are written without spaces, just as you would enter a password.

Create a passphrase by putting together words that go together in your mind, based on the way that you think and make associations between objects, people, rooms in your house, etc.

The above-referenced NIST article tells us to create a passphrase from a picture in our head. The author says that while sitting in his dining room chair, he sees elements of his kitchen: “blenderventpendantredchair.” This is easy for him to remember because the elements are listed in the order they appear as he looks around the room. A hacker would not know that.

  • If you like cats, maybe something like: "IHeartOrangeTabbyCats"
  • If you like football, maybe something like: "JoshAllenForMVP"
  • If you like movies, maybe something like: "BarbieWasAMasterpiece"
  • If you like TV shows, maybe something like: "JeffProbstIsStillHostingSurvivor"
  • If you like camping, maybe something like: "LoveCampingAtLetchworth"
  • If you like Taco Bell, maybe something like: "Beefy5LayerBurrito"

Using a different spelling for some words is also a good idea. For instance, instead of "My," use Meye (M+eye). Instead of "didn't," use dint and so on. If the site on which you're using a password allows it, use apostrophes, spaces, quotation marks, commas, etc.

What's important?

  • Passphrase length: make your passphrase at least 15 characters long.
  • Passphrase idiosyncrasy: make it unique to your thinking and not a popular phrase like “Who’s on First?”
  • Create a unique passphrase for each account you own.
  • Creating a passphrase/password is only one part of staying secure and keeping your information safe.

What to avoid?

  • Don’t use your phone number, address, birthday, or other private information in your passphrase. Stay away from phrases that start with “I love…,” or “I hate….” Don’t use popular sentences like:
    • "Fourscoreandsevenyearsago" (Gettysburg Address)
    • "Thisdaywillliveininfamy" (Pearl Harbor Address)
    • "MaysTiantBondsVaughnClemens" (Major League Baseball Greats)
    • "JackJillJoeJane" (the names of your four children, for instance)
  • Don't use the same password for more than one account.
  • Don’t use keyboard patterns like QWERTY or 54321.
  • Don't share your password with anyone, in any form. Never.
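
The "What's important?" and "What to avoid?" lists can be enforced automatically, for example when a user picks a new passphrase. The following Python is an added example, not part of the original article; the function names, the five-key run threshold and the four-character minimum for personal-information matches are assumptions, and the popular-phrase list holds only phrases quoted in this article.

```python
import re

MIN_LENGTH = 15  # the article's minimum length
# Popular phrases quoted in the article; a real deployment would load a larger list.
POPULAR = {"Who's on First?", "Fourscoreandsevenyearsago", "Thisdaywillliveininfamy"}
# Keyboard rows plus the digit row, scanned in both directions.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
RUN = 5  # assumed threshold: "54321" is five keys long


def normalize(text):
    """Lowercase and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def has_keyboard_run(norm, run=RUN):
    """True if norm contains `run` adjacent keys from one row, in either direction."""
    for row in ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in norm:
                    return True
    return False


def check_passphrase(candidate, personal_info=()):
    """Return the article rules the candidate breaks (an empty list means it passes)."""
    norm = normalize(candidate)
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 15 characters")
    # Compare normalized forms so spacing, case and punctuation do not hide a match.
    if norm in {normalize(p) for p in POPULAR}:
        problems.append("popular phrase")
    if norm.startswith(("ilove", "ihate")):
        problems.append("starts with 'I love' or 'I hate'")
    if has_keyboard_run(norm):
        problems.append("keyboard pattern")
    # personal_info: caller-supplied phone number, address, birthday, etc.
    if any(len(normalize(p)) >= 4 and normalize(p) in norm for p in personal_info):
        problems.append("contains personal information")
    return problems
```

A check like this cannot judge whether a phrase is idiosyncratic or reused on another account, so it complements the guidance above rather than replacing it.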

How can I remember all of these passphrases?

If you have trouble remembering all of your passwords and passphrases, you may want to consider using a password manager. There are several popular password manager applications on the market. See our Password Manager article for more information.

Details

Article ID: 43591
Created: Tue 12/5/17 4:51 PM
Modified: Wed 9/18/24 12:56 PM
