How to create a good passphrase

As you work your way through how to create a good passphrase, check how good your working examples are with this passphrase strength checker –  https://thycotic.com/resources/password-strength-checker/ . It also gives tips on how you can make your passphrase even stronger.


One of the golden rules is ‘longer is better’. The more characters you have in your phrase, the better. This is down to pure mathematics: the greater the number of possible character combinations, the longer it takes a password cracker to run through all of them.

A password you can’t remember is of no use. A better idea is to create a collection of letters, numbers and symbols you can remember by encapsulating them into a phrase. There are a few ways to do this.

A phrase is better than a word of the same number of characters as it’s easier to remember. We’re looking for phrase lengths ideally of 16 characters or more.

Creating a phrase

If we’re looking for 16 characters or more, one way is to pick four words, each of four characters. You’ll need to get a bit creative with where you put the uppercase, number and special characters, but the principle is simple. For example:

First attempt:

  • Hair
  • Leaf
  • Road
  • Blue

(Would take 138,000 years to crack, using standard methods)

Upgraded attempt:

  • haiR
  • 6eaf
  • road
  • B#ue

(Would take 5 trillion years to crack, using standard methods)

Another way to create a phrase is to use a pattern. Think of a sentence that means something to you. For example:

The daffodils in spring make me think of yellow trumpets welcoming me home in the evening

Take the first letter of each word and you have:

tdismmtoytwmhite

(138,000 years to crack using standard methods)

Include the additional character requirements and:

tDi5mmtoy*wmhitE

(63 billion years to crack using standard methods)


Use a Dice

https://www.eff.org/dice

The Electronic Frontier Foundation, an organisation that promotes online privacy, has a method for selecting words from their Long Wordlist, using dice throws to pick each word. Check out their page for how this works and for the Wordlist itself. They also have a Short Wordlist, using shorter words, in case you find these easier to use. On this page the EFF recommends using six words, but we’ll leave you to interpret that as you will! You get the point – the more characters the better, but there are limits.
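As an added example (not code from the article or from the EFF), here is a small Python script that puts the two phrase-building methods above into code: the “first letter of each word” pattern, and the EFF dice method, which looks each five-dice roll up in a wordlist keyed by dice digits. The wordlist excerpt below is a constructed sample in the EFF file format, not the real 7,776-entry list; the entropy figure assumes the full list.

```python
import math
import secrets

# Constructed excerpt in the EFF wordlist file format ("<five dice digits><tab><word>").
# The real EFF Long Wordlist has 7776 entries, one per possible 5-dice roll; this is a sample only.
SAMPLE_WORDLIST = """11111\tabacus
11112\tabdomen
11113\tabdominal
66664\tzoology
66665\tzoom
66666\tzucchini
"""

def parse_eff_wordlist(text):
    """Map each dice key (e.g. '11112') to its word, rejecting malformed keys."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split("\t", 1)
        if len(key) != 5 or any(c not in "123456" for c in key):
            raise ValueError(f"bad dice key: {key!r}")
        table[key] = word.strip()
    return table

def roll_dice(n_dice=5):
    """One word's worth of dice, drawn from the OS CSPRNG rather than random.random()."""
    return "".join(str(1 + secrets.randbelow(6)) for _ in range(n_dice))

def passphrase_from_rolls(table, rolls, sep=" "):
    """Look up each 5-dice roll in the table, exactly as the EFF method does by hand."""
    return sep.join(table[r] for r in rolls)

def entropy_bits(num_words, list_size=7776):
    """Each word chosen uniformly from the list adds log2(list_size) bits of guessing resistance."""
    return num_words * math.log2(list_size)

def acronym(sentence):
    """The 'first letter of each word' pattern from the article (lower-case, before adding symbols)."""
    return "".join(w[0].lower() for w in sentence.split())

if __name__ == "__main__":
    table = parse_eff_wordlist(SAMPLE_WORDLIST)
    print(passphrase_from_rolls(table, ["11111", "66666"]))
    print(acronym("The daffodils in spring make me think of yellow trumpets welcoming me home in the evening"))
    print(f"4 words: {entropy_bits(4):.1f} bits, 6 words: {entropy_bits(6):.1f} bits")
```

With the full list, `roll_dice()` repeated six times gives six keys to look up, which is where the EFF’s “six words” recommendation comes from: about 77.5 bits of entropy versus about 51.7 for four.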

The final tool to help you generate a quality password is this page by the makers of one of the best password managers, 1Password – https://1password.com/password-generator/. It gives you the option of creating a Memorable Password, just as we’ve described above, consisting of multiple unrelated words, or a random password. It’s very simple to use, with settings for the number of characters you’d prefer and whether to include numbers and symbols.


Rotation

Conventional wisdom and corporate policy say we need to change our passwords at a given frequency. At IPG this is currently every 90 days, increased in 2020 from 60 days. New thinking suggests that, combined with 2-Factor Authentication, a good strong passphrase needs changing much less often. Within IPG, this policy is unlikely to change anytime soon, for lots of reasons including fulfilling client obligations. However, for your personal accounts you could consider changing those good strong passwords only when you need to, provided they are combined with 2FA.
