
Forget Passwords, Use Passphrases for Extra Security

What we call a password doesn't have to be a word at all. A whole phrase or sentence, a passphrase, offers more security. A correctly chosen passphrase is easy for you to remember but difficult for anyone else to guess.

By Neil J. Rubenking
May 23, 2013

The humble password serves to protect your financial transactions, your social networking sites, and a host of other nominally secure websites online. If you use a simple, easy-to-remember password, a malefactor might crack it using what's called a dictionary attack. If you carefully memorize a complex password like 3Yx3FnmQVt%e (generated for me just now by LastPass) and then use it on every site, a security breach at one site could expose all of your other accounts. And yet, remembering a different strong, complex password for every site is just not possible. Or... is it?

Sophos's Graham Cluley has suggested starting with a memorable phrase and boiling it down to a collection of letters, numbers, and symbols like F+Wsd4adoe&h. The wags who write the xkcd webcomic ridiculed this approach, advising that you instead combine random common words to get a long password like CorrectHorseBatteryStaple. "Long password" is the key concept here—the longer the password, the tougher it is to crack.
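To put numbers on "the longer the password, the tougher it is to crack", here is an added worked example (not from the article, Sophos, or xkcd) that estimates the entropy of the two schemes under an assumed attacker model: an offline attacker who knows which scheme was used and tries 10 billion guesses per second. The word-list sizes (2048 and the 7776-word Diceware list) and the guess rate are assumptions chosen for illustration; the estimate for a passphrase only holds when the words are picked at random, since a meaningful sentence has far fewer plausible choices than the raw word count suggests.

```python
import math

# Constructed attacker model (assumptions for this example, not figures from the article).
PRINTABLE_ASCII = 94        # letters, digits and symbols typable on a US keyboard
SMALL_WORDLIST = 2048       # a 2^11-word list, the size behind many "four words" estimates
DICEWARE_WORDLIST = 7776    # 6^5 words, the classic Diceware list
GUESSES_PER_SECOND = 1e10   # assumed offline cracking rate against a fast, unsalted hash


def entropy_bits(space_size: int, length: int) -> float:
    """Bits of entropy when `length` elements are chosen uniformly from `space_size` options.

    For a character password, space_size is the alphabet and length the character count.
    For a passphrase of randomly chosen words, space_size is the word list and length the
    number of words. A hand-picked sentence is NOT uniform and scores lower in practice.
    """
    return length * math.log2(space_size)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to find the secret: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2.0 / rate


def compare(random_len: int = 12, words: int = 4, wordlist: int = SMALL_WORDLIST) -> dict:
    """Compare a random character password with a random word passphrase."""
    pw_bits = entropy_bits(PRINTABLE_ASCII, random_len)
    pp_bits = entropy_bits(wordlist, words)
    return {
        "password_bits": pw_bits,
        "password_seconds": expected_crack_seconds(pw_bits),
        "passphrase_bits": pp_bits,
        "passphrase_seconds": expected_crack_seconds(pp_bits),
    }


def words_needed(target_bits: float, wordlist: int = DICEWARE_WORDLIST) -> int:
    """How many random words from `wordlist` are needed to reach `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist))


if __name__ == "__main__":
    # 12 random printable characters (the LastPass-style password in the article)
    # versus 4 random words from a 2048-word list, then 5 Diceware words.
    for label, result in (
        ("12 random chars vs 4 words/2048", compare(12, 4, SMALL_WORDLIST)),
        ("12 random chars vs 5 words/7776", compare(12, 5, DICEWARE_WORDLIST)),
    ):
        print(label)
        for key, value in result.items():
            print(f"  {key:20s} {value:,.1f}")
    print("Diceware words to match 12 random chars:",
          words_needed(entropy_bits(PRINTABLE_ASCII, 12)))
```

The takeaway the numbers show: four words from a small list (44 bits) fall well short of twelve random characters (about 79 bits) against an attacker who knows the word list, and it takes six Diceware words to catch up. Length helps, but only random choice makes each added word count for its full share.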

Creating a Passphrase
A passphrase is simply a phrase or sentence that you use instead of a word or set of characters. Most password systems don't allow the space character, so you'll typically capitalize the first letter of each word instead. The key to creating a strong passphrase for a given website is to use something that's meaningful to you but that wouldn't be easily guessed.

Suppose you want to create a passphrase for the Bank of America website. If you have a historical bent, you might use something like A.P.GianinniFoundedTheBankOfItalyIn1904. That's plenty strong; it has uppercase and lowercase letters, digits, and special characters. Did you notice my sly tweak? I tend to misspell Giannini, so even if clever hackers somehow guessed my passphrase, that misspelling might throw them off.

Maybe your association is the sculpture nicknamed "The Banker's Heart", outside what used to be the Bank of America Center in San Francisco. OK, how about TheBanker'sHeart@555CaliforniaStreet for a passphrase? The point is to use a phrase describing something that you associate with the site, and to use as lengthy a phrase as you can bear to type.

As I mentioned earlier, the strongest password in the world isn't secure if you use it for every one of your secure sites. You do need to come up with a different one for each site. Maybe you regularly use PayPal to pay the kid down the block for mowing your lawn. Your PayPal password could be something like KeepItTrimmed,Kid,AndI'llGiveYou$$. See? It's not so hard.

A Few Drawbacks
Occasionally you'll find a site whose password length limit makes using a passphrase tough. In that case you might consider boiling down the passphrase to just the first letter from each word, retaining any digits or special characters. And of course you still have to be alert for phishing sites. If the page looks like PayPal but the Address Bar shows www.pyapal.gotcha.ru or some such, get out of there fast! The strength of your password is irrelevant if you give it away to fraudsters by entering it at a phishing site.
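The two mechanical steps described above, joining a spaced phrase by capitalizing each word (the "Creating a Passphrase" section) and boiling a passphrase down to first letters plus digits and symbols for a site with a short length limit, as an added example that is not part of the article. The tokenizer is my own: a word starts at a capital letter or a run of lowercase letters, and digit runs and symbol runs are kept whole; the function and parameter names are assumptions.

```python
import re

# Token pattern (assumed for this example): a capitalized word, a run of lowercase
# letters, a run of digits, or a run of symbols. Whitespace is skipped.
_TOKEN = re.compile(r"[A-Z][a-z]*|[a-z]+|\d+|[^A-Za-z\d\s]+")


def to_camel(phrase: str) -> str:
    """Step 1: remove spaces by capitalizing the first letter of each word.

    Punctuation attached to a word stays with it, so
    "keep it trimmed, kid" becomes "KeepItTrimmed,Kid".
    """
    return "".join(word[:1].upper() + word[1:] for word in phrase.split())


def reduce_passphrase(passphrase: str) -> str:
    """Step 2: keep only the first letter of each word, plus every digit and symbol."""
    parts = []
    for token in _TOKEN.findall(passphrase):
        parts.append(token[0] if token[0].isalpha() else token)
    return "".join(parts)


def fit_to_limit(passphrase: str, max_len: int) -> str:
    """Return the full passphrase if the site accepts it, else the reduced form.

    Raises ValueError if even the reduced form exceeds the limit, so the caller
    knows a different phrase is needed rather than silently truncating.
    """
    if len(passphrase) <= max_len:
        return passphrase
    reduced = reduce_passphrase(passphrase)
    if len(reduced) <= max_len:
        return reduced
    raise ValueError(f"reduced form {reduced!r} still exceeds {max_len} characters")


if __name__ == "__main__":
    # Constructed inputs using the article's own sample phrases.
    phrase = to_camel("keep it trimmed, kid, and i'll give you $$")
    print(phrase)                          # KeepItTrimmed,Kid,AndI'llGiveYou$$
    print(reduce_passphrase(phrase))       # KIT,K,AI'lGY$$
    bank = "A.P.GianinniFoundedTheBankOfItalyIn1904"
    print(fit_to_limit(bank, 40))          # unchanged, 39 characters fit
    print(fit_to_limit(bank, 16))          # A.P.GFTBOII1904
```

The reduced form is a fallback, not an upgrade: it throws away most of the characters that made the passphrase long, so it is only as strong as a short mixed-character password and should be reserved for sites that leave no choice.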

For an accomplished typist, typing in a passphrase on the keyboard is almost effortless. However, entering that same passphrase on a smartphone or tablet will be supremely difficult. One possible solution is to install a cross-device password manager and use a passphrase as the master password that unlocks all the rest of your passwords.

There are many paths to password perfection. Some may prefer to rely on a password manager to generate and manage strong passwords. For others, the passphrase solution offers a dandy balance, being both easy to remember and tough to crack.


About Neil J. Rubenking

Lead Analyst for Security

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s I turned my focus to security and the growing antivirus industry. After years working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.
