Why should I use a random passphrase?
Because humans are terrible at creating secure passwords. The famous xkcd comic got it right: humans have been trained to use hard-to-remember passwords that are easy for computers to guess.
Try as we might, humans usually end up using one of a few predictable patterns when creating passwords. We base them on things we can remember, such as names, locations, dates or just common English words. Then, we add some spice with a capital letter, some numbers, or a symbol.
Is it really that easy to crack a password? How is it done, exactly?
The method for cracking usually looks something like this:
- First, the hackers start with a bunch of wordlists. The top 10,000 most common passwords are a good place to start, along with lists of all English words, all names, dates, and so on. In less than one second, 30% of all passwords will be cracked.
- After exhausting those wordlists, they will try all of the words again with common substitutions: capitalizing the first letter (december → December), making common letter-for-number swaps (december → d3cemb3r), and other common password variations.
- Next, they start combining the previous wordlists. Name + date (doug3251983). Name + [separator] + date (doug.3251983).
- If all else fails: brute force, a.k.a. try every combination of characters. Try a, then b, then c ... eventually aa, ab, ac ... eventually 6j2b#hi8, 6j2b#hi9, 6j2b#hi0, et cetera.
If your password follows any kind of pattern, some combination of the steps above will eventually crack it. Depending on how well a website protects your stored password, modern computers can make somewhere between 10,000 and 350 billion guesses per second.
Your best defense is using a truly random password generator (like our passphrase generator).
I get it, simple passwords are cracked easily. But why a random passphrase?
There are dozens of random password generators out there that will happily put together a bunch of random characters for you to use as a password. These random passwords are secure, but they're a huge pain to actually remember.
Random passphrases provide the best combination of memorability and security.
By way of example, here are two passwords with similar crackability:
p%9y#k&yFm? | Approximately 90,182,663 centuries to crack
logic finite eager ratio | Approximately 189,658,722 centuries to crack
Which would you rather remember?
Fine, you've convinced me. I'll use a passphrase. What else can I do to increase my security?
The recipe for perfect password management is straightforward.
1. Use a password manager.
Firefox, Chrome, Safari and Internet Explorer all have built-in password managers. But if you plan to use your passwords across devices, you probably should use one of these:
- 1Password (Windows, Mac, iOS, Android)
- LastPass (iOS, Android; Chrome plugin works on Windows, Mac, Linux)
- KeePass (Linux, Windows, Mac, Android)
2. Use a strong master password for your password manager.
This is where a passphrase is especially useful.