Harlo Holmes

Chief Information Security Officer and Director of Digital Security

Last updated

Photo by David Huerta. CC0

The first step to a healthy digital life is an easy-to-implement strategy for managing your account credentials. You’ll notice that we’re using the term “passphrases” instead of “passwords.” Do you wonder why? In short, because passwords are obsolete. They’re too short, they tend to be unimaginative, and chances are, they’re already in one of the many databases of breached credentials floating around on the web.

Over the last few years, there have been way too many data breaches, with millions of users’ passwords dumped onto the open web and traded between criminal organizations. While this is bad enough, our tendency to reuse passphrases makes us even more insecure: Even if you don’t really care that hackers have your LinkedIn password, if you’ve used it anywhere else, they could gain access to another, more important account that you do care about.

With this in mind, we’ve compiled three tips for generating complex but painless passphrases. Incorporating a mixture of the following types for different accounts will greatly improve your digital security. And remember, no matter how robust your new passphrases are, you should enable two-factor authentication for each account where available. (Check out the site, https://2fa.directory, for more info!)

First Type: Short Codes

Take the following song lyric, from funk legend Chaka Khan:

Je m'appelle La Flamme (ca c'est mon nom). Set off your alarm ce soir!

  1. First layer of complexity: Take the abbreviation of the lyric to create a seemingly “random" string. Passphrase becomes jmlfccmnsoyacs
  2. Second layer: Switch up the case, for a mix of uppercase and lowercase letters. Passphrase becomes jmLFccMNsoyacs
  3. Third layer: Substitute letters for numbers. jm1FccMN50y4c5
  4. Fourth layer: Add punctuation. !jm1FccMN50y.4c5!

Good to use on:

  • Mobile devices (for example, to unlock/decrypt phone)
  • User account on your computer (unlock/decrypt Mac)
  • Web services where you have two-factor authentication enabled

Second Type: Password Database

Passphrase managers store an unlimited number of credentials in a database. That way, you never have to remember them, and you can easily eliminate password reuse from your life entirely! With a passphrase manager like KeePassXC (which stores your passphrases on a local file on your machine) or 1Password (which stores your passphrases using third-party servers) you can generate long, complex, and virtually uncrackable passphrases like:


These are good to use on:

  • Web services where two-factor authentication is not an option
  • ...just about anything you access from a web browser!

Third Type: Diceware

Get out five dice, a copy of the diceware word list, and generate your own strong, long, and memorizable passphrases. Each roll corresponds to a word on the list. String five to eight random words together, and create a funny story in your head to aid your memory. Your passphrase might look something like:

andre 23rd teeth sow monty poll debit footcozy

Good to use on:

  • Accounts where copy-pasting a password won’t work (e.g., certain pinentry programs)
  • To encrypt your passphrase database
  • Your PGP key
  • Accounts that might require you to read the passphrase out loud (e.g., with customer service)

Donate to support press freedom.

Your support is more important than ever.