A short guide on how to generate the best passphrases for your digital life.
The first step to a healthy digital life is an easy-to-implement strategy for managing your account credentials. You’ll notice we’re using the term “passphrases” instead of “passwords.” Wonder why? In short, passwords are obsolete. They’re too short, they tend to be unimaginative, and chances are, they’re already in one of the many databases of breached credentials floating around on the web.
Over the last few years, there have been way too many data breaches, where millions of users’ passwords have been dumped onto the open web, and traded between criminal organizations. While this is bad enough, our tendency to reuse passphrases makes us even more insecure: even if you don’t really care that hackers have your LinkedIn password, if you’ve reused it anywhere else, they could gain access to another, more important account that you do care about.
Here are three tips for generating complex, but painless passphrases. Incorporating a mixture of the following types for different accounts will greatly improve your digital security. And remember, no matter how robust your new passphrases are, you should enable two-factor authentication for each account where available. (Check out the site, https://twofactorauth.org, for more info!)
Take the following song lyric, from funk legend Chaka Khan:
Je m'appelle La Flamme (ca c'est mon nom). Set off your alarm ce soir!
First layer of complexity: take the first letter of each word in the lyric to create a seemingly “random” string. Passphrase becomes jmlfccmnsoyacs
Second layer: switch up the case, for a mix of uppercase and lowercase letters. Passphrase becomes jmLFccMNsoyacs
Third layer: substitute some letters with look-alike numbers. Passphrase becomes jm1FccMN50y4c5
Fourth layer: add punctuation. Passphrase becomes !jm1FccMN50y.4c5!
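The four layers above, written out as an added example (not code from the guide) so you can see exactly how the lyric turns into the final passphrase. The uppercase positions, the letter-to-digit map and the spot where the extra “.” goes are my reading of the guide’s example; they are parameters you would pick differently for your own lyric. Note that the layers are deterministic: the same substitutions (l→1, s→5, o→0, a→4) are exactly the kind of rules password-cracking software applies to dictionary words, so the strength of this method rests on the lyric being obscure and on your own case and punctuation choices, not on the substitutions.

```python
import re

# The lyric quoted in the guide (Chaka Khan).
LYRIC = "Je m'appelle La Flamme (ca c'est mon nom). Set off your alarm ce soir!"

# Layer 3 of the guide: letters replaced by look-alike digits. Applied
# case-insensitively, because the guide turns the uppercase "L" into "1".
DIGIT_SUBS = {"l": "1", "s": "5", "o": "0", "a": "4"}


def abbreviate(lyric: str) -> str:
    """Layer 1: first letter of every word, lowercased; leading '(' etc. is skipped."""
    initials = []
    for token in lyric.split():
        match = re.search(r"[A-Za-z]", token)
        if match:
            initials.append(match.group(0).lower())
    return "".join(initials)


def mix_case(s: str, upper_positions) -> str:
    """Layer 2: uppercase the characters at the chosen (0-based) positions."""
    chars = list(s)
    for i in upper_positions:
        chars[i] = chars[i].upper()
    return "".join(chars)


def substitute_digits(s: str, subs=DIGIT_SUBS) -> str:
    """Layer 3: swap letters for digits, matching regardless of case."""
    return "".join(subs.get(c.lower(), c) for c in s)


def punctuate(s: str, prefix: str, suffix: str, mark: str, insert_at: int) -> str:
    """Layer 4: wrap the string in punctuation and drop one more mark inside it."""
    return prefix + s[:insert_at] + mark + s[insert_at:] + suffix


def build_passphrase(lyric: str = LYRIC) -> dict:
    """Run all four layers. The parameters here (assumed) reproduce the guide's example."""
    layers = {}
    layers["abbreviated"] = abbreviate(lyric)
    layers["mixed_case"] = mix_case(layers["abbreviated"], upper_positions=(2, 3, 6, 7))
    layers["digits"] = substitute_digits(layers["mixed_case"])
    layers["final"] = punctuate(layers["digits"], prefix="!", suffix="!", mark=".", insert_at=11)
    return layers


if __name__ == "__main__":
    for name, value in build_passphrase().items():
        print(f"{name:>12}: {value}")
```

Running it prints the four intermediate strings from the guide, ending in `!jm1FccMN50y.4c5!`.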
Good to use on:
Mobile devices (unlock/decrypt phone)
User account on your computer (unlock/decrypt Mac)
Web services where you have two-factor auth turned on
Passphrase Managers store an unlimited number of credentials in a database. That way, you never have to remember them, and you can easily eliminate password reuse from your life entirely! With a passphrase manager like KeePassX (which stores your passphrases in a local file on your machine) or LastPass (which stores your passphrases on third-party servers), you can generate long, complex, and virtually uncrackable passphrases like:
Good to use on:
Web services where two-factor auth is not an option
...just about anything you access from a web browser!
Get out 5 dice and a copy of the Diceware word list, and generate your own strong, long, uncrackable and memorable passphrases. Each roll of all five dice gives a five-digit number that corresponds to one word on the list. String 5 to 8 random words together, and create a funny story in your head to aid your memory. Your passphrase might look something like:
andre 23rd teeth sow monty poll debit footcozy
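Here is the Diceware procedure as an added Python example; it is not part of the guide and the 36-word list inside it is constructed for the demo (keyed by two dice, so it runs offline), not the real list, which has 6^5 = 7776 entries keyed by five dice. The point the guide’s paragraph does not spell out is where the strength comes from: the dice pick one of list_size^n equally likely phrases, so the word count and list size set the strength, not how long or odd the individual words are. With the standard list, the guide’s 5 to 8 words work out to about 65 to 103 bits.

```python
import math
import secrets
from itertools import product

# A standard Diceware list has 6**5 = 7776 entries, one per five-dice roll.
DICEWARE_LIST_SIZE = 6 ** 5

# Constructed demo list for this example: 36 words keyed by TWO dice ("11".."66").
# It stands in for the real list only so the example runs offline.
DEMO_DICE = 2
DEMO_WORDS = [
    "andre", "teeth", "sow", "monty", "poll", "debit", "foot", "cozy", "apple",
    "brick", "candle", "dune", "ember", "fjord", "garlic", "harbor", "igloo",
    "jumbo", "kettle", "lemon", "mango", "noble", "orbit", "pebble", "quartz",
    "river", "saddle", "tulip", "umbra", "velvet", "walnut", "xenon", "yacht",
    "zebra", "acorn", "banjo",
]


def roll_key(n_dice: int) -> str:
    """Roll n_dice fair dice using the OS CSPRNG (never random.random for this).

    Returns the faces as a digit string such as '35162', the lookup key Diceware uses.
    """
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def build_demo_wordlist() -> dict:
    """Map every possible two-dice roll ('11'..'66') to one of the demo words."""
    keys = ["".join(faces) for faces in product("123456", repeat=DEMO_DICE)]
    return dict(zip(keys, DEMO_WORDS))


def diceware_passphrase(n_words: int, wordlist: dict, n_dice: int) -> list:
    """Pick n_words words by rolling dice; each word is chosen independently."""
    return [wordlist[roll_key(n_dice)] for _ in range(n_words)]


def entropy_bits(n_words: int, list_size: int) -> float:
    """Strength in bits: the dice select one of list_size**n_words equally likely phrases."""
    return n_words * math.log2(list_size)


def min_words_for(target_bits: float, list_size: int) -> int:
    """Smallest number of words from a list of list_size entries that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    words = diceware_passphrase(6, build_demo_wordlist(), DEMO_DICE)
    print(" ".join(words), f"({entropy_bits(6, len(DEMO_WORDS)):.1f} bits from the demo list)")
    for n in (5, 8):
        print(f"{n} words from the real 7776-word list: {entropy_bits(n, DICEWARE_LIST_SIZE):.1f} bits")
    print("words needed for 80 bits:", min_words_for(80, DICEWARE_LIST_SIZE))
```

Physical dice, as the guide suggests, are the simplest trustworthy source of randomness; `secrets` is the software equivalent. Whichever you use, the words must be chosen independently, which is why the code never lets you pick or reorder them by hand.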
Good to use on:
Accounts where copy-pasting a password won’t work (e.g. certain pinentry programs)
To encrypt your passphrase database
Your PGP key
Accounts that might require you to read the passphrase out loud (e.g. with customer service)
Photo by David Huerta. CC0