Passphrases - Memorable Yet Strong Passwords

About 2 min read

A passphrase is a long password made up of several words combined together. By stringing together unrelated words like "mountain-river-clock-purple," you can create credentials that are easy for humans to remember yet hard for computers to guess. Compared with traditional short, complex passwords (e.g., xK#9mP!2), passphrases more readily secure high entropy and reduce input errors, so they are gaining attention as a method that balances security and convenience.

The History and Mechanism of the Diceware Method

The most famous method for generating passphrases is the Diceware method, devised by Arnold Reinhold in 1995. You roll a physical die five times and match the resulting combination (e.g., 4-1-6-2-3) against a list of 7,776 words to determine a single word. You repeat this procedure to select multiple words and build a passphrase.

The essential strength of Diceware is that its entropy calculation is transparent. Each word guarantees log2(7776) ≒ 12.9 bits of entropy. Six words yield about 77 bits, and seven words about 90 bits. Not relying on a software random number generator and instead using a verifiable randomness source, namely physical dice, is what makes it a cryptographically honest design. Today, the EFF (Electronic Frontier Foundation) publishes an improved word list, designed so that more memorable words are chosen.

The Difference from Passwords - An Entropy Comparison

The decisive difference between traditional passwords and passphrases lies in how they accumulate entropy. An 8-character random password (uppercase and lowercase letters + digits + symbols, about 95 types) has at most about 52 bits of entropy. A 6-word Diceware passphrase, on the other hand, has about 77 bits. It comes to around 25 characters in length, but in memorability the passphrase is overwhelmingly superior.

However, this comparison has a prerequisite. The strength of a passphrase depends on the words being chosen at random. If you compose a meaningful sentence yourself, the entropy drops sharply. A sentence like "I love my cat very much" does not have strength matching its apparent length, because of grammatical constraints and the bias toward common words. Resistance to brute-force attacks and dictionary attacks ultimately depends on randomness.

The Merits and Demerits of xkcd #936

The xkcd comic #936 "correct horse battery staple," published in 2011, deserves credit for popularizing the concept of passphrases. Its claim that lining up four random words surpasses a complex but short password like "Tr0ub4dor&3" in both strength and memorability was intuitive and persuasive.

However, this comic also has problems that tend to be overlooked. First, the entropy of four words (about 44 bits) could not be called sufficient even back in 2011, and with today's computing power it is vulnerable to offline attacks. NIST recommends a minimum of 8 characters in its 2017 guidelines (SP 800-63B), but for passphrases the practical recommended line is 5 words or more, and preferably 6 words or more. Another ironic lesson is that "correct horse battery staple" itself became so famous that it is highly likely to be registered in attackers' dictionaries.

Practical Recommendations and When to Use Each

Passphrases are most effective in situations where a password policy calls for a master password. Specifically, they are suited to uses that require frequent manual entry and the highest level of strength, such as a password manager's master password, a disk-encryption passphrase, or an SSH key passphrase.

On the other hand, for the passwords of individual services, random strings generated by a password manager are more sensible than passphrases. Memorizing dozens of different passphrases for each service is not realistic, and you will ultimately succumb to the temptation to reuse them. Please also refer to How to Create Secure Passwords and The Psychology of Passwords.password security books on Amazon let you learn more deeply about the design philosophy of passphrases.

Common Misconceptions

The oversimplification that "longer is safe" is dangerous. A passphrase's strength depends not on length but on how randomly its words are chosen. A line of song lyrics, a famous quotation, or a phrase that is personally meaningful are easy candidates for an attacker to guess. Also, the separators between words (spaces, hyphens, periods, and so on) contribute almost nothing to entropy. Adding one more word is far more effective than tinkering with separators. Looking back on The History and Culture of Passwords reveals the limits of authentication that relies on human memory.