DON’T Use Passphrases for Passwords

notebook with password
Reading Time: 2 minutes

[Reading Time – 1 minute 44 seconds]

When I am speaking to users about passwords, towards the end of the presentation I give my three password principles:

  1. Any password that can be memorized is a weak password  (This is somewhat tongue-in-cheek, but it is to remind everyone that long passwords are more important than complex passwords, and our brains simply cannot remember long passwords).
  2. Any password that is repeated is a weak password  (Stolen password digests are routinely cracked and then posted on the Internet for attackers to download and use as the starting point when they attempt to crack new passwords. One web site boasts that it has over 1.6 billion cracked passwords that can be downloaded. And because users often repeat a password on more than one site, attackers routinely use these stolen passwords to see if the password they are trying to crack has already been used before–and it very often is).
  3. We must use technology instead of our brain for managing our passwords  (Because attackers use technology to crack our passwords, we must likewise use technology to protect them. This means using a password manager to store and retrieve your passwords).

However, invariably when I finish speaking, someone will come up to me and say that they use long passphrases instead of a password. They say that these are easy to memorize, so they don’t have to use a password manager. And usually these passphrases are the words to their favorite song or a famous line from a book or poem.

Is it safe to use a passphrase instead of a password?


And here’s the reason why.

Attackers know that users often use passphrases. So, in addition to using stolen passwords to see if your password matches it, they now also use huge repositories of known phrases and titles to quickly find a match and crack your password. And what are some of these repositories? Here’s just a small sample:

  • 15,000 Useful phrases
  • Movie titles and famous movie lines
  • Song lyrics
  • Titles of over 300,000 books
  • Wikipedia article titles
  • Words from the 2016 US presidential debates
  • 250,000 Women’s names

So, if you use a passphrase that includes music lyrics (“If_we_weren’t_all_crazy_we_would_go_insane”), movie lines (“May_the_Force_be_with_you”), or words from a famous saying (“Abandon_all_hope_ye_who_enter_here”) then your passphrase can easily be broken.

All passwords should be long, unique, not phrases–and stored in a password manager. And be sure to use the password manager’s built-in password generator to create long and complex passwords that are different for each account.

Anything less is just begging for your password to be cracked. And it will be.