What passphrase should I use?

Well, it all depends on what you're trying to protect vs what you're willing to memorise.

Passwords and passphrases work because they're long and random enough that other people can't guess them. But because you know the secret, you can get in. The more sensitive or valuable something is, the longer (and so harder to guess) you make your password / passphrase.

For example, my Facebook, Google, Steam and Internet banking accounts are all pretty sensitive to me. They contain private information, financial details, or both. So they all have long passwords.

On the other hand, my Paint.NET forum account is a) rarely used and b) doesn't really have anything important in it. So that can have a shorter password.

My KeePass database is the most important of all, because it contains all my passwords (at last count about 200 of them). It's the classic "all my eggs in one basket" (and watch them like a hawk) approach. It needs an appropriately strong password, and a memorable one: all the other accounts I've mentioned so far are remembered for me by KeePass, but I still need "one password to rule them all". So it needs to be long (lots of combinations) so people can't guess it, but memorable, because I can't store the password for my password database in my password database (chicken and egg problem)!

(And, another real world trade off, my wife has to be able to deal with it as well, so it can't be an essay).

This is where a readable passphrase is brilliant, because it's both easy to remember and long enough to be hard to guess.

So I selected a passphrase about 8-10 words long, from a randomly generated list.

So what phrase strength should I use?

Answer: Random.

And then choose the longest passphrase you're prepared to remember.

I'd recommend at least 8 words (remembering that "a" and "the" count as separate words) for protecting anything financial or private (internet banking, Facebook, Google, Ebay, etc). The longer the phrase, the better.

What about all the other phrase strengths?

If you find that you want shorter (or longer) passphrases, you can use RandomShort, RandomLong or even RandomForever (although don't blame me if people make fun of you entering your 100 letter passphrase when you log in).

Previous versions of readable passphrase forced you to choose between Normal, Strong and Insane. But that's complicated and requires thinking. With the Random phrase strength, it's easier to just generate 10 or 20 phrases and choose one which is long enough.

Of course, if you have more specific requirements, feel free to use a specific phrase strength, vary the min / max restrictions, build your own template, or even hook into the .NET API to do something even more funky.

I'm a Password Geek, Tell Me Everything!

The easiest way to see the differences between the different phrase strengths is to try them out. A list of 20 phrases is enough to see most variations. But if you want to know the formal differences, read about Combination Counting.

What About Upper Case, Numbers, Punctuation, etc (Password Requirements)

If you need to add or change your passphrase to meet certain password requirements, go right ahead. Or, you can use mutators to add some at random. Adding extra stuff or changing things is almost certain to make your passphrase harder to guess.

A final important point

Please, please, please don't use the statesmen will burgle amidst lucid sunlamps!

Last edited May 11, 2014 at 11:01 AM by ligos, version 10

Comments

ligos Jan 15, 2013 at 9:13 AM 
Sorry it didn't make sense to you. What I'm trying to say is that you're introducing a human bias toward 'coolness' or 'funniness' if you choose phrases you like. The generator isn't biased, but humans are. And, if hackers can figure out what makes 'cool' and 'funny' they can test phrases that are more cool than others.

It's like a password "p@s5w0Rd". It looks complicated and if you're trying every combination, it is complicated. But hackers have special rules which make that password trivial to guess (eg: an 'a' might be an '@'). If enough people use 'cool' passphrases, they'll figure out some measure of 'coolness' and generate similar rules which will make a passphrase which seems complicated much less so.

nopivnick Dec 25, 2012 at 4:42 PM 
> When you choose your readable passphrase, it's important all
> passphrases are equally likely. So when you choose, please
> choose the first passphrase you are offered and not wait for a
> cooler or funnier one to appear!

Sorry, can you explain this further?

Does not each generated passphrase have the same likelihood, regardless of which one we may choose to use based on perceived humour or 'coolness'?
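As an added illustration of the point argued in this exchange (and of the Combination Counting reference in the article above), here is example code that is not part of the plugin or the original page: it counts the equally likely phrases for a word list, bounds the entropy lost when someone keeps their favourite of several offered phrases, and simulates that bias. The twelve-word list is a constructed assumption; the real dictionary holds thousands of words.

```python
import math
import random
import secrets

# Constructed word list, an assumption for illustration only; the real
# Readable Passphrase dictionary holds thousands of words.
WORDS = ["statesmen", "burgle", "amidst", "lucid", "sunlamps", "hawk",
         "basket", "eggs", "chicken", "banking", "geek", "template"]


def generate_passphrase(n_words, words=WORDS, rng=secrets.SystemRandom()):
    """Each word is drawn uniformly, so every possible phrase is equally likely."""
    return " ".join(rng.choice(words) for _ in range(n_words))


def combinations(n_words, dict_size):
    """Combination counting: dict_size ** n_words equally likely phrases."""
    return dict_size ** n_words


def entropy_bits(n_words, dict_size):
    return math.log2(combinations(n_words, dict_size))


def bits_after_choosing(n_words, dict_size, offered):
    """Lower bound on the entropy left when a person keeps their favourite of
    `offered` generated phrases by a rule an attacker can reproduce: the kept
    phrase is at most `offered` times as likely as a single draw, so at most
    log2(offered) bits are lost. Taking the first phrase offered loses none."""
    return entropy_bits(n_words, dict_size) - math.log2(offered)


def cool_word_rate(cool, n_words, offered, trials, seed=1):
    """Simulate the bias: per trial generate `offered` phrases and keep the one
    with the most copies of `cool`. Returns (biased, unbiased) fractions of kept
    phrases containing `cool`. The seeded PRNG is for a repeatable experiment
    only; never use it to generate a real passphrase."""
    rng = random.Random(seed)
    biased = unbiased = 0
    for _ in range(trials):
        offers = [generate_passphrase(n_words, rng=rng) for _ in range(offered)]
        unbiased += cool in offers[0].split()  # the "take the first one" rule
        kept = max(offers, key=lambda p: p.split().count(cool))
        biased += cool in kept.split()
    return biased / trials, unbiased / trials


if __name__ == "__main__":
    print(generate_passphrase(8))
    print(f"8 words from {len(WORDS)}: {combinations(8, len(WORDS))} phrases,"
          f" {entropy_bits(8, len(WORDS)):.1f} bits")
    print(f"favourite of 20 leaves >= {bits_after_choosing(8, len(WORDS), 20):.1f} bits")
    print("rate of 'lucid' (biased, unbiased):", cool_word_rate("lucid", 8, 10, 2000))
```

With the real dictionary the absolute numbers are far larger, but the loss from picking the coolest of 20 is still at most log2(20), about 4.3 bits, which is why the article recommends a longer phrase over a cleverer one.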