Passwords – Do you use a passphrase instead of a password?
Updated by Jack Pettit [SSW] 1 year ago.
There’s a now-famous web comic from XKCD that explains this:

Figure: This XKCD comic shows why it’s important to use a passphrase, rather than a password
The specific advice in the comic about how to pick a good passphrase may not be relevant to you, but the resulting impact on security is.
To choose a good passphrase, use a combination of words that are unique and memorable. For example, you may have a distinct memory of a cat licking your ice cream when you were 4 years old. So 4yearicecreamcat might be a memorable phrase for you.
You might think a favorite sentence from a book would be better, given that it’s longer. That is true for the time taken to brute force a password with procedural character combinations, but attackers adapt their techniques to longer passwords, so it’s important to remember that a combination of words known to anyone in the world other than you is bad to use as a password.
Guggenheim
❌ Figure: Bad Example – It's a word that other people know
Mymistresseyesarenothinglikethesun
❌ Figure: Bad Example – It’s the opening to one of Shakespeare’s sonnets so is known to other people (and painful to type in)
4yearicecreamcat
😐 Figure: OK Example – It's 16 characters, composed of 5 words, is not a phrase that is known by anyone else, and is easy (for you) to remember
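The point above, as an added example that is not part of the original rule: a passphrase check that scores each of the three examples for character-by-character brute force and separately tests it against known text. `KNOWN_TEXT` is a small constructed sample, and the function names and the `min_length` default are assumptions.

```python
import math
import re
import string

# Constructed sample of publicly known text. A real check would load a large
# corpus (dictionary words, quotations, lyrics, previously breached passwords).
KNOWN_TEXT = [
    "Guggenheim",
    "My mistress' eyes are nothing like the sun",
    "It was the best of times, it was the worst of times",
]

def normalize(text: str) -> str:
    """Lowercase and keep only letters and digits, so that spacing,
    punctuation and capitalisation cannot disguise a known phrase."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

KNOWN = {normalize(t) for t in KNOWN_TEXT}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")

def brute_force_bits(candidate: str) -> float:
    """Search space, in bits, for procedural character-by-character guessing:
    length * log2(total size of the character classes used)."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in candidate))
    return len(candidate) * math.log2(pool) if pool else 0.0

def assess(candidate: str, min_length: int = 16) -> dict:
    """min_length is an assumed policy value, not one the page prescribes."""
    if normalize(candidate) in KNOWN:
        verdict = "known"        # length is irrelevant once the text is public
    elif len(candidate) < min_length:
        verdict = "too short"
    else:
        verdict = "ok"
    return {"bits": round(brute_force_bits(candidate), 1), "verdict": verdict}

if __name__ == "__main__":
    for pw in ("Guggenheim", "Mymistresseyesarenothinglikethesun",
               "4yearicecreamcat"):
        print(f"{pw:36} {assess(pw)}")
```

The sonnet line gets the highest brute-force score of the three and is still rejected, because a single lookup in a list of known text finds it.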