How to Create a Strong Passphrase, with Examples

Cyberattackers often target traditional passwords when looking for ways to burrow into enterprise networks. Brute-force methods, social engineering, and sophisticated hacking tools can crack weak passwords in mere seconds. To combat this, cybersecurity experts recommend replacing traditional passwords with passphrases, which offer enhanced security and are easier for employees to remember.

Why are we moving away from passwords? Passwords offer a level of security for accounts that have sensitive information or actions. Attackers seeking to gain access to those accounts use multiple methods to bypass the security of passwords. One popular method, the brute-force attack, creates a combination of characters, tests whether the result is correct or not, then modifies the combination by one and tries again.

To combat those probes, many companies require users to make their passwords more complex; in other words, by adding more characters and increasing the password's depth. Consider the common four-digit bank PIN. These codes use numbers zero to nine, meaning it only requires up to 10,000 different combinations before it can be successfully hacked.

In the case of a longer password, add some lowercase letters and an attacker would have to try up to 1,679,616 combinations before getting the right answer -- a huge increase. The value of increasing a password's depth, however, comes at a cost: usability. When users are required to add special characters, numbers, and capitalizations to passwords, these passwords become almost impossible to remember.

As a result, users often resort to easy-to-guess patterns that attackers exploit. For example, if the password requires a special character and a capital letter, most users capitalize the first letter and put an exclamation point at the end. Cybercriminals use this knowledge to their advantage, drastically reducing the number of combinations they have to try in order to guess correctly.

The strategy behind passphrases, therefore, is to increase the breadth of the combinations. A 16-character passphrase with only lowercase letters would require a hacker to comb through more than 43 sextillion -- that's 43,000,000,000,000,000,000,000 -- combinations before cracking the code.

That's why passphrases are better than passwords; they can be longer but still easy to remember. A passphrase is a sequence of random words or phrases strung together to create a longer, more complex, and more secure password. Unlike conventional passwords that are often short and difficult to remember -- such as P@ssw0rd123 -- passphrases are generally longer and composed of unrelated words -- for example, PurpleElephantSingsAtDawn.

Their length and randomness make them significantly harder to crack, while their word-based structure makes them easier to remember. As with any methodology, passphrases have benefits and challenges. Among their advantages are the following:

  • Better security against brute-force attacks
  • Easier to remember due to word-based structure
  • Increased length of combinations

D disadvantages of passphrases include the following:

  • May be longer and harder to type
  • May require more complex management procedures

How to Create a Strong Passphrase

Many passphrase and password generators are available, but it's easy enough to make up your own. To create a passphrase that is both secure and easy to remember, follow these best practices:

  • Random nouns: Pick four unrelated nouns. For example, TableFalconMirrorCloud.
  • Descriptive phrases: Combine adjectives with nouns for vivid imagery. For example, SilentOceanBrightStarFish.
  • Action-oriented: Use verbs and nouns for a more dynamic passphrase. For example, JumpingCatPaintsBlue, Whimsical stories. Create a mini-story that's easy to remember. For example, PirateEatsLemonUnderMoon.

As with password security, it is important to manage and protect passphrases. Users should follow these best practices, and security teams should include them in their password/passphrase trainings and policies:

  • Use a passphrase manager to securely store and generate new passphrases
  • Rotate passphrases every 90 days or as required by company policy
  • Use a unique passphrase for each account, especially sensitive ones

Passphrases offer a strong alternative to traditional passwords, combining security with ease of use. By choosing random, unrelated words and creating vivid mental images, users can create passphrases that are more secure against common cyber threats.