Computer Active (UK)

STOP USING PASSWORDS

Why passphrases are more secure


When is a password not a password? When it’s a passphrase. These are combinations of words that, if chosen correctly, are a much smarter way of staying safe than using passwords. At least, that’s the advice from the UK’s National Cyber Security Centre (NCSC). It recently recommended using three-word phrases because they’re easier to remember than a random string of numbers, letters and characters.

The NCSC also said that complicating your password with symbols is flawed because hackers use algorithms to spot them. So while ‘P@$$w0rd’ is more secure than ‘Password’, it’s still easy to crack. But that doesn’t mean you should pick any three-word phrase. Using ‘I love you’ is about as safe as posting a set of your home keys to every known burglar in the country.

On page 13 you’ll find some ideas from readers, but here we’ll explain how the web can help you pick a passphrase that would have foxed even Alan Turing.

Generate a four-word passphrase

Start at www.useapassphrase.com, which is almost evangelical in its support of passphrases. It explains why they’re necessary (“because humans are terrible at creating secure passwords”), and has a phrase-generator at the top of the page. This churns out a new four-word phrase every time you click ‘Generate New Passphrase’, and tells you how many centuries it would take to crack based on 10,000 guesses every second.

For example, ‘untaxed overbite famine blush’ (1 in our screenshot below) would remain uncracked for 731 billion centuries (2) (though we’ve now rendered it useless by publishing it). You can make your passphrases even harder to guess by making them longer – just click the dropdown menu and select five words or 12 (3).

You can use the site’s passphrase generator to test the security of any existing passwords. It told us that ‘I love you’ would be cracked in 13 seconds, and ‘P@$$w0rd’ in a mere 29 milliseconds.

Roll virtual dice to create a passphrase

Another way to create an iron-clad passphrase is not to use software, but diceware. This term is used to describe hardware random number generators, which are physical methods for creating security details – for example, creating a passphrase by rolling dice, where the numbers correspond to words.

Doing this yourself is neither quick nor secure, so instead try the site https://diceware.dmuth.org, which replicates the physical aspect of rolling dice (see screenshot above). Choose how many dice to roll (three dice means three words in your phrase), then click Roll Dice. Your phrase will appear below.

For rolls with up to five dice, the site gets its words from a list compiled by digital-rights campaigners Electronic Frontier Foundation (www.snipca.com/39396). It contains 7,776 words, equal to the number of possible combinations when rolling five six-sided dice. So, five dice landing 11111 equals Abacus, 66666 equals Zoom, and there are 7,774 words in between. That’s a lot of numbers, but the site needs even more when rolling six, seven and eight dice, so it uses a list from US computer scientist Peter Norvig, comprising the third-of-a-million most frequently used words (www.snipca.com/39397).

Also consider using the browser extension Dicephrase (www.snipca.com/39401), which is handy for creating instant phrases as you browse. Once installed, click the dice icon in your browser toolbar (1 in our screenshot above), select how many words you want, then click Skip (2). On the next page click ‘Show it’ (3) to reveal your phrase, and tick the boxes below to add characters. You’ll see a 10-minute timer (4) counting down how long you’ve got to make a note of the phrase, before it disappears.

Add numbers and separators

Hopefully by now we’ve persuaded you not to use ‘P@$$w0rd’. But that doesn’t mean you can’t tweak your passphrase using non-alphabetic characters. For examples, visit www.snipca.com/39398, then click ‘Create a Passphrase’. You’ll see three dropdown menus: one to choose the number of words, one to set the minimum number of letters, and one to add a separator. It’s this last option that adds real complexity to your passphrase. Type a symbol into it, such as a dash, * (asterisk) or @, then click Generate Password, and a phrase will be suggested with that symbol inserted between the words. We chose the equals sign to produce ‘nursery half soften=pressure’ (see screenshot right). As well as a separator, you can tick the boxes to add an upper-case letter at the start, and a number at the end.
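As an added example (not code from the article or from any of the sites it mentions), the Python below shows the diceware mechanics of the two sections above: a five-dice roll read as a base-6 number indexes a 7,776-word list, the words are joined with a separator, a capital and a trailing number, and the keyspace is turned into a crack-time estimate at the article’s 10,000 guesses per second. The word list is a constructed four-entry stand-in for the EFF list (only 11111 and 66666 come from the article) and the time estimate counts word combinations, so it will not match the figures the generator sites report.

```python
import math
import secrets

DICE_PER_WORD = 5                 # five six-sided dice per word (EFF long list)
LIST_SIZE = 6 ** DICE_PER_WORD    # 7,776 possible rolls, one word per roll
GUESSES_PER_SECOND = 10_000       # attack rate quoted by the article

# Constructed stand-in for the EFF list. Only 11111 -> abacus and
# 66666 -> zoom come from the article; the other two rolls are made-up
# mappings so a multi-word phrase can be built offline.
SAMPLE_WORDLIST = {
    "11111": "abacus",
    "32415": "nursery",   # constructed mapping, not the real list entry
    "51263": "pressure",  # constructed mapping, not the real list entry
    "66666": "zoom",
}

def roll_to_index(roll: str) -> int:
    """Read a roll such as '11111' as a base-6 number: 11111 -> 0, 66666 -> 7775."""
    if len(roll) != DICE_PER_WORD or any(c not in "123456" for c in roll):
        raise ValueError(f"bad roll: {roll!r}")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index

def roll_dice(rng=secrets.randbelow) -> str:
    # secrets is a CSPRNG; a deterministic rng can be passed in for testing
    return "".join(str(rng(6) + 1) for _ in range(DICE_PER_WORD))

def build_passphrase(rolls, wordlist=SAMPLE_WORDLIST, separator=" ",
                     capitalise=False, suffix_number=None) -> str:
    """Map rolls to words, then apply the separator / capital / number tweaks."""
    words = [wordlist[r] for r in rolls]      # KeyError if a roll is not listed
    if capitalise:
        words[0] = words[0].capitalize()
    phrase = separator.join(words)
    return phrase if suffix_number is None else f"{phrase}{suffix_number}"

def keyspace(num_words: int) -> int:
    return LIST_SIZE ** num_words             # phrases an attacker must try

def entropy_bits(num_words: int) -> float:
    return num_words * math.log2(LIST_SIZE)   # about 12.9 bits per word

def worst_case_crack_years(num_words: int, rate=GUESSES_PER_SECOND) -> float:
    """Years to exhaust the keyspace at the article's 10,000 guesses a second."""
    return keyspace(num_words) / rate / (365.25 * 24 * 3600)
```

Note that the separator, capital and number add nothing to the estimate here: an attacker who knows those rules still only searches word combinations, so real strength comes from adding words.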

Get a second opinion

Most passphrase-generating sites tell you how secure a phrase is by estimating how long it would take to crack. For a second opinion paste your passphrase into https://howsecureismypassword.net. We pasted a 12-word phrase created by www.useapassphrase.com, and it claimed it would take eight hundred quintillion quadragintillion years to crack. That’s so long as to be meaningless in human terms (quadragintillion is a 1 followed by 123 zeroes!).

Incidentally, click the accessibility icon (stick man) at the bottom right of https://howsecureismypassword.net for an impressive menu of options to make the site easier to read. These include changing colours, contrast, font size and letter spacing.

Should you trust a website to generate your password?

It’s a fair question. The creators of www.useapassphrase.com answer it this way: “Honestly? Probably not”. They go on to say that all the passwords it suggests are generated in your browser, and therefore not saved nor sent anywhere. Similar claims are made by all the sites we recommend here, and we have no reason to doubt them.

But you may also ask why you need a website to give you a random phrase. The answer is that randomness doesn’t come easily to humans. We can’t help but look for patterns in life. That doesn’t mean humans can’t devise suitably obscure phrases, and to prove it we just came up with ‘tusk banana alabaster cottage’, which https://howsecureismypassword.net says would take six thousand trillion trillion years to crack. But some bias in our neural circuitry would’ve helped to produce that phrase: we did eat a banana earlier, for instance, and we’ve just booked a holiday cottage in Devon.

Probably the best option is to combine human brains with computer brawn – so ask one of these sites for phrases, choose one you’re likely to remember, then personalise it to make it harder to crack.

Screenshot: It would take hackers 731 billion centuries to crack ‘untaxed overbite famine blush’

Screenshot: Create a passphrase by ‘rolling’ virtual dice

Screenshot: Install Dicephrase in your browser to create passphrases as you browse the web

Screenshot: Add a separator such as the equals sign (=) to make your passphrase harder to crack
