Password Phrases (Passphrases)

How secure is your password?

With the ever-increasing speed and efficiency of CPUs and GPUs, the time it takes a computer to crack a password keeps falling. Humans are predictable and choose passwords that have a meaning, such as a favourite food, team or place; these are easy to guess because specialist 'dictionaries' exist to aid password cracking.

Cracking tools apply 'rules' to dictionary words, so simple substitution passwords (such as 'P4ssw0rd') are too simple and easy to crack.

If a password manager can be used, then random letters, numbers and symbols will generate a very strong password. However, password manager integration is not possible for every password.

This has led to the use of passphrases, which are memorable, long and easy to type. However, they may not be as secure as you would like them to be: an opening line from a favourite book, such as "Call me Ishmael", is not a good passphrase.

Using random words is a good way to generate a passphrase; however, does the order of those words have an impact on the password's strength?

Take, for instance, the following six-word passphrase: MORTIFY ANTIQUE LYRE BALANCE SPRAIN TWIDDLING. The same string of letters can also be produced by another five passphrases:

  • MORTIFY ANTIQUE LYRE BAL ANCE SPRAIN TWIDDLING
  • MORTIFY ANTIQUE LYRE BAL ANCE SPRAINT WIDDLING
  • MORTIFY ANTIQUE LYRE BALANCE SPRAINT WIDDLING
  • MORTIFY ANTIQUELY REBALANCE SPRAIN TWIDDLING
  • MORTIFY ANTIQUELY REBALANCE SPRAINT WIDDLING

These are the same passphrases but built from different words: the same letters in the same order!

Out of the 720 possible permutations of the six words, is this the strongest order, the one that yields the fewest other phrases producing the same password? The answer is clearly no.

By simply switching the first two words, the number of other possibilities drops to 3, and further switches reduce it to one other. However, no permutation of these specific words results in only one sequence.
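As an added example, not from the original article: a small Python script that counts how many other dictionary-word sequences spell the same letters as a given passphrase, then scores every permutation of its words. It assumes a constructed word list containing only the page's six words and the splits it lists; against a full dictionary (or a cracked-password word list) the counts would differ.

```python
from functools import lru_cache
from itertools import permutations

# Constructed word list for the demonstration: the six passphrase words plus
# the alternative splits the article lists. A real check would load a full
# dictionary (or a cracked-password word list) instead.
WORDS = frozenset({
    "MORTIFY", "ANTIQUE", "LYRE", "BALANCE", "SPRAIN", "TWIDDLING",
    "BAL", "ANCE", "SPRAINT", "WIDDLING", "ANTIQUELY", "REBALANCE",
})

PHRASE = ("MORTIFY", "ANTIQUE", "LYRE", "BALANCE", "SPRAIN", "TWIDDLING")


def segmentations(text, words=WORDS):
    """Every way to split `text` into a sequence of words from `words`."""
    words = frozenset(words)

    @lru_cache(maxsize=None)
    def from_index(i):
        # All segmentations of text[i:]; memoised so long strings stay cheap.
        if i == len(text):
            return [[]]
        results = []
        for j in range(i + 1, len(text) + 1):
            if text[i:j] in words:
                results.extend([text[i:j]] + rest for rest in from_index(j))
        return results

    return from_index(0)


def alternatives(phrase_words, words=WORDS):
    """Number of *other* word sequences spelling the same letters as phrase_words."""
    joined = "".join(phrase_words)
    return len(segmentations(joined, words)) - 1


def best_orderings(phrase_words, words=WORDS):
    """Score all permutations; return (fewest alternatives, orderings achieving it)."""
    scored = {perm: alternatives(perm, words) for perm in permutations(phrase_words)}
    fewest = min(scored.values())
    return fewest, sorted(p for p, n in scored.items() if n == fewest)


if __name__ == "__main__":
    print(alternatives(PHRASE))  # 5 other splits, matching the article's list
    fewest, orderings = best_orderings(PHRASE)
    print(fewest, orderings[0])
```

With this word list no ordering reaches zero alternatives, because BALANCE always splits into BAL ANCE, which mirrors the article's observation that no permutation yields a single sequence.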

The examples above use an 'official' English dictionary; however, many word lists are available that are built from 'cracked' passwords, and these vastly increase the chance of additional matches.

One thing not yet discussed is the introduction of a symbol or number into the sequence, or the capitalisation of whole words or letters mid-word. Users can also omit letters from words, creating new non-dictionary words.

These additional techniques can further strengthen a passphrase whilst keeping it memorable and easy to type.