Passwords should be Passphrases

How to make a strong, secure, and memorable passphrase

Why Passphrases?

It turns out that much of what you have learned about how to create a strong secure password is no longer the best advice. The web comic XKCD covers it best in this comic.


Basically, the length of a password beats randomness for both security and the ability to remember it. Current advice based on existing and future computing power is to use at least five random words in your passphrase.1

How to create a passphrase

  1. Let your password manager do it

  2. Employ Diceware Passwords

    1. Diceware passwords are a method of generating a password by using a very large list of potential words and using a 6 sided die to randomly determine which words to use in your passphrase. 

    2. Reference:The Diceware Passphrase Home Page

    3. Reference:The Intercept - Passphrases That You Can Memorize

  3. Online tools

    1. Use a Passphrase

      1. This website will generate random passphrases four, five, and twelve words in length

      2. Keep generating until you find one you like

    2. There are several websites that will ask you to enter your passphrase to check its strength. You should be very careful about using websites like this, as they may log the passphrases and you cannot control what they do with the information once it has been entered it into their website.

Using Passphrases at Geneseo

At first glance using a passphrase seems incompatible with our Password Controls for Geneseo Accounts; however with just a few slight modifications you can use them for our services. Some options include capitalizing the a letter and adding a special character, or adding a number. Doing just two of those options does not hurt memorability and adds just a little bit more security while making it acceptable to our policy.

Passphrases and password managers

If you use a password manager it is not necessary to make all your passwords passphrases. In fact, on some sites in may be impossible due to them limiting the length of your password or not allowing dictionary words. But if you have one very good passphrase you use to access your password manager then you can use random strings of characters for all your passwords you do not need to remember, and only use passphrases when you need strong memorable passwords.


1. Protonmail blog: Passwords vs. passphrases

Related articles