Passphrases Are the New Passwords

I‘ve changed the way I create and use passwords. You need to as well. I liked using a particular password until I was speared by a phishing attempt. No more. (See last week’s post, Are You a Victim of Spear Phishing?).

Passphrases Are the New Passwords

You must change the way you think about passwords. The National Institute of Standards and Technology (NIST) recommends we use unique mental images and our power of association. Their article, Easy Ways to Build a Better P@$5w0rd, is worth the read.


Outdated passwords met all kinds of requirements: capitals, numbers, symbols. YOU can’t remember it, but a hacker can figure it out in three days with a computer program (at 1000 guesses per second). You may run across a site that still asks you to make these kinds of passwords.


Create a more secure login with a long, random passphrase that you can remember and a hacker cannot guess. For example, four random common words as a passphrase would take the same software 550 years to guess.

You and I Need These New Habits for Passphrases

For those of you who like the bottom line, here’s your action points from this post:

  • Use a unique Passphrase on every site, always storing it in your password manager.
    • Don’t reuse your Google account password on any other sites. Keep it unique to Google only.
  • Use two-step authentication whenever possible.
  • Respond to notifications.
    • Agree to updates from software and apps. These are often due to current viral attacks and are meant to protect you.
    • Change your passphrase whenever an account alerts you to a breach.

Read on for how and why you need to take these steps.

Data Breaches and You

This partial list of businesses have had their data compromised.

  •         Adobe
  •         Arby’s
  •         Best Buy
  •         Bitly
  •         Cheddar’s Scratch Kitchen
  •         Delta
  •         eBay
  •         Facebook
  •         Home Depot
  •         JP Morgan Chase
  •         KMart
  •         LinkedIn
  •         Macy’s
  •         Panera Bread
  •         Sears
  •         Sonic
  •         Target
  •         Uber
  •         Verisign
  •         Whole Foods
  •         Yahoo

Full list at Wikipedia

Ouch. Feeling uncomfortable? I am. This list doesn’t mean your data was stolen, but the risk hits closer to home. I see twelve that I’ve done business with this past year or two. When your nicely crafted passphrase is stolen from a database, you’ll be alerted to change it. Update to another unique, secure passphrase right away. (Another advantage to unique passphrases is, you’ll only have to update one account instead of multiple ones when a data breach occurs.)

Learn what the new norms are for secure passphrases. In a world of huge data breaches, some hackers may pick at your little individual account. Instead of breaking into a business’ database, they’ll use software until they figure out your password. To avoid this, it’s important to create unique passphrases.

Your First Steps to Get Started

I know, new habits may seem overwhelming, but try the following first steps. Keep at this until you have secure passphrases for all your accounts.

  • Choose a Password Manager to store your passphrases. Read part one of this series or Security Tip Series: Use a Password Manager.
  • Update your sensitive accounts right away (banks, eCommerce sites, etc.) with unique passphrases.
  • Update all other accounts. Change one or two every other day until you do them all.
    • If a site asks for symbols:
      • add a symbol or a number
      • replace a letter with a symbol or a number
  • Choose Two-Step Authentication whenever offered (again, see part one.)

While you’re working your way through your accounts and passwords:

  • Delete accounts you’re not using.
  • Make sure your mobile device is secure.

What about Auto-fill?

Please don’t use your browser as a password manager. You have, haven’t you? Me, too. Clean these out and move new passphrases to your password manager. When you’re done, turn off the password manager setting for your browser. (Look in settings under passwords.) My long list of saved passwords surprised me. I’ll just have to chip away at them and stop allowing Chrome to store login information for me.

What Makes a Secure Passphrase?

Now that you have a Password manager, your Passphrases can be completely random. The longer the better.

Try these ideas for a  long and random passphrase that is easy to remember.

  • Long is 20+ characters. My expert friends suggest even 25 or 30 characters.
  • Use random words that don’t make a logical sentence; even include spaces.
  • Memorable is addressed in the following paragraphs.

Four Random Words

The NIST article stated that four random words would take 550 years to crack. But how would you make any passphrase memorable? With your passphrases stored in a password manager you don’t need to. Every passphrase will also be unique.

The author uses his mental image of four items in his office or “CorrectHorseBatteryStaple” as his passphrase prompts. For me, I’m thinking of a favorite photo that reminds me of going to county fairs as a family. I have four words that have nothing to do with each other, but come to my mind from the photo.

A bad passphrase uses: music lyrics, lines from poetry or literature, quotable quotes, or Bible verses. Hackers first try these and other known words and phrases. Another article suggested using, instead, the first letters from a memorable piece. You’ll create a long string of random characters that are easy for you to remember. Can you guess what this is? FGsltwtHgHoaoSJ316a (Don’t use this since I’ve made it public). Personally, I’d still stay away from popular quotes.

You’ll need a long, random, memorable passphrase to open the password manager. This should be the only password you need to remember.

Knowing our human natures, you may want a memorable passphrase for a favorite account so you don’t have to open your password manager to retrieve it. I can understand that. You visit that site often and don’t want the bother of going to your manager for your passphrase. If this is what you want to do, memorize unique, long, random, memorable passphrases for only a few sites that only know your name and/or email address. If an account has financial and personal information, be safe; log in with a secure passphrase that you look up in your password manager.

When are you going to start using a Password manager? Will you join me in replacing old passwords?

Related Posts


  • Much of the material from this two-part series comes from:
  • When I did a search for random images on Unsplash. Quite a few had pineapples in them. Okay. That works for me. Photo by Pineapple Supply Co. on Unsplash

Creative Commons License
Passphrases Are the New Passwords by Sus Schmitt is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

What do you think?

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.