Blog ยป Security ยป Creating and Remembering a Strong Passphrase
locked fantasy treasure chest

Creating and Remembering a Strong Passphrase

By Lane Wagner on Aug 3, 2019

Curated backend podcasts, videos and articles. All free.

Want to improve your backend development skills? Subscribe to get a copy of The Beat in your inbox each month. It's a newsletter packed with the best content for new backend devs.

We all have hundreds of online accounts. Ideally, as many of those accounts as possible have unique passwords. Unique passwords however present a difficult problem.

No one can remember hundreds of strong passwords.

To fix this problem, we created password managers. Now, all of our passwords are neatly stored in one place, encrypted by one master password or passphrase. The problem with this of course is the master password or passphrase needs to be very secure.

Which should be used? A password or passphrase?

Passphrases are Better Than Passwords ๐Ÿ”—

password comic


This XKCD comic does a good job of explaining the difference between passwords and passphrases. A password is easier for a computer to guess (less entropy), and also is much harder to remember! There is NO REASON we should be using passwords. If you are an application developer, especially an app developer writing you backend in Go, take a look at go-password-validator. It will give users full control so they can create strong passphrases.

Entropy ๐Ÿ”—

You may have noticed in the comic that the example password has 28 bits of entropy while the passphrase has 44. Entropy just means the number of possibilities that an attacker would need to guess to crack a password or passphrase.

For example, imagine a password has 16 characters, and each character has 58 possibilities. This means that there are:

58^16 = 16,400,152,899,115,243,850,138,976,256 possibilities.

If we take the base 2 logarithm of the number of possibilities then we arrive at how many bits of entropy the recovery code contains.

log2(58^16) = 93.73 bits of entropy.

The chart below gives a rough idea of how long a given password or passphrase will take to crack based on how many bits of entropy it has and how many guesses per second the attacker can make (which depends on their hardware).

password chart

entropy chart

How to Remember ๐Ÿ”—

Now that we’ve covered why and how a passphrase is safer than a password, let’s look at how to create a memorable passphrase. The key to a memorable passphrase is imagery. The idea is to take 4 or 5 random words and use those words to create an image in your head. The more ridiculous the image, the easier it will be to remember.

The correct horse battery staple from the above XKCD is a good example, but I’ll give you another one. Let’s pretend you are trying to remember:

banana army acid nose spray

I would probably imagine an army of bananas doing acid while being sprayed out of a giant nose. If I repeat “banana army acid nose spray” out loud a couple times while imagining this ridiculous scene, then I can memorize it in just a couple seconds.

Repeating it a couple times allows you to remember the exact order of the words, but picturing the image is what will cement ii in your mind for the long term.

I hope this helps you create secure pass-phrases! As always, stay safe online! It’s a dangerous place.

Find a problem with this article?

Report an issue on GitHub