- FBI advises internet users to use passphrases of at least 15 characters, instead of “strong” short passwords.
- Short and hard to remember passwords have gotten very easy for today’s computers to crack.
- Passphrases are much harder to guess, as long as the words in them are as unrelated as possible.
Is it better to use long passphrases over strong passwords? The FBI says that it is, as we’re living a time when regular people have access to powerful computers that can brute force and guess passwords no matter how hard they are for us to remember. Using passphrases makes it practically impossible for machines to crack them, as their complexity is beyond what’s attainable by the existing technology. So, should you ditch that password manager that is helping you use impossible to remember but “strong gibberish” in favor of something like “upside-down-heart-pink-cow-27”?
An increasing number of security experts believe that this should be exactly the case nowadays. These passphrases would take a current machine whole centuries to guess, they are easy to remember for the user, and won’t cause the password anxiety that hits people when they have to juggle many different ones. However, that is not to say that password managers should be thrown out of the window. After all, you can set passphrases in them manually, or have them generate very long passwords (up to 64 characters) that would undoubtedly be extremely hard to crack.
If you have a fear for single-sign-on tools in general, if you dread the possibility of forgetting or losing your master password, or if you just don’t trust what the vendors are doing with your password vault, then yes, maybe ditching them in favor of a long passphrase would make perfect sense in your case. Still though, just picking a passphrase that is easy to remember and making it adequately long isn’t enough to enjoy peace of mind. Not all passphrases are made equal, and hackers performing “dictionary attacks” can possibly crack longer passphrases pretty easily, as long as some specific criteria are met.
According to the latest FBI advice (based on NIST recommendations), users should pick words that are entirely unrelated. If you have trouble coming up with something like that, there are online passphrase generators that can help you. Just be careful not to set too many words making the passphrase hard to remember for you too. FBI says that you should aim for a minimum of 15 characters, so something with even three words would be enough. Ideally, pick a passphrase with four words as they are still easy to remember and the entropy will increase exponentially.