What Passphrase Should I Use - ligos/readablepassphrasegenerator GitHub Wiki

What passphrase should I use?

Well, it all depends on what you're trying to protect vs what you're willing to memorise.

Passwords and passphrases work because they're long and random enough that other people can't guess them, but because you know the secret, you can get in. The more sensitive or valuable something is, the longer (harder to guess) you make your password or passphrase.

For example, my Facebook, Google, Steam and Internet banking accounts are all pretty sensitive to me. They contain private information, financial details, or both. So they all have long passwords.

On the other hand, my Paint.NET forum account is a) rarely used and b) doesn't really have anything important in it. So that can have a shorter password.

My KeePass database is the most important of all, because it contains all my passwords (at last count about 200 of them). It's the classic "all my eggs in one basket" (and watch that basket like a hawk) approach. It needs an appropriately strong password, and a memorable one: all the other accounts I've mentioned so far are remembered for me by KeePass, but I still need "one password to rule them all". So it needs to be long (lots of combinations) so people can't guess it, but memorable, because I can't store the password for my password database in my password database (a chicken and egg problem)!

(And, another real world trade off, my wife has to be able to deal with it as well, so it can't be an essay).

This is where a readable passphrase is brilliant: it's easy to remember, yet long enough to be hard to guess.

So I selected a passphrase about 8-10 words long, from a randomly generated list.

So what phrase strength should I use?

Answer: Random.

And then choose the longest passphrase you're prepared to remember.

I'd recommend at least 8 words (remembering that "a" and "the" count as separate words) for protecting anything financial or private (internet banking, Facebook, Google, eBay, etc). The longer the phrase, the better.

What about all the other phrase strengths?

If you find that you want shorter (or longer) passphrases, you can use RandomShort, RandomLong or even RandomForever (although don't blame me if people make fun of you entering your 100 letter passphrase when you login).

Previous versions of readable passphrase forced you to choose between Normal, Strong and Insane. But that's complicated and requires thinking. With the Random phrase strength, it's easier to just generate 10 or 20 phrases and choose one which is long enough.

Of course, if you have more specific requirements, feel free to use a specific phrase strength, vary the min / max restrictions, build your own template, use the mutators or even hook into the .NET API to do something even more funky.

I'm a Password Geek, Tell Me Everything!

The easiest way to see the differences between the different phrase strengths is to try them out. A list of 20 phrases is enough to see most variations. But if you want to know the formal differences, read about Combination Counting.

What About Upper Case, Numbers, Punctuation, etc (Password Requirements)

If you need to add or change your passphrase to meet certain password requirements (upper case, digits, punctuation), go right ahead. Or you can use mutators to add them at random. Adding or changing characters never makes a passphrase easier to guess, but how much harder it gets depends on how predictable the change is: a random mutation adds real combinations, while capitalising the first letter and appending a "1" adds almost none, because password-cracking rule sets already try exactly those edits.
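The trade-offs on this page (more words means more combinations, "a" and "the" count as words but add little, picking your favourite of 10 or 20 generated phrases costs a few bits, and a random mutator adds far more than a predictable "capital and a 1" edit) can be made concrete with a back-of-the-envelope count. The script below is an added example, not code from ReadablePassphraseGenerator: the per-slot word counts, the two templates and the mutator model are constructed assumptions for illustration, not the project's dictionary sizes or its Combination Counting rules.

```python
"""Back-of-the-envelope combination counting for readable passphrases.

Added example, not code from ReadablePassphraseGenerator. SLOT_SIZES,
the two templates and the mutator model are constructed assumptions for
illustration, not the project's dictionary sizes or its Combination Counting.
"""
import math

# Constructed: number of choices the generator has at each slot of a template.
# "a" and "the" count as words for length, but are only a 2-way choice, which is
# why this page says to count them when judging how long a phrase really is.
SLOT_SIZES = {
    "article": 2,
    "adjective": 1500,
    "noun": 3000,
    "verb": 1200,
    "preposition": 30,
    "adverb": 400,
}

# Constructed templates: a 5-word phrase and an 8-word phrase.
SHORT_TEMPLATE = ["article", "noun", "verb", "article", "noun"]
LONG_TEMPLATE = ["article", "adjective", "noun", "adverb", "verb",
                 "preposition", "article", "noun"]


def combinations(template):
    """Number of distinct phrases the template can produce (product of slot sizes)."""
    total = 1
    for slot in template:
        total *= SLOT_SIZES[slot]
    return total


def phrase_bits(template):
    """Entropy in bits if every phrase from the template is equally likely."""
    return math.log2(combinations(template))


def bits_after_picking(template, candidates):
    """Worst-case bits left when you generate `candidates` phrases and pick your
    favourite: an attacker who can model your taste gains at most log2(candidates)."""
    return phrase_bits(template) - math.log2(candidates)


def random_mutator_bits(word_count, char_count):
    """Bits added by random mutation: each word independently upper-cased (2**w)
    and one random digit inserted at one random position (10 * (chars + 1))."""
    return math.log2(2 ** word_count * 10 * (char_count + 1))


def predictable_edit_bits():
    """'Capitalise the first letter and append 1' is a single fixed transform that
    cracking rule sets already apply, so it adds log2(1) = 0 bits."""
    return math.log2(1)


def random_password_bits(length, alphabet_size=94):
    """Bits of a uniformly random password over `alphabet_size` printable
    characters, for comparison with the phrases above."""
    return length * math.log2(alphabet_size)


def report():
    """Summarise the trade-offs on this page as a dict of rounded bit counts."""
    return {
        "5 words": round(phrase_bits(SHORT_TEMPLATE), 1),
        "8 words": round(phrase_bits(LONG_TEMPLATE), 1),
        "8 words, picked from 20": round(bits_after_picking(LONG_TEMPLATE, 20), 1),
        "8 words + random mutators": round(
            phrase_bits(LONG_TEMPLATE) + random_mutator_bits(8, 45), 1),
        "8 words + capital and '1'": round(
            phrase_bits(LONG_TEMPLATE) + predictable_edit_bits(), 1),
        "12 random printable chars": round(random_password_bits(12), 1),
    }


if __name__ == "__main__":
    for label, value in report().items():
        print(f"{label:30} {value:6.1f} bits")
```

With these constructed numbers the 8-word phrase sits near 59 bits, picking your favourite of 20 costs about 4 bits, the random mutators add roughly 17 bits, and the "capital and a 1" edit adds none; the point is the shape of the comparison, not the exact figures, which depend on the real dictionary sizes.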

A final important point

Please, please, please don't use "the statesmen will burgle amidst lucid sunlamps"!