How To Choose A Secure Passphrase

1. Shuffle an ordinary deck of playing cards. Fan the cards, facedown, and choose four number cards. (You can also choose by cutting the cards repeatedly.)

An Ace is the number 1. A Ten is the number zero. Choose again if the card is anything other than ten, Ace, or 2 through 9. The result is a sufficiently random 4-digit number.

Alternatively, you can use this online true random number generator: Random.org. Set the range from "1" to "10,000".

2. Look up each 4-digit number on this word list. Each number corresponds to a pair of words. Choose ONLY ONE of the two words, whichever word is easiest to remember.

3. Repeat this process (1 and 2 above) until you have chosen ten words. This set of ten words is your passphrase. It has better than 128-bit security. (Specifically, it has just over 139 bits of entropy.)

4. Memorize the passphrase thoroughly by calling it to mind several times a day for a month.

5. Keep the passphrase written in multiple secure locations, such as on paper inside a physical safe, or in a plain text file in an encrypted folder.

6. Hash your passphrase and keep a copy of the first four characters of the hash in an accessible location. If you forget part of the passphrase, you can type your best guesses into HashCalc and quickly see which version of the passphrase is correct.

7. At least once a week, test your memorization of your passphrases against each hash.
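The procedure above in working form, as an added example that is not part of the original page: steps 1 to 3 are simulated with a CSPRNG in place of the shuffled deck, the entropy helper counts only the uniformly random draws (the within-pair "easiest to remember" choice is deliberately left out because it is not a random event), and step 6 is implemented with a truncated SHA-256 hex digest. The word list is a constructed stand-in, and SHA-256 is an assumption; HashCalc offers several algorithms, so use the same one every time.

```python
import hashlib
import math
import secrets

LIST_SIZE = 10_000  # the word list is indexed 1..10,000, one pair of words per index

# Constructed stand-in for the page's word list (NOT the real list): index -> (word_a, word_b)
WORD_PAIRS = {i: (f"alpha{i}", f"beta{i}") for i in range(1, LIST_SIZE + 1)}


def draw_index(randbelow=secrets.randbelow):
    """Step 1: one uniformly random number in 1..10,000 (the Random.org range).
    secrets.randbelow is a CSPRNG standing in for the shuffled deck."""
    return randbelow(LIST_SIZE) + 1


def generate_passphrase(word_pairs, n_words=10, randbelow=secrets.randbelow, pick=None):
    """Steps 1-3: draw n_words indices (with replacement) and keep one word per pair.
    `pick` models the user's choice within the pair; default is the first word."""
    pick = pick or (lambda pair: pair[0])
    return [pick(word_pairs[draw_index(randbelow)]) for _ in range(n_words)]


def entropy_bits(list_size=LIST_SIZE, n_words=10):
    """Entropy contributed by the random draws alone: n_words * log2(list_size).
    The within-pair choice is excluded because picking by memorability is not random."""
    return n_words * math.log2(list_size)


def hash_prefix(passphrase, n_chars=4):
    """Step 6: SHA-256 hex digest (assumed algorithm) truncated to n_chars."""
    digest = hashlib.sha256(passphrase.encode("utf-8")).hexdigest()
    return digest[:n_chars]


def find_matching_guess(guesses, prefix, n_chars=4):
    """Steps 6-7: return the first guess whose hash prefix matches, else None.
    Four hex characters expose only 16 bits of the hash, so keeping the prefix
    costs little entropy; it also confirms only 16 bits, so one wrong guess in
    65,536 would match by chance. Re-check a match against the full hash."""
    for guess in guesses:
        if hash_prefix(guess, n_chars) == prefix:
            return guess
    return None


if __name__ == "__main__":
    phrase = " ".join(generate_passphrase(WORD_PAIRS))
    print(phrase)
    print(f"{entropy_bits():.1f} bits from the random draws")
    print("hash prefix to keep:", hash_prefix(phrase))
```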
