Best Practices for Provably Secure Passphrases

1. Choose words for the passphrase from one list with a known number of entries.

2. Choose each word randomly. Try the Playing Cards method or Diceware.

3. Only randomness and length are provably secure.

The number of possible unique passphrases is the number of entries in the word list raised to the Nth power, where N is the number of words in the passphrase. Choose a passphrase with more than 3.4028 x 10^38 (2^128) possible combinations for full 128-bit security.

For 128-bit security, with no repeated words in the passphrase, you need one of the following:
* a word list with 927 entries and a 13-word passphrase
* a word list with 1,632 entries and a 12-word passphrase
* a word list with 3,189 entries and an 11-word passphrase
* a word list with 7,137 entries and a 10-word passphrase
* a word list with 19,117 entries and a 9-word passphrase
* a word list with 65,540 entries and an 8-word passphrase

The word list sizes stated above are minimums.
128-bit security is more than sufficient for almost any purpose.
See the word lists here.

4. Memorize the passphrase thoroughly by calling it to mind several times a day for a month.

5. Keep the passphrase written in multiple secure locations, such as on paper inside a physical safe, or in a plain text file in an encrypted folder.

6. Hash your passphrase and keep a copy of the first four characters of the hash in an accessible location. If you forget part of the passphrase, you can type your best guesses into HashCalc and quickly see which version of the passphrase is correct.

7. At least once a week, test your memorization of your passphrases against each hash.



Comments: The Playing Cards Passphrase method works well to choose random numbers easily and securely. Look up each number in this double word list and choose only one of the two words. Ten random numbers give you ten words. A passphrase of ten words, chosen in this way, has about 140 bits of entropy. (16,281 unique words across the two lists, raised to the 10th power.)
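The entropy arithmetic behind the table in item 3 and the 140-bit figure above, plus the hash-prefix memory check from item 6, as an added example that is not part of the original page. The function names, the SHA-256 choice (the page does not say which hash HashCalc is set to) and the sample passphrase are assumptions.

```python
import hashlib
import math


def entropy_bits(list_size: int, n_words: int, repeats_allowed: bool = True) -> float:
    """Entropy in bits of an n-word passphrase drawn uniformly from one word list.

    With repeats allowed the count is list_size ** n_words (the page's L^N).
    Without repeats it is the falling factorial L * (L-1) * ... * (L-n+1),
    which is what the page's "no repeated words" table is based on.
    """
    if n_words < 1 or list_size < 1:
        raise ValueError("need at least one word and one list entry")
    if repeats_allowed:
        return n_words * math.log2(list_size)
    if list_size < n_words:
        raise ValueError("cannot pick more distinct words than the list holds")
    # Sum logs instead of multiplying, so huge counts never overflow.
    return sum(math.log2(list_size - i) for i in range(n_words))


def min_list_size(n_words: int, target_bits: float = 128.0,
                  repeats_allowed: bool = False) -> int:
    """Smallest word list that reaches target_bits for an n-word passphrase."""
    size = n_words  # lower bound when repeats are forbidden
    while entropy_bits(size, n_words, repeats_allowed) < target_bits:
        size += 1
    return size


def hash_prefix(passphrase: str, length: int = 4) -> str:
    """Short prefix of SHA-256(passphrase), the memory aid from item 6 (hash is an assumption).

    Four hex characters reveal only 16 bits of the digest, so the prefix alone
    does not help an attacker much, but it lets you confirm a recalled guess.
    """
    return hashlib.sha256(passphrase.encode("utf-8")).hexdigest()[:length]


def matches_prefix(guess: str, stored_prefix: str) -> bool:
    """True when a recalled guess hashes to the stored prefix."""
    return hash_prefix(guess, len(stored_prefix)) == stored_prefix


if __name__ == "__main__":
    for n in (13, 12, 11, 10, 9, 8):
        print(f"{n}-word passphrase, no repeats: list of {min_list_size(n)} entries for 128 bits")
    print(f"10 words from 16,281 entries: {entropy_bits(16281, 10):.1f} bits")
```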

