TL;DR:

  • Passphrases use fewer mental “chunks” than complex passwords and can be much longer
  • Length is better than complexity when it comes to password security
  • ✅ Crocodile eating my ice-cream! (easy to remember, hard to crack)
  • Already use passphrases? Skip this and read about hashes and salts.

XKCD Comic: Password Strength

This famous XKCD comic nails it. Previously, we talked about your brain’s limited capacity for “chunks” of information. A passphrase like “correct horse battery staple” seems too simple to be secure, but it’s actually:

  1. Easier for your brain: correct horse battery staple is just 4 chunks, which your brain can link together as a single picture
  2. Much harder for computers to crack: At 28 characters, it would take centuries to brute-force (trying every possible combination), compared to seconds or minutes for an 8-character complex p@SSw0rd.

Length is better than complexity

  • An 8-character password with uppercase, lowercase, numbers, and symbols has about 94^8 possible combinations (6.1 quadrillion)

    6,100,000,000,000,000

  • A 4-word passphrase using common English words (from a pool of just 5,000 words) has 5,000^4 possible combinations (625 trillion trillion)

    625,000,000,000,000,000,000,000,000

Each additional character exponentially increases the number of possible combinations. Adding just one character to a password makes it dramatically harder to crack.

That’s why something like Crocodile eating my ice-cream! is significantly more secure than P@ssw0rd!23!Work, despite being easier to remember.
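As an added illustration (not part of the original post), the following Python computes each search space discussed above directly from its parameters, expresses it in bits, and estimates a worst-case brute-force time. The guess rate of 10 billion guesses per second, the 27-symbol alphabet (lowercase plus space) assumed for the XKCD phrase, and the 94-symbol alphabet assumed for the crocodile passphrase are assumptions made for this example.

```python
import math

# Assumed guess rate, used only to turn a combination count into a rough duration.
ASSUMED_GUESSES_PER_SECOND = 10 ** 10


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols drawn from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Size of a search space expressed in bits (log2 of the number of combinations)."""
    return math.log2(space)


def brute_force_seconds(space: int, guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to enumerate the whole space at the given guess rate."""
    return space / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a number of seconds in the largest convenient unit (constructed helper)."""
    year = 365.25 * 24 * 3600
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:.3g} years"


def added_character_factor(alphabet_size: int, length: int) -> int:
    """How many times larger the space becomes when one more character is added."""
    return keyspace(alphabet_size, length + 1) // keyspace(alphabet_size, length)


# (label, alphabet size, length) for the scenarios in the text; alphabets are assumptions.
SCENARIOS = [
    ("8 characters, 94 printable symbols (P@ssw0rd!23 style)", 94, 8),
    ("4 words from a 5,000-word pool", 5000, 4),
    ("28 characters, lowercase + space (correct horse battery staple)", 27, 28),
    ("30 characters, 94 printable symbols (Crocodile eating my ice-cream!)", 94, 30),
]


def report() -> list[dict]:
    """Compute every scenario once so callers (or a test) can inspect the numbers."""
    rows = []
    for label, alphabet, length in SCENARIOS:
        space = keyspace(alphabet, length)
        rows.append({
            "label": label,
            "combinations": space,
            "bits": entropy_bits(space),
            "time": human_duration(brute_force_seconds(space)),
        })
    return rows


if __name__ == "__main__":
    for row in report():
        print(row["label"])
        print(f"  combinations: {row['combinations']:,}")
        print(f"  entropy:      {row['bits']:.1f} bits")
        print(f"  brute force:  {row['time']} at {ASSUMED_GUESSES_PER_SECOND:,} guesses/s")
    print(f"Adding one character to a 94-symbol password multiplies the space by "
          f"{added_character_factor(94, 8)}")
```

The numbers only describe exhaustive brute force of the full alphabet; an attacker who guesses with a wordlist and the substitution rules described further down never enumerates that space, which is why the human-predictability argument matters as much as the arithmetic.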

Don’t websites force complex passwords?

Yes 🤦, many sites still enforce outdated password policies like:

  • Must contain uppercase letters
  • Must contain at least 1 number
  • Must contain symbols
  • Must be changed every 90 days
  • No reusing a variation of your old password

These requirements, while well-intentioned, often lead us to create passwords that are hard for humans to remember but relatively easy for computers to guess. When faced with these requirements, we tend to make predictable substitutions (a → @, i → 1, etc.) that attackers already know to check for.

Some websites (looking at you, banks! 👀) limit password length to a silly 12 characters.

Creating Your Perfect Passphrase

The best passphrases are:

  1. Memorable to you: Use vivid imagery or silly scenarios
  2. Long enough: Aim for at least 15-20 characters
  3. Unique for each important account

Try one of these approaches:

  • Random words: Silly.dance.kangaroo.party
  • True stories: Crocodile eating my ice-cream!
  • Personal anecdotes: I fell up the stairs in 2019...

The beauty is that these are easy for your brain to store as a single concept, or a few related chunks, rather than as many disconnected chunks.
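To make the two sections above concrete, here is an added Python example (not from the original post) that puts the outdated composition policy side by side with a length-first policy of the kind the passphrase advice implies. The 12-character maximum, the 15-character minimum, the tiny word list and the substitution map are all constructed for the example; a real deployment would check against a large list of common and breached passwords instead of five words.

```python
from __future__ import annotations

import re
from typing import List, Optional

# Constructed stand-in for a real common-password / breached-password list.
COMMON_WORDS = {"password", "welcome", "summer", "work", "admin"}

# The predictable substitutions the text mentions (a -> @, i -> 1) plus two more
# common ones; this map is a constructed example, not an exhaustive list.
SUBSTITUTIONS = str.maketrans({"@": "a", "1": "i", "0": "o", "$": "s"})


def legacy_policy(password: str, max_length: int = 12) -> List[str]:
    """The outdated composition policy from the text: checks the shape of the
    password (upper/number/symbol, short maximum) rather than how guessable it is."""
    problems = []
    if len(password) > max_length:
        problems.append(f"longer than the {max_length}-character maximum")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


def normalise(password: str) -> str:
    """Undo the predictable substitutions and drop remaining digits/symbols so the
    underlying dictionary word, if any, becomes visible."""
    plain = password.lower().translate(SUBSTITUTIONS)
    return re.sub(r"[^a-z]", "", plain)


def segment(core: str, words: set) -> Optional[List[str]]:
    """Split `core` entirely into known words (longest match first), or return
    None when no such split exists."""
    if core == "":
        return []
    for i in range(len(core), 0, -1):
        head = core[:i]
        if head in words:
            rest = segment(core[i:], words)
            if rest is not None:
                return [head] + rest
    return None


def length_first_policy(password: str, min_length: int = 15) -> List[str]:
    """Length-first policy: no composition rules and no short maximum, but reject
    passwords that are just one to three common words dressed up with
    substitutions. Four or more words is the passphrase approach and is allowed."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    parts = segment(normalise(password), COMMON_WORDS)
    if parts and len(parts) < 4:
        problems.append("common word(s) with predictable substitutions: " + " + ".join(parts))
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, including the two from the text.
    for candidate in ["P@ssw0rd!23", "P@ssw0rd!23!Work", "Crocodile eating my ice-cream!"]:
        print(repr(candidate))
        print("  legacy policy:       ", legacy_policy(candidate) or "accepted")
        print("  length-first policy: ", length_first_policy(candidate) or "accepted")
```

Run as written, the legacy policy accepts P@ssw0rd!23 and rejects the crocodile passphrase (too long, no number), while the length-first policy does the reverse: the passphrase passes and the decorated dictionary words are flagged even though they satisfy every composition rule.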

The Passphrase Challenge

Take 5 minutes right now to upgrade an important account—perhaps your email—with a new passphrase. Even a simple passphrase is likely more secure than whatever complex password you’re currently using.

Remember: Crocodile eating my ice-cream! is not just easier to remember than P@ssw0rd!23!Work, it would take millions of years longer to crack.


Let’s move to our next topic — how passwords are stored safely using “salty smoothies”.