A password is a set of characters used for authentication to verify identity or to gain access to an account. With the help of a password, we protect our online accounts, whether a social media account or a bank account. Nowadays, we encrypt our Wi-Fi network and even confidential files or documents with a password and keep that password secret from others. Passwords are your last line of defence against prying eyes, and hacking attempts are increasing tremendously.

User: Why would someone want to hack my account?

Security Expert: To be honest, there are many people around the world, or near you, who might want to spy on your personal life for their own gain or out of malice: people who want to hack your bank account to steal your money, and people who hack just for fun, with no specific purpose.

Every few months, some company gets hacked, which results in many people’s account details being compromised and released online on the dark market.

• LinkedIn was hacked in 2012, but the details were not exposed at the time; four years later, 164 million user credentials, such as email addresses and passwords, have been exposed and are being sold on the dark market in exchange for bitcoins.

• The MySpace data breach, in which almost 360 million user account details, such as emails, usernames and weak passwords, were exposed.

• In 2013, 153 million Adobe user accounts were compromised, exposing internal IDs, user names, email addresses, encrypted passwords and password hints.

And many other data breaches have happened in the past. The most common reason behind these breaches is the use of insecure passwords: weak credentials can be recovered by password guessing or by a brute-force tool (in this method, a hacker uses a tool that tries every possible combination until it finds the matching one).

User: So how can I make my account secure?

Security Expert: By using a strong combination that does not include personally identifiable data, such as your date of birth, your name, or anything else associated with you.

User: Thank God! I am using a strong password combination including uppercase, lowercase and one number.

Security Expert: I am sorry to disappoint you, but that’s not 100% secure. And nowadays even a password is not 100% secure to use.

User: What??? So what should I use?

Security Expert: Well, you can use a strong Passphrase.

User: What is a Passphrase? And what is the difference between ‘password’ and ‘passphrase’?

Security Expert: Basically, a passphrase is like a password but longer, and from an attacker's point of view it is more secure than a password. A passphrase is a combination of phrases, each of which contains a minimum of 4 letters.

User: Okay! I got it. So, how do I create a strong passphrase?

Security Expert: To create a passphrase, use Diceware. Diceware is a technique for creating a passphrase that uses dice to select random words from the Diceware word list, which contains 7,776 words. To learn more about the technique, you can visit the official Diceware site. To create a passphrase, you pick words at random from the Diceware word list.

For example: ask binary been buy crisp issue alive

This way, you can create an easy-to-remember passphrase.

User: How many words should I use for the strong passphrase?

Security Expert: It is recommended to use a 7-word passphrase. For the latest technology and systems, it is recommended to use a passphrase with at least 90 bits of entropy.

User: What is password entropy?

Security Expert: Password entropy is a measure of how random or unpredictable a passphrase is. That is why it is always recommended to use words from the Diceware word list, which is designed for exactly that. In a Diceware passphrase, 6 words give 77 bits of entropy, 7 words give 90 bits, 8 words give 103 bits and 10 words give 128 bits. Note that all words in the list are presented in lower case; you can increase the entropy further by capitalizing some of the letters or words and by adding a space after every word.

User: Is it secure to use a passphrase to protect and encrypt documents, hard drives, and accounts? Can the passphrase be cracked like passwords?

Security Expert: Yes, it is very secure to use a passphrase to protect any kind of data, including files, hard drives, online accounts and even Wi-Fi. You can also encrypt your private key with a passphrase if you are using PGP to encrypt your emails or PGP-enabled cloud storage.

It is very hard to crack a passphrase.

• A 5-word passphrase is breakable by a PC with a very high-end graphics processor;

• 6 words are breakable by a large organization or group able to spend very large amounts of money to build a system with high-end graphics processors and other high-end hardware;

• 7 words are almost unbreakable with any technology known in the world right now; not sure about the NSA;

• 8 words or above are totally impossible to crack; not even the NSA can crack them unless it puts all its money toward building a system for password cracking. So passphrases with 8 or more words are secure for the next 20 to 25 years.

You can choose the number of words according to the security level you want to achieve.
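To make the entropy figures and the word-count choice above concrete, here is an added Python example; it is not code from the original article or from the Diceware project. It computes passphrase entropy from the 7,776-entry list size, maps a five-dice key (five digits from 1 to 6, the way entries in the Diceware list are labelled) to a list index, simulates the dice rolls with the operating system's secure random source instead of physical dice, and estimates how long exhaustive search would take at a guessing rate the caller supplies. The word list itself is not embedded; the 10^12 guesses per second rate used in the demo is an assumption for illustration, not a figure from the article.

```python
import math
import secrets

# The standard Diceware list has 6**5 = 7776 entries, one per five-dice roll.
DICEWARE_LIST_SIZE = 6 ** 5
BITS_PER_WORD = math.log2(DICEWARE_LIST_SIZE)  # about 12.925 bits per word


def passphrase_entropy_bits(word_count: int) -> float:
    """Entropy in bits of word_count words chosen uniformly at random from the list."""
    if word_count < 1:
        raise ValueError("a passphrase needs at least one word")
    return word_count * BITS_PER_WORD


def words_for_target_bits(target_bits: float) -> int:
    """Smallest number of Diceware words whose entropy reaches target_bits."""
    return math.ceil(target_bits / BITS_PER_WORD)


def roll_key() -> str:
    """Simulate five dice rolls with the OS CSPRNG; returns a key such as '31415'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def key_to_index(key: str) -> int:
    """Map a five-digit dice key (digits 1-6) to a 0-based index into the word list.

    The key is read as a base-6 number in which digit d stands for d-1.
    """
    if len(key) != 5 or any(ch not in "123456" for ch in key):
        raise ValueError(f"bad Diceware key: {key!r}")
    index = 0
    for ch in key:
        index = index * 6 + (int(ch) - 1)
    return index


def generate_keys(word_count: int) -> list[str]:
    """Roll one key per word. Look each key up in your own copy of the Diceware
    list (not embedded here) to obtain the passphrase words."""
    return [roll_key() for _ in range(word_count)]


def expected_years_to_crack(word_count: int, guesses_per_second: float) -> float:
    """Average time for exhaustive search: half the keyspace at the given rate.

    The guessing rate is an assumption supplied by the caller; the article
    gives no figure for it.
    """
    keyspace = DICEWARE_LIST_SIZE ** word_count
    seconds = keyspace / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    ASSUMED_RATE = 1e12  # assumed guesses/second for a GPU rig; not from the article
    for n in (5, 6, 7, 8):
        print(f"{n} words: {passphrase_entropy_bits(n):.1f} bits, "
              f"~{expected_years_to_crack(n, ASSUMED_RATE):.3g} years "
              f"at {ASSUMED_RATE:.0e} guesses/s")
    print("words needed for 90 bits:", words_for_target_bits(90))
    print("sample keys to look up:", generate_keys(7))
```

The entropy figures only hold if the dice (or `secrets`) choose every word; a word the user picks by preference is no longer uniformly random, and the bit counts above no longer apply to it.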

User: Wow! Thank you for telling me about password security. But I still have one question in mind, is applying a passphrase enough to secure all my online social media and bank accounts?

Security Expert: Well, a passphrase is enough to encrypt emails, hard drives, important documents and even cryptographically generated private keys. But for online accounts, a passphrase is one of the most important methods, not the only one. To secure online accounts, you can apply these methods:

1. Use a passphrase instead of a password.

2. Enable two-factor authentication; with this method your login is verified by two different components: first your passphrase, and second a verification code sent to your mobile by SMS or by email from the website you are logging in to.

3. Always use a different passphrase for different accounts.

4. Never share your passphrase with anyone or write it down anywhere, such as on the last page of a notebook. If you can't remember them all, use a password manager, where you can store the passphrases for your different accounts, and lock the password manager itself with a master passphrase.

User: Thanks! I have to work on it and I’m going to apply these methods to secure myself because it is very important nowadays.


Author: Akshay Bhardwaj is a Certified Ethical Hacker | Information Security Researcher | Technical writer, focused on mobile & application security and user privacy. You can follow him on LinkedIn and Twitter.

June 23, 2016

1 Comment on "MODERN PASSPHRASE SECURITY by Akshay Bhardwaj"

Þór Sigurðsson

Another way of “upping the ante” is to use multiple languages in your passphrase – That way, you don’t have a “simple” dictionary search (with or without numerical obfuscation) only – you’ll have something that won’t be solved without brute-forcing the whole string.

Example: gluðra fangorn 是的 できます båt skæg

Also, your passphrase CAN be shorter with multiple languages (but the time limits of a brute force should still be kept in mind).

Obviously, this will only help those that are bi-, tri-, multi-lingual 🙂