Best way to make an uncrackable passphrase, using What3words

theoldmiser

The most important thing in a passphrase is its length, not using 'Capital letters, numbers, and symbols', like you so often hear.

So a passphrase such as

"responded impressed licks Theoldmiser444"

is uncrackable due to its length.

If you want to make a secure passphrase, just go to What3words.com, which is a website that has mapped every section of the Earth into 3m wide squares, and given each square a three word name. As a result, there are 57 TRILLION such squares on What3words.com, each with their own three word code.

So go onto the map and move away from the U.K. and into a random spot out at sea, write down the three words, and add a simple word or two of your own, and you have an uncrackable passphrase.

In the example above, I have added "Theoldmiser444" at the end, because most websites don't know the first thing about password security, and blindly copy each other, forcing you to use a capital letter, and/or a number, etc.

You should also always write down your passphrases. If you can remember more than two or three passphrases, then you are either a genius with a photographic memory (unlikely), or your passphrases are not long enough to be secure and uncrackable.

I use a simple address book, which has alphabetical tabs down the side, so I can easily find passphrases for all the websites I use. (I have about 200 passphrases.)

To my knowledge, nobody has EVER had their passphrase book stolen from their house and used illegally. Whereas THOUSANDS of people have their online accounts hacked every single day, because they use passwords instead of passphrases, and their passwords aren't long enough to be secure, because nobody is telling them the correct way to make passphrases.

Go to

https://www.passwordmonster.com/

to test the strength of any passphrases you make using this method, you'll see that they are incredibly secure.

oldernonethewiser

Do you carry the address book with you or do you only need to log in to sites when at home?

I've started using Bitwarden which is ideal for my needs. 

I do have a very long random password made up of unrelated words.

km1500

remember, if you consider an offline dictionary attack (eg someone is trying to get into your encrypted word document) then a three-word password is equivalent to a three-character password

you should not use words you should use random letters and numbers

FFHillbilly

all that just sounds so laborious. i'm just going to bury my head n the sand and continue with my unsecure passwords for now, hopefully it won't be too long until biometrics make passwords obsolete

IvanOpinion

km1500 said:

remember, if you consider an offline dictionary attack (eg someone is trying to get into your encrypted word document) then a three-word password is equivalent to a three-character password

That is a fallacy. The base for an average person using 3 words is 20,000 rising to 60,000 (or so) for those with better language skills. The base for characters is 26 (or 62 if you include upper, lower and numerics, rising to 95 if you include special characters).

IvanOpinion

theoldmiser said:

The most important thing in a passphrase is its length, not using 'Capital letters, numbers, and symbols', like you so often hear.

So a passphrase such as

"responded impressed licks Theoldmiser444"

is uncrackable due to its length.

Actually that is not correct either. As km1500 mentions a dictionary attack could eventually crack 3 words in a much shorter time than you anticipate (measurable in days or weeks).  However you are actually using 6 words and some numerics which would take significantly longer.

There are still weaknesses in your suggestion though - the biggest of which is that you have had to write something down. You could strengthen the password by interjecting characters between the words (symbols or (e,g,) the 4th letter of the previous word) and adding random mixed case e.g. resPondeDPimpreSseDrliCks@Theoldmiser444$$.

Alternatively you could mangle the words e.g.  resPimpRlicKondeDesseDs@OldTheMi444ser  (makes it a bit more difficult though).

These will cause a dictionary attack to fail and are as good as random characters with the added advantage of memorability and less of an issue if written down.

Neil_Jones

I'm at the point now where I just right-click, "Suggest Strong Password" and run with that, then let the browser save them all.  I have tried password managers but I am idle so...

Can't be bothered with the whole process thing, its far easier just to use 2FA where available as the next best thing.

alanwsg

As I said before, the best password is "Correct Horse Battery Staple"

https://xkcd.com/936/

oldernonethewiser

alanwsg said:

As I said before, the best password is "Correct Horse Battery Staple"

https://xkcd.com/936/

Certainly simplifies things if everyone in the world uses the same password for everything.

Wonder if that will cause any problems........

twopenny

All great news for someone who's dyslexic!
Yup, that's me.

I like the idea of using an address book though. If you can find one that is.

SteveJW

I look round the home and use three names I can see

For example at the moment

FriendshipsCoffeeGeralgine

Add the time and a couple of special symbols, so end up with

$FriendshipsCoffeeGeralgine1040#

Wonder how long that would take to crack

Then use a password manager to store my passwords

Steve