display | more...

A passphrase is used as a replacement for a password in encryption programs such as PGP and SSH in which it is important to have a very large number of possible password/passphrases.

Diceware, at http://world.std.com/~reinhold/diceware.html , is an easy way to choose a secure passphrase.

I came with a method to form valid passphrases I believe could be of some use to others. Obviously if you are using clear text you should not use any sentences taken from famous books, quotes books or other kind of well known literary sources, which is a pity since they are the ones people remember most easily. However if you manage to disfigure these clear text sentences in some way you should be able to use your favorite quotes. Here is how I do.
Choose your passphrase

Select your quote or sentence. Be sure however that you can remember it easily in its details. It is advisable that you associate an hint to it so that you can write down only the hint in order to recall the passphrase. Obviously the hint should only be meaningful to you. Another way of doing it is by using a scene of your own history that no one knows about, something meaningful to you but so trivial that you did not bother telling anyone.
For instance: If you used to count the number of dots on ladybirds when you were ten in a field nearby your parent's holiday house with a girl called Sonia, then your passphrase could be:

Counting dots on ladybirds in a field with Sonia.

The hint could be: "When I was ten" or "Being ten on holiday". However such a sentence is exposed to a dictionary attack, you need to scramble it a bit but in a way that minimise the need for pencil and paper to recall it.

Select a number of filtering rules

A rule is a simple mechanism to substitute part of or alter the initial passphrases. You could decide to replace all the "a" by "@", "e" by "3", "o" by "0", "i" by 1 and "g" by "9". But if this too obvious, why not replacing one every two such character? Our passphrase becomes:

Count1ng d0ts on l@dybirds 1n a f1eld w1th Son1a

If such a rule is still too obvious you can add another one, like capitalize every last letter of every word. Our example becomes:

Count1nG d0tS oN l@dybirdS 1N a f1elD w1tH Son1A

...which looks like a pretty good passphrase to me by now.

Practice your rules

The idea is that you create secret filtering rules that you will apply to any clear text passphrase that you will come up with. I find these rules easier to remember than the actual phrase because it involves an action, "dot this, then do that", in a way it is less abstract than the phrase itself. The key here is to establish simple rules that you can apply with simple mental work. Once you have established these rules (2 or 3 in my experience will suffice) try to practise them a bit on dummy phrases to get the hand on them. The advantages of such rules is that if your passphrase is compromised and you need a quick replacement (and if you don't have a second one prepared) you can pick any dumb phrase you would remember and encode it with these rules so that it is still difficult to guess. For instance the famous "May the force be with you" becomes "MaY th3 forc3 bE w1tH yoU" with the above rules.

If you ever forget your passphrase, go back to your initial phrase or get your hint to remember it and apply the rules one after another to recover the abstract string of letter of your passphrase.

A few hint on how to choose good rules:

  • Try to use rules that can be applied as you type and do not require to come back on what you have written as usually the text is blanked out or hidden unders asterisks.
  • In the same idea, do not use rules that require to think backward, like "remove the second letter from the end of the word" as it is impractical.
  • Rules do not need to be very abstract, it could be like " replace every "a" by the character at the end of the keyboard row (in that case it is "#"). That way you can include those character that greatly increases the complexity of passphrase but that you never remember like $ % ^ & * or ( .
  • For the sake of simplicity, avoid having to apply several rule to the same character, for instance if every "a" is "b" and then you apply a rule of capitalisation, then the "b" should be spared the treatment. That way, when substituting a character as you type you know that you do not have to go back to it.

Prepare a back up passphrase

There is nothing more annoying, security wise, than to come up with a beautifully crafted passphrase that complies with all your requirements and to be forced to find a new one in 10 seconds because it had been blown. So, once you are fluent with your established filtering rules, prepare a back up passphrase {with an hint) that you would not use anywhere untill you actually need it.


Normal people can remember very complex sequences provided they rehearse them often enough. Chances are that you will know your passphrase so well after ten days that you will forget the corresponding filtering rules. So you need to practice your rules every now and then to keep them fresh in your mind.

As usual with security related material, especially in an computerised environment, if you are serious about it you should contact a proper security consultant or you should already know better.

Log in or register to write something here or to contact authors.