Struggling to create passwords that you can both remember and trust to keep your accounts secure? You’re not alone. The good news is that using a word-based password generator helps you create a strong, memorable passphrase. But, should you use password generator words at all?
Generally, password generator words produce passphrases that are much more secure than most passwords. However, the words are vulnerable to dictionary attacks, especially in the English language. Character substitutions and increased entropy can help mitigate weaknesses.
But first, you’ll be surprised to know why it’s OK to create & use memorable passwords.
Understanding the Importance of Secure Yet Memorable Passwords
According to a study by Verizon, over 80% of data breaches involve weak or stolen passwords. This alarming statistic underscores the need for robust passwords that can withstand brute-force attacks and other hacking methods.
When it comes to passwords, you want to balance two key factors: length and entropy.
Length comes first: every extra character makes a password harder to brute-force. By using full words from a password generator, you satisfy the length criterion. Typically, the word selection is random enough that two users of the same generator will not receive the same set of words.
The second criterion is entropy, or complexity. I have another article with a more in-depth description of password entropy, but the basic idea is that you want to include as many types of characters as possible in your passphrase, such as:
- Uppercase letters
- Lowercase letters
- Special symbols
- Accented or Unicode characters (👈 Pro Tip, but not all systems will accept these)
- …and YES spaces
The space character is surprisingly well supported and turns your password into a passphrase, which is arguably more secure than a password. But random password generator words have a flaw…they’re random.
Instead, let’s take these generator words and create a sentence that’s grammatically correct to boost the memorability.
Memorability matters (primarily for your password manager and computer login) because a password you can’t remember is as useless as a lock without a key. If you constantly have to reset your password, you’ll likely end up choosing simpler passwords for the sake of convenience, thereby compromising security.
Now that you understand the balancing act between security and memorability, here’s how to pick the best words for generating the ideal password.
How to Choose Reliable Common Words for Passwords
When it comes to selecting words for your next password or passphrase, there are advantages and disadvantages when selecting from common dictionary words.
Advantages of Using Dictionary Words for a Passphrase
- Ease of Memorability: Words from the dictionary are usually easier to remember than random strings of characters, numbers, and symbols.
- Typing Speed: Using dictionary words often makes it quicker to type out the passphrase, especially on mobile devices.
- User-Friendly: Dictionary words are easier to communicate verbally or write down temporarily if needed.
- Reduced Errors: The likelihood of making a typo or mistake when entering the passphrase is typically lower.
Disadvantages of Using Dictionary Words for a Passphrase
- Vulnerability to Dictionary Attacks: Using plain dictionary words makes your passphrase susceptible to dictionary attacks, where an attacker uses a pre-compiled list of words to guess the passphrase.
- Lower Complexity: Passphrases made solely of dictionary words generally have lower entropy for their length than random character strings, making them less secure.
- Predictability: The use of common words or phrases might make it easier for someone who knows you to guess the passphrase.
- False Sense of Security: The ease of memorability might lead to overconfidence, neglecting other security practices like regular updates or using different passphrases for different accounts.
Fixing the Disadvantages
To mitigate the disadvantages of using dictionary words in passphrases, consider the following strategies:
- Add Special Characters or Numbers: Intersperse your passphrase with special characters or numbers to increase complexity and resist dictionary attacks. You’re already doing this in part with spaces, which attackers test less frequently.
- Use a Mix of Cases: Capitalize random letters within the words to make the passphrase less predictable and more secure.
- Use Less Common Words: Choose words that are less likely to be in dictionary attack databases. Go beyond simple, everyday words.
- Employ Word Substitution: Use phonetic or creative spellings for words. For example, use ‘phish’ instead of ‘fish’.
- Include Non-Dictionary or Foreign Language Words: Add proper nouns, names, words from other languages, or even made-up words that only you would understand.
By implementing these strategies, you can maintain the benefits of using a memorable passphrase while significantly improving its security.
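The length-versus-entropy discussion above and the mitigation list just given can be made concrete with a small generator. The following is an added example, not code from the original article or from any of the tools it reviews; the wordlist is a constructed 25-word sample (a real generator would load a large published list such as the EFF long list, whose 7776 words give about 12.9 bits each). Every component is drawn with the `secrets` module, and the bits contributed by each draw are tallied, so the reported strength is exactly the size of the space the phrase was drawn from, assuming the attacker knows the wordlist and the scheme:

```python
"""Passphrase generator with exact entropy accounting (added example).

Every component of the passphrase is drawn uniformly from a known set with the
`secrets` module (a CSPRNG, never `random`), and the bits of entropy of each
draw are recorded, so the reported strength matches how the phrase was actually
built. Runs entirely offline.
"""
import math
import secrets
import string

# Constructed sample list, kept tiny so the example runs stand-alone. A real
# generator would load a large published list (the EFF long list has 7776
# words, about 12.9 bits per word); the entropy maths below is unchanged.
SAMPLE_WORDLIST = (
    "anchor", "basket", "canyon", "dolphin", "ember", "falcon", "glacier",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pebble", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr",
)

# Candidate separators. The space is included deliberately: it is widely
# accepted and turns the password into a passphrase.
SEPARATORS = " -_.!"


def _pick(choices, ledger):
    """Draw one element uniformly with a CSPRNG and record its entropy."""
    ledger.append(math.log2(len(choices)))
    return secrets.choice(choices)


def scheme_entropy_bits(wordlist_size, n_words, capitalize=True,
                        n_separators=len(SEPARATORS), add_digit=True):
    """Bits of entropy of the scheme, computed without generating anything.

    Words: n_words * log2(wordlist_size). Random capitalisation: one coin
    flip per word. One separator chosen for the whole phrase: log2(n_separators).
    One trailing digit: log2(10).
    """
    bits = n_words * math.log2(wordlist_size)
    if capitalize:
        bits += n_words
    bits += math.log2(n_separators)
    if add_digit:
        bits += math.log2(10)
    return bits


def words_needed(wordlist_size, target_bits):
    """Words required to reach target_bits from the words alone."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(wordlist=SAMPLE_WORDLIST, n_words=4, capitalize=True,
                        separators=SEPARATORS, add_digit=True):
    """Return (passphrase, entropy_bits) for one freshly generated phrase."""
    if n_words < 1:
        raise ValueError("need at least one word")
    if len(set(wordlist)) != len(wordlist):
        # Duplicates shrink the real choice space and would overstate entropy.
        raise ValueError("wordlist contains duplicates")
    ledger = []
    sep = _pick(separators, ledger)
    words = []
    for _ in range(n_words):
        word = _pick(wordlist, ledger)
        # "Use a mix of cases": a fair coin decides whether to capitalise.
        if capitalize and _pick((False, True), ledger):
            word = word.capitalize()
        words.append(word)
    phrase = sep.join(words)
    if add_digit:
        # "Add special characters or numbers": one random trailing digit.
        phrase += _pick(string.digits, ledger)
    return phrase, sum(ledger)


if __name__ == "__main__":
    phrase, bits = generate_passphrase()
    print(f"{phrase!r}  ~{bits:.1f} bits")
    # Length beats per-character complexity: how many words from a 7776-word
    # list match a random 12-character password over 95 printable characters?
    target = 12 * math.log2(95)
    print(f"12 random printable chars: {target:.1f} bits -> "
          f"{words_needed(7776, target)} words from a 7776-word list")
```

The ledger approach is the point: the strength figure is derived from the choice sets actually used, not from a heuristic applied to the finished string, which is how a generator should report entropy. The check for duplicate words matters for the same reason, since a repeated entry silently shrinks the space. Note that the 25-word sample gives under 5 bits per word, so it would need roughly 17 words to reach the ~78 bits that six words from a 7776-word list provide; the list size, not the word count, is what to scrutinise in a tool's settings.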
Now that you know how to select and use words, let’s look at some generation tools.
Online Tools for Generating Memorable Passwords
First, remember that using one of these tools to provide words for a passphrase is a good starting step.
It’s best if the generator is open source, so the source code can be audited. But if you use a tool that’s not open source, or you’re simply skeptical (like me), then reorder the generated words or swap in some of your own to thwart attacks.
Here’s a list of online generators that I’ve researched:
When it comes to using word-based password generators, there are usually several settings and options to consider.
For example, most tools will let you specify the length of the passphrase. You can also typically decide whether to include numbers, special characters, or both.
Some of the above generators even offer advanced options, like excluding similar-looking characters (like ‘1’ and ‘l’) to reduce confusion.
Best Practices for Using a Word-Based Password Generator
For paranoia’s sake, let’s consider that the author of a word-based password generator might try to tie your selected words to your IP address, browser fingerprint, device, etc.
Here’s how you can mitigate the risk:
- Use a VPN: Employing a VPN can obscure your real IP address, making it harder to trace the password generation back to you.
- Private Browsing: Use your browser’s private or incognito mode to minimize some browser fingerprinting methods.
- Local Execution: Opt for tools that perform all password generation locally on your device rather than sending data to a server. This ensures your chosen words aren’t stored or processed externally.
- Open Source or Third-Party Audits: Look for tools that publish their source code publicly or have been audited by a reputable third party to ensure they don’t store or transmit your data.
- Randomize Selections: After generating the passphrase, manually randomize the words or add extra characters to ensure the generated passphrase doesn’t exactly match the output of the online tool.
By taking these precautions, you reduce the risk of the tool’s author or any other third party associating your identity with the generated passphrase.
Other Questions You Might Have
What is a brute-force attack, and how does it relate to password security?
A brute-force attack is a hacking method in which an attacker tries every possible combination of characters to guess a password. The more complex and longer the password, the more resistant it is to such attacks.
Can biometric data like fingerprints replace traditional passwords?
Biometric data can be used as an additional security layer, but is generally not recommended as a complete replacement for passwords. This is because, unlike passwords, biometric data cannot be changed if compromised.
Is two-factor authentication worth enabling?
Two-factor authentication (2FA) adds an extra layer of security by requiring a second form of identification beyond just your password. It is widely considered worth enabling for added protection against unauthorized access to accounts.
How often should I change my passwords?
It is commonly recommended to change passwords every 60 to 90 days, although this may vary depending on the nature of the account and the level of security it requires.
Why is it not advisable to use personal information in passwords?
Personal information such as names, birthdates, and addresses is easily obtained through social engineering or data breaches. Using it in passwords weakens security and makes the password easier to guess.