Lead Image © berkay08, 123RF.com

Passwords, passphrases, and passkeys

Secret Symbols

Article from ADMIN 86/2025
Many rules for secure passwords pose major obstacles for unsuspecting users. We investigate how meaningful rigid guidelines are, restate how important passphrases and passkeys are becoming, and offer two recommendations for team-capable password management.

The classic password has a long history, and the terms, along with the times, are a-changing. At the end of the day, everyone still uses passwords, but the term passphrase, for example, describes a different way of creating and remembering them. After all, every attempt to access something starts with a secret that has to be produced and checked. One part of the puzzle is the username, which identifies the account; under normal circumstances, the owner of that account should be the only person who holds the key to it. When choosing a password, the user faces two challenges: the password has to be secure, and the user has to remember it.

Unrealistic Rulesets

Bill Burr wrote the official password guide for the U.S. National Institute of Standards and Technology (NIST). According to the guide, a password should comprise at least eight characters and be complex. It should contain upper- and lowercase letters, numbers, and special characters (i.e., ideally three to four different types of characters), and it should be changed regularly. Ideally, a password history will prevent previously used passwords from being reused, or at least enforce a long wait before reuse.

Unfortunately, many things in this ruleset have been misinterpreted and, above all, users have found unplanned or unintended detours and shortcuts. When it comes to the length of the password, for example, the emphasis is on "at least" eight characters. This has led many users to view these eight characters as the maximum, and in many cases, IT departments fail to communicate the requirements clearly. Of course, a password can and should have more than eight characters. NIST itself drew the consequences: the 2017 revision of its guidance (SP 800-63B) no longer recommends mandatory character-class rules or periodic password changes, and instead emphasizes length and checking new passwords against lists of known-compromised ones.

In practice, passwords created according to the above-mentioned rules (e.g., dU7%9IL& ) that you are then forced to change every three months will quickly mutate to Summer25 , because it is complex according to the rules. Three out of four character types (check), eight characters (check) – the requirements are met. From this logic, you probably can guess which password will be used in three months' time. Users will make it as easy as possible for themselves, because they just want to work; what they definitely don't want is to be forced to type a complex password every 15 minutes when their device is locked by the screen saver or the inactivity limit.

The idea of using a keyword phrase or the first letters of a song lyric or refrain, perhaps including a letter swap (e.g., A becomes 4, E becomes 3, O becomes 0, I becomes 1, etc.), makes the password even more complicated and does not make it any easier to handle. For example, the Robbie Williams refrain Hell is gone and heaven's here could become RW-H1gahh . It has upper- and lowercase letters, a punctuation character (the dash), and the number 1 instead of the letter I. The password is complex and secure according to the known rules. The only problem is that you are unlikely to remember it and will need considerably more time to reconstruct how the abbreviation worked.

The dilemma is that as soon as the process becomes a pain and requires energy, the human brain switches off and, thanks to evolution, looks for relief and a simpler construct. In the end, the passwords are discovered on Post-it notes or scraps of paper under the keyboard, or they end with something trivial, such as the season, an astronomical object, the current month, the current year, or another counter that simply increments (e.g., Michael01 , Michael02 , Michael03 , etc.).

Passphrases Make It Easy

The aim, therefore, must be a password that is easy to remember and still secure. This path arrives at passphrases, which comprise three, four, or five words that have no mutual associations. A separator character is easily added, and whether or not to add a number is at the user's discretion; any worries about the strength of this construction are addressed later.

With the 7776-word German Diceware list from dys2p [1] (saved as a TXT file with one word per line), I created a phrase of three or more words with a simple PowerShell passphrase generator:

# Prompt for the number of words and the separator character
[int]$Count = Read-Host "Number of words"
$Separator = Read-Host "Separator"
# One word per line, next to the script; skip blank lines
$Content = Get-Content -Path "$PSScriptRoot\Wordlist.txt" | Where-Object { $_.Trim() -ne '' }
# Pick $Count distinct words and join them with the separator
$Phrase = Get-Random -InputObject $Content -Count $Count
$Phrase -join $Separator

The result is phrases like Anprangern-Verknallen-Erkunden (denounce-crush-explore) or Jawort#Einwurf#Imbiss (consent#insertion#snack). At the end of the process, you have three simple words with a distinctive sound and an easy-to-remember sequence. Of course, you could also look around the room and use the names of things in your field of view, such as lamp-poster-window , although words a person picks are far less random than words drawn from a list, so let the generator do the picking wherever possible. The aim is always to make things as easy as possible for users.

Even Microsoft offers passphrases as an option for the Local Administrator Password Solution (LAPS) in Windows Server 2025 [2]. Passphrases are easier to type, easier to picture in your mind, and definitely easier to remember; they are human-readable, so you do not need to type them out painstakingly character by character, but simply enter them word by word.

This ease of use is what makes a passphrase work as the first and most important line of defense in front of a system: a password must not be trivially guessable, and that only holds if users actually adopt it. The code snippet above can be wrapped in a website on the intranet and published for your users. The practical thing about this solution is that it automatically fulfills the most important rule when dealing with passwords and code phrases: length.

Length Counts

The password length is crucial against attacks based on trial and error (brute force). The longer the password, the larger the space an attacker has to search and the longer the compute time required to work through it. At this point, you come back to the concerns mentioned above; for a randomly chosen secret, however, length beats complexity.

In the keyspace formula N^L, adding a character class only enlarges the base N (the size of the alphabet), whereas each additional character raises the exponent L, so every extra character multiplies the number of possibilities by N. For example, denounce-crush-explore has 22 characters. From the current state of the art and calculations by Hive Systems [3], you must assume that all passwords with fewer than 16 characters are no longer secure. One caveat: the N^L figure assumes the attacker has to treat the phrase as a string of random characters. An attacker who knows the word list only has to try 7776^k combinations for a k-word phrase, which for three words is about 2^39 guesses; that is why the number of words, not just the character count, should be the dial you turn, and why four or five words are the safer default.

The difficulty now is to sell this to the user in a psychologically effective way. If you send a message to staff with the header "Minimum 16-character passwords starting tomorrow," your users are guaranteed to be up in arms and asking management if they can have some of the stuff the people in IT smoke. If you choose instead a header such as "Simple passwords that you can keep forever, starting tomorrow" and then offer the passphrase generator as a web front end, users will not even realize you are getting them to do something they were terrified of doing.

The script could be modified to use two words, and you could include a minimum of x characters. The only important thing to users is a quick and easy way to create passwords. A long password can be memorized by repeatedly typing it and is likely to remain as a solid image in the users' minds given time. Mistyping, even with 25 characters or more, is becoming increasingly rare, all of which contributes toward burying the problem of trivial passwords and incremental counters.
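The following is an added example and not code from the article: a hardened variant of the generator above that adds the minimum-length check just suggested, draws words from the operating system's cryptographic random number generator instead of Get-Random (which wraps System.Random and is not meant for secrets), and reports the keyspace arithmetic from the "Length Counts" section alongside the phrase. It assumes a one-word-per-line list saved as Wordlist.txt beside the script, such as the dys2p list, and falls back to a small constructed list so it runs without one; the function names are my own.

```powershell
# Added example, not from the article. Assumes Wordlist.txt (one word per
# line, e.g. the 7776-word dys2p Diceware list) next to the script.

function Get-SecureRandomIndex {
    # Uniform index in [0, $Max) from the OS CSPRNG. Get-Random wraps
    # System.Random, which is fine for shuffling but not for secrets.
    # (On PowerShell 7 the one-liner
    # [System.Security.Cryptography.RandomNumberGenerator]::GetInt32($Max)
    # does the same; the code below also works on Windows PowerShell 5.1.)
    param([Parameter(Mandatory)][int]$Max)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = [byte[]]::new(4)
    # Rejection sampling: discard draws at or above the largest multiple of
    # $Max, otherwise a plain modulo would slightly favour the low indexes.
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    try {
        do {
            $rng.GetBytes($bytes)
            $value = [BitConverter]::ToUInt32($bytes, 0)
        } while ($value -ge $limit)
    } finally {
        $rng.Dispose()
    }
    return [int]($value % $Max)
}

function New-Passphrase {
    # Draw $WordCount words with replacement (each word is an independent
    # log2(N)-bit choice), join them, and reject phrases shorter than
    # $MinLength. Rejections are rare with a 7776-word list and four words,
    # so the reported entropy is a close upper bound.
    param(
        [Parameter(Mandatory)][string[]]$Words,
        [int]$WordCount = 4,
        [string]$Separator = '-',
        [int]$MinLength = 16
    )
    do {
        $picked = foreach ($i in 1..$WordCount) {
            $Words[(Get-SecureRandomIndex -Max $Words.Count)]
        }
        $phrase = $picked -join $Separator
    } while ($phrase.Length -lt $MinLength)
    [pscustomobject]@{
        Passphrase  = $phrase
        Words       = $WordCount
        Length      = $phrase.Length
        EntropyBits = [math]::Round($WordCount * [math]::Log($Words.Count, 2), 1)
    }
}

function Get-KeyspaceBits {
    # Random-character keyspace is N^L: the alphabet size N is only the
    # base, the length L is the exponent, so bits = L * log2(N).
    param([int]$AlphabetSize, [int]$Length)
    [math]::Round($Length * [math]::Log($AlphabetSize, 2), 1)
}

# --- usage ---
$listPath = "$PSScriptRoot\Wordlist.txt"
if (Test-Path -Path $listPath) {
    $wordlist = Get-Content -Path $listPath | Where-Object { $_.Trim() -ne '' }
} else {
    # Constructed stand-in so the script runs without the list; EntropyBits
    # then reflects only these eight words, not 7776.
    $wordlist = 'lampe', 'poster', 'fenster', 'tisch', 'stuhl', 'regal', 'kabel', 'drucker'
}
New-Passphrase -Words $wordlist -WordCount 4 -Separator '-' -MinLength 16

# Length versus complexity: 8 random characters from the 94 printable ASCII
# characters, 16 of them, and what an attacker who knows the word list faces
# for three and four Diceware words (7776^k guesses).
Get-KeyspaceBits -AlphabetSize 94 -Length 8
Get-KeyspaceBits -AlphabetSize 94 -Length 16
foreach ($k in 3, 4) { [math]::Round($k * [math]::Log(7776, 2), 1) }
```

The closing comparison makes the trade-off concrete: eight random printable characters give about 52.4 bits, sixteen about 104.9 bits, while three Diceware words are worth about 38.8 bits and four about 51.7 bits to an attacker who knows the list. A four-word phrase is therefore roughly as strong as the dU7%9IL& style password that nobody can remember, and each further word adds another 12.9 bits, which is why the word count, not the separator or an appended digit, is the setting worth exposing in an intranet front end.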
