How do you remember long passphrases?

Passwords are so last century ... there are two main replacements that you should consider instead, “passphrases” that are intended for you to remember and type in manually, and “password manager passwords”, which you will never type in yourself, instead relying on a specialist password manager application to copy/paste for you.

Password managers are great at coming up with high-entropy sequences of characters that you might be able to manually enter, but you're really not supposed to do so. dXD2cwb%xRm^3W^Qz2Sby3k!FhYZ^GX9 is a fantastic password (well, not now I've published it!) but you're not going to be able to remember it or type it reliably. If you can rely on a password manager application to be around whenever you want to use this, it's a great method to use.

But some things you just have to remember and type for yourself. The passphrase you use to open the password manager itself, for example. Perhaps you have another authentication action you perform a few times a day – sudo, perhaps, for the Unix users. The login to your computer that you need to use on the screen lock whenever you leave the desk for a coffee ... a limited set of these are great candidates for being typed in by hand, and that sort of gibberish above just isn't going to work.

So instead we have passphrases – sequences of words, not sentences. Not lyrics to your favourite songs, not quotations from books, not the names of the players in the football team you support ... but a random sequence of unrelated words that were created by your password manager for you!

Here the number of words that you choose to use is the important factor, not the overall length of the thing. 6 or 7 words seems to be the current (2021) recommendation, but for things that you deem to be more critical or especially long-lived, 9 is a sensible max. Ideally this is something that you're going to be using several times per week, too.
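To make the "count words, not characters" point concrete, here is a small added example (not from the original post) that generates a passphrase with a CSPRNG and works out its entropy from the word count and word-list size alone. It assumes a standard 7776-entry Diceware-style list for the numbers; the short word list inside it is constructed for illustration.

```python
import math
import secrets

# Constructed sample word list for illustration only. A real password
# manager would draw from a list of thousands of words (Diceware has 7776).
SAMPLE_WORDS = [
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "glacier",
    "harbor", "igloo", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pepper", "quartz", "ripple", "saddle", "tundra", "umbrella",
    "violet", "walrus", "yogurt", "zephyr",
]

DICEWARE_LIST_SIZE = 7776  # 6**5: the size of the standard Diceware list
PRINTABLE_ASCII = 94       # alphabet size of a typical manager-generated password


def passphrase_entropy_bits(word_count, list_size):
    """Entropy of word_count words chosen uniformly, with replacement,
    from list_size candidates. Word length never enters the formula:
    'cat ox' and 'umbrella glacier' from the same list are equally strong."""
    if word_count < 1 or list_size < 2:
        raise ValueError("need at least one word and a list of two or more")
    return word_count * math.log2(list_size)


def password_entropy_bits(length, alphabet_size):
    """Same calculation for a character-by-character random password,
    so the two styles can be compared on one scale."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("need a positive length and an alphabet of two or more")
    return length * math.log2(alphabet_size)


def generate_passphrase(words, word_count):
    """Pick the words with the secrets module (a CSPRNG), never random.choice,
    and join with spaces so the result is easy to type by hand."""
    if word_count < 1:
        raise ValueError("word_count must be positive")
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    for n in (6, 7, 9):
        bits = passphrase_entropy_bits(n, DICEWARE_LIST_SIZE)
        print(f"{n} words from a {DICEWARE_LIST_SIZE}-word list: {bits:.1f} bits")
    print(f"32 random printable chars: "
          f"{password_entropy_bits(32, PRINTABLE_ASCII):.1f} bits")
    print("sample phrase:", generate_passphrase(SAMPLE_WORDS, 5))
```

Run it and you will see why the recommendation is given in words: each extra Diceware word adds the same 12.9 bits whether the word is three letters or nine.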

But how easy is it to remember 9 unrelated words? This is what a few examples look like :-

How are you going to remember all that?

Well, to start with, some unexpected advice ... as long as you don't work in a maximum security environment ...

Writing the phrase down on a small piece of paper that you store somewhere secure (like with your credit cards), while you're getting used to using it and remembering it, is a good idea! Just remember to securely destroy it when you don't need it any more, and of course don't write any other identifying information on there.

But there's another way to store a reminder for a passphrase too – turn the words into a series of icons or pictures, and use those to remind yourself of what the actual words are. The advantage here is that any given image that you choose could represent dozens of different words, depending on how they're interpreted, and no-one will be able to work out the actual passphrase directly. Have you ever played Pictionary?

This means that the reminder image could be somewhere less secure than your wallet – and therefore somewhere a little more useable. If you use a paper notebook, perhaps inside the front cover ... it's still somewhere relatively secure.

A great source of simple icons is https://thenounproject.com/ but honestly any images you get from a search engine would work well too.

So let's take a new passphrase, only 5 words this time for brevity, and see what we can come up with ...

That's not a bad selection of icons! You can probably hand-draw a version of these onto a notebook quite quickly, and when you look at them later they help to remind you of the passphrase ...

Let's try another longer one ... can you work out what this set of images is for?

Some of the words in that passphrase didn't provide a direct search result, so I substituted some other related words in order to get a useable image. This is pretty much the point – these images are a reminder to me because I'm the one that did the work to choose them. If you want to hand-draw them, even if, like me, you're no artist, it'll still be effective, and you can change details to suit what makes sense to you ...

If you pick your own images to use for the words in your passphrase, you'll find them to be a very effective and reasonably safe reminder to use!