Strong Passwords and Passphrases
What makes a password actually hard to crack?
- Explain why long passwords beat complex short ones
- Craft passphrases using the diceware/four-word method
- Use a password manager conceptually
Overview
Attackers rarely guess passwords by hand. They run programs that try billions of guesses per second, working from leaked password lists and dictionaries. Under that kind of attack, length matters far more than symbols. A 16-character passphrase of ordinary words is stronger than a random 8-character mess — and much easier to remember.
Why Length Wins
Each extra character multiplies the number of possibilities. A 16-character passphrase can take centuries to brute-force even at billions of guesses per second.
The Passphrase Method
Pick four unrelated words at random ('correct horse battery staple'), add one number and one symbol, and use different phrases on different sites. Never re-use passwords across accounts.
Password Managers
Tools like Bitwarden or 1Password generate and store unique passwords for every site. You only need to remember one master passphrase.
Craft and Test
- Each student writes 3 passphrases (never their real ones).
- Test each on a password-strength tool provided by the teacher.
- Discuss why some scored higher than others.
- Why is a 20-character passphrase usually safer than an 8-character random password?
Reveal answer
The number of possible combinations grows exponentially with length.
- What is the main risk of re-using passwords?
Reveal answer
One leaked site exposes every other account that shares the password.
- How does a password manager help security?
Reveal answer
It generates and stores unique long passwords so users only remember one.
Write 5 passphrases (not your real ones). Rank them by strength and explain why.