There are various approaches to creating a good passphrase for your wallet. You can go with something that is quick to type but not so easy to remember, such as “5Xai1WhSYu”, or you can opt for a sentence that is easy to remember but takes longer to enter into your Trezor, such as “Buying a Trezor was the wisest choice I ever made.”

Another option is to make up a sequence of random words like “correct horse battery staple”. This all depends on what is easiest for you to memorize and how often you enter the passphrase. In this blog post we would like to give you a better idea of how strong your passphrase is, depending on the method and length you use.

Option 1: A random sequence of words

The first method for creating a passphrase is to choose several words from a list of words, at random. You can take a dictionary, open it on a random page, and select a word by placing your finger on the page, eyes closed, and repeat this several times to get a four or five word passphrase.

However, humans are not very good at making random choices, so a better method might be to select words by rolling some dice and using the result to select a word from a word list.

A popular choice is Arnold Reinhold’s Diceware list [Rei95], first published in 1995. The list contains 7,776 words, which is equal to the number of possible ordered rolls of five six-sided dice (7776 = 6⁵). Joseph Bonneau recently made enhancements to this list [Bon16], eliminating words that are uncommon or difficult to spell, and also introduced a shortened version with only 1,296 words.

You roll only four dice to select words from the Short Diceware list (1296 = 6⁴). The list works like a dictionary. Each word in the list is prefixed by a unique four-digit number. These four digits indicate the word you should choose when you roll that combination on the dice. So for example if you roll:

Then you should choose the word which has the number 4216, and that is the word “move”:

…
4215 mouth
4216 move
4221 movie
…

If you use the Short Diceware wordlist to generate your passphrase, then compared with the Long Diceware list you will need more words to achieve the same level of security, but the words in the Short Diceware list are shorter. As a result, a four-word passphrase from the Long Diceware list will have 28.0 letters on average, whereas a five-word passphrase from the Short Diceware list will have only 22.7 letters on average. To give an example, the following passphrases provide the same level of security:

Using Short Diceware: “float volt limes rhyme nest”

Using Long Diceware: “freeway oppose spinout managing”

Option 2: A random-character passphrase

Another method of creating a passphrase is to use the same rules that you are often asked to follow for creating a password. Choose a random sequence of characters with uppercase and lowercase letters, numbers, punctuation and special characters like #!@+ etc.

If you don’t like using special characters, for example, you don’t have to use them, but then you need to make your passphrase longer to achieve the same level of security. Similarly, if you find it difficult to remember whether a letter in your passphrase is lowercase or uppercase, you can use only lowercase letters, but again you have to make the passphrase longer to compensate.

Here are some examples:

Option 3: A valid English sentence

Using a valid English sentence or a poem as a passphrase is also an option. It will be easy to remember, but it needs to be long enough and random enough to provide a sufficient level of security.

The right length depends on the amount of entropy (randomness) per word. The estimates for a grammatically correct and semantically valid English sentence vary. A conservative estimate is 5.7 bits per word given in [Mon11], which is what we use in our calculations below.

The greatest problem with this option remains: humans are not very good at making random choices. You certainly cannot use your favorite quote from a book or a movie, as these would be at the top of an attacker’s list of passphrases to check. Similarly, you cannot use a published poem; it has to be a poem you make up yourself.

Passphrase length and security

Assume an attacker steals your BIP-0039 recovery seed and attempts to guess the correct passphrase in order to access your wallet. They can do a brute-force / dictionary attack to search through possible passphrases you might have used. If you chose your passphrase well, then that will take them a lot of time and computing power.

One way they can do this is to rent an NVIDIA Tesla V100 GPU from Amazon AWS, which can compute 2160 million SHA-512 hashes per second (see hashcat benchmarks) at $3.06 per hour (see Amazon EC2 Pricing).

With the recovery seed in hand, checking one passphrase requires 2048 HMAC computations, the derivation of some public keys, and checking whether any of them appear on the blockchain. That amounts to over 4096 SHA-512 computations plus additional work checking the blockchain. Thus the attacker could check no more than 620 million passphrases for $1.

This might seem like a huge number, but if you use a random passphrase of 12 lowercase letters, then the attacker would have to check about 48,000,000,000,000,000 passphrases on average, before hitting the right one. That translates to $77 million in today’s prices! If you add uppercase letters and numbers to the mix, you need only 9 or 10 random letters to achieve the same level of security.

One needs to take into account that the price of computing power will decrease in the future, making this attack cheaper. When choosing the passphrase length, you should make sure it remains secure for the next few years.

According to Moore’s law, the cost of any fixed attack effort drops by a factor of 2 every 18 months [Len05]. This means that in 10 years time the cost of an attack could drop to one hundredth of today’s costs. In the example above that translates to around $750,000, which probably won’t be worth it for an attacker, unless they know you are storing over $1,000,000 of cryptoassets on your Trezor.
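The cost estimate above, carried through in code as an added example (this is not code from the post or from Trezor). It uses the post’s figures (2160 million SHA-512/s, $3.06 per hour, 4096 SHA-512 per passphrase check, Moore’s law doubling every 18 months, 5.7 bits per word for English sentences) and assumes the attacker finds the passphrase halfway through the search space on average; the method names and the `years_ahead` parameter are this example’s own.

```python
import math

# Figures from the post: one Tesla V100 at 2160 M SHA-512/s for $3.06/h,
# and 4096 SHA-512 computations per passphrase check (2048 HMAC rounds).
HASHES_PER_SECOND = 2160e6
USD_PER_HOUR = 3.06
SHA512_PER_CHECK = 4096
MOORE_DOUBLING_MONTHS = 18

# Entropy per unit (word or character) for each method discussed in the post.
BITS_PER_UNIT = {
    "long_diceware": math.log2(7776),    # five dice: 6^5 words
    "short_diceware": math.log2(1296),   # four dice: 6^4 words
    "lowercase": math.log2(26),          # a-z only
    "lower_upper_digits": math.log2(62), # a-z, A-Z, 0-9
    "english_sentence": 5.7,             # conservative estimate from [Mon11]
}

def checks_per_dollar() -> float:
    """Passphrase checks an attacker gets for $1 of rented GPU time."""
    return HASHES_PER_SECOND * 3600 / SHA512_PER_CHECK / USD_PER_HOUR

def entropy_bits(method: str, length: int) -> float:
    """Total entropy of a passphrase of `length` words/characters."""
    return BITS_PER_UNIT[method] * length

def units_needed(method: str, target_bits: float) -> int:
    """Smallest number of words/characters reaching `target_bits`."""
    return math.ceil(target_bits / BITS_PER_UNIT[method])

def attack_cost_usd(bits: float, years_ahead: float = 0) -> float:
    """Expected cost to find the passphrase, discounted by Moore's law."""
    expected_guesses = 2 ** bits / 2  # found halfway through on average
    doublings = years_ahead * 12 / MOORE_DOUBLING_MONTHS
    return expected_guesses / checks_per_dollar() / 2 ** doublings

if __name__ == "__main__":
    # Assumed sample rows; mirrors the post's worked example and word lists.
    rows = [("lowercase", 12), ("lower_upper_digits", 10),
            ("short_diceware", 5), ("long_diceware", 4),
            ("english_sentence", 10)]
    print(f"{'method':20} {'len':>3} {'bits':>6} {'today $':>14} {'in 10y $':>14}")
    for method, length in rows:
        bits = entropy_bits(method, length)
        print(f"{method:20} {length:>3} {bits:6.1f} "
              f"{attack_cost_usd(bits):14,.0f} {attack_cost_usd(bits, 10):14,.0f}")
```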

Finally, the table you have been waiting for. This table shows how much it would cost to break your passphrase today and in 2030, depending on the length and method you use: