One creative solution that I see many people have about passwords and passphrases is to use non-English words and characters.
The thinking is that mixing English words and characters with other languages will make the password harder to crack, and thus it’s more secure.
But is this true?
When you boil it down to the simplest of terms, then yes, adding non-English words and characters to your passwords and passphrases will make them more secure.
It could also be making you less secure and, overall, it’s not the most important factor you should be worrying about.
Why Using Other Languages Can Make Your Passwords More Secure?
The strength of your password comes from its entropy. We get entropy from how many characters and/or words you use, the more you use, the more entropy and the harder to guess your password.
If you combine these two numbers, you would have 264,476 words to pick from for your password/passphrase. It’s a larger number than either one, so you would have greater entropy and thus your password/passphrase would be stronger.
There are several problems with this, though:
- People are predictable.
- You’re trying to be clever.
- We must assume the attacker knows how we made our password.
Let’s explain each point in more detail and why using multiple languages for passwords and passphrase might not be ideal.
People Are Predictable
I can’t argue against using multiple languages will result in more entropy for your password, but I can argue that people are naturally lazy and overall predictable.
In every language, there is always the top 100, 1,000, and 10,000 most common words.
People naturally, no matter what language they speak, will most often pick the most common words for their passwords and passphrases.
An attacker can (and have) easily compile a list of the top 1,000 words for every language and have them on the ready for cracking. It’s a one-time thing they need to set up, with many others having already done the work for you. That link is from 2012, so rest assured there are plenty of updated word list now. Also, with huge lists from Collection 1 to 5 there are already many passwords in many different languages that have been cracked, you’re not doing anything special or different.
Attackers already know the tricks and have their list always being updated.
You’re trying to be clever, and it’s not going to work. Being clever distracts you from what you should be doing instead.
Stop Trying To Be Clever
Instead of trying to be clever with your passwords, you need to trust the math.
Math is rigid, while being clever can backfire.
The passphrase “cat gato chatte macska” is clever, but you are only saying “cat” in four different languages. This would be an incredibly easy password to guess.
Instead, you must rely on the math. To rely on the math, passwords must be picked at random. You can’t pick the words or characters, you need dice or a random computer generator to pick them for you, or else you may use something predictable.
The English diceware list has 7,776 words that you randomly pick from. There is even diceware word list in other languages too. You could combine them to increase your entropy, but sticking to one word list and then adding one more word would be more beneficial.
For example:
4 word passphrase from the 7,776 English Diceware list has an entropy of 51.70 bits.
If we double that word list to 15,552, 4 words from that larger list would have an entropy of 55.70 bits.
If we instead just added one more word to our passphrase from the smaller list of 7,776 we would have an entropy of 64.62 bits.
The higher the bits of entropy, the better. As we can see, having more words in our list wasn’t as helpful as adding just one more word to our passphrase.
The time you spend trying to be more clever by using different languages will make things more complicated without being more impactful. Time is better spent adding one more word than trying to complicate things further.
The last thing you want is to be so clever that the only person you keep out is yourself with the extra complexity you’re adding. Sometimes it’s better to keep things easy and simple.
Assume The Attacker Knows!
When it comes to passwords, it’s best to assume they know how you made your password.
I know, assuming is not a good for most things, but it’s a safe bet when it comes to passwords.
Working under the assumption that the attacker knows how you made your password would mean they know you used different languages to make your passwords/passphrases. So all that effort is wasted, and the attacker knows to adjust for the cracking station.
It’s even more worrying when you consider that people are predicable and try to be clever, this lowers the entropy and makes guessing the passwords easier.
This is why it’s more important to trust the math.
Let the random password generator do the math and create the password for you. Don’t overthink it and try to find shortcuts, if it’s a shortcut for you, then it’s a shortcut for the attacker too!
What Passwords Should You Use?
You should stick with your native language for most situations.
Instead of being clever, you need to trust the math and be random with a password generator. The easiest way to do this is with a password manager. Let the password manager generate and store all the passwords and passphrases for you.
You’ll still need to have a master password for your password manager, and this is where a passphrase come in. We go over how to make a master password here.
As for when should you use a password over a passphrase, it’s simple, use a passphrase for anything you may have to manually type in and passwords for everything else. Your master password, email password, or even passwords you have to enter by TV remote are great options for passphrases.
The best password and passphrase you can use is one you did not create. Avoid trying to be clever and trust the math. The last thing you want is a password or phrase so complex that the only person it keeps out is yourself, this is especially true for your master password. Keep it simple, trust the math and don’t overthink it.
What You Shouldn’t Do!
When it comes to passwords or passphrases, you should avoid using single words, no matter the language.
If your password is simply “dragon” that is not secure at all, nor is adding numbers or special characters.
It’s okay to use dictionary words in your passwords, as long as it’s multiple random words.
Let a password manager or a password generator create the passwords for you. Then store those passwords in a password manager or password book.