What makes a passphrase strong?
A strong passphrase is long, difficult to predict, and used only for one security system. Length matters because every additional unpredictable word greatly increases the number of guesses an attacker must try. A phrase made from several unrelated words is usually easier to remember than a short password filled with substitutions.
Do not build the phrase from a quotation, song lyric, keyboard pattern, birthday, pet name, address, or information visible on social media. Attackers test common phrases and personal patterns before attempting truly random guesses.
A practical method
- Choose at least five or six unrelated words using a trustworthy random method.
- Add natural spacing or punctuation only if you can reproduce it exactly.
- Keep the phrase private and never reuse it as a normal website password.
- Practice entering it correctly before depending on it.
An example structure could be “harbor-lantern-cactus-orbit-velvet-river”. Do not use that exact example because it is now public. Generate your own unrelated words.
Length versus complexity
A short password such as “P@ssw0rd!” looks complex but follows a famous pattern. A much longer random phrase is normally harder to guess and easier to type. Symbols and numbers can help when they are chosen unpredictably, but predictable substitutions such as replacing “a” with “@” add less protection than people expect.
For Kardix, the passphrase protects every credential derived from it. That makes passphrase quality especially important. A weak phrase could allow an attacker who understands the algorithm to test guesses offline without contacting each website.
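The practical method above (random selection of five or six words) and the offline-guessing concern in this paragraph, as an added example that is not Kardix code: it draws words with a CSPRNG, computes the entropy of the result, and shows how the average offline cracking time grows with each extra word. The tiny wordlist, the 7776-word list size and the 1e10 guesses/second rate are assumptions made only for illustration.

```python
import math
import secrets

# Constructed demo wordlist (assumption, not a Kardix list): a real generator
# loads a published list of thousands of words; the tiny size here only
# keeps the example self-contained.
DEMO_WORDS = (
    "harbor lantern cactus orbit velvet river maple quartz ember tundra "
    "falcon pebble saddle comet willow anchor"
).split()

def generate_passphrase(words, count=6, separator="-", pick=secrets.choice):
    """Join `count` words chosen uniformly at random with a CSPRNG.

    `pick` defaults to secrets.choice; random.choice would be predictable and
    is exactly the kind of untrustworthy random method the guidance warns
    against. Words are drawn with replacement, so the entropy formula below
    is exact.
    """
    if count < 1 or len(words) < 2:
        raise ValueError("need at least one word from a list of two or more")
    return separator.join(pick(words) for _ in range(count))

def entropy_bits(wordlist_size, count):
    """Entropy of `count` uniformly chosen words: count * log2(list size)."""
    return count * math.log2(wordlist_size)

def expected_crack_seconds(bits, guesses_per_second):
    """Average time to hit the phrase when guesses are tested offline.

    An attacker who knows the derivation can try candidates locally, so the
    only protection is the size of the space: on average half of it.
    """
    return (2.0 ** bits) / 2 / guesses_per_second

def compare_lengths(wordlist_size=7776, guesses_per_second=1e10):
    """Rows of (word count, entropy bits, years to crack) for 4 to 7 words.

    7776 is the size of a standard diceware-style list; 1e10 guesses/second
    is an assumed offline hashing rate chosen only to show the growth.
    """
    year = 365 * 24 * 3600
    rows = []
    for n in range(4, 8):
        bits = entropy_bits(wordlist_size, n)
        rows.append((n, round(bits, 1),
                     expected_crack_seconds(bits, guesses_per_second) / year))
    return rows

if __name__ == "__main__":
    print(generate_passphrase(DEMO_WORDS))
    for n, bits, years in compare_lengths():
        print(f"{n} words: {bits:5.1f} bits, ~{years:.3g} years")
```

Four words from a 7776-word list give about 52 bits (under a day at the assumed rate); six give about 78 bits (hundreds of thousands of years), which is why the guidance asks for at least five or six.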
Protect the passphrase itself
Enter it only on a trusted device and on the genuine Kardix address. Avoid public computers, unknown browser extensions, screen-sharing sessions, and devices that may contain malware. Never send the phrase through chat, email, screenshots, or QR codes.
If you keep an emergency copy, store it offline in a physically secure place. Do not store the passphrase beside a list of labels and recovery details where one theft reveals the complete system.
Common mistakes
- Using a sentence that appears in books or online.
- Reusing an email, banking, or device password.
- Choosing only four common words by personal preference rather than randomly.
- Changing capitalization or punctuation and then forgetting the exact form.
- Assuming SHA-256 can compensate for a weak secret.
Before you rely on it
Test the phrase and label several times, close the page, reopen it, and confirm that the same credentials return. For important accounts, maintain an independent recovery method such as verified recovery codes stored securely. Kardix cannot reset a forgotten passphrase.
Related guidance
Read how offline guessing works, review the complete Kardix security guide, and learn why every account needs unique credentials.