12.1. How to choose a good passphrase

The passphrase is the last line of defence for your private key, should your key pair fall into enemy hands. This can happen more easily than you think: someone steals your laptop, malware on your infected machine uploads your private documents to a rogue server, or in a moment of thoughtlessness you distribute your whole key pair instead of just your public key.
With your secret key and your passphrase, anyone can impersonate you by signing messages on your behalf, and decrypt messages that were intended for your eyes only.

Luckily, the passphrase provides quite good protection: GnuPG derives an encryption key from it and encrypts the private key with a strong symmetric cipher. Bear in mind, though, that an attacker who has obtained the key file can run password-guessing or brute-force programs against it offline, at their own pace and with no lockout; GnuPG's iterated key derivation slows each guess down only by a constant factor, so the protection is only as strong as the passphrase itself. It is therefore important to choose a strong passphrase that cannot be cracked easily. In this section we illustrate some criteria to do so.

GnuPG/Enigmail also allow you not to set a passphrase on your key pair. This is absolutely not recommended and should be done only in exceptional circumstances, for instance when non-interactive processing is needed; the private key is then protected by nothing but the file permissions of the machine it lives on.

Do not use the following as your passphrase:
Your name, address, age, date or place of birth, car license plate, the name of your spouse, children, parents, pets, or any other information related to you;
Words in any language/dialect, past or present, real or imaginary, e.g. French, Cockney, Latin, Elven, and Klingon;
Names of real or fictitious people or places;
Names of movies, songs, music bands, groups, and the like;
Obvious sequences of letters and/or numbers, e.g. abc123, qwertyu, YYYYYYYY;
Numerical constants, e.g. 2.718281828459 (the mathematical constant e);
Any of the above written in all uppercase, all lowercase, or with alternating case, e.g. CaLiFoRnIa;
Any of the above prefixed or suffixed by a single character, e.g. +California, California3;
Any of the above with obvious replacements, e.g. C4l1f0rn14;
Anything shorter than 8 characters (Enigmail will not even let you choose a passphrase shorter than that);
A password that you already use elsewhere (e.g. on web sites or for your email account).
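The rules above that can be checked offline, together with the minimum-length and "at least 3 character classes" rules from the criteria that follow, can be mechanised. The following checker is an added example, not code from the Enigmail handbook or from GnuPG: WORDLIST is a tiny constructed stand-in for a real dictionary and name list, the LEET table and keyboard rows are assumptions about what crackers try first, and the "password you already use" rule cannot be checked by a program at all.

```python
"""Pre-check a candidate passphrase against the handbook's "do not use" rules.

Added example (not from the Enigmail handbook or GnuPG). It covers the
checks that can be done offline: minimum length, the "at least 3 character
classes" rule, obvious keyboard/alphabet sequences and repetitions, and
dictionary words disguised by case changes, a single extra character, or
leet-style substitutions.
"""
import re
import string

# Constructed stand-in for a real dictionary plus name list (all lower-case).
WORDLIST = {
    "california", "chopin", "debussy", "bach", "strauss", "beethoven",
    "password", "secret", "london", "pepper", "dylan",
}

# Undo the replacements attackers try first (rule: C4l1f0rn14 is still California).
LEET = str.maketrans("4310$!@5", "aeiosias")

# Runs drawn from these strings (or their reverse) count as obvious sequences.
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm",
             string.ascii_lowercase, string.digits]

CLASS_TESTS = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())


def character_classes(passphrase: str) -> int:
    """Number of character classes (upper, lower, digit, symbol) present."""
    return sum(any(test(c) for c in passphrase) for test in CLASS_TESTS)


def is_obvious_sequence(passphrase: str) -> bool:
    """True for repetitions (YYYYYYYY, abab...) and keyboard/alphabet runs (abc123, qwertyu)."""
    s = passphrase.lower()
    if s and s in (s + s)[1:-1]:          # the string is a shorter pattern repeated
        return True
    runs = [r for r in re.findall(r"[a-z]+|[0-9]+", s) if len(r) >= 3]
    return bool(runs) and all(
        any(r in seq or r in seq[::-1] for seq in SEQUENCES) for r in runs
    )


def dictionary_core(passphrase: str):
    """The dictionary word the passphrase is built on, or None.

    Handles the case-change, single prefix/suffix and obvious-replacement rules
    by normalising first, then trying the string with one edge character removed.
    """
    n = passphrase.lower().translate(LEET)
    for core in (n, n[1:], n[:-1], n[1:-1]):
        if core in WORDLIST:
            return core
    return None


def check_passphrase(passphrase: str) -> list:
    """Return the rule violations found; an empty list means the offline checks pass."""
    problems = []
    if len(passphrase) < 8:
        problems.append("shorter than 8 characters")
    classes = character_classes(passphrase)
    if classes < 3:
        problems.append(f"only {classes} character class(es), need at least 3")
    if is_obvious_sequence(passphrase):
        problems.append("obvious sequence or repetition")
    core = dictionary_core(passphrase)
    if core:
        problems.append(f"based on the word '{core}'")
    return problems


if __name__ == "__main__":
    for candidate in ("California3", "C4l1f0rn14", "qwertyu", "Ch7op8in",
                      "Iw20yat/SPttbtp/thbgiaoos/btagtras."):
        print(f"{candidate!r}: {check_passphrase(candidate) or 'ok'}")
```

A passing result only means the candidate survived these mechanical tests; a real dictionary, a name list and the quote-based checks in the rest of this section still apply.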
Instead, use these criteria to create a passphrase:
Always use a mix of at least 3 of the following character classes in your passphrase: uppercase letters, lowercase letters, numbers, and symbols like # * ! ? + - ( & /;
Insert two or more characters inside a word or name, e.g. Ch7op8in, Debus!Z*sy;
Join two words or names with two or more characters, e.g. Bach#+Strauss;
Nest one word or name inside another, e.g. BeLudwigethoven (combine this with the character-class rule above, since letters alone give only two classes);
Condense a proverb, a quote, a verse from a poem, a line from a movie, or any sentence you have fixed in your mind:

      Iw20yat/SPttbtp/thbgiaoos/btagtras.

This might seem impossible to remember but is in fact quite easy, once you think about the lyrics of Sgt. Pepper's Lonely Hearts Club Band by Lennon/McCartney:

“It was twenty years ago today
Sgt. Pepper taught the band to play
They've been going in and out of style
But they're guaranteed to raise a smile.”

Each letter of the passphrase is the first letter of a word (a contraction such as they've counts as two words, they have). In the first line, the number is written in figures instead of being spelt out. In the second line, the name of the protagonist of the song is in uppercase letters. Each verse is separated by a slash, and a final dot is added.
You can make up the rules as you prefer.
Another possible passphrase would be

      HwmyrsmtBeyuclhm?

This one comes from Bob Dylan's Blowin' In The Wind and is derived from the first and last letter of each word, considering only the first four words of each verse:

“How many roads must a man walk down
Before you call him a man?”

These are the strongest passphrases, as they look like random sequences of letters. Their strength comes from the source and the rule being hard to guess, not from the letters themselves: the first letters of very famous lines have been collected into crackers' word lists, so an obscure quote or a rule of your own (as in the Dylan example) is worth more than a plain first-letter version of a famous chorus.
You can use an existing quote and make up the rules to transform it into a passphrase; should you ever forget the quote, a quick look in a book will solve the problem. You may also invent your own quote, although in this case forgetting it would be fatal, since there is no way to recover a private key whose passphrase is lost.
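The two condensation rules described above can be written down as a repeatable procedure, which is also a good way to make sure the rule you invent is one you can reapply years later. The code below is an added example, not part of the Enigmail handbook: it encodes the first-letter rule (figures for spelt-out numbers, chosen names in upper case, a slash between lines, a final dot) and the first-and-last-letter rule, and reproduces the two passphrases from the lyrics quoted above. The case handling for the first rule (everything lower case except the chosen names, then the first character capitalised) and the short number and contraction tables are assumptions made here; the handbook leaves such details to you.

```python
"""Turn a memorised quote into a passphrase with an explicit, repeatable rule.

Added example, not code from the Enigmail handbook. `condense` implements
the first-letter and first-and-last-letter rules described in the handbook
and is checked against the two passphrases given there. Case handling and
the number/contraction tables are assumptions chosen to match those examples.
"""

# Spelt-out numbers replaced by figures (assumed small table; extend as needed).
NUMBER_WORDS = {
    "one": "1", "two": "2", "three": "3", "four": "4", "five": "5",
    "six": "6", "seven": "7", "eight": "8", "nine": "9", "ten": "10",
    "twenty": "20", "thirty": "30", "forty": "40", "fifty": "50",
    "hundred": "100", "thousand": "1000",
}

# Contractions are expanded into two words, as the first example does
# ("They've" -> "They have" gives the 'th' at the start of 'thbgiaoos').
CONTRACTIONS = {
    "they've": "they have", "they're": "they are", "we've": "we have",
    "i'm": "i am", "it's": "it is", "don't": "do not", "can't": "can not",
}

PUNCT = ".,;:!?\"'“”‘’()"


def words_of(line: str) -> list:
    """Split a line into words, dropping punctuation and expanding contractions."""
    out = []
    for raw in line.split():
        w = raw.strip(PUNCT)
        if not w:
            continue
        expanded = CONTRACTIONS.get(w.lower())
        if expanded:
            first, rest = expanded.split(" ", 1)
            # keep the capitalisation of the original word on its first part
            out.append(first.capitalize() if w[0].isupper() else first)
            out.extend(rest.split())
        else:
            out.append(w)
    return out


def condense(text: str, *, take: str = "first", max_words=None,
             uppercase=(), sep: str = "", end: str = "",
             keep_case: bool = False) -> str:
    """Condense each line of `text` to a chunk of letters and join the chunks.

    take       "first": first letter of each word; "ends": first and last letter
    max_words  use only the first N words of each line (None = all of them)
    uppercase  words (case-insensitive) whose letters are emitted in upper case
    sep        string placed between lines
    end        string appended at the end
    keep_case  keep the source's letter case instead of lower-casing everything
    """
    upper = {u.lower() for u in uppercase}
    chunks = []
    for line in text.strip().splitlines():
        chunk = ""
        for w in words_of(line)[:max_words]:
            key = w.lower()
            if key in NUMBER_WORDS:
                chunk += NUMBER_WORDS[key]      # figures instead of spelt-out numbers
                continue
            letters = w[0] if take == "first" else w[0] + (w[-1] if len(w) > 1 else "")
            if key in upper:
                letters = letters.upper()
            elif not keep_case:
                letters = letters.lower()
            chunk += letters
        chunks.append(chunk)
    result = sep.join(chunks) + end
    if not keep_case and result:
        result = result[0].upper() + result[1:]  # assumption: capitalise the start
    return result


# The lyrics quoted in the handbook, embedded here as the sample input.
SGT_PEPPER = """It was twenty years ago today
Sgt. Pepper taught the band to play
They've been going in and out of style
But they're guaranteed to raise a smile."""

BLOWIN = """How many roads must a man walk down
Before you call him a man?"""


if __name__ == "__main__":
    print(condense(SGT_PEPPER, uppercase={"sgt", "pepper"}, sep="/", end="."))
    print(condense(BLOWIN, take="ends", max_words=4, end="?", keep_case=True))
```

Because the quote itself is never stored, only the rule needs to be remembered; if you forget the exact wording, the printed result will differ from your passphrase letter by letter, which is why the handbook's advice to pick a quote you can look up again matters.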