From the previous HN thread on this:<p><i>To have fun on April Fools' Day we wanted to build something useful and funny: we created a new XKCD-like password generator that can use dictionaries in different languages and show a picture for each generated term by searching Google Images. We had a lot of laughs playing around with Italian and English passwords and we hope you'll have as much fun with this as we did!</i>
<a href="https://news.ycombinator.com/item?id=9304688" rel="nofollow">https://news.ycombinator.com/item?id=9304688</a><p>It should be just for fun and education, anyone foolish enough to use these generated passwords as real passwords is well ... foolish enough. Flaw #1: no HTTPS.
<a href="https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html" rel="nofollow">https://www.schneier.com/blog/archives/2014/03/choosing_secu...</a><p>> This is why the oft-cited XKCD scheme for generating passwords -- string together individual words like "correcthorsebatterystaple" -- is no longer good advice. The password crackers are on to this trick.
- It would be good to document the entropy evaluation for readers to check if the assumptions are correct.<p>- Which random number generator is involved? Optimally, the user should be able to put his plain entropy in the locally run "nice password" maker for which he also checked the source code. Anything else, IMHO, isn't more than the game inspired by the real problem.<p>Edit:
itcrowd clears it up: it's made for April 1st, that explains the problems.<p>- Worth knowing, a simple solution to real user-generated entropy:<p><a href="http://world.std.com/~reinhold/diceware.html" rel="nofollow">http://world.std.com/~reinhold/diceware.html</a><p>The page could actually be useful if it ran fully locally (e.g. on an air-gapped computer) and took as input the values of the user-thrown dice.
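The two points raised above (document the entropy evaluation, and let the user feed in their own dice rolls locally) can be made concrete in a few lines. The following is an added example written for this thread, not code from the linked generator or from the Diceware page. It uses a constructed 36-word toy list so it runs offline; the real Diceware list has 7776 words indexed by five dice, and the functions are written so that any list of size 6^k works with k dice per word. Entropy is computed the standard way for this scheme, as words × log2(list size), which is the figure that matters once a cracker knows the dictionary (the point made in the Schneier quote above), and the non-dice path uses Python's `secrets` module rather than `random`.

```python
import math
import secrets
from typing import Sequence

# Constructed toy word list for this example (36 = 6^2 entries, so two dice pick a word).
# The real Diceware list has 7776 = 6^5 entries and uses five dice per word.
TOY_WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord",
    "gravel", "harbor", "ivory", "juniper", "kettle", "lantern",
    "marble", "nectar", "orchid", "pepper", "quartz", "raven",
    "saddle", "timber", "umber", "velvet", "walnut", "yarrow",
    "zephyr", "acorn", "bramble", "cider", "dagger", "elm",
    "falcon", "ginger", "hazel", "iris", "jasper", "kelp",
]
DICEWARE_LIST_SIZE = 7776


def dice_to_index(rolls: Sequence[int]) -> int:
    """Interpret dice rolls (each 1..6, most significant first) as a base-6 number."""
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError(f"invalid die value: {r}")
        index = index * 6 + (r - 1)
    return index


def passphrase_from_rolls(rolls: Sequence[int], wordlist: Sequence[str], dice_per_word: int) -> str:
    """Build a passphrase purely from user-supplied dice rolls (no RNG involved)."""
    if len(wordlist) != 6 ** dice_per_word:
        raise ValueError(f"wordlist must have exactly {6 ** dice_per_word} entries")
    if len(rolls) == 0 or len(rolls) % dice_per_word != 0:
        raise ValueError(f"need a multiple of {dice_per_word} rolls")
    words = [
        wordlist[dice_to_index(rolls[i:i + dice_per_word])]
        for i in range(0, len(rolls), dice_per_word)
    ]
    return " ".join(words)


def generate_passphrase(num_words: int, wordlist: Sequence[str]) -> str:
    """Local alternative when no dice are at hand: secrets.choice is a CSPRNG-backed pick."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


def entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase of uniformly chosen words, assuming the attacker knows the list."""
    return num_words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words from this list that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    # Constructed rolls: two dice per word with the toy list.
    rolls = [1, 1, 6, 6, 3, 4, 2, 5]
    print(passphrase_from_rolls(rolls, TOY_WORDLIST, 2))
    print(generate_passphrase(4, TOY_WORDLIST))
    print(f"4 toy words:      {entropy_bits(4, len(TOY_WORDLIST)):.1f} bits")
    print(f"4 Diceware words: {entropy_bits(4, DICEWARE_LIST_SIZE):.1f} bits")
    print(f"Diceware words for 80 bits: {words_needed(80, DICEWARE_LIST_SIZE)}")
```

The numbers are the part worth documenting on such a page: four words from the 7776-entry Diceware list give about 51.7 bits, and reaching 80 bits takes seven words, regardless of how amusing the pictures are.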
Nice, but I think I'll be sticking with Preshing's version. I even have my mom using it plus KeePass.<p>My usage is to generate four words, replace a/e/I/o in one of them with 4/3/1/0, capitalize, and throw on some punctuation that makes sense.<p>Sites with forced password limits and those that don't accept special characters are still a pain, but using dashes, capitalization, or three of the four words usually helps.<p><a href="http://preshing.com/20110811/xkcd-password-generator/" rel="nofollow">http://preshing.com/20110811/xkcd-password-generator/</a>
Unless the test will be performed using dictionary words only. Starting with 1 word 1st capital letter followed by 1st lower case. I think the calculation time would drop significantly.
For me, at least, I'd rather use a line of poetry that is clearly already memorised. An old router password was "It profits little an idle king, <i>etc</i>". (Thanks Frasier). I imagine the real winners would be older work with non-current English, or perhaps some good nonsense?<p>Obviously when someone knows that's my thing it's easier to crack though... I shouldn't have said anything :(
Serving the password and copying it over HTTP is actually a very bad idea.<p>Moreover, for my language I have some non-Latin symbols. I'm not sure if every service can be trusted to treat a non-Latin-alphabet password properly. And this tool generates words with umlauts that we don't even have in Latvian. Some words are already transliterated, some not - that doesn't help.
This site <a href="http://correcthorsebatterystaple.net" rel="nofollow">http://correcthorsebatterystaple.net</a> takes its inspiration from the same XKCD cartoon.<p>It lacks the language choice but other options are more useful to me. Also the domain is easily memorable.
A good password could be created by using a sentence with > 14 words. And then you should use the first letters in their plain form, i.e. "This is a sunny day" will be: Tias, now you should change any s/S to a $ and any a/A to a @, after that you should add the last two bits of your birth year in front of the sentence and the first two bits at the end of your sentence.<p>So now you would have something like:
57Ti@$19