I audit web-based password generators as a hobby, and this one does well.<p>What it does well on:<p>The source code is open source licensed. Passwords are generated in the client, not on the server. The generator is random. The generator is cryptographically secure. The generator is unbiased. Mobile devices are supported. There are no JavaScript trackers loaded on the page. The site is not calling out to external resources without SRI.<p>Unfortunately, by only choosing 4 random words, the security margin of the passphrase is 52 bits (13 bits per word). This is practical for a hobbyist password cracker to exhaust in an offline attack. The security would be better if 6 random words were chosen instead.<p>Audit: <a href="https://docs.google.com/spreadsheets/d/1ucaqJ4U3X3nNEbAAa06igbBkITHaA98blftOwT8u0I4/edit?usp=sharing" rel="nofollow">https://docs.google.com/spreadsheets/d/1ucaqJ4U3X3nNEbAAa06i...</a>
Can someone explain to me why 1Password doesn't have something like this built in? You can use words, or random characters/symbols, but not both, which fails miserably every time you're faced with some sort of silly password requirement to have a symbol and a number and a capital or whatever.
While I would love to use something like this, almost every site I can think of enforces worthless password rules like "Must include number, letter, special character" etc which effectively blocks these types of passwords.
The problem with generators and this scheme is that they allow regeneration. Most people don't use the first result; they generate a new one until they like it enough to stop, which is not as random anymore as they think.
Background: I liked the xkcd-style password generation scheme as it was easy to remember, but existing generators online (that I could find, at least) all use Math.random() or other cryptographically insecure random number generators. While an actual attack on the RNG seems far-fetched, the very idea doesn't sit well with my crypto nerd side. So I decided to create my own that uses a CSPRNG that I can trust. This was a while ago.<p>Recently, I decided to package it up with a nice domain name and publish it in hopes that it would be useful to others.
Nice work!<p>A passphrase, as opposed to a password, has spaces between each word.<p>If you added those it would be easier to read, especially for mobile, if you used a multiline textarea, because the generated content isn’t fully readable at a glance. (Or don’t use a form input field at all — just put the passphrase in a div so the word breaks flow normally.)
I have bookmarked this site for my own personal use. I also shared it with my co-workers in the IT dept.<p>I think your site works well on selling itself if you assume the audience is coming from HN. From what I have observed, your site does not market itself well to a typical corporate IT dept who are not all programmers.<p>I think if we want to promote wider adoption of this good password technique, we'll need a different approach.<p>This is not a criticism-- You've done a job I admire. I think I might fork it and make another version that is approachable to a wider audience. Thank you!
Reminds me of the Perl module `hsxkpasswd`[0], which has more configuration options and also powers the online generator at <a href="https://xkpasswd.net/s/" rel="nofollow">https://xkpasswd.net/s/</a><p>[0]: <a href="https://github.com/bbusschots/hsxkpasswd" rel="nofollow">https://github.com/bbusschots/hsxkpasswd</a>
For passwords I might have to enter by hand, such as WiFi passwords, I liked the pronounceable password option that 1Password used to have. The passwords were several single syllables strung together by a separator. An example: neg-pen-nau-eng-fri-dot. There were options to change the separator, and to toss in digits and upper case if I remember correctly. Syllables were 2 to 4 letters long, I believe.<p>At some point 1Password dropped that, replacing it with something similar to "correct horse battery staple". It's words (3-10) separated by hyphen, space, period, comma, or underscore. E.g., "plasma.haggis.arrange.stultify".
I rely on the built-in password generator of Passfindr <a href="https://passfindr.com" rel="nofollow">https://passfindr.com</a>, which uses the same random number generator as mentioned in correcthorse.pw. When using a password manager, and one should, different passwords for every internet account are straightforward.
lower, upper and numbers = 62 options | wordlist = 10 000 options:<p><pre><code> 62^12 = 1e21
10 000^5 = 1e20
</code></pre>
The problem is if you are not using a word generator and instead rely on your invention: most people will use the top 5000 words (5000^5 = 1e18), and imagine you even lock in one of the words (a color, maybe?).<p>So this way of thinking might be good if you know what you are doing and use uppercase, lowercase and symbols; if not, it is actually bad advice.
If I may egregiously misuse the famous quote, "those who do not understand Unix are condemned to reinvent it, poorly."<p><pre><code> $ shuf --random-source=/dev/urandom -n6 /usr/share/dict/cracklib-small | paste -sd-
circulant-conjured-reigning-buzzed-awaiting-typifies</code></pre>
See also <a href="https://theworld.com/~reinhold/diceware.html" rel="nofollow">https://theworld.com/~reinhold/diceware.html</a> (the "original", as far as I know).<p>KeePassXC has a passphrase generator, although it doesn't use the Diceware list as far as I know. <a href="https://keepassxc.org/images/screenshots/linux/screen_006.png" rel="nofollow">https://keepassxc.org/images/screenshots/linux/screen_006.pn...</a><p>EDIT: Love the simplicity of <a href="https://correcthorse.pw/" rel="nofollow">https://correcthorse.pw/</a>, good work!
I tend to rely on <a href="https://www.rempe.us/diceware/#eff" rel="nofollow">https://www.rempe.us/diceware/#eff</a> for my typeable password needs.<p>80% of my passwords are just line noise, because they live in a keepass database. 20% (workstation account logins, etc) are diceware.