Xkcd Password Generator

I find the discussion surrounding the XKCD strip alarming for the superstition it reveals about password generation. The particular theme I am alarmed by is that people seem to think that if a password <i>looks</i> alien, or was difficult for <i>them</i> to come up with, it will be hard for a machine to guess.<p>Look, we're working with big numbers here. You need to do the math.<p>In this thread alone, I've seen suggestions to use a common dictionary word translated into another language, or written in l33tsp34k with some permutations. From a probabilistic perspective, <i>these are still dictionary words</i>, even though they look like gibberish. The same is true of the common method of typing a word with ones fingers displaced on the keyboard.<p>Conversely, I see a lot of argument that these XKCD passphrases would be easy to guess because they are made up of dictionary words. This misunderstands the math behind the situation. Even if an attacker knows that your password was generated via this method, and <i>even if they know the word list you used</i>, the password is still hard to guess. The difficulty grows exponentially with each word in the phrase, and that's pretty fast.<p>The key with passwords is not to create something that <i>looks</i> random -- something that if you showed it to another human being, they'd have a hard time deciphering. It's to create something that <i>is</i> random; literally a result of a throw of the dice for every new password.<p>Human beings are really bad at creating randomness. There's a demonstration done in an early statistics class in which the professor divides the class into two groups. He tells one to toss a coin a hundred times and record the sequence of heads and tails, while the others are to write down a sequence they think is random using their imagination. The papers are completed and mixed and then -- magically! -- he is able to sort them into the two types, easily and with high accuracy.<p>The lesson is this: even when you think you're being random, you probably aren't. You're probably using the same tricks everyone else is, and making the same mistakes.<p>I would trust passwords that come out of a script like this to be <i>far</i> more secure than passwords anyone (myself included) made up, no matter how random they're trying to be.

A lot of comments here seem to be missing the point.<p>The main point is to use passwords that give you the most "bang for the buck" in the sense of adding the most bits of entropy for the least difficulty of remembering. Adding an extra number, or punctuation, or certain numbers of repetitions generally adds only a little bit of entropy for a significant cost in additional challenge to your memory.<p>Our minds are well suited to remembering combinations of common words, and by stringing a few such words together, you can generate a larger search space than using a single word with a few substitutions. Even if the attacker knows the scheme you're using, he still must search through the space of combinations of common words, which XKCD is pointing out is quite large.

I've been using phrases and sentences as passwords for a while, and I've found that there are 2 main problems;<p>1) A lot of sites, still in this day and age, have max password lengths, so I still have a lot of short passwords. Usually this is bank sites and the like.<p>2) Password entry fields are often very short visually, and with a long password getting lost is much easier. I find I have to type them over A LOT.<p>The second is actually the more annoying problem.

How about (NOT SECURE YET, IT NEEDS MORE ENTROPY):<p><pre><code> from nltk.corpus import wordnet as wn all_animals = set() def add_to_set(animal): all_animals.add(animal.name.split('.')[0].replace('_',' ')) for child in animal.hyponyms(): add_to_set(child) add_to_set(wn.synset('animal.n.01')) all_animals = list(all_animals) actions = ['ate','chased','killed','fought','kissed', 'talked to','hated','loved','ambushed','fled'] # can add more def make_password(): import random random = random.SystemRandom() # is this secure? choice = random.choice return 'the %s %s the %s'%(choice(all_animals), choice(actions), choice(all_animals)) </code></pre> If you pruned out 90% of the animals (i.e. the obscure, hard to spell, or scientific names), this is still about 20 bits. And the passwords are kind of memorable (I've gotten such gems as "the dodo chased the guppy" or "the tigress killed the king charles spanial").<p>You could also add a humorous adjective ("rabid", "talking", "magic", "invisible", "evil" ...) or adverb ("roughly", "quickly", "quietly", "secretly" ...).<p>You could also add a place name.

One slight addition to the xkcd password scheme that would add another order of magnitude of security would be to have your own personal "salt" that you add to all your passphrases. In this case, the salt would be a short, traditional, hard to remember password that you re-use with every xkcd style password. It would be hard to remember, but you'd only need to memorize it once.<p>So if your personal salt is "@T#23a" you would use "@T#23a correct horse battery staple" on one website and "@T#23a giant bug transistor leech" on another website.

Careful! This is only using `Math.random` and does not attempt to use `window.crypto.random` (though most browsers do not support it yet: <a href="http://jsfiddle.net/alanhogan/trUYu/" rel="nofollow">http://jsfiddle.net/alanhogan/trUYu/</a>) or anything that would attempt to bring real entropy into the process.<p>I don’t mean to fault the creator of this page, but at the same time, I would not trust this generator for important passwords, simply because you cannot know if others are getting the same 'random' results as you are.<p>More info on SO: <a href="http://stackoverflow.com/questions/5651789/is-math-random-cryptographically-secure" rel="nofollow">http://stackoverflow.com/questions/5651789/is-math-random-cr...</a><p>PDF on the topic: <a href="http://www.trusteer.com/sites/default/files/Temporary_User_Tracking_in_Major_Browsers.pdf" rel="nofollow">http://www.trusteer.com/sites/default/files/Temporary_User_T...</a><p>&#62; <i>In the Javascript engines of IE (Trident), Firefox (Gecko), Safari (WebKit) and Chrome (V8), the output of Math.random() can be used to reconstruct the random seed, and thus provide both this seed and the current “JS mileage” (i.e. the number of times Math.random() was invoked).</i>

Put this in your .bashrc:<p><pre><code> function rpass() { strings /dev/urandom | grep -o '[[:alnum:]\/!@#$%^&#38;*()&#60;&#62;,.,{}]' | head -n $1 | tr -d '\n'; echo } </code></pre> Then run $ rpass 16 and get a 16 character random password with a fairly high entropy. Then just use a service like LastPass or a solution like KeePassX or even a single GPG-encrypted file to store your passwords. Problem solved.<p>Passwords are evil. Most of them should be treated the way you'd treat your private SSH or SSL key. Whenever you can eliminate a password and get the user to authenticate using a third-party identity provider, you are doing them a favor.<p>Edit: with 80 possible characters, you get 80^16 possible passwords: 10^19 years at 1000 guesses/second.

I prefer using a program like Password Safe (<a href="http://passwordsafe.sourceforge.net/" rel="nofollow">http://passwordsafe.sourceforge.net/</a>), and use a safe password that's a long sentence (with punctuation). Then I can use arbitrarily long and complex passwords for all my accounts, and not have to worry about memorizing them individually. The password safe can even be synced across computers using Dropbox.

I can't help but think that this is a solution to the wrong problem. The big problem with password security in the modern world really isn't that they're easy to break, but that they're pervasively reused between sites. So breaking them (for example, by reading them in plain text out of a dumb database!) in one place opens up attacks on higher value accounts.<p>The fix, of course, is to get users to stop re-using passwords between sites.<p>How does making passwords <i>more</i> memorable fix this? If anything, forcing users to use random base64 strings strikes me as more secure as they will be forced into some sort of password locker implementation by their inability to remember them.

The link posted on the article merits a submission by itself:<p>"The science of password selection" (a breakdown of common passwords by selection practices, as taken from public leaks)<p><a href="http://www.troyhunt.com/2011/07/science-of-password-selection.html" rel="nofollow">http://www.troyhunt.com/2011/07/science-of-password-selectio...</a><p>In short, passwords are chosen from:<p><i>People names: this includes a list of about 26,000 common first and last names.</i><p><i>Place names: this is everything from towns to states to countries and includes about 32,000 entries.</i><p><i>English dictionary</i><p>The most common passwords by group:<p>Name:<p><pre><code> 1. maggie 2. michael 3. jennifer </code></pre> Place:<p><pre><code> 1. dallas 2. canada 3. boston </code></pre> Dictionary Words:<p><pre><code> 1. password (oh dear) 2. monkey 3. dragon </code></pre> Numbers:<p><pre><code> 1. 123456 2. 12345678 3. 123456789</code></pre>

"For those of us pedantic enough to want a rule, here it is: The preferred form is "xkcd", all lower-case. In formal contexts where a lowercase word shouldn't start a sentence, 'XKCD' is an okay alternative. 'Xkcd' is frowned upon."

Note that 44 bits of entropy is still nothing if you want protection from off-line attacks on password hashes. A couple of GPUs together can calculate a billion hashes per second, which eats through 2^44 possible passwords in only a few hours.<p>This was recently demonstrated when the mtgox password database was compromised.<p><i></i>edit<i></i>: but this shouldn't be a problem if the password is properly hashed with bcrypt or some other scheme with a work factor.

Example generated phrase: "married greatly snake battle"<p>These phrases would be easier to remember if they made grammatical sense. Like Chomsky's famous "colorless green ideas sleep furiously" - the words relate to each other grammatically, even though it makes no sense.<p>Imagine memorizing "married greatly snake battle" vs "married snakes battle greatly." I think the latter is easier.

I would actually advise going against this advice. While it isn't a best practice, password sharing can and does happen, as does shoulder-surfing. It would take a LOT of effort to memorise my password, but a simple four word password will probably be remembered by accident. In a year's time if I piss a friend off, I don't want my Facebook password to be readily accessible in their memory.<p>I think more people need to learn to remember arbitrary strings. There really is no way around that problem if you want a decently secure password, and it's rare someone has a "good memory" - in most cases they've just learnt how to remember things well.<p>(Note: This doesn't really apply to me or most of us here in most cases, but for example my WiFi password is of the form "Mycatsname9" and yet my neighbour still has to ask me for it whenever her phone forgets it)

This might come in handy:<p>shuf -n4 /usr/share/dict/words | tr '\n' ' '

You could probably get a few more bits of entropy kind of easily if you use words from other languages. This doesn't help the monolingual among us but it's great for me.

What a great article! I'm changing all my passwords to "correct horse battery staple" today!

He he, reminds me of the password generator I made concatenating 3 words from the list of the "500 most common passwords": <a href="http://www.mrspeaker.net/2009/01/09/make-secure-passwords/" rel="nofollow">http://www.mrspeaker.net/2009/01/09/make-secure-passwords/</a><p>The top 500 list has an awful lot of naughty words - so the phrases are pretty easy to remember ;)

Isn't this discussion premised on a server configured to allow fast password guessing indefinitely?<p>This is 2011, shouldn't every server be configured to allow a guess every two seconds for 20 guesses, then every 10 minutes, or something similar?<p>I'm not familiar with common practices in this area, but why wouldn't all such services be configured to limit the incorrect guesses?

I've been doing this for years on sites that allow long passwords - "pass sentences" - but I also throw in a number or two.

"It's a novel idea."<p>No, I posted about my own generator in 2005: <a href="http://darius.livejournal.com/38591.html" rel="nofollow">http://darius.livejournal.com/38591.html</a> (getting the words from Beowulf). Then Zooko or Kragen pointed out some even older system in response (I forget the name).

Such a password scheme provides much less than 44 "bits" of entropy. Considering the use of 4 randomly chosen words from the c.170000 english words in general use, means we can guess the paraphrase in around 2^22 tries - even less than "Tr0ub4d0r3&#38;".<p>EDIT: I'm totally wrong, it's more like 2*10^22 ... oops!

The beauty of this discussion is not just "How to create memorable but hard to break password?" but "How much deep insight can a 4-6 frame cartoon contain?"<p>The signal to noise ratio of xkcd is fantastic! They've again zipped a great discussion in just a few frames.

What about sites that don't allow spaces?<p>I know hotukdeals.com only allows [a-zA-Z0-9] which sucks.

I still sense a problem. While these passwords ARE easier to remember, there is still the security flaw that most people reuse passwords. A key-logger or shoulder-surfer could snag this (or a website could store your password in plaintext and be compromised) and then it's game over. Password managers are the future. They can memorize unique passwords of any length and complexity for every website you use, and they can store the passwords with very strong encryption with 1 key that is memorized. That key is where a password like 'correcthorsebatterstaple' could be effectively used.

I remember wanting to sign up on a website that had the worst password "feature" ever : you typed your password in a plain textfield, and once you clicked away it was changed to a password field. Seeing as how this "feature" was on the main page I decided never to use this service and sent the website an e-mail saying that their password field is not clever but instead is a big fat counter-security measure.<p>Edit : I managed to find back what website it was : <a href="http://www.advirtus.com/" rel="nofollow">http://www.advirtus.com/</a> when you register it shows the password as you type it

Personally I think password entry should be done in madlib form. Each user would have a unique madlib prompt like:<p>Username: ___________<p>Password: Twelve ___(pl. noun)___ jumped over a ___(adjective)___ ___(noun)___ named ___(proper noun)___.

Reminds me of this previous discussion: <a href="http://news.ycombinator.com/item?id=2450972" rel="nofollow">http://news.ycombinator.com/item?id=2450972</a><p>Maybe Randall was inspired by that post.

Sorry, but this isn't novel. I can't find it now, but I read a blog post that described this technique recently (~6 months ago).<p>Edit: y0ghur7_xxx (<a href="http://news.ycombinator.com/item?id=2872827" rel="nofollow">http://news.ycombinator.com/item?id=2872827</a>) found it: <a href="http://www.baekdal.com/tips/password-security-usability" rel="nofollow">http://www.baekdal.com/tips/password-security-usability</a>

Does anyone else here not really remember their main password? Mine's all in muscle memory and I can't write it out unless I imagine a keyboard.

Four English words selected randomly from a large dictionary is certainly secure. But it's unwieldy to type 20+ character passwords. I prefer 10-digit random alpha-numeric passwords, although these are hard to remember and type. Best compromise in my opinion is to use a hashing function with a moderately difficult passphrase, e.g., Site_Password = Hash( Domain_Name || Passphrase).

This still creates a false sense of security since it seems (and I stress seems) to implicitly suggest you can use the same password on every site (I assume this since the argument for its use is the ease of remembering). If one site you visit handles passwords in plain text and it has your email, upon a breach all your accounts are effectively compromised.

as embarrassing as it may seem, although having read the good part of this thread, i still don't understand why a four word password, can be more random than something i would get like this:<p><pre><code> ~$ pwgen -s 8 C0olz5KM </code></pre> Would anybody care to explain this to me, or at least point me to a good place where i can read up on this?

If you're bi-lingual in a non-european language, transliterating obscure phrases from the other language could work well. For example, the poetic title திரிகூடராசப்பகவிராயர் would transliterate to thirikUdarAsappaKavirAyar. Add some subs &#38; punctuations and I'm done - very rememberable (at least for me) :).

Watch out for sites that only use the first 8 characters of your password (no matter how long it is).

I just hate sites that won't accept spaces and restrict how long a password can be (usually to something relatively short like 8 or 12 characters). Also, many require you to use mixed case and/or numbers or "special" characters. I usually just use complete sentences.

Funny comic as usual, but the 20 years thing is probably invalid. How long would cracking tr0ub4dor&#38;3 on a 486 take? Also I remember some systems didn't allow pass phrases back then. Windows NT in particular had a max password limit of 14 characters, iirc.

I always thought using two password fields with simple words would be much harder to break than one field only (which can be used to really strange passwords but also for simples ones as we all know). Someone care to calculate how much it would take to break it?

I tried to generate all possible permutations of 4 of the 2000 most popular words in the English language.<p>My computer failed miserable after about 2000000 permutations and considering there is 10^13, i wont be making a rainbow table for this new type of password.

I generally use gpw to generate long random but pronounceable passwords. Something like 'armsdaynistoppo' is fairly entropic, easy enough to remember, and when I'm used to it I can type it much faster than 4 random words.

Amazon has implemented this. It's called payPhrase: <a href="https://www.amazon.com/gp/payphrase/claim/select-phrase.html" rel="nofollow">https://www.amazon.com/gp/payphrase/claim/select-phrase.html</a>

Don't forget to add "correcthorsebatterystaple" to your dictionaries kids!

I have just created a spanish version, that is easier to fork to other languajes. <a href="http://dl.dropbox.com/u/1990697/pw_gen.html" rel="nofollow">http://dl.dropbox.com/u/1990697/pw_gen.html</a>

This article is math true, however, hackers no longer use brute force attacks and the most popular method is to attack a weak website like for example a not very popular blog, then if they succesfully broke it they have a password and a email account from you and if they are very lucky you have the same password for the email account, so, they got you. Therefore, nowadays it is safer to have different passwords for every site. Personally, I love to use lastpasss for my personal use and keepass for the office to store and manage passwords. Obviously, the weakest link of the chain is my password for the password manager application. Any of you use a different password manager?

This is how I come up with passwords; I find a phrase that I can remember without too much trouble then I use the first letter of each word to make a password.<p>Phrase: Three Rings for the Elven-kings under the sky, Seven for the Dwarf-lords in their halls of stone<p>Password: 3RftE-kuts,7ftD-lithos<p>Easy to remember and highly secure. I have been using this method for years.<p>Bonus example: Four score and seven years ago our fathers brought forth on this continent, a new nation, conceived in Liberty<p>4sasyaofbfotc,ann,ciL<p>Less secure then the last example but still strong. Especially if you use uncommon strings like the words to a song by a local band or a phrase from the newspaper or an unpopular book. That way even an attack targeting this method will take a long long time.

Assuming that this method for generating passwords gets popular enough, brute force tools will begin to create an optimized attack for these passwords.<p>As there are so little words available, if I were to write a brute-forcing tool, I would try combinations of four words in my wordlist once I failed with my one-word-dictionary attack before I start trying out all characters.<p>But all is not lost: Either use more words or vary the amount of spaces you put between words. This way the dumb optimization "try four words delimited by space" wouldn't work on your password and they would have to go over to plain old brute forcing at which point, I agree, the longer, the better.

This kind of misses the point.<p>A password doesn't necessarily need to be something that is easy to remember. It just needs to be a unique token that is easy for you personally to present when needed.<p>I currently use a keepass file stored in my dropbox folder. I am not certain what the silver bullet to online authentication will look like. However I suspect it may not require you to remember more than one secure password, perhaps not even that.<p>Trust online is hard though, looking at the problems establishing trust online reminds me how clever human beings are, we sometimes make mistakes but we are pretty good at evaluating trustworthiness in the real world.

How does one calculate password entropy? I deduced this one:<p>entropy = log2(symbols^chars)<p>But using 63 symbols ([a-zA-Z0-9&#38;]) I get 65 bits for Tr0ub4d0r&#38;3, not 28.

The XKCD comic is only partially correct. Depending on what source you believe English text has about 0.6 to 2.3 bits of entropy per character. This means you need somewhere between 4.7 and 18.3 characters in each word to reach 11 bits of entropy per word. Assuming entropy is closer to 2 bits per character this is a realistic situation. However, when you assume entropy is closer to 1 bit per character the words have to be too long to be realistic.

I blogged on the same issue almost 2 months back: <a href="http://goo.gl/4Sxf6" rel="nofollow">http://goo.gl/4Sxf6</a>

It's a good idea, and would work well, if only websites would let me choose passwords longer than 12 characters!

Great so now we soon would find a <i>xkcd-brute-force-attempt-list.txt</i>

If you look at the source, their word list contains around 1600 words. That is just no where near enough. Using this would give you a very easy to crack password. You need to make up your own passwords with words you come up with.

Original xkcd link: <a href="http://xkcd.com/936/" rel="nofollow">http://xkcd.com/936/</a><p>Oh and there are unfortunately way too many systems limiting your password to only 6 or 8 characters still in use today.

as a bash alias:<p><pre><code> word_pass() { cat /usr/share/dict/words | awk 'BEGIN{srand();}{print rand()"\t"$0}' | sort -k1 -n | cut -f2 | head -n 4 | tr "\\n" " " &#38;&#38; echo } </code></pre> then:<p><pre><code> $ word_pass corticifugally tetraploidy democrat vibrionic </code></pre> (if you notice how this works, you can see that it isn't super-efficient, but it works)

Once hackers realise people are using ~4 random words for a password the entropy will decrease hugely.

When picking a password, you don't just care about the entropy. You also care how far down the password guessing order it is.<p>People who want to guess a password don't just brute force at random. They use a guessing order that goes through more common classes of password first. So if <i>correct horse battery staple</i> becomes a popular password scheme, these will end up attacked before other password schemes. (See <a href="http://www.schneier.com/essay-148.html" rel="nofollow">http://www.schneier.com/essay-148.html</a>)<p>Unless you're going to use a password safe full of nasty passwords, you should pick your passwords using an unpopular method.

This scheme could be easily guessed by a dictionary attack that simply ran through combinations of dictionary words instead of individual characters.<p>If this became a popular scheme, the whole entropy argument goes out the door. It only has more entropy if we compare the two schemes on a character-by-character basis (~10 vs. ~25). Of course the longer string will appear to have more entropy.<p>But if a password guesser expects the <i>pattern</i> of the "four common words" scheme, as they might if it became popular, it's not nearly as entropic. A better comparison would be to consider each word as a single "character" from a 180,000 sized alphabet (for an English dictionary).<p>Calculate the entropy of that and you'll find it's in the same ballpark.

I find the idea incredibly stupid. If I know someone who used that precise generator to produce his password. Then I know that the generator has less than 2000 words in the dictionnary. It then takes me only a few minutes to guess his password, rather than 550 years.<p>Conclusion: Don't ever use this password generator, write you own, and tell no-one about it.

Not a good idea, sadly. In fact I'd go so far to say this is a <i>really bad suggestion</i>; because it gives a false sense of security.<p>There is potentially a lot less entropy in this password than "Tr0ub4d0r&#38;3", assuming the hacker is smart enough to realise he can trivially test combinations of dictionary words in very short amount of time.<p>(EDIT: I'm way out of touch with this; it's not as trivial as perhaps I figured. See lower in the thread)<p>However; it is in the right direction - introducing some sort of extra entropy can invalidate that form of attack and make this as secure as XKCD suggests.<p>What do I currently do? I take a reasonable length common word, do a string/number replacement as so:<p>H4ck3r N3ws<p>And then repeat it 3 or 4 times:<p>H4ck3r N3ws H4ck3r N3ws H4ck3r N3ws H4ck3r N3ws<p>For extra entropy mix it up:<p>H4ck3r N3ws H4ck3r News H4cker News Hacker News<p>That's a simple example - so long as you have a reasonably random scheme then it is not easy to test against, but is fairly simple to remember.<p>Bingo :)<p>(EDIT: for the down voter(s) note: XKCD specifically says <i>random common words</i> - obscure words are another matter)