XKPasswd Generates Secure Pass-Phrases



Apart from “correct horse battery staple,” the most secure passwords aren’t words, they’re phrases. You don’t even need crazy symbols or hard-to-determine numerals (is that an l or a 1, a 0 or an O?) – just a good, longish phrase made out of words.

And now you don’t even have to make one up. Using the XKPasswd generator, based on but not associated with Randall Munroe’s amazing comic strip XKCD, you can generate secure pass phrases easily.

The idea behind Munroe’s comic is that pass phrases are easy for humans to remember and hard for computers to crack – the opposite of the kind of gibberish passwords we usually use.

And the idea behind XKPasswd is that pass phrases are fine, but sometimes you’re forced to add symbols and numbers. So you get a few options (password length limit, WPA2 Wi-Fi-compatible, digits and substitutions) to set before generating a pass phrase.

And that’s it. Of course, the whole point of pass phrases is that they’re easy to remember, but given the fact that this week you’ll be changing all of your passwords thanks to the Heartbleed security rupture, a little help is always welcome.

Source: XKPasswd

  • nad8e

    Now, if sites would support long passwords and passwords without a capital, number and special character!

  • John

    This is not really correct. The problem is there are lists out there of lots and lots of passwords, which make it easier to create scripts that check those and variations on them. Further, one of the most common brute force techniques is to use lists of words. These go beyond the dictionary. They include off the beaten track words, including proper nouns and technical vocabulary. So the password with four words in a row is not really that secure, because it’s trivial to create a script that uses dictionary words first. Dictionary words are easy to brute force precisely because they are not random. The normal substitutions (e.g., “0” for “O,” etc.) do not work at all because the brute force scripts already take this into account. Realistically, a long string of random alphanumeric digits, including symbols, is best. Counter the difficulty in remembering using a good password manager.

    Edit: Oh and 1,000 guesses/second is laughably small. In reality, you can do millions per second.
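
As an added example (not from the post or from any commenter), the arithmetic behind both the post's claim and John's objection: the entropy of an XKPasswd-style passphrase when the attacker already holds the word list, and the worst-case time to exhaust that space at 1,000 versus a billion guesses per second. The word list, layout and function names are constructed for illustration and are not XKPasswd's own code.

```python
import math
import secrets

# Constructed eight-word list for the demo; a real XKPasswd-style list has
# thousands of entries. Entropy comes from the random choice, not from the
# words being obscure, so the attacker is assumed to hold this exact list.
WORDS = ["correct", "horse", "battery", "staple", "cloud", "river", "ember", "pixel"]

SECONDS_PER_YEAR = 31_557_600


def passphrase_entropy_bits(list_size, n_words, n_digits=0, n_separators=0):
    """Bits of entropy when the attacker knows the list, the word count and the
    layout. Each word contributes log2(list_size); each random digit log2(10);
    one separator drawn from n_separators symbols adds log2(n_separators).
    Fixed substitutions such as 0-for-O add nothing: a word-list attack
    enumerates those variants as well."""
    bits = n_words * math.log2(list_size) + n_digits * math.log2(10)
    if n_separators > 1:
        bits += math.log2(n_separators)
    return bits


def worst_case_crack_years(bits, guesses_per_second):
    """Years needed to exhaust the whole space at the given guess rate."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def generate(words, n_words, n_digits=0, separators="-_!."):
    """XKPasswd-like layout: words joined by one random separator, optionally
    followed by random digits. Uses the secrets module, never random."""
    sep = secrets.choice(separators)
    parts = [secrets.choice(words) for _ in range(n_words)]
    digits = "".join(str(secrets.randbelow(10)) for _ in range(n_digits))
    return sep.join(parts + ([digits] if digits else []))


if __name__ == "__main__":
    # The comic's configuration: four words drawn from a 2048-word list.
    bits = passphrase_entropy_bits(2048, 4)
    print(f"4 words / 2048 list: {bits:.1f} bits")
    for rate in (1_000, 1_000_000_000):
        print(f"  worst case at {rate:,} guesses/s: "
              f"{worst_case_crack_years(bits, rate):.3g} years")
    # Adding words raises the bar far more than any substitution scheme.
    print(f"6 words / 8192 list: {passphrase_entropy_bits(8192, 6):.1f} bits")
    print("sample:", generate(WORDS, 4, n_digits=2))
```

At a billion guesses per second the comic's 44-bit configuration falls in seconds, which is why the guess rate in the threat model matters as much as the word count.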

  • Do you even wordlist, bro?