Aaron Toponce edited this page Aug 28, 2017 · 19 revisions

Password and Passphrase Generator Motivations

I set out to create the most extensive password generator out there, covering every possible situation while providing a clean UX without a lot of options, knobs, and buttons that confuse the user and make the passwords less secure.

This table shows the different properties each password has and where some passwords will work better than others.

Generator Obscure Less obscure Common Multi-language Verbally Unambiguous Visually Unambiguous Unicode Avg. Length
Diceware (English) ✔️ 26-31
Diceware (Beale) ✔️ 25-30
Diceware (Other) ✔️ ✔️ ✔️ varies
EFF (Short) ✔️ 32-38
EFF (Long) ✔️ 42-48
EFF (Distant) ✔️ 52-58
Bitcoin 38-44
Elvish 32-38
Klingon 32-38
PGP 61-68
RockYou 43-47
Simpsons 36-41
Trump 40-45
Bubble Babble 39
Secret Ninja 44
Cosby Bebop 60
Korean K-pop 46
Base-94 12
Base-64 13
Base-32 15
Base-16 19
Base-10 23
Emoji 9

Passphrases

Diceware

This generator supports all the official lists linked on diceware.com. Every word list has 7,776 entries and is meant to be used with 5 fair six-sided dice. Each word provides about 12.9248-bits of entropy. As of Aug 25, 2017, the supported lists are as follows:

  • Basque (Euskara)
  • Alan Beale
  • Bulgarian (May contain errors- OCR scan from images in PDF)
  • Catalan (UTF-8)
  • Chinese (Non-Wubi list)
  • Czech
  • Danish
  • Dutch
  • English (the original list- Default)
  • Esperanto
  • Finnish
  • French
  • German
  • Italian
  • Japanese (Romaji)
  • Maori
  • Norwegian
  • Polish
  • Portuguese
  • Russian
  • Slovenian
  • Spanish
  • Swedish
  • Turkish

EFF

In the middle of 2016, the Electronic Frontier Foundation created their own Diceware lists that use more frequently used English words that are easier to remember and type than the original Diceware word list.

They created three word lists:

  • The long list- Mimics the Diceware word list with 7,776 entries to be used with 5 fair six-sided dice. The words average a length of around 7 characters per word. Each word provides about 12.9248-bits of entropy.
  • The short list (Default)- A shorter word list with 1,296 entries to be used with 4 fair six-sided dice. Each word has a maximum length of 5 characters. Each word provides about 10.3399-bits of entropy.
  • The distant list- Another short word list of 1,296 entries, but each word has a minimum edit distance of three. Each word provides about 10.3399-bits of entropy.
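
The dice-to-word lookup and word count behind the Diceware and EFF lists, as an added example (not code from the generator itself). The word lists are constructed placeholders, and the 75-bit target is an assumption; the page does not state the generator's minimum entropy.

```python
import math
import secrets

# Constructed stand-in lists; real Diceware/EFF files pair each dice key with a word.
LONG_LIST = [f"long{i:04d}" for i in range(6 ** 5)]   # 7,776 entries, 5 dice
SHORT_LIST = [f"s{i:04d}" for i in range(6 ** 4)]     # 1,296 entries, 4 dice

def roll(dice):
    """Simulate fair six-sided dice with the OS CSPRNG (faces 1..6)."""
    return [secrets.randbelow(6) + 1 for _ in range(dice)]

def dice_to_index(faces):
    """Read the faces as a base-6 number: 1-1-1-1-1 -> 0, 6-6-6-6-6 -> 7775."""
    index = 0
    for face in faces:
        if face not in range(1, 7):
            raise ValueError(f"not a die face: {face!r}")
        index = index * 6 + (face - 1)
    return index

def words_needed(list_size, target_bits):
    """Smallest word count whose total entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))

def passphrase(wordlist, dice, target_bits):
    """Pick one word per group of dice rolls until the target entropy is met."""
    if len(wordlist) != 6 ** dice:
        raise ValueError("list size must equal 6**dice, or some rolls map to no word")
    count = words_needed(len(wordlist), target_bits)
    return [wordlist[dice_to_index(roll(dice))] for _ in range(count)]

if __name__ == "__main__":
    for name, words, dice in (("long", LONG_LIST, 5), ("short", SHORT_LIST, 4)):
        phrase = passphrase(words, dice, 75)  # 75 bits is an assumed target
        bits = len(phrase) * math.log2(len(words))
        print(f"{name}: {len(phrase)} words, {bits:.1f} bits: {'-'.join(phrase)}")
```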

Alternate

This is a personal collection of miscellaneous word lists of varying sizes and purposes. The current list is as follows:

Bitcoin (English)

The Bitcoin word list is designed to be a mnemonic code or sentence for generating deterministic Bitcoin wallets. The list provides 2,048 words, each providing exactly 11-bits of entropy. As more languages are added to the proposal, some of which are not available in Diceware, I may consider making this its own generator box. The English word list has an edit distance of 4 characters, making it possible for automation systems to autocomplete the words after the first four characters have been typed. The words are also verbally unambiguous, making it desirable for passwords spoken in noisy environments, such as server rooms.

Elvish

This generator is for entertainment value only. The word list consists of 7,776 words, making it suitable for Diceware, and provides about 12.9248-bits of entropy per word. However, because the generator is strictly electronic, and I haven't assigned dice roll values to each word, I may bump this up to 8,192 words providing exactly 13-bits of entropy per word. The word list was built from the Eldamo lexicon.

Klingon

This is another generator that is strictly for entertainment value only. As I say that, I personally know two people who speak (fluent?) Klingon, so maybe this generator will be of value to them. This word list comes from the Klingon Pocket Dictionary, and my word list provides exactly 2,604 unique words from the 3,028 words in the Klingon language. Thus, each word provides about 11.3465-bits of entropy.

PGP (default)

The PGP word list was created to make reading hexadecimal strings easier and phonetically unambiguous. It comprises exactly 256 words, providing exactly 8-bits of entropy per word. This generator works well in noisy environments, such as server rooms, where passwords need to be spoken from one person to another to enter into a physical terminal.

RockYou

In 2009, the RockYou company experienced a data breach where over 32 million user accounts and passwords were leaked to the Internet. I took the top 7,776 most commonly used RockYou passwords from that data breach to compile a word list for passphrases. This list is used solely as an educational tool to show that even though the list is made up of exposed passwords, secure passphrases can still be created from it. Each word provides about 12.9248-bits of entropy.

Simpsons

This is a list of 5,000 words, providing about 12.2877-bits of entropy per word. The goal of this generator is also educational: to show that any source of words can be used for a password generator, including the episodes of a television series. However, because this list contains the 5k most commonly spoken words from the Simpsons episodes, a good balance of verbs, nouns, adjectives, etc. is supplied. As such, the generated passphrases seem to be easier to read, and less noun-heavy than the Diceware or EFF word lists. These passphrases may just be the easiest to recall.

Trump

This generator was initially built for entertainment purposes, but ended up having the advantage of providing a well-balanced passphrase of nouns, verbs, adjectives, etc., much like the Simpsons generator. As such, these passphrases may be easier to recall, because they are more likely to read as valid sentences than those from the Diceware or EFF generators. This list is pulled from Donald J. Trump's Twitter account. The list is always growing, currently at 5,186 words providing about 12.3404-bits of entropy per word.

Pseudowords

The pseudowords generator is a cross between unreadable/unpronounceable random strings and memorable passphrases. They are pronounceable, even if the words themselves are gibberish. They are generally shorter in practice than passphrases, and longer than pure random strings. The generators are here to show what you can do with random pronounceable strings.

Bubble Babble

Bubble Babble is a hexadecimal encoder, with built-in checksumming, initially created by Antti Huima, and implemented in the original proprietary SSH tool (not the one by the OpenSSH developers). Part of the specification is that every encoded string begins and ends with "x". However, rather than encode data from the RNG, it is randomly generating 5-character words in the syntax of "". As such, each 5-character word, except for the end points, provides 21*5*21*5*21=231,525 unique combinations, or about 17.8208-bits of entropy. The end points are in the syntax of "x" or "x, which is about 21*5*21*5=11,025 unique combinations, or about 13.4285-bits of entropy.

Secret Ninja

This generator comes from a static character-to-string assignment that produces pronounceable Asian-styled words. As such, there are only 26 assignments, providing about 4.7004-bits of entropy per string. There are three strings concatenated together per hyphenated word.

Cosby Bebop

I was watching this YouTube video with Bill Cosby and Stewie from Family Guy, and about half-way through the skit, Bill Cosby starts using made-up words as part of his routine. I've seen other skits by comedians where they use made-up words to characterize Bill Cosby, so I figured I would create a list of these words, and see how they fell out. There are 32 unique words, providing exactly 5-bits of entropy per word. Unlike the Bubble Babble and Secret Ninja generators, this generator uses both uppercase and lowercase Latin characters.

Korean K-pop

In following with the Bill Cosby Bebop generator, I created a Korean "K-pop" generator that used the 64 most common male and female Korean names, providing exactly 6-bits of entropy per name. I got the list of names from various sites listing common male and female Korean names.

Random

These are random strings provided as a last resort for sites or accounting software that have very restrictive password requirements. These passwords will be some of the shortest generated while meeting the same minimum entropy requirement. Because these passwords are not memorable, they should absolutely be stored in a password manager (you should be using one anyway).

  • Base-94- Uses all graphical U.S. ASCII characters (does not include horizontal space). Each character provides about 6.5546-bits of entropy. This password will contain ambiguous characters.
  • Base-64- Uses all digits, lowercase and uppercase Latin characters, and the "+" and "/". Each character provides exactly 6-bits of entropy. This password will contain ambiguous characters.
  • Base-32- Uses the characters defined in RFC 4648, which strives to use an unambiguous character set. Each character provides exactly 5-bits of entropy.
  • Base-16- Uses all digits and lowercase characters "a" through "f". Each character provides exactly 4-bits of entropy. This password will contain fully unambiguous characters.
  • Base-10- Uses strictly the digits "0" through "9". This is mostly useful for PINs or other applications where only digits are required. Each digit provides about 3.3219-bits of entropy. This password will contain fully unambiguous characters.
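
An added example (not the generator's own code) that builds the five character sets described above, derives the per-character entropy, and generates a password of the shortest length that meets a target. The 75-bit target is an assumption, since the page does not state its minimum; it happens to give the lengths shown in the table's Base-N rows.

```python
import math
import secrets
import string

TARGET_BITS = 75  # assumed minimum; the page does not state the generator's value

# The five character sets as the list above describes them.
ALPHABETS = {
    "Base-94": "".join(chr(c) for c in range(0x21, 0x7F)),  # graphical ASCII, no space
    "Base-64": string.digits + string.ascii_lowercase + string.ascii_uppercase + "+/",
    "Base-32": string.ascii_uppercase + "234567",            # RFC 4648 alphabet
    "Base-16": string.digits + "abcdef",
    "Base-10": string.digits,
}

def bits_per_char(alphabet):
    """log2 of the set size; duplicates would silently lower the real entropy."""
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet contains duplicate characters")
    return math.log2(len(alphabet))

def length_for(alphabet, target_bits=TARGET_BITS):
    """Shortest length whose total entropy is at least target_bits."""
    return math.ceil(target_bits / bits_per_char(alphabet))

def generate(name, target_bits=TARGET_BITS):
    """Draw each character independently and uniformly from the OS CSPRNG."""
    alphabet = ALPHABETS[name]
    length = length_for(alphabet, target_bits)
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for name, alphabet in ALPHABETS.items():
        pw = generate(name)
        print(f"{name}: {bits_per_char(alphabet):.4f} bits/char, {len(pw)} chars -> {pw}")
```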

Emoji

With the rise of Unicode and the UTF-8 standard, and the near ubiquitous popularity of smartphones and mobile devices, having access to non-Latin character sets is becoming easier and easier. As such, password forms are more likely to support UTF-8 on input to allow Cyrillic, Coptic, Arabic, and East Asian ideographs. So, if Unicode is fast becoming the norm, why not take advantage of it while having a little fun?

This generator uses the emoji character sets provided by Google's Noto Emoji fonts, as that makes it easy for me to support the font in CSS 3, allowing every browser that supports CSS 3 to take advantage of the font and render the glyphs in a standard fashion. The license is also open so that I can redistribute the font without paying royalties, and others can do the same.

I opted for the black-and-white font, as opposed to the color font, to stay consistent with the look and feel of the other generators. There are 881 emoji glyphs provided by that font, yielding about 9.7830-bits per glyph. One side effect is that even though there is a character count in the generator box, each glyph may be more than 1 byte, so some input forms may count that glyph as more than 1 character. Regardless, the minimum entropy is met, so the emoji password is still secure.
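
The counting mismatch described above, as an added example (not the generator's code): the same emoji password measured in code points, UTF-16 code units and UTF-8 bytes, then checked against a field limit. The sample password and the 12-character limit are constructed for illustration and are not taken from the generator.

```python
import math

GLYPHS = 881  # size of the emoji set, as stated on the page

# Constructed 9-glyph sample: five BMP symbols followed by four astral-plane emoji.
SAMPLE = "\u2602\u2615\u2693\u2708\u2744\U0001F335\U0001F3B2\U0001F422\U0001F511"

def length_views(password):
    """Length of one string as different systems count it."""
    return {
        "code_points": len(password),                            # one per glyph here
        "utf16_units": len(password.encode("utf-16-le")) // 2,   # JavaScript String.length
        "utf8_bytes": len(password.encode("utf-8")),             # byte-limited fields
    }

def entropy_bits(password, alphabet_size=GLYPHS):
    """Entropy if every glyph is one code point drawn uniformly from the set."""
    return len(password) * math.log2(alphabet_size)

def accepted_under(password, max_len):
    """Which counting rules accept the password for a field limited to max_len."""
    return {rule: n <= max_len for rule, n in length_views(password).items()}

if __name__ == "__main__":
    print(length_views(SAMPLE))
    print(f"{entropy_bits(SAMPLE):.1f} bits")
    # Hypothetical form that allows at most 12 "characters".
    print(accepted_under(SAMPLE, 12))
```

The entropy depends only on the number of glyphs drawn, so a form that counts code units or bytes changes whether the password fits, not how strong it is.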
