Secure passphrase basis generator


This form is intended to help generate easily memorable yet uncrackable passphrases. I am not a security expert, and I could be dead wrong about the "security" proffered here. DO NOT blindly follow the "idea pattern" heuristic of the generated passwords presented here: either make your own unique heuristic that breaks pattern (heuristic) analysis, which allows for fewer "memory items" (read my policy), or extend the memory items given here. You may wish to examine the links under the reference section for articles that inform my policy (including things that make the "XKCD method" very insecure in some scenarios).


Number of words in generated passphrase:

Whatever this gives you, please make it your own. Mouseware may steer you toward more entropy, or a better password base to begin with.

If you view the source of this page you will find that all functionality happens client-side (in your running browser), meaning no one can spy on your password (outside of your usual extreme espionage methods).

An ideal password is easily memorable but impossible for even an extremely vigorous program (with massive computing power at its disposal) to guess. The longer and the more unguessable (yet simple!) your rules for constructing the password, the better.

My password policy

Make a password from at least seven "memory items" drawn from a very large idea space: a broad English vocabulary mixed with "less common" or "special" ASCII characters. (Heuristic password crackers become impractical past 6 items from some smaller idea spaces; make the idea space much larger and they'll FUGGETABOUTIT. Throwing in a lot of the printable Unicode characters would be awesome, but nobody is even allowing that.) Fewer memory items are allowed if one of them is, e.g., a word that isn't going to be in any common idea space such as a dictionary (for example a gibberish word or a very uncommon proper noun). The defaults of this generator follow this policy. I use a very large array of common words plus a collection of unusual words and "what the?!" names from the Utah Baby Namer, padded internally or externally with short and/or easy-to-remember repeated sequences of special characters. You should do something like this, but make it your own. Consider anything given by this form "cracked" out of the box, or at best a starting point.

This free script was horked and adapted from a Public Domain post of some code somewhere.

On with the reference links.


Main takeaways of references

Bad guys essentially have AIs (artificial intelligences) at their disposal which can probably guess your password no matter what human-memorable method you use to construct it (including phrases that use English words), if your password has too few memory items (which include words, especially common ones, and/or special characters). A longer chain of memory items (seven or more) from a very large set (English words and/or "rarer" ASCII characters) makes heuristic and brute-force cracking infeasible. My password policy outlined above factors in these takeaways.

XKCD comic about passwords/passphrases.
Schneier on emergent insecurity of the XKCD method.
Some fellas with GPU clusters quickly find hashes of millions of passwords ostensibly more secure than the XKCD method would contrive. Caveat to the implied claim that passphrase methods are defeated by this: the given attacks may be feasible only for offline heuristic attacks on weakly hashed passwords (although most password hashing schemes in use are weak; a data breach involving weak hashes can lead to your password being compromised). If provably secure hash functions are used (which they usually aren't), even offline cracking from data breaches becomes infeasible.
Article with suggestions on increasing XKCD password method entropy.
An analysis of the (lack of) soundness of the haystack entropy theory
A blog post of a fellow providing a mix of good security practice with bad--with practice that's elsewhere argued to be counterproductive.
Kozlowski, L. Shannon entropy calculator.
Wikipedia, Password strength#Bit strength threshold
Diceware passphrase generator
10,000 most common English words according to Google Books
Ten thousand (common?) words posted at
code example stemming therefrom
A list of good mnemonic words


Use the algorithm from the...what was it machine? The software behind the Postmodern Thesis Generator, to create plausible, memorable sentences, then create the password from the first letters of that sentence, and display the sentence as a mnemonic? Throw in some Markov chain-generated gibberish words and/or pseudo-names, which are dynamically generated so as to not be in any dictionary, yet easy for a human to remember? Insert an obscure Unicode character and a number at a random position instead of a patterned one.