
Passphrase Generator

Generate a passphrase or test your password's strength (these are not stored or transmitted):


Purpose

This passphrase generator was built on the NIST Special Publication 800-63B guidelines, especially Appendix A - Strength of Memorized Secrets (NIST, 2017). This generator hopes to inspire people and organizations alike to switch to memorable passphrases, to increase password security and reduce password fatigue.

Disclaimer: This site is not officially endorsed by, and has no affiliation with, NIST.

Usage

By default, four-word lowercase passphrases are generated because they are secure and memorable. Most password policies, however, require the inclusion of LUDS (Lowercase and Uppercase letters, Digits and Symbols). In that case, selecting 'Sentence case', ticking 'Digits' and then generating passphrases will satisfy the requirements (since spaces count as symbols as well).

The approximate crack time is based on the assumption of an offline attack which involves multiple attackers, proper user-unique salting and a slow hash function with moderate work factor, such as bcrypt, scrypt or PBKDF2 and assumes 10,000 guesses per second. Namely, it uses 'offline_slow_hashing_1e4_per_second' of zxcvbn. If you want to know more about the usage, check out the official zxcvbn usage documentation.

Why should I use a random passphrase?

Because most of us are terrible at creating secure passwords and the complex password policies that are supposed to make passwords more secure tend to do more harm than good. The xkcd comic got it right: we have been trained to use hard-to-remember passwords that are easy for computers to guess.

Random because it makes it harder to guess. Try as we might, humans usually end up using a few predictable patterns when creating passwords. We base them on things we can remember, such as names, locations, dates or just common English words. Then, we add some spice with a capital letter, some numbers or a symbol.

Here are some bad password patterns:

| Bad password pattern | Is it memorable? | Time to crack |
|---|---|---|
| Names (example: Batman) | Yep. | 8 milliseconds |
| An easily-typed spatial word (example: aaaaaaaa) | Yep. | 9 milliseconds |
| A common word (example: common) | Yep. | 34 milliseconds |
| A word with trivial letter→number substitutions (example: k4mik4ze) | Kind of, but you may forget which letters are substituted for numbers. | 388 milliseconds |
| An important number, such as a date of birth or zip code (example: 09/11/2001) | Totally. | 2 seconds |

If your password resembles any of these examples, it is instantly crackable. Even a mix of these patterns, such as [common word]+[number] will be straightforward to crack.

Compare those to a passphrase:

| Password pattern | Is it memorable? | Time to crack |
|---|---|---|
| Four or more randomly chosen words (example: aldus premiums market causes) | Type it a few times, and you'll have it committed to memory. | 32,286,015 centuries. |

"Secrets that are randomly chosen (in most cases by the verifier or CSP) and are uniformly distributed will be more difficult to guess or brute-force attack than user-chosen secrets meeting the same length and complexity requirements." - NIST, 2017.

Why should I use a random passphrase instead of a password?

Because random passphrases provide the best combination of memorability and security.

For example, here is a random password and a random passphrase with similar crackability:

| Password/Passphrase | Time to crack |
|---|---|
| 4Yw_IpX^[]{Q1 /Awq} | Approximately 317,097 centuries |
| refuses fez involve manuals | Approximately 292,719 centuries |

Which would you rather remember?

How are passwords cracked?

There are several methods to crack passwords:

  1. Hackers usually start with a bunch of wordlists such as the top 10,000 passwords, all English dictionary words, all names, dates and so on.
  2. After exhausting those wordlists, they will try rule-based attacks. These run through all of those words again with certain rules applied, such as common substitutions: capitalizing the first letter (passphrase → Passphrase), making common letter-for-number swaps (passphrase → p4ssphr4se), and so on through other rules ranging from simple to complex.
  3. Rainbow tables contain pre-computed hashes of possible password combinations for a specific hashing algorithm. High processing power is required to compute and store thousands and millions of hashes, but once complete they can save a lot of time for hackers. Salts are used to render rainbow tables useless by adding random characters to each password before it is hashed.
  4. Guessing - Unless passwords are chosen randomly, they can be guessed based on the predictability of the user: personal info and preferences.
  5. Spidering - Same as above, except this one is based on the workplace: corporate literature, website sales material and even the websites of competitors and listed customers can be part of a password.
  6. If the above fail, then brute force, a.k.a. try every combination of characters. Try a, then b, then c, ... eventually 920ECF10, 920ECF11 and so on.

    Thing is, hackers don't need to 'crack' your passwords. More often they might use one of the following methods to find out your passwords instead.

  7. Phishing - A phishing email leads the unsuspecting user to a fake login page that looks legit, requesting the user to put right some terrible problem with their security, which prompts the user to enter their password. The page then skims the password when the user enters it. Phishing is a sub-type of social engineering, and there are several other forms of social engineering which can be used to elicit passwords from users as well.
  8. Malware - A keylogger or screen scraper can be installed by malware which records everything you type or takes screenshots during a login process, and then forwards a copy of this file to hackers. Some malware will look for the existence of a web browser client password file and copy this which, unless properly encrypted, will contain easily accessible saved passwords from the user's browsing history.
  9. Shoulder surfing - The oldest trick in the book. Not just by watching what users are typing, but by wandering around and finding all those passwords on post-it notes.

Depending on how well-protected a website keeps your password, modern computers can make somewhere between 10,000 and 350 billion guesses per second.

Your best defence is using a truly random passphrase generator (like this site).

No security measure is 100% foolproof, but these are as good as they get.

1. Use a different random passphrase for each and every account.

sullivan shows attacks dam
comedy pact belongs wordstar
thanks removed trick lawsuits
handled rains latter once
wang gunfire latest hampered

And so on.

2. Use a password manager or single sign-on (SSO).

No matter how memorable these passphrases are, ultimately you won't be able to remember all of them, which is why eventually you will have to resort to a password manager or SSO. Most browsers have built-in password managers, but these are not recommended due to their vulnerabilities. LastPass, Dashlane and Roboform are some of the most popular password managers, among others, and while they can be mostly reliable, they are susceptible to attacks as well, as witnessed in the past.

3. Use a strong master password for your password manager or SSO account.

This is when a passphrase would be especially useful.

4. Follow cyber-security best practices.

You know like,

Why should I trust this generator?

Firstly, because it makes zero external calls. Check your browser's network tab to verify. The passphrases are all generated by code contained in this page and they are never stored or transmitted.

Secondly, this page is designed to run entirely offline: save this page to your hard drive (or right click and click 'Save as'), disconnect from the internet and open it in a browser. This way, you can be assured regarding the security of the website.

While the passphrases generated are secure, the same cannot be said for whatever you type into the box purely on the basis of the approximate crack time displayed. Why? Because no personal or corporate information or preferences are considered in the estimation, and most of the names and words considered in the estimation are English only.

For example, my name is Mahesan Thanursan. The approximate crack time for my name is 292 centuries. But I would never use it as my password since obviously it's my name and any skilled hacker would definitely try that as a password. Which is why your best bet is sticking with random passphrases.

Share the word, not the phrase!
