9 comments

[ 4.7 ms ] story [ 36.2 ms ] thread
Passphrases are getting a lot more popular, and we can tell how good passwords are, so I wanted to build something similar for passphrases. Let me know what you think!
How come it doesn't recognize punctuated words like "don't"?
Hm. I've got "It's". Will investigate.
Great concept to add to that XKCD concept. It's interesting - when I type "Once Upon A Time", "Upon" becomes green, whereas "upon" was yellow. I suppose the takeaway is to not follow grammatical rules with your passwords?
Yup: the assumption is that it won't even semantically parse. The only way that "correct horse battery staple" even makes sense is with an image and a story!

Much as passwords work on the lexical level, and adding random punctuation ensures it's not a dictionary word, breaking syntax and semantics is the analogue for passphrases.

If you're having problems thinking of a good passphrase, there's https://www.xkpasswd.net, but if you're uncomfortable with doing that in-browser, there's a bash one-liner[0] and a Python program[1] that do the job well.

[0]: echo $(grep "^[^']\{3,5\}$" /usr/share/dict/words|shuf -n4) # Try different dictionary files if you want a less complex passphrase.

[1]: https://github.com/redacted/XKCD-password-generator

Though if you can use a less common language than English, you might get an even better passphrase. I know the Passphrase FAQ says using another language doesn't make your passphrase harder to guess[0], but having worked a bit with language tech, I'm pretty sure that's only true under certain "ideal conditions". Most lang. tech is extremely English-focused, if there's a new development, it always happens with English first. In non-English languages, OTOH, it can be a challenge simply to find a good dictionary, and finding the corpora to do the kind of rating done by lsb's algorithm is even harder.

Of course, if the "other language" is French/German/Spanish, sure, it's probably not much safer. But if you're lucky enough to know a more marginalised language, I'd say go with it.

[0]: http://www.iusmentis.com/security/passphrasefaq/practical/#W...