Ask HN: Dictionary based password generator source code – useful or useless?

7 points by simbolo ↗ HN
I've written a Chrome App that generates 'random' phrases based on a hard-coded dictionary of several thousand words.

For example, it creates '312Hesitent-Boxes', '646Nifty.Brains!'.

These passwords are sufficient for many websites requirements, but more-over, they are easyier to spell and type.

The issue is, since a Chrome App is basically just a zipped up JavaScript/HTML folder, it's trivial to get the list of words and then generate every possible combination of numbers+punctuation+words - that's still a lot of words, but nothing that couldn't be generated into a table with that much effort.

Question is, does the ability to predict every password easily make such a tool useless? Or are we more common sense based and know that we could use these passwords on sites that lock/restrict accounts when they hit incorrect passwords, have two-factor, IP locks, non-predictable usernames etc...

6 comments

[ 3.2 ms ] story [ 27.9 ms ] thread
I'd say you're good. Some quick maths:-

Even if you only use a relatively small dictionary (of 32,000 words). Just picking two words at random is a billion combinations. Throw in some different punctuation symbols, plus a 3 digit number and that's over a trillion password combinations.

Any password throttling only helps, but you cannot rely on every website using it.

Useless? No. Diceware's not useless, and it's just a wordlist.
Yours is essentially a variation of the correct horse battery stable/diceware method. It is quite secure way to generate/encode passwords, but I'd recommend using more words, at least three but preferably four. The punctuation, numbers and capitalization might help to get through some onerous password requirements of some sites, but they do not contribute as much as the words to the security of the password.

edit: Just a reminder: check your randomness source for security!

> edit: Just a reminder: check your randomness source for security!

This should be your first thought when doing ANYTHING security-related.

I would suggest allowing users to supply their own wordlists, supply them with custom transliterated languages or help them create words from texts, logs, pdfs etc.

Transliterating words to latin characters from a user's foreign language is a great way to add words not usually found in dictionaries. (eg If you speak Greek, French or Japanese, take a couple of books and transliterate them, remove 10% most and less common words, remove any words between 1-3 and 8+ chars and you should be gold.) You can create or find dictionaries like this for different languages and provide them for users to choose/download from.

Open sourcing your app would be a great way to get help and ideas from others.