wissel.net

Usability - Productivity - Business - The web - Singapore & Twins

Passphrase Generator


Passphrases are considered easier to remember for humans and harder to crack for machines, famously explained in this comic:

Password strength

The challenge then is to have a good word list to pick from. There are various measurements of how many words one person uses, which could be as low as a thousand. Note that there is a huge difference between recognizing a word and using it.

Passphrases and dice

In a recent Toot exchange ospalh pointed me to Diceware, a method that uses dice rolls and a word list to determine a passphrase. Usually one uses five regular six-sided dice, which lets you pick from a 7776-member word list. The EFF published a version using the 20-sided dice from Dungeons and Dragons as well as various word lists.

Wordlists

An attacker who doesn't know that they are dealing with a passphrase and uses conventional cracking methods stands little chance of deciphering the phrase. However, as the defender you must assume they know your word list, so it is imperative to keep it long while maintaining the odds of remembering it (in any case you can use some extra brain). Some of the word lists you can find online:

Math.random() to replace dice

Let's roll (pun intended) our own passphrase generator. To make it a little more fun, these are our constraints:

  • passphrase has 5 elements: 4 words and one 6 digit number
  • the number appears at a random position
  • elements are separated by a - (for readability, in active use you might just filter them out)

Generating the PIN is easy; we only need to pad numbers to 6 digits:

const sixDigits = () =>
  ('000000' + Math.floor(Math.random() * 1000000).toString()).slice(-6);

Implementing a fetch method to populate the word list is left to the reader. We just assume wordlist is an array with the word candidates. Implementing the "dice roll" takes just a few lines:

// One of 5 slots (0..4), so the number can also land after the last word
const numberPosition = Math.floor(Math.random() * 5);
const result = [];

for (let i = 0; i < 4; i++) {
  if (numberPosition === i) {
    result.push(sixDigits());
  }
  const randomIndex = Math.floor(Math.random() * wordlist.length);
  result.push(wordlist[randomIndex]);
}
// Slot 4: the number goes at the very end
if (numberPosition === 4) {
  result.push(sixDigits());
}

console.log(result.join('-'));
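
Math.random() is not a cryptographically secure generator, so for passphrases that guard real accounts the "dice" should be the platform CSPRNG, drawn without modulo bias. The following is an added example, not code from the original post; it also goes a step further and computes the entropy under the assumption stated above that the attacker knows the word list. The names uniformInt, secureSixDigits, securePassphrase, entropyBits and the sample word list are constructed for illustration.

```javascript
// Web Crypto is global in browsers and recent Node; older Node exposes it via node:crypto.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Uniform integer in [0, n). Values at or above limit (the largest multiple
// of n not exceeding 2^32) are rejected, so the final modulo adds no bias.
function uniformInt(n) {
  if (!Number.isInteger(n) || n < 1 || n > 0xffffffff) {
    throw new RangeError('n must be an integer in [1, 2^32 - 1]');
  }
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

const secureSixDigits = () => String(uniformInt(1000000)).padStart(6, '0');

// wordCount words plus one 6-digit number in any of the wordCount + 1 slots.
function securePassphrase(wordlist, wordCount = 4) {
  if (!Array.isArray(wordlist) || wordlist.length < 2) {
    throw new Error('wordlist needs at least two entries');
  }
  const parts = Array.from({ length: wordCount },
    () => wordlist[uniformInt(wordlist.length)]);
  parts.splice(uniformInt(wordCount + 1), 0, secureSixDigits());
  return parts.join('-');
}

// Entropy in bits, assuming the attacker knows the word list and the scheme.
function entropyBits(listSize, wordCount = 4) {
  return wordCount * Math.log2(listSize) + Math.log2(1e6) + Math.log2(wordCount + 1);
}

// Constructed sample list for the demo; a real list should have thousands of entries.
const sampleWords = ['anchor', 'breeze', 'copper', 'dolphin', 'ember', 'falcon', 'glacier', 'harbor'];

console.log(securePassphrase(sampleWords));
console.log(entropyBits(7776).toFixed(1), 'bits with a 7776-word list');
```
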

Variations

  • Concatenate available word lists to extend the size to choose from
  • add a random one or two digit number to each word
  • pick each word from a different word list (let the user choose or by random)
  • use more words, 5 or 6.

Each variation might, actually will, negatively influence a human's ability to memorize, so prudenter agas.

As usual YMMV


Posted by on 24 July 2023 | Comments (0) | categories: Java WebDevelopment
