Show HN: How secure is your passphrase? (leebutterman.com)
9 points by lsb on Sept 24, 2012 | 9 comments


If you're having problems thinking of a good passphrase, there's https://www.xkpasswd.net, but if you're uncomfortable with doing that in-browser, there's a bash one-liner[0] and a Python program[1] that do the job well.

[0]: echo $(grep "^[^']\{3,5\}$" /usr/share/dict/words|shuf -n4) # Try different dictionary files if you want a less complex passphrase.

[1]: https://github.com/redacted/XKCD-password-generator
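
As an added example (my own code, not from the original comment, xkpasswd.net or the linked generator), here is the same selection rule as the bash one-liner above in Python, together with the entropy the scheme actually delivers, which depends only on how many words survive the filter and on whether words can repeat. The word list is constructed inline to stand in for /usr/share/dict/words; `candidate_words`, `entropy_bits` and `make_passphrase` are names chosen here.

```python
import math
import re
import secrets

# Constructed stand-in for /usr/share/dict/words (a real file has ~100k lines).
SAMPLE_WORDS = [
    "able", "about", "ace", "acre", "act", "aunt's", "banana", "bat", "cat",
    "cat's", "dog", "elephant", "fox", "horse", "lamp", "moon", "owl", "pig",
    "rain", "staple", "tree", "wind", "zoo",
]

# The same rule as grep "^[^']\{3,5\}$": 3 to 5 characters, no apostrophe.
WORD_RE = re.compile(r"^[^']{3,5}$")


def candidate_words(words):
    """The de-duplicated pool of words the grep filter keeps."""
    return sorted({w for w in words if WORD_RE.match(w)})


def entropy_bits(pool_size, n_words, replacement=False):
    """Bits of entropy in n_words drawn uniformly from a pool of pool_size words.

    `shuf -n4` samples without replacement, so the number of equally likely
    outcomes is pool_size * (pool_size-1) * ... (ordered, no repeats), which
    is slightly less than pool_size ** n_words.
    """
    if replacement:
        return n_words * math.log2(pool_size)
    return math.log2(math.perm(pool_size, n_words))


def make_passphrase(words, n_words=4):
    """Return (passphrase, entropy_bits), drawing from os.urandom via secrets."""
    pool = candidate_words(words)
    if len(pool) < n_words:
        raise ValueError("dictionary too small for %d distinct words" % n_words)
    rng = secrets.SystemRandom()        # CSPRNG; never the default random module
    chosen = rng.sample(pool, n_words)  # without replacement, random order, like shuf
    return " ".join(chosen), entropy_bits(len(pool), n_words)


if __name__ == "__main__":
    phrase, bits = make_passphrase(SAMPLE_WORDS)
    pool_size = len(candidate_words(SAMPLE_WORDS))
    print("%s (%.1f bits from a %d-word pool)" % (phrase, bits, pool_size))
    # The pool size is what matters: 4 words from a 7776-word Diceware-style list.
    print("7776-word list, 4 words: %.1f bits" % entropy_bits(7776, 4))
```

The check worth making before trusting the one-liner is the pool size: the apostrophe and length filter can cut a system dictionary down considerably, and the entropy is log2 of the number of ordered selections from whatever is left, not of the full file.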


Though if you can use a less common language than English, you might get an even better passphrase. I know the Passphrase FAQ says using another language doesn't make your passphrase harder to guess[0], but having worked a bit with language tech, I'm pretty sure that's only true under certain "ideal conditions". Most language tech is extremely English-focused; if there's a new development, it always happens with English first. In non-English languages, OTOH, it can be a challenge simply to find a good dictionary, and finding the corpora to do the kind of rating done by lsb's algorithm is even harder.

Of course, if the "other language" is French/German/Spanish, sure, it's probably not much safer. But if you're lucky enough to know a more marginalised language, I'd say go with it.

[0]: http://www.iusmentis.com/security/passphrasefaq/practical/#W...


Passphrases are getting a lot more popular, and we can tell how good passwords are, so I wanted to build something similar for passphrases. Let me know what you think!


Great concept to add to that XKCD concept. It's interesting - when I type "Once Upon A Time", "Upon" becomes green, whereas "upon" was yellow. I suppose the takeaway is to not follow grammatical rules with your passwords?


Yup: the assumption is that it won't even semantically parse. The only way that "correct horse battery staple" even makes sense is with an image and a story!

Much as passwords work on the lexical level, and adding random punctuation ensures it's not a dictionary word, breaking syntax and semantics is the analogue for passphrases.



Ah, but it's all local, with something like a compressed bloom filter doing lookups. So nothing goes across the wire!
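
As an added example (my own code, not lsb's implementation, whose exact filter and parameters are not given on the page), a minimal Bloom filter for the kind of lookup described above: the dictionary is compiled into a bit array, and each passphrase word is checked against it locally, so the word itself never has to be sent anywhere. A compressed Bloom filter would shrink the bit array further for transfer; this is the plain version. The dictionary and the probe strings are constructed inline; `BloomFilter`, `build_filter`, `score_words` and `measured_false_positive_rate` are names chosen here.

```python
import hashlib
import math

# Constructed stand-in for the dictionary a page like this would ship.
SAMPLE_DICTIONARY = [
    "once", "upon", "a", "time", "correct", "horse", "battery", "staple",
    "cat", "dog", "it's", "don't", "the", "and", "of", "to", "in", "is",
    "you", "that",
]


class BloomFilter:
    """Plain Bloom filter: m bits, k hash positions per item.

    A query answers "probably in the set" or "definitely not in the set";
    false positives occur at a tunable rate, false negatives never do.
    """

    def __init__(self, n_expected, fp_rate=0.01):
        # Standard sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m / n) ln 2 hashes.
        self.m = max(8, math.ceil(-n_expected * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / n_expected * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, word):
        # Double hashing: k positions derived from one SHA-256 digest.
        digest = hashlib.sha256(word.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd stride, never 0
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, word):
        for pos in self._positions(word):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, word):
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(word))

    def size_bytes(self):
        return len(self.bits)


def build_filter(words, fp_rate=0.01):
    bf = BloomFilter(len(words), fp_rate)
    for w in words:
        bf.add(w)
    return bf


def score_words(passphrase, bf):
    """Per-word dictionary hits for a passphrase. The lookup is exact and
    case-sensitive, which is why "Upon" and "upon" can be rated differently."""
    return [(w, w in bf) for w in passphrase.split()]


def measured_false_positive_rate(bf, trials):
    """Probe the filter with constructed strings that were never added."""
    hits = sum(1 for i in range(trials) if ("notaword%d" % i) in bf)
    return hits / trials


if __name__ == "__main__":
    bf = build_filter(SAMPLE_DICTIONARY)
    print("m=%d bits, k=%d, %d bytes" % (bf.m, bf.k, bf.size_bytes()))
    print(score_words("once upon a time", bf))
    print(score_words("Once Upon A Time", bf))
    print("false positive rate: %.3f" % measured_false_positive_rate(bf, 5000))
```

The caveat for a strength meter is the direction of the error: a false positive marks a made-up word as a dictionary word, so the meter under-rates the passphrase rather than over-rating it, which is the safe side to err on. Shipping the bit array also reveals nothing about which word was typed, only which dictionary the page was built from.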


How come it doesn't recognize punctuated words like "don't"?


Hm. I've got "It's". Will investigate.



