
Just use random words. Memorable passwords don’t have to be weak. Five random common English words are already very strong. Just make sure you don’t pick the words by hand.


https://github.com/resonantcore/lib/blob/master/js/diceware/...

https://github.com/resonantcore/lib/blob/master/demo/dicewar...

Run this locally, e.g.

    var dw = new Diceware();
    dw.load("https://raw.githubusercontent.com/resonantcore/lib/master/js/diceware/diceware.wordlist.asc", function() {
        console.log("Diceware loaded!");
        // Draw the words inside the callback so the wordlist is guaranteed to be loaded
        console.log(dw.getWords(8).join(' '));
    });


If you're on Linux you can usually just do:

    shuf -n 5 /usr/share/dict/words
On Mac OS X you need coreutils for shuf, which you can get from brew (it's called gshuf once installed).


I would be very cautious about using shuf for password generation, since it doesn't use a cryptographically-secure random number generator (I just checked the source).

Edit: I see that shuf permits the use of custom seeds, so you can do the following, and it will be secure:

    shuf -n 5 --random-source=/dev/urandom /usr/share/dict/words


Or:

    python -c 'import random;w=open("/usr/share/dict/words").readlines();print " ".join([random.choice(w).strip() for _ in range(5)])'


To get rid of the newlines:

    shuf -n 4 /usr/share/dict/words | xargs | sed 's/ //g'


Or slightly more simply:

    echo `shuf -n 5 /usr/share/dict/words`


Maybe add this to your .bashrc file?

    randword()
    {
      # Default to 5 words; quote "$1" so the test is valid when no argument is given
      if [ -z "$1" ]; then
        echo $(shuf --random-source=/dev/urandom -n 5 /usr/share/dict/words)
      else
        echo $(shuf --random-source=/dev/urandom -n "$1" /usr/share/dict/words)
      fi
    }
Test output:

    kobra@stormforge blah $ randword 4
    crackpots fragmentation maximally Bradly's
    kobra@stormforge blah $ randword 6
    turnover's nonproliferation's bestowal's sulkier hillbilly Narmada
    kobra@stormforge blah $ randword
    Marciano fibulas roadwork mobilizations organics
    kobra@stormforge blah $ randword
    coins bronzed housemother's forefather supposing


Except this stopped being strong a while ago: since it was popularized by xkcd in 2011, crackers have incorporated this scheme into their password-cracking routines.

Bruce Schneier blogged about this last year: https://www.schneier.com/blog/archives/2014/03/choosing_secu...


Except Schneier is just plain wrong about this. The numbers presented in the XKCD comic were already assuming that the attacker has full knowledge of how the passwords are generated, including the wordlist used. This has been discussed over and over in various places, including HN. Long story short, there are no shortcuts for the attacker against true random bits of entropy.
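The arithmetic behind the "attacker knows the wordlist" argument above, and the earlier warning about shuf's weak generator, as an added example that is not code from the thread. It assumes a Diceware-sized list of 7776 words, uses Python's `secrets` module (OS CSPRNG) for the selection, and embeds a small constructed word list so it runs offline:

```python
import math
import secrets

# Constructed mini word list standing in for a real Diceware list;
# a real list has 7776 entries, this one only makes the demo runnable.
SAMPLE_WORDS = ["apple", "bronze", "crater", "dahlia", "ember", "fjord",
                "glacier", "harbor", "inlet", "juniper", "kestrel", "lantern"]

DICEWARE_LIST_SIZE = 7776  # 6**5 outcomes of rolling five dice


def load_wordlist(path):
    """Read one word per line (the layout /usr/share/dict/words uses), skipping blanks."""
    with open(path, encoding="utf-8") as fh:
        return [line.strip() for line in fh if line.strip()]


def passphrase(words, count=5):
    """Pick `count` words independently and uniformly with the OS CSPRNG.
    Picks are with replacement, so the entropy is exactly count * log2(len(words))."""
    if len(words) < 2:
        raise ValueError("word list too small to be useful")
    return [secrets.choice(words) for _ in range(count)]


def entropy_bits(list_size, count):
    """Entropy of `count` uniform picks from `list_size` words, assuming the attacker
    knows both the list and the scheme (the threat model the xkcd numbers use)."""
    return count * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest number of words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def effective_bits(list_size, count, generator_state_bits):
    """Entropy actually delivered when the words are chosen by a generator whose
    seed/state holds only `generator_state_bits` (None = proper CSPRNG): the
    passphrase can never hold more entropy than the generator that produced it.
    The 'hand-picked' failure is the extreme case, where the state is human choice."""
    bits = entropy_bits(list_size, count)
    if generator_state_bits is None:
        return bits
    return min(bits, float(generator_state_bits))


if __name__ == "__main__":
    print(" ".join(passphrase(SAMPLE_WORDS)))
    print("5 Diceware words:", round(entropy_bits(DICEWARE_LIST_SIZE, 5), 1), "bits")
    print("same words from a 32-bit-seeded PRNG:",
          effective_bits(DICEWARE_LIST_SIZE, 5, 32), "bits")
```

Five Diceware words come to about 64.6 bits, but the same five words drawn from a generator seeded with 32 bits are worth no more than 32 bits; the generator, not the word count, is the bound.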
