Show HN: How secure is your passphrase? - lsb
http://www.leebutterman.com/passphrase-safety/

======
Mithrandir
If you're having problems thinking of a good passphrase, there's
<https://www.xkpasswd.net>, but if you're uncomfortable with doing that in-
browser, there's a bash one-liner[0] and a Python program[1] that do the job
well.

[0]: echo $(grep "^[^']\\{3,5\\}$" /usr/share/dict/words|shuf -n4) # Try different dictionary files if you want a less complex passphrase.

[1]: <https://github.com/redacted/XKCD-password-generator>

~~~
unhammer
Though if you can use a less common language than English, you might get an
even better passphrase. I know the Passphrase FAQ says using another language
doesn't make your passphrase harder to guess[0], but having worked a bit with
language tech, I'm pretty sure that's only true under certain "ideal
conditions". Most lang. tech is extremely English-focused; if there's a new
development, it always happens with English first. In non-English languages,
OTOH, it can be a challenge simply to find a good dictionary, and finding the
corpora to do the kind of rating done by lsb's algorithm is even harder.

Of course, if the "other language" is French/German/Spanish, sure, it's
probably not much safer. But if you're lucky enough to know a more
marginalised language, I'd say go with it.

[0]: [http://www.iusmentis.com/security/passphrasefaq/practical/#W...](http://www.iusmentis.com/security/passphrasefaq/practical/#WhatifIuseanotherlanguage)

------
lsb
Passphrases are getting a lot more popular, and we can tell how good passwords
are, so I wanted to build something similar for passphrases. Let me know what
you think!

------
alook
Great concept to add to that XKCD concept. It's interesting - when I type
"Once Upon A Time", "Upon" becomes green, whereas "upon" was yellow. I suppose
the takeaway is to not follow grammatical rules with your passwords?

~~~
lsb
Yup: the assumption is that it won't even semantically parse. The only way
that "correct horse battery staple" even makes sense is with an _image_ and a
story!

Much as passwords work on the lexical level, and adding random punctuation
ensures it's not a dictionary word, breaking syntax and semantics is the
analogue for passphrases.

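An added illustration of the two-level rating lsb describes above (example code written for this thread, not lsb's own tool): each word is scored by its surprisal against a small constructed corpus, and a word the corpus predicts from its predecessor is credited only with the conditional surprisal, so a grammatical, familiar phrase scores far below an unparseable one. The corpus, the bigram model standing in for lsb's unspecified algorithm, and the 17-bit credit for an unseen word are all assumptions.

```python
import math
from collections import Counter

# Constructed toy corpus; a real rater would use a large text corpus (assumption).
CORPUS = ("once upon a time there was a horse . the horse was correct . "
          "a battery and a staple . once upon a time a staple was upon the horse . "
          "it was the best of times . a time and a battery .")
UNSEEN_BITS = 17.0  # assumption: an unseen word is one of ~131k dictionary words


def build_model(text):
    """Count unigrams and within-sentence bigrams; '.' marks sentence ends."""
    unigrams, bigrams = Counter(), Counter()
    for sentence in text.lower().split("."):
        toks = sentence.split()
        unigrams.update(toks)
        bigrams.update(zip(toks, toks[1:]))
    return unigrams, bigrams, sum(unigrams.values())


def rate_passphrase(phrase, model):
    """Return (total bits, per-word report) for a space-separated passphrase.

    Lexical level: a word's surprisal is -log2 P(word) from unigram counts.
    Syntactic level: if the corpus has seen (previous word, word) as a bigram,
    the word only earns -log2 P(word | previous), which is usually far less.
    """
    unigrams, bigrams, total = model
    report, bits, prev = [], 0.0, None
    for w in phrase.lower().split():
        if (prev, w) in bigrams:
            b = math.log2(unigrams[prev] / bigrams[(prev, w)])
            label = "predictable"
        elif w in unigrams:
            b = math.log2(total / unigrams[w])
            label = "common" if unigrams[w] > 1 else "rare"
        else:
            b = UNSEEN_BITS
            label = "unseen"
        report.append((w, label, round(b, 2)))
        bits += b
        prev = w
    return round(bits, 2), report


MODEL = build_model(CORPUS)

if __name__ == "__main__":
    for p in ("once upon a time", "correct horse battery staple"):
        print(p, "->", rate_passphrase(p, MODEL))
```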
------
ansman
<http://ismycreditcardstolen.com/>

~~~
lsb
Ah, but it's all local, with something like a compressed bloom filter doing
lookups. So nothing goes across the wire!

------
seldo
How come it doesn't recognize punctuated words like "don't"?

~~~
lsb
Hm. I've got "It's". Will investigate.