

Ask HN: Dictionary based password generator source code – useful or useless? - simbolo

I've written a Chrome App that generates 'random' phrases based on a hard-coded dictionary of several thousand words.

For example, it creates '312Hesitent-Boxes', '646Nifty.Brains!'.

These passwords are sufficient for many websites' requirements, but moreover, they are easier to spell and type.

The issue is, since a Chrome App is basically just a zipped-up JavaScript/HTML folder, it's trivial to get the list of words and then generate every possible combination of numbers+punctuation+words - that's still a lot of words, but nothing that couldn't be generated into a table with that much effort.

Question is, does the ability to predict every password easily make such a tool useless? Or are we more common-sense based and know that we could use these passwords on sites that lock/restrict accounts when they hit incorrect passwords, have two-factor, IP locks, non-predictable usernames etc...
======
geoah
I would suggest allowing users to supply their own wordlists, supply them with
custom transliterated languages or help them create words from texts, logs,
pdfs etc.

Transliterating words to Latin characters from a user's foreign language is a
great way to add words not usually found in dictionaries. (e.g. If you speak
Greek, French or Japanese, take a couple of books and transliterate them,
remove the 10% most and least common words, remove any words between 1-3 and 8+
chars and you should be gold.) You can create or find dictionaries like this
for different languages and provide them for users to choose/download from.

Open sourcing your app would be a great way to get help and ideas from others.

------
zokier
Yours is essentially a variation of the correct horse battery staple/diceware
method. It is quite a secure way to generate/encode passwords, but I'd recommend
using more words, at least three but preferably four. The punctuation, numbers
and capitalization might help to get through some onerous password
requirements of some sites, but they do not contribute as much as the words to
the security of the password.

edit: Just a reminder: check your randomness source for security!

~~~
sarciszewski
[https://github.com/jvdl/CorrectHorseBatteryStaple/pull/2/fil...](https://github.com/jvdl/CorrectHorseBatteryStaple/pull/2/files)

Agreed.

------
velox_io
I'd say you're good. Some quick maths:

Even if you only use a relatively small dictionary (of 32,000 words), just
picking two words at random is a billion combinations. Throw in some different
punctuation symbols, plus a 3 digit number and that's over a trillion password
combinations.

Any password throttling only helps, but you cannot rely on every website using
it.

------
arh68
Useless? No. Diceware's not useless, and it's just a wordlist.

