
Show HN: Correct Horse Battery Staple password generator - quantum5
https://correcthorse.pw/
======
atoponce
I audit web-based password generators as a hobby, and this one does well.

What it does well on:

The source code is open source licensed. Passwords are generated in the
client, not on the server. The generator is random. The generator is
cryptographically secure. The generator is unbiased. Mobile devices are
supported. There are no JavaScript trackers loaded on the page. The site is
not calling out to external resources without SRI.

Unfortunately, by only choosing 4 random words, the security margin of the
passphrase is 52 bits (13 bits per word). This is practical for a hobbyist
password cracker to exhaust in an offline attack. The security would be better
if 6 random words were chosen instead.

Audit:
[https://docs.google.com/spreadsheets/d/1ucaqJ4U3X3nNEbAAa06i...](https://docs.google.com/spreadsheets/d/1ucaqJ4U3X3nNEbAAa06igbBkITHaA98blftOwT8u0I4/edit?usp=sharing)

~~~
quantum5
Thank you for the audit!

The default was chosen as 4 words due to usability concerns with longer
passwords or more obscure words, but it is adjustable. The strength meter is
yellow at 4 words to indicate the less-than-optimal entropy, but I felt it was
better than turning a new user off by making it too hard to remember. But
that's a decision I plan on revisiting.

If you are security conscious, you can save a more secure default for yourself
(in local storage, nothing is ever transmitted to a server).

~~~
atoponce
No problem. I dig the project. Very cool.

I would recommend the default be 6 words, and let people choose down to 4, but
not lower. At last that way, users know what a "secure default" looks like.
Granted, it breaks the four-word "correct horse battery staple" XKCD format,
but Randall was in some error with that comic anyway.

------
CPLX
Can someone explain to me why 1password doesn't have something like this built
in? You can use words, or random/symbols, but not both. Which fails miserably
every time you're faced with some sort of silly password requirement to have a
symbol and a number and a capital or whatever.

~~~
daveoc64
Passphrases are easy for people to remember, but if you have a password
manager, you're better off getting it to generate a 50+ character random
password (including uppercase, lowercase, numbers and symbols).

That should meet pretty much any password requirement, be virtually impossible
to guess or brute force, and you won't have trouble remembering it (because
you don't have to!).

~~~
asdkhadsj
> you're better off getting it to generate a 50+ character random password
> (including uppercase, lowercase, numbers and symbols).

Lol I wish. Almost all of the important sites I use, like various bills and
loans, use terrible password schemes. One even, until recently, enforced an 8
character limit! I think they raised it to 16 iirc. Oy.

Hell, even the company I work for frequently fails my password generator
settings. The arbitrary character requirements of my ~20 character password
would sometimes not be satisfied when I was creating accounts in our dev
system/etc. Which is annoying as hell, but I can't convince management,
because our users _(older)_ tend to use some of the worst passwords out
there.. so I can understand where it's coming from.

Security & UX is hard.

------
staplers
While I would love to use something like this, almost every site I can think
of enforces worthless password rules like "Must include number, letter,
special character" etc which effectively blocks these types of passwords.

~~~
brewdad
Much like /u/hprotagonist above, I tend to use passwords like this for my pw
manager, full disk encryption, PGP, etc. where I get to set the rules. Web
sites or other uses outside my control get a randomly generated string of
varying length.

It doesn't have to be all or nothing and is probably better if it isn't.

------
mlaci
Problem with generators and this scheme, they allow regeneration. Most people
not using the first version, they generate a new until they like it enough to
stop, which is not that random anymore as they think.

~~~
pkhamre
So you're saying that generating a new password looses entropy?

~~~
setr
_Choosing_ is the problem here -- it's now only as random as your preference

Eg the scheme doesn't do its job well if you don't know the word, so the
dictionary can be reduced by that much

~~~
ResidentSleeper
On the other hand, I'd wager that the set of words that you can recognize is
vastly larger than the set of words that you're likely to come up with on the
spot. Hence, using a generator would still result in higher entropy then
trying to come up with a password yourself.

Random numbers picked by humans are notoriously biased. I'm guessing it's even
worse when you ask them to come up with random words.

------
quantum5
Background: I liked the xkcd-style password generation scheme as it was easy
to remember, but existing generators online (that I could find, at least) all
use Math.random() or other cryptographically insecure random number
generators. While an actual attack on the RNG seems far-fetched, the very idea
doesn't sit well with my crypto nerd side. So I decided to create my own that
uses a CSPRNG that I can trust. This was a while ago.

Recently, I decided to package it up with a nice domain name and publish it in
hopes that it would be useful to others.

~~~
perl4ever
What about [https://www.random.org/](https://www.random.org/)? Why even use a
PRNG if you can have the real thing?

~~~
quantum5
Because instead of just trusting your system, you'd also have to trust an
external service to remain honest. CSPRNG is widely deemed acceptable for use
as key material (unlike standard PRNGs), so there is no reason to add an
external dependency.

~~~
atoponce
Further, sufficiently seeded cryptographically secure RNGs are
indistinguishable from true random white noise, so from a practical
perspective, there is no point to require "true random".

------
beardedwizard
So we are really getting passwords from remote hosted websites? Are people
really about to copy, paste and use these right out of the browser?

~~~
daveoc64
What is the risk exactly?

Even if the site knew for certain that you had used one of the passwords, they
would have no idea where you used the password, and they wouldn't know your
username or other credentials.

They might not even have any way of accessing the system you're putting the
password into.

I'm sure a lot of people will use these sorts of sites to generate a whole
bunch of passwords, and not even use any of them.

~~~
asdkhadsj
I'd imagine the risk is pretty great, for the same reason I wouldn't paste a
password here that I use. Sure, you may not know who I am, but if you were the
site itself you get a ton of information on me.. which is more than I'd like
you to know if you _also_ know one of my passwords.

I agree, the risk is minimal. Nevertheless.. security, heh.

~~~
mlyle
The site doesn't know the password, though-- it's generated clientside.

~~~
beardedwizard
Will you be inspecting the code every single time it loads to ensure that has
not changed? You are receiving this code from an untrusted 3rd party every
time you visit. There is a big difference to trusting a known entity like
lastpass, 1password, etc, all of whom are vulnerable to supply chain attacks.
It is another thing entirely to trust a random website on hackernews.

Payload decoders and password generators are some of the biggest honeypots out
there. Combining this with an attack taking advantage of hidden form autofill,
you could gain quite a bit of information to go along with that password.

~~~
mlyle
If I were to use it, I'd probably just pull my own copy off github.

If I were to recommend novices to use it-- I'd tell them to use a password
manager locally, and something like that to generate a secure password to get
into their own machine locally / get into their password manager-- which
mitigates most of the risk if it turns rogue.

~~~
beardedwizard
well then you wouldn't be using this or any other website, and this entire
conversation would be moot :).

------
shaggyfrog
Nice work!

A passphrase, as opposed to a password, has spaces between each word.

If you added those it would be easier to read, especially for mobile, if you
used a multiline textarea, because the generated content isn’t fully readable
at a glance. (Or don’t use a form input field at all — just put the passphrase
in a div so the word breaks flow normally.)

~~~
james-skemp
Yup. With the ability to add a separator (like a space, -, .) I'd switch over
to this.

Currently I use and recommend [https://preshing.com/20110811/xkcd-password-
generator/](https://preshing.com/20110811/xkcd-password-generator/)

~~~
quantum5
Good idea, just added separators to the website.

~~~
pkhamre
You could(/should) add space and make it the default separator :)

~~~
quantum5
Space support is included. You can save it as the default option if you want.

------
chaoticmass
I have bookmarked this site for my own personal use. I also shared it with my
co-workers in the IT dept.

I think your site works well on selling itself if you assume the audience is
coming from HN. From what I have observed, your site does not market itself
well to a typical corporate IT dept who are not all programmers.

I think if we want to promote wider adoption of this good password technique,
we'll need a different approach.

This is not a criticism-- You've done a job I admire. I think I might fork it
and make another version that is approachable to a wider audience. Thank you!

------
lozf
Reminds me of the perl module `hsxkpasswd`[0] which has more configure
options, and also powers the online generator at
[https://xkpasswd.net/s/](https://xkpasswd.net/s/)

[0]:
[https://github.com/bbusschots/hsxkpasswd](https://github.com/bbusschots/hsxkpasswd)

------
tzs
For passwords I might have to enter by hand, such as WiFi passwords, I liked
the pronounceable password option that 1Password used to have. The passwords
were several single syllables string together by a separator. An example: neg-
pen-nau-eng-fri-dot. There were options to change the separator, and to toss
in digits and upper case if I remember correctly. Syllables were 2 to 4
letters long, I believe.

At some point 1Password dropped that, replacing it something similar to
"correct horse battery staple". It's words (3-10) separated by hyphen, space,
period, comma, or underscore. E.g., "plasma.haggis.arrange.stultify".

~~~
pkulak
Me too. I actually built my "ideal" password generator because nothing else
was really cutting it for me. And an online generator is a no go. Because of
security, of course, but I also just want to pipe my password straight into my
clipboard, for example.

[https://github.com/pkulak/pgen](https://github.com/pkulak/pgen)

------
chrisbai
I rely on the built in password generator of Passfindr
[https://passfindr.com](https://passfindr.com) using the same random number
generator as mentioned in correcthorse.pw. When using a Password Manager, and
one should, different passwords for every internet account is straight
forward.

------
arbirk
You forgot the translate to Finnish step

------
ThA0x2
You can achieve this with a one-liner:

shuf -n 4 /usr/share/dict/words

~~~
1e-9
This may not be cryptographically secure. Shuf can default to using a small
amount of entropy.[1,2,3] To be certain, you can add the --random-source
option:

shuf --random-source=/dev/urandom -n 4 /usr/share/dict/words

[1]
[https://www.gnu.org/software/coreutils/manual/html_node/Rand...](https://www.gnu.org/software/coreutils/manual/html_node/Random-
sources.html)

[2]
[https://github.com/coreutils/coreutils/blob/v8.5/gl/lib/rand...](https://github.com/coreutils/coreutils/blob/v8.5/gl/lib/randread.c)

[3]
[https://github.com/coreutils/coreutils/blob/v8.32/gl/lib/ran...](https://github.com/coreutils/coreutils/blob/v8.32/gl/lib/randread.c)

Edit: As ThA0x2 points out in a reply, the latest version of shuf uses
/dev/urandom to generate a default nonce, which vastly improves upon older
versions. As long as your version of coreutils is at least 8.6 or later and
your OS has /dev/urandom, the default should be fine. If you don't have
/dev/urandom, even the latest version of shuf (version 8.32, as of June 15,
2020) will still default to an insecure nonce.

~~~
dllthomas
I'm curious how practical an RNG attack actually is here (which absolutely
isn't meant to serve as criticism of your surfacing the issue!).

In any case, I expect it's much harder than a random "free password gen!"
website saving results on the sly (... which is meant to be mild criticism of
your framing, but not your recommendation :-p).

~~~
ThA0x2
shuf uses randint(), which defaults to /dev/urandom as the nonce source:

[https://github.com/coreutils/coreutils/blob/v8.31/gl/lib/ran...](https://github.com/coreutils/coreutils/blob/v8.31/gl/lib/randread.c)

It's going to be as practical to attack as anything that uses /dev/urandom.

~~~
dllthomas
For sufficiently recent versions of shuf. It looks (... at a skim of the
history, I could be confused) like older versions use pid, ppid, uid, gid, and
time. In that case that's likely to be more practical than brute force if
you've generated a password with notionally more than ~40 bits of entropy.

That said, I suspect most people are indeed on a platform with a sufficiently
recent version of shuf.

(And a sufficiently old version may lack the random-source option.)

~~~
ThA0x2
RHEL 6 will be EOLd this November. That's the last supported version of RHEL
that has this issue. Ubuntu 13.04, RHEL 7 and later don't suffer from this
issue.

I'd say almost everyone reading these comments is on a platform that does not
suffer from this issue.

------
professorTuring
lower, upper and numbers = 62 options | wordlist = 10 000 options:

    
    
        62^12     = 1e21
        10 000^5  = 1e20
    
    

The problem is you not using a word generator and instead relying in your
invention, most of the people will use top 5000 words (5000^5 = 1e18), imagine
you can even lock one of the words (a color maybe?).

So this way of thinking might be good if you know what you are doing and use
uppers and lowers and symbols, if not, it is actually a bad advice.

------
throwaway8941
If I may egregiously misuse the famous quote, "those who do not understand
Unix are condemned to reinvent it, poorly."

    
    
        $ shuf --random-source=/dev/urandom -n6 /usr/share/dict/cracklib-small | paste -sd-
        circulant-conjured-reigning-buzzed-awaiting-typifies

------
nlawalker
See also
[https://theworld.com/~reinhold/diceware.html](https://theworld.com/~reinhold/diceware.html)
(the "original", as far as I know).

KeePassXC has a passphrase generator, although it doesn't use the Diceware
list as far as I know.
[https://keepassxc.org/images/screenshots/linux/screen_006.pn...](https://keepassxc.org/images/screenshots/linux/screen_006.png)

EDIT: Love the simplicity of
[https://correcthorse.pw/](https://correcthorse.pw/), good work!

------
hprotagonist
I tend to rely on
[https://www.rempe.us/diceware/#eff](https://www.rempe.us/diceware/#eff) for
my typeable password needs.

80% of my passwords are just line noise, because they live in a keepass
database. 20% (workstation account logins, etc) are diceware.

~~~
bagacrap
you type "glove blinks abruptly avatar salvaging marbled" every time you need
to unlock your screen?

~~~
tomlagier
Mine's a more meaningful sentence, but about the same length, yes.

It doesn't take long to type a wholly-memorized sentence.

~~~
Jaruzel
Based on the typically strict Corporate 5-minute auto-lock you find on work
computers, that would get tiresome REALLY quickly :(

~~~
tomlagier
Honestly, it's not any worse than a more typical number and symbol stew. You'd
be surprised how quickly you can type a 40 character sentence, especially one
that you've developed a bit of muscle memory for. I think it's likely as fast,
if not faster than the more "typical" 12-16 character special-symbol fest.

------
NickBusey
Shout out to the open source Bitwarden project which includes this out of the
box. Check out bitwarden_rs for a good sefhosted option.

------
matmann2001
I know XKCD made a comic and everything, but isn't this type of password
exactly why dictionary attacks exist?

~~~
loa_in_
In the original comic it is shown that entropy of these passwords is still
higher than the method with random words and substitutions. That means more
combinations even with full knowledge of used dictionary

