Introduction: Passphrase Generator

(image source Woodcabin Padlock, Creative Commons int)

Passwords are the greatest vulnerability in cyber security. We reuse them across websites, we do not change them, and in many cases we do these things because a password that passes the strength test is hard enough to remember on its own, much less alongside all the other accounts we use.

Passphrases are typically better than passwords simply because of length. A passphrase is simply multiple words strung together, and it can be easier to memorize than a heavily altered word (that computers can still guess easily), as shown well in an XKCD comic. If you continue with the instructable, I will show you my word list source, show the combinations of the word list, show how to enhance entropy, and finally put it all in a spreadsheet to get it done sooner.

Step 1: Supplies

5 Dice/Program

Wordlist

I used the Electronic Frontier Foundation long word list. This list was written to be used for creating passphrases: each word averages 7 characters in length, is memorable, not a homophone, not vulgar, and relatively easy to spell.


To use it, roll 5 dice, read the face of each die, concatenate the digits, and look up the resulting number on the list. E.g., if I roll a 1, 5, 2, 1, and 6, I would look up word 15216 and come up with "catchy". I then repeat for however many words I want.

Step 2: But the Word List Is Known...

(image source, GNU license)

How secure is it if the word list is known?

True, less secure; but still secure.

The EFF long word list is 7,776 words long. If we use three words, that would be 7,776 raised to the power of 3, or 7,776^3 = 470,184,984,576 combinations! This grows exponentially:

4 words= 3.66x10^15

5 words= 2.84x10^19

6 words= 2.21x10^23

10 words= 8.08x10^38

Step 3: Make It Even More Secure

Passwords/passphrases are measured in entropy. Character variance and length are the best ways to enhance password/passphrase security.

Rather than substituting letters for other characters or choosing random letters to capitalize, I like to make mine into a pattern. But within that pattern there is room for randomness. For example: word 1, four digits, word 2, special character, word 3 with the first letter capitalized. For longer passphrases I like to just extend that pattern out: two words, then 2 characters, then 2 words with the first word capitalized. It has a pattern, but it makes it so that having just the word list alone is not enough to (eventually) break the password.

Try adding length and variation in characters and see the significant difference (entropy, password tester).
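The arithmetic from Steps 2 and 3, as an added example that is not part of the original instructable. It assumes the attacker knows both the word list and the pattern, so only the random slots count; the slot sizes follow the spreadsheet formulas shown in Step 5, and the names used are illustrative.

```python
import math

WORDS = 7776  # size of the EFF long list (6**5 dice outcomes)

# Number of equally likely values for each random slot. Fixed choices
# (which word is capitalised, where the digits go) contribute a factor
# of 1: a pattern the attacker knows adds no entropy by itself.
SLOT_SIZES = {
    "word": WORDS,
    "Word": WORDS,            # PROPER(word): the capital's position is fixed
    "digits": 9999,           # RANDBETWEEN(1,9999)
    "special": 47 - 33 + 1,   # CHAR(RANDBETWEEN(33,47)) -> 15 characters
}

PATTERNS = {
    "3 words": ["word"] * 3,
    "4 words": ["word"] * 4,
    "page pattern": ["word", "digits", "word", "special", "Word"],
    "5 words": ["word"] * 5,
}

def combinations(pattern):
    """Search space for an attacker who knows the list and the pattern."""
    return math.prod(SLOT_SIZES[slot] for slot in pattern)

def entropy_bits(pattern):
    return math.log2(combinations(pattern))

def equivalent_plain_words(pattern):
    """How many plain dice words would give the same entropy."""
    return entropy_bits(pattern) / math.log2(WORDS)

def report(patterns):
    """Rows of (name, combinations, bits rounded to one decimal)."""
    return [(name, combinations(p), round(entropy_bits(p), 1))
            for name, p in patterns.items()]

if __name__ == "__main__":
    for name, combos, bits in report(PATTERNS):
        print(f"{name:13} {combos:.3e} combinations  {bits:5.1f} bits")
    words = equivalent_plain_words(PATTERNS["page pattern"])
    print(f"page pattern is worth about {words:.2f} plain words")
```

Under these assumptions the three-word pattern with digits and a special character lands between four and five plain words.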

Step 4: So Slow Process

Rolling dice is fun for the first word.

But then we need to get a lot more words for security. I created a spreadsheet that uses the long word list and will roll dice, creating a line of up to ten words. Then next to that I add special characters and capital letters increasing the entropy.

I did NOT add macros so that you don't need to worry about invasive code. Just refresh in your preferred program and it will generate new passphrases. A note about the spreadsheet: I use VLOOKUP against a second sheet that only has the wordlist. I then string the words together.

Note, the numbers are created pseudorandomly. A computer can only create a mostly random list. Computers run algorithms (as simple as that). We, humans, are not very good at creating random information either (source).

Finally, random characters will be more secure than a passphrase, but also harder to type correctly and harder to remember.

Step 5: Create Your Own Spreadsheet

The DIY spreadsheet

I downloaded the list (provided earlier) and then imported it into a spreadsheet in two columns.

I created another tab to be the front end of the program.

Using the randbetween function I specified =randbetween(1,6)

  • I use 1-6 because those are the faces of a die, which is how the list is keyed
    • If we do randbetween(1,7776) there will be numbers we cannot use
  • I then concatenate these by using the & symbol to "roll 5 dice at a time"
    • randbetween(1,6)&randbetween(1,6)&randbetween(1,6)&randbetween(1,6)&randbetween(1,6)
  • I then do that on 10 lines

I then use VLOOKUP so that I can still see the numbers and the words instead of one or the other. The VLOOKUP "looks up" the word that the 5 dice roll creates.

  • VLOOKUP([rand string], [spreadsheet with wordlist], [column 2], false [for exact match])
    • do not type what is in the brackets [ ], this is to illustrate what to go for on your sheet

I then use concatenation to join the words into a string.

  • [vlookup-ed word]&[vlookup-ed word] etc

I then add, next to the string, the same string with special characters inserted.

  • Proper() command will make anything inside the () in "proper" capitalization, first letter capitalized
    • proper(apple)=Apple
  • Randbetween(1,9999) will create a number that is probably 4 digits, possibly fewer
    • You could also do randbetween(1,999999) or randbetween(1,9)&randbetween(0,9) etc.
  • ASCII is the computer's character set; some of the special characters [ !@#$%^&*() ] (etc) are numbered 33-47. Using randbetween inside char, you can insert one between words
    • char(randbetween(33,47))

Use any and all of these to your own pleasure
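The same dice-and-lookup procedure outside the spreadsheet, as an added example that is not the author's code: it draws each die from the operating system's CSPRNG through Python's `secrets` module instead of the spreadsheet's pseudorandom RANDBETWEEN, and it rejects any key a plain 1-7776 counter would produce that is not a valid five-dice number. The word list here is a constructed stand-in with placeholder words; only the 15216 "catchy" entry comes from this page.

```python
import itertools
import re
import secrets

DICE = "123456"
SPECIALS = [chr(c) for c in range(33, 48)]  # same range as CHAR(RANDBETWEEN(33,47))

def parse_wordlist(text):
    """Parse 'key<TAB>word' lines; reject anything but a complete five-dice table."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split()
        if not re.fullmatch(r"[1-6]{5}", key):
            raise ValueError(f"not a five-dice key: {key!r}")
        table[key] = word
    if len(table) != 6 ** 5:
        raise ValueError(f"expected 7776 entries, got {len(table)}")
    return table

def roll_key():
    """Five independent dice from the OS CSPRNG, concatenated into a lookup key."""
    return "".join(secrets.choice(DICE) for _ in range(5))

def passphrase(table):
    """Step 3 pattern: word, four digits, word, special character, Capitalised word."""
    w1, w2, w3 = (table[roll_key()] for _ in range(3))
    digits = f"{secrets.randbelow(10000):04d}"  # zero-padded, so always four digits
    return f"{w1}{digits}{w2}{secrets.choice(SPECIALS)}{w3.capitalize()}"

def constructed_wordlist():
    """Constructed stand-in for the downloaded file: placeholder words, not EFF data.
    Only the 15216 -> catchy entry is taken from the page."""
    to_letters = str.maketrans(DICE, "abcdef")
    lines = []
    for dice in itertools.product(DICE, repeat=5):
        key = "".join(dice)
        word = "catchy" if key == "15216" else key.translate(to_letters)
        lines.append(f"{key}\t{word}")
    return "\n".join(lines)

if __name__ == "__main__":
    table = parse_wordlist(constructed_wordlist())
    print(table["15216"])      # the page's worked lookup
    print(passphrase(table))   # different on every run
```

To use it with the real list, pass the contents of the downloaded word list file to `parse_wordlist` instead of `constructed_wordlist()`.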

Participated in the Safe and Secure Challenge