xkcd password strength comic

Inspired by xkcd #936 (reproduced above, credit to xkcd), I threw together a quick python script to generate correct horse battery staple style passwords.


import secrets,sys
for a_line in dictfile:
for x in range(int(sys.argv[1])):
print(secrets.choice(dictlist).strip(),end=" ")

(edit: I’ve updated this as of Jan 2022: when I first wrote this, I used the python “random” module, which isn’t secure. Since then, the “secrets” module has been added to python from 3.6, which generates secure randomness, so I’ve updated it to use that)

The name comes from the unix pwgen utility, but -h because it generates “human readable” passwords.

It needs to be fed a file “wordlist” containing one word per line for it to choose from. You can use mine (roughly the 5000 most common english words) or your own. It’s then invoked as pwgen-h num_of_words

Example invocations and outputs:

$ ./pwgen-h 6
starting give progress limit accommodate code
./pwgen-h 4
gravity Latin convenience exclude

The wordlist I used is about 5000 words, so a resulting 6-word password has an entropy of 6 \times log_2{5000}=73.7 bits. That means that there are around 10^{22} possibilities to brute force. At a million guesses per second, it would take in the order of a billion years to check every possibility.

This has the caveat though that you have to take the first password it offers you* for the working above to be valid. If you keep trying it until you see a password which you like, you’re reducing your entropy in a difficult to quantify way.

*Or rather, don’t decide based on the output whether to use it. Of course, you can play around with it as much as you like, but you should decide which password you’re going to use before it’s generated for maximum security.