alternative dictionary

[wrought]

got some surprising passwords generated using this library... might want to check the terms that are inside it.

Here are some alternatives: https://en.wiktionary.org/wiki/Wiktionary:Public_domain_sources

[fardog]

surprising in what way? the included word list is Grady Ward's Moby II, which was chosen because it has a very large number of words.

note that when using xkcd-password you can pass the path to a newline-delimited list of words (with -f or --wordFile) and it'll use that list instead. you can also provide your own word list when using the library programatically (by using instance.initWithWordList)

[fardog]

oh also, thanks for the link! this is a good resource to have available.

[zopf]

Following up on this - the current dictionary contains numerous curse words... for example, "fuck", "shit", etc. Probably not acceptable for a general-usage password generation library.

I just had a user complain about an inappropriate password. I'm adding filtering to our app, but would prefer that the word database be cleaned of inappropriate words, or a different dictionary be used. I'll submit a PR with a somewhat-cleaned db eventually, unless you have plans to change the word db anyway...

[fardog]

@zopf I don't have any plans to change the current dictionary; however, you can instantiate the library to use any wordlist you'd like, so you can control the list you'd like it to use:

var xkcdPassword = require('xkcd-password')

var wordList = ['my', 'list', 'of', 'words']
var pw = new xkcdPassword().initWithWordList(wordList)

The included word list (Grady Ward's Moby II) was chosen because it has a very large number of words available; i didn't want to use a smaller list for the default set. Filtering it could easily lead to bikeshedding (the list of words that your users consider offensive isn't necessarily the list of words that another set of users might consider offensive; there's a lot of things far more offensive to me than "fuck" and "shit", that's for sure), so I just used a preset, and allowed anyone that wanted to filter it to provide their own list.

However: the docs absolutely need improvement; it's not at all clear that this is an option in the API.

You can also use initWithWordFile if you'd like to maintain a newline-separated text file separately (but the load performance will be slower):

var xkcdPassword = require('xkcd-password')

var wordList = ['my', 'list', 'of', 'words']
var pw = new xkcdPassword().initWithWordFile('/path/to/some/file.txt')

That's not so say I wouldn't turn down a PR that used a different list; the grady ward list is deficient in other ways, but I'd like it to be a public-domain and unfiltered list; something that can be downloaded and dropped in, doesn't require any work to maintain, and that has a license which allows its inclusion.

[ZaneHannanAU]

@zopf I've created a fork-ish of this project at https://github.com/ZaneHannanAU/xkcd-z-password

It includes a filter function (where you can filter badwords) but it is a little limited compared to @fardog's implementation.

@zopf @wrought https://gist.github.com/ZaneHannanAU/e9c89a44ebc3cd4b4a58e0a8a9ad06cf includes a simple filter which should remove some of the included badwords.

[ZaneHannanAU]

@zopf @wrought ZaneHannanAU/xkcd-z-password-nobad extends the previous xkcd-z-password 👍

https://github.com/ZaneHannanAU/xkcd-z-password-nobad
https://www.npmjs.com/package/xkcd-z-password-nobadwords