Increase example-seed-data.json list to 4096 words #14
This helps the user in two ways:
Using this word list, this is the amount of entropy you get in the passphrase as a result:
This word list is a sorted list of the most common 4,096 English words that are either 4, 5, or 6 characters in length. This will help minimize the number of characters in the passphrase, without compromising entropy.
Example 4-word passphrases:
Example 5-word passphrases:
Example 6-word passphrases:
First, thanks for taking the time to check out my project. I like the two suggestions and would like to incorporate them in different ways. I need to write more about the motivation for this project and what it is trying to provide (maybe this comment is the first step). What exists today is a basic web service that leans entirely on Dropbox's zxcvbn and a hash store to generate strong, unique passphrases based on a provided set of words at start time. Going forward, I want to provide more customization points so people can easily run their own instances.
The set of words included as an example are just CSS color names, which is a short, familiar, easily-exhaustible list, making it easy to develop with and peer over. I'd like to create a directory of example word lists and encourage people to provide more. Maybe one day people could select a few lists to mash together and launch a custom instance.
Passphrase length is high on my list to allow for customization. People who want more secure instances could set it on startup or even allow customization per request. At passplum.com, I'm still trying to convince people that
So a couple of things come to mind. First is that zxcvbn is a blind entropy guess. It doesn't know what set you're pulling from when creating the password, so it uses a lot of mathematics and heuristics to try and figure it out as best as it can. However, when you know what size your set is, and what elements are part of it, then you can calculate the entropy yourself. You don't need zxcvbn to do that. The goal of zxcvbn is to provide a sort of strength meter for sites supporting account creation, giving feedback to the user about the quality of their password.
So, when you know your set size is 4,096 elements, and you know you're grabbing from the set randomly, then you know you are getting 13 bits of entropy per word. You don't want to rely on zxcvbn when generating the passphrases. As some examples, each of these has exactly 78 bits of entropy, but zxcvbn thinks they each have (without spaces):
Further, making the word list public doesn't compromise security, when the default passphrase length is providing enough entropy. In this case, the attacker would need to generate 4096^6 = 4,722,366,482,869,645,213,696 passphrases, which is outside of the practical realm (as already initially posted).
Second, you don't need to mention anything about entropy to the front-end. Just give them the password. Users should only have to copy-paste it into the password manager, form field, text editor, etc.
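The point made above, that once you know the set size and that words are drawn uniformly you can compute the entropy yourself rather than asking zxcvbn, as an added example that is not part of this pull request or the project's code. It assumes the word list is loaded as a Python list (the constructed `SAMPLE_WORDS` stands in for `example-seed-data.json`), applies the 4-to-6-character filter from the PR description, picks words with the `secrets` CSPRNG, and reports entropy as `word_count * log2(list_size)`. For a 4,096-word list that is log2(4096) = 12 bits per word, and the six-word search space 4096^6 is the 4,722,366,482,869,645,213,696 figure quoted in the comment.

```python
import math
import secrets

# Constructed sample list standing in for example-seed-data.json (assumption: the
# real file is a JSON array of strings; this toy list is far shorter than 4,096 words).
SAMPLE_WORDS = [
    "apple", "brick", "candle", "delta", "eagle", "fable", "grape", "hazel",
    "igloo", "jolly", "kayak", "lemon", "maple", "noble", "olive", "pearl",
    "apple",    # duplicate: a repeated word would bias the draw, so it is removed
    "sky",      # 3 characters: below the 4-character floor from the PR description
    "lantern",  # 7 characters: above the 6-character ceiling
]


def prepare_word_list(words, min_len=4, max_len=6):
    """Lower-case, de-duplicate and sort, keeping only words of min_len..max_len characters.

    De-duplication matters for the entropy figure: the calculation below assumes
    every element of the list is distinct and equally likely.
    """
    return sorted({w.lower() for w in words if min_len <= len(w) <= max_len})


def bits_per_word(list_size):
    """Entropy of one uniformly random pick from a set of list_size distinct words."""
    return math.log2(list_size)


def passphrase_entropy_bits(list_size, word_count):
    """Entropy of word_count independent uniform picks (with replacement)."""
    return word_count * bits_per_word(list_size)


def search_space(list_size, word_count):
    """Number of passphrases an attacker who knows the list and length must enumerate."""
    return list_size ** word_count


def generate_passphrase(words, word_count, sep=" "):
    """Draw word_count words with the OS CSPRNG; random.choice would not be suitable here."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    words = prepare_word_list(SAMPLE_WORDS)
    print(f"{len(words)} usable words: {words}")
    for n in (4, 5, 6):
        bits = passphrase_entropy_bits(len(words), n)
        print(f"{n} words: {generate_passphrase(words, n)!r} ({bits:.1f} bits)")
    # Figures for the 4,096-word list discussed in the thread.
    print("4,096-word list:", bits_per_word(4096), "bits/word;",
          passphrase_entropy_bits(4096, 6), "bits for 6 words;",
          "search space", search_space(4096, 6))
```

Because the entropy comes from the size of the set and the number of picks, publishing the list changes nothing as long as the draw is uniform and the length is sufficient; what would change it is a list with duplicates, a biased random source, or a passphrase length chosen per request that is too short.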
I like relying on zxcvbn's "very unguessable" score and leveraging all that's gone into that project. Again, my goal is to get more people from
I'm open to adding additional strength measurement options as long as zxcvbn is left as the default.