Your browser needs help generating entropy. Mouse or tap randomly across the window until you fill the progress bar below.

About Joel's Password Generator

What is this?

Inspired by the xkcd Password Strength comic, this application provides you with ten relatively complex, yet easy to remember passwords. Optionally, you can include numbers or symbols for additional complexity (or to satisfy certain password requirements), and adjust the number of words.

Why should I use passwords like these?

Using common words in your password aids memorability.

Using multiple words ensures sufficient complexity to prevent guessing of the password.

Most people's brains can only hold about seven pieces of information in the short term. Contrasting a seven letter password to a seven word password, a seven word password has 2 quadrillion times more complexity, or combinations. Exploit your brain's ability to memorize sequences of words with ease, and you will be rewarded with a more memorable-secure password.

Tips

Internally repeating the password helps to extend the memory into long term memory.

To further strengthen the memory, it might help to form a mental picture of the word relationships (as illustrated in the comic).

Caveat

Certain websites may have a password length limit of about 20 characters. Take note of such limits to ensure your password is not being truncated.

How are these passwords secure?

The dictionary used contains approximately 3,500 commonly used English words. Each word is chosen at random using a pseudorandom number generator. As an additional security measure, version 2.0+ of this application now generates passwords using JavaScript (on the client side)—in other words, the passwords are never sent across the web.

To demonstrate how these passwords are secure, let's consider how someone might guess your password.

Best case scenario: guesser uses a dictionary attack

If the guesser is privy to you using word sequences as your passwords, they can guess your password much faster than a standard brute-force attack. Still, there are about 150 trillion combinations of four word passwords (as generated by this website); that would take a long time even for a computer to guess.

More likely scenario: guesser uses a brute-force attack

More likely, the guesser would use a brute-force password attack—trying every combination of characters for passwords in the range of 8–20 characters. The guesser would make rudimentary assumptions about your character set (whether you use uppercase, numbers, or symbols). For example, if the guesser assumes your password character set includes uppercase and lowercase letters only, then a 25 character password has 52^25 (7.9 × 10^42) possible combinations. This would take something on the order of several octillion years to guess with a desktop PC.

Free yourself from remembering passwords

Unique password for every account: it's difficult

If you are using unique passwords for every account you've created—which you definitely should be—you will probably find it difficult, if not impossible, to remember all of those passwords. It's just the nature of your brain.

Password managers: a must have

I personally recommend using a password manager such as 1Password, KeePass, LastPass, etc., to free yourself from the burden of remembering all of your various account passwords.

Once you start using a password manager, you can use longer, more complex passwords, without worrying about having to remember them. Then, you only need to remember a handful of passwords in your everyday life, such as your computer passwords, email password, or other passwords you can't or don't want to depend on your password manager for.

Author

Created by Joel Walters © 2013.

CHANGELOG

v3.9.0 (2014-11-30)

Adjusted font size to compensate for change in Google Chrome extensions' default font styles.

Developer Notes Updated Gemfile (dependencies) Added bower.json Attempt to use SemVer version numbering



v3.8 (2013-10-11)

Updated jQuery library to 1.10.2

Updated to a more recent version of the Stanford Javascript Crypto Library (specified as 1.0.0 in package.json)

v3.7 and lower

No changelog existed prior to v3.8; however you can view changes on GitHub.