Frequently Asked Questions

OK, this is really a big list of statements and assumptions. Read here to find out more of the details behind how passwords are generated.

What Password and Passphrase Styles are Supported?

See here for details. Or click across the different options across the top of the page to try different styles out.

What Usage Limits Apply?

To make sure this site is available to as many people as possible, usage limits are applied based on your IP address. Because you don't need large numbers of passwords in bulk, the limits are designed so that they should never be reached accidentally, while still allowing plenty of scope for experimentation and testing.

The limit is: 150 password generations or quality ratings per IP address per 2 hour period.

Once the limit is exceeded, any further requests from your IP address will be denied. The limits are reset every 2 hours, so you will need to wait, at most, 2 hours before you can generate more passwords.

What Security Precautions Does This Site Take?

Before I list the precautions and ways you can double check everything is above board, let me be very honest: no matter what I say here, you will need to trust me (and my hosting provider).

That is, despite every box I tick, and every precaution I take, there's no way you can be 100% sure either I, my hosting provider or the NSA aren't secretly recording each password you generate. To be 100% sure, grab a copy of the source code and generate passwords in your own controlled environment.

OK, with that out of the way, here's the list:

Where is This Site Hosted?

As of January 2015, I host it myself! The web site runs on my do-everything server (which was originally my home theatre PC, and still serves in that role).

From a security point of view, I'm much more confident about who has access to my server. So it's even less likely someone will be snooping on any passwords generated.

For the 12 months prior to January 2015, it was hosted by WinHost. They provided a more than adequate service, but I realised I could save a few dollars by hosting it myself. And I figured, if I work in IT deploying other people's web sites, I should be able to host one myself!

How Easy are the Passwords to Guess?

The generated passwords and passphrases are entirely random. So, with no pattern to work with, an attacker would need to try every combination in turn. Which means the longer the password you can memorise, the harder it is for the bad guys to guess.

To give some concrete numbers to work with, here's a worked example:

A 5 word passphrase has 1,463,822,570,892,920,000,000 total combinations, which is about 70 bits (and is rated as Strong).

An attacker could invest about $10k (in Australia) to attempt up to 81 billion unique passwords per second using Hashcat (based on figures from early 2014 for a fast, unsalted hash such as MD5). The 4, 5 and 6 word figures below only work out with that rate; 81 million per second would make every duration a thousand times longer.

At that rate, it would take about 550 years to try every combination (on average, the attacker finds the right one about half way through).

Add one more word to make a 6 word passphrase (rated as Fantastic) and it would take over 9 million years!
With a 4 word passphrase (rated as Adequate) it would take just 13 days.

Most attackers will give up after a week or two of trying. So even the 4 word passphrase isn't bad (although I wouldn't be comfortable with it).

This is all based on the assumption you don't change the generated password. It also assumes the attacker has a copy of the password hash and that it is a fast hash; a slow password hash such as bcrypt, scrypt or PBKDF2 cuts the guess rate by several orders of magnitude, and guessing through a rate-limited login form is slower still.
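Here is the arithmetic behind those figures, with a passphrase generator alongside it, as an added example in Python (it is not code from the site). It assumes the 5 word count above is N^5 for a dictionary of N words, which gives N = 17,104 to the precision printed on the page, uses the 81 billion guesses per second figure, and stands in a constructed ten-word list for the real dictionary; the slow-hash guess rate is an illustrative assumption.

```python
import math
import secrets

# Constructed stand-in for the site's one-word-per-line passphrase dictionary,
# so the example runs offline.
SAMPLE_DICTIONARY_TEXT = """apple
bridge
candle
dragon
eagle
forest
garden
harbour
island
jungle
"""

# Figures from the FAQ above. The 5 word count printed there is 17104**5 to
# 15 significant figures, so the dictionary size is inferred as 17,104 words.
STATED_5_WORD_COMBINATIONS = 1_463_822_570_892_920_000_000
GUESSES_PER_SECOND = 81e9            # the $10k Hashcat rig, fast unsalted hash
SLOW_HASH_GUESSES_PER_SECOND = 1e5   # illustrative assumption for a bcrypt-class hash
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def load_dictionary(text):
    """Parse a one-word-per-line dictionary, dropping blank lines and duplicates
    (a duplicate word would make that word twice as likely to be chosen)."""
    seen = set()
    words = []
    for line in text.splitlines():
        word = line.strip()
        if word and word not in seen:
            seen.add(word)
            words.append(word)
    return words


def infer_dictionary_size(combinations, n_words):
    """Recover the dictionary size N from a stated N**n_words combination count."""
    return round(combinations ** (1 / n_words))


def generate_passphrase(words, n_words):
    """Pick n_words uniformly and independently using the OS CSPRNG.
    random.choice would be wrong here: Mersenne Twister output is predictable
    once an attacker has seen a few outputs."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def combinations(dict_size, n_words):
    return dict_size ** n_words


def entropy_bits(dict_size, n_words):
    """Each word contributes log2(N) bits; words are independent, so bits add."""
    return n_words * math.log2(dict_size)


def exhaustive_search_seconds(dict_size, n_words, rate=GUESSES_PER_SECOND):
    """Time to try every combination at `rate` guesses per second.
    The attacker succeeds, on average, after about half of this."""
    return combinations(dict_size, n_words) / rate


def human_duration(seconds):
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    n = infer_dictionary_size(STATED_5_WORD_COMBINATIONS, 5)
    print(f"implied dictionary size: {n:,} words")
    for k in (4, 5, 6):
        fast = exhaustive_search_seconds(n, k)
        slow = exhaustive_search_seconds(n, k, SLOW_HASH_GUESSES_PER_SECOND)
        print(f"{k} words: {entropy_bits(n, k):.1f} bits, "
              f"{human_duration(fast)} at 81 billion/s, "
              f"{human_duration(slow)} at 100 thousand/s")
    print("sample:", generate_passphrase(load_dictionary(SAMPLE_DICTIONARY_TEXT), 5))
```

Run as a script it prints the 4, 5 and 6 word durations at both guess rates; the 81 billion per second column reproduces the 13 days, 550 years and 9 million years above (to the rounding the page uses).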

Is Source Code Available?

Yes. You can see all the internals of the site on Bitbucket.

Are the Dictionaries Used Available?

Yes.

The passphrase dictionary is a plain text file with one word per line.

The readable passphrase dictionary is an XML file which marks words according to their English parts of speech.

The PIN blacklist is a plain text file with one PIN per line. It was derived from work by Data Genetics.

Are there Non-English Dictionaries Available?

No. Sorry, I don't speak any other languages.

Can I Change a Generated Password?

Maybe. For best results, please don't.

OK, you can pretty safely add to the password without any problem. Adding does not decrease the number of combinations (and may even increase them, although password crackers are very good at guessing common additions).

I commonly add a number and a symbol to a passphrase to meet my employer's password quality requirements, but leave the rest of the passphrase exactly as is.

On the other hand, all bets are off if you change a word or character within a password to, say, something you like better. Or change the letter o to a number 0. Or capitalise a letter.

Quite simply, I don't know how your change will affect the total combinations. A change you think looks totally random may actually be a common modification known to crackers, and add very little to the password. It's always best to rely on randomness and length rather than funky modifications.
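To see why a substitution that "looks random" adds so little, here is a small interpreter for a subset of hashcat's rule language, as an added example (it is neither the site's code nor hashcat's). A cracker runs every dictionary entry through every rule in a rule file, so a substitution that one rule reproduces multiplies the attacker's work by the number of rules, not by a new dictionary's worth of choices. The rule list and the base phrase are constructed; the 17,104-word dictionary size is taken from the worked example above.

```python
import math


def apply_rule(rule, word):
    """Apply a hashcat-style mangling rule string to one candidate word.
    Supported subset (same letters as hashcat's rule language):
      : no-op   l lower   u upper   c capitalise   t toggle case   r reverse
      $X append X   ^X prepend X   sXY replace every X with Y
    Functions may be separated by spaces and are applied left to right."""
    out = word
    i = 0
    while i < len(rule):
        op = rule[i]
        if op in (" ", ":"):
            i += 1
        elif op == "l":
            out = out.lower()
            i += 1
        elif op == "u":
            out = out.upper()
            i += 1
        elif op == "c":
            out = out[:1].upper() + out[1:].lower()
            i += 1
        elif op == "t":
            out = out.swapcase()
            i += 1
        elif op == "r":
            out = out[::-1]
            i += 1
        elif op == "$" and i + 1 < len(rule):
            out = out + rule[i + 1]
            i += 2
        elif op == "^" and i + 1 < len(rule):
            out = rule[i + 1] + out
            i += 2
        elif op == "s" and i + 2 < len(rule):
            out = out.replace(rule[i + 1], rule[i + 2])
            i += 3
        else:
            raise ValueError(f"unsupported or truncated rule at {rule[i:]!r}")
    return out


# Constructed rule list in the spirit of hashcat's bundled rule files
# (the real best64.rule holds 64 rules). Each rule costs the attacker one
# extra guess per dictionary entry.
RULES = [":", "l", "u", "c", "t", "r", "$1", "$!", "$1 $!", "so0", "sa@", "se3",
         "c $1", "c so0", "so0 $1"]


def candidates(base, rules=RULES):
    """Every variant a cracker derives from one base phrase with the rule list."""
    return {apply_rule(r, base) for r in rules}


def extra_bits_from_rules(n_rules):
    """Work multiplier, in bits, that a rule list adds to a dictionary attack."""
    return math.log2(n_rules)


def extra_bits_from_word(dict_size):
    """Work multiplier, in bits, from one more randomly chosen dictionary word."""
    return math.log2(dict_size)


if __name__ == "__main__":
    base = "correct horse battery"          # constructed base passphrase
    tweaked = "C0rrect h0rse battery"       # capitalised, o -> 0: "looks random"
    print(tweaked in candidates(base))      # the rule "c so0" reproduces it
    print(f"64 rules add {extra_bits_from_rules(64):.1f} bits of work; "
          f"one more word from 17,104 adds {extra_bits_from_word(17104):.1f} bits")
```

The comparison at the end is the practical point: a 64-rule file costs the attacker 6 bits, a sixth random word costs 14 bits, and appending a fixed "1!" for a complexity policy is itself one of the rules, which is why the advice above is to add rather than substitute and to rely on length.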

Why is the Readable Passphrase Quality a Range?

The readable passphrases have considerably more complex structure than any other style. As any student of languages knows all too well, natural language is, well, complicated. Even slight differences in phrase structure, for example an imperative verb rather than present tense, can dramatically change the number of combinations. And the different phrase length options each imply different phrase templates.

As with other styles, I want to capture the quality of generated phrases, but a single number simply doesn't work with the complexity of the templates used. So, rather than showing only the maximum or the minimum combinations, the range shows both.

The minimum represents the smallest number of combinations possible (assuming the worst case for everything). The maximum is the largest number of combinations (assuming the best case). And the average, which is used as the headline, is a middle ground of the two. The average is a good "working estimate" for comparing with other styles, but be aware you can occasionally get phrases that are much easier or much harder to guess.

There are some graphs of different phrase strengths to give you an idea of different complexities and strengths. And the same page lists all the phrase templates which correspond to each length.

What do the Readable Passphrase Length Options Mean?

The readable passphrases have considerably more complex structure than any other style. Rather than a simple number of words to control the phrase length, the readable passphrase is based on templates (eg: noun verb adjective noun). Longer phrases use more complex templates. And most templates contain at least one optional word (eg: the adjective in the previous example is optional in most templates).

There are some graphs of different phrase strengths to give you an idea of different complexities and strengths. And the same page lists all the phrase templates which correspond to each length.
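The range in the previous two questions comes from the optional words in each template, and a short calculation shows how. This is an added example, not the site's code: the parts of speech dictionary sizes and the two templates are constructed stand-ins (the real templates are listed on the strength-graphs page), and taking the headline as the midpoint in bits between the two ends is an assumption about how the site forms its "average", which the page does not define.

```python
import math

# Constructed per-part-of-speech dictionary sizes (assumptions for this example;
# the real XML dictionary tags each word with its part of speech).
POS_SIZES = {"noun": 5000, "verb": 1500, "adjective": 1200, "adverb": 400}

# Constructed templates keyed by a length option. Each slot is
# (part of speech, optional?). Longer options use templates with more slots.
TEMPLATES = {
    "normal": [("noun", False), ("verb", False), ("adjective", True), ("noun", False)],
    "long": [("adjective", True), ("noun", False), ("adverb", True), ("verb", False),
             ("adjective", True), ("noun", False)],
}


def combination_range(template, sizes=POS_SIZES):
    """Return (minimum, maximum) combinations for a template: the minimum leaves
    every optional word out, the maximum puts every optional word in."""
    low = 1
    high = 1
    for pos, optional in template:
        n = sizes[pos]
        high *= n
        if not optional:
            low *= n
    return low, high


def headline_bits(low, high):
    """Midpoint in bits between the ends of the range (assumed definition)."""
    return (math.log2(low) + math.log2(high)) / 2


def describe(name, template, sizes=POS_SIZES):
    low, high = combination_range(template, sizes)
    return (f"{name}: {math.log2(low):.1f} to {math.log2(high):.1f} bits "
            f"({low:,} to {high:,} combinations), headline {headline_bits(low, high):.1f} bits")


if __name__ == "__main__":
    for name, template in TEMPLATES.items():
        print(describe(name, template))
```

With the constructed sizes the "normal" template spans about 35 to 45 bits, a spread of a thousand to one from a single optional adjective; the "long" template, with three optional slots, spreads wider still, which is why one number cannot describe it.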

What are Mutators? What do they do?

Mutators are a fancy way of changing your passphrase after it is created. Primarily, they are a way to add some upper case letters and numbers to your passphrase to meet complexity requirements (eg: must contain an upper case letter and a number). But you can also use them to make a passphrase without spaces easier to read (by making all the first letters upper case).

Only 4 options are available on the web interface. But, if you use the API directly, you can control precisely where the numbers and upper case letters are added, and exactly how many are added.

Why are PIN Quality Ratings Different?

PINs are fundamentally insecure when used as normal passwords. There are simply too few combinations in a 4-digit PIN to stop someone trying every one of them. They rely on the fact that you can only enter them a few times before your phone is locked or your ATM card is shredded.

To take into account the limited number of times you can enter a PIN before something horrible happens, the quality ratings are lowered.

Important: PINs are not usable as normal passwords. Never use a PIN as a computer login or website password.

Why are Some PINs Excluded?

There are some very commonly used PINs, such as 1234 or 1111. Because such PINs could quite easily be guessed, the most common are blacklisted and will never be generated.

You can download the list of blacklisted PINs. It was derived from work by Data Genetics.

The blacklist applies to PINs from 4 to 10 digits long.
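The two PIN questions above fit in one small example: draw a PIN with a CSPRNG, reject it if it is blacklisted, and express the quality of the result as the chance an attacker has of guessing it in the few attempts a lockout allows. This is an added example, not the site's code. The blacklist text is a constructed stand-in for the real file (one PIN per line), and the attempt counts are assumptions.

```python
import math
import secrets

# Constructed stand-in for the site's PIN blacklist (the real file is one PIN
# per line and covers 4 to 10 digits).
BLACKLIST_TEXT = """1234
1111
0000
1212
7777
1004
2000
4444
2222
6969
123456
111111
"""

DIGITS = "0123456789"


def load_blacklist(text):
    return {line.strip() for line in text.splitlines() if line.strip()}


def generate_pin(length, blacklist):
    """Uniformly random PIN of `length` digits that is not blacklisted.
    Rejection sampling keeps the distribution uniform over the allowed PINs;
    "fixing up" a blacklisted draw (say, adding 1) would bias it."""
    if not 4 <= length <= 10:
        raise ValueError("blacklist covers PINs from 4 to 10 digits")
    while True:
        pin = "".join(secrets.choice(DIGITS) for _ in range(length))
        if pin not in blacklist:
            return pin


def allowed_count(length, blacklist):
    """Number of PINs of this length that can still be generated."""
    return 10 ** length - sum(1 for p in blacklist if len(p) == length)


def guess_probability(length, attempts, blacklist):
    """Chance that an attacker who knows the blacklist, and gets `attempts`
    tries before the lockout, guesses a uniformly chosen allowed PIN."""
    return min(1.0, attempts / allowed_count(length, blacklist))


def unlimited_bits(length):
    """Strength if an attacker could try every PIN: too few bits for a password."""
    return length * math.log2(10)


if __name__ == "__main__":
    blacklist = load_blacklist(BLACKLIST_TEXT)
    for length in (4, 6):
        pin = generate_pin(length, blacklist)
        print(f"{length}-digit PIN {pin}: {unlimited_bits(length):.1f} bits unlimited, "
              f"{guess_probability(length, 5, blacklist):.4%} chance in 5 attempts, "
              f"{guess_probability(length, 10000, blacklist):.0%} with 10,000 attempts")
```

The last column is the whole argument of the "PINs are not passwords" warning: with a lockout after 5 attempts a 4-digit PIN is guessed about one time in 2,000, but an attacker who can try 10,000 times (an offline copy, or a login without a lockout) always wins.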

Should I Use the Example Passwords?

No. Never use the passwords or passphrases used as examples.

Passwords are supposed to be kept secret. And the example passwords are anything but secret.

Are there More Technical Questions?

For security professionals, programmers and other people interested in the technical implementation of the site, there are more details available on the technical FAQ.

What are Password Managers?

Password managers are computer programs which securely store your passwords. They make it easy to generate and remember a unique password for every website you visit.

They are the electronic equivalent of a notepad to write all your passwords down in. Along with a combination safe to store it in. And a set of dice to make new passwords. And a link to your browsers and other programs to type them easily.

A password manager means you'll only need to remember a handful of passwords, but every website you use can have a strong and unique password. Essential for best security on the Internet.

What Password Managers do you Recommend?

There are several different password managers available. As always, there are pluses and minuses for each of them and you should do your research before choosing one. But using any of them is a million times better than simply using the same password on every website.

If you're really looking for a recommendation, I use KeePass. Although I'd recommend 1Password for anyone non-technical.

Why Have a Unique Password for Every Website?

So your bank account can't be accessed because some random website you registered on 5 years ago got hacked.

Websites get hacked on a daily basis, from small mum-and-pop stores to high profile sites like LinkedIn or Adobe. If you use the same password for your internet banking as for LinkedIn, there's a very high chance the bad hackers know your password and could easily access your bank accounts.

There are websites which list compromised or hacked sites. Others let you check if your email or password has been disclosed. And still others are dedicated to analysing, cracking and publishing the leaked passwords. The most highly prized lists are leaked passwords traded privately between hackers; you'll never know if your passwords are on those lists.

The take home message is: using the same password on multiple sites is risky. Like unsafe sex risky: if you use the same password on enough sites, eventually you'll get bitten.

Why Include (or Exclude) Asian Characters?

Unicode passwords are generated from code points (each being a single character or letter). Every code point belongs to a category. Only code points from a limited number of categories (listed in the technical details) are used.

Most East Asian characters are categorised as OtherLetter. Checking the Include Asian Characters option adds that one category to the allowed list.

Unfortunately, there are a lot of East Asian characters. Around 49 thousand of them (they are the red and light red in this picture). And they tend to swamp all the other characters.

So including them means at least three quarters of your password will appear as East Asian characters, although it will significantly increase the number of combinations for your passwords.

In the end, it's a personal choice to make. But, because I can't read East Asian characters and they have no meaning to me, I prefer to exclude them.

What's the Basic Multilingual Plane and Why Should I Stick to It?

Summary: only use the Basic Multilingual Plane, as you get little benefit when using all of Unicode but my server has to work 1000 times harder.

To understand why that is the case, there's some history and technical details about Unicode. And then some maths.

The Basic Multilingual Plane (or BMP) is the part of the Unicode standard which holds the first 65,536 code points or characters (everything that fits in 16 bits). It was all that was considered when Unicode was originally designed. Unfortunately, people realised there are more than 65k different characters in all the different languages in the world. So, as is the usual case with computers and technology, some smart people designed a clever (but ugly) way to allow more characters. The original 65,536 (which was originally everything) was renamed the Basic Multilingual Plane (plane zero), as it contained letters and characters for most major languages. And 16 new "planes" were added (numbered 1 through to 16), each with another 65,536 code points, for a grand total of 1,114,112 (65,536 times 17 planes). Of that, Unicode in early 2014 (version 6.3) has allocated 110,187 different code points or characters - a little under 10%.

But, in terms of generating passwords, including the entire Unicode code point space is not very useful. Most of Unicode outside the BMP is actually unallocated (only about 10% of the total space is allocated, whereas the BMP is about 85% allocated for public use). So, my algorithm to generate passwords has to do more work to locate useful code points (ie: my server has to look much harder). But, because there are only about 60% more characters to choose from, all that work does not translate into better passwords. A doubling of characters would be nice, but we barely get half way there.

If the entire Unicode code point space was allocated, then this problem would largely go away. My server wouldn't need to look so hard, and we'd have 10 times the number of characters which would make for even more insanely hard to guess passwords!

So, to repeat the summary: it's not really worth allowing more than the BMP when generating Unicode passwords. Just leave that check box unticked.
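The two Unicode questions above can be checked against the Unicode database that ships with Python, as an added example (not the site's code). It draws random code points and keeps only those in allowed categories, which is the "my server has to look harder" effect: the fraction of draws kept falls sharply once the 16 mostly empty supplementary planes are in scope. The category list below is a stand-in for the site's real list (which is on the technical page), "Lo" is the OtherLetter switch from the East Asian question, and the counts printed come from whatever Unicode version your Python carries, which is newer than the 6.3 figures quoted above.

```python
import secrets
import unicodedata

BMP_SIZE = 0x10000         # plane 0: 65,536 code points
UNICODE_SIZE = 0x110000    # 17 planes * 65,536 = 1,114,112 code points

# Assumed allowed categories: letters other than "Lo", numbers, punctuation and
# symbols. Controls, formats, surrogates (Cs), private use (Co), unassigned (Cn),
# separators and combining marks are never used.
BASE_CATEGORIES = {"Lu", "Ll", "Lt", "Lm", "Nd", "Nl", "No", "Pc", "Pd", "Ps", "Pe",
                   "Pi", "Pf", "Po", "Sm", "Sc", "Sk", "So"}


def allowed_categories(include_other_letter):
    """The "Include Asian Characters" option adds the single category "Lo"."""
    return BASE_CATEGORIES | ({"Lo"} if include_other_letter else set())


def category_histogram(limit):
    """Count code points below `limit` by Unicode general category."""
    counts = {}
    for cp in range(limit):
        cat = unicodedata.category(chr(cp))
        counts[cat] = counts.get(cat, 0) + 1
    return counts


def candidate_count(limit, include_other_letter):
    """How many code points below `limit` the generator may use."""
    cats = allowed_categories(include_other_letter)
    hist = category_histogram(limit)
    return sum(n for cat, n in hist.items() if cat in cats)


def hit_rate(limit, include_other_letter):
    """Fraction of uniformly drawn code points a rejection sampler keeps;
    expected draws per kept character is 1 / hit_rate."""
    return candidate_count(limit, include_other_letter) / limit


def generate_unicode_password(length, limit=BMP_SIZE, include_other_letter=False):
    """Rejection sampling with the OS CSPRNG: draw a code point, keep it if its
    category is allowed, until `length` characters have been collected."""
    cats = allowed_categories(include_other_letter)
    chars = []
    while len(chars) < length:
        cp = secrets.randbelow(limit)
        if unicodedata.category(chr(cp)) in cats:
            chars.append(chr(cp))
    return "".join(chars)


def all_allowed(password, include_other_letter):
    cats = allowed_categories(include_other_letter)
    return all(unicodedata.category(ch) in cats for ch in password)


if __name__ == "__main__":
    print("Unicode database:", unicodedata.unidata_version)
    print("Lo (OtherLetter) code points in the BMP:", category_histogram(BMP_SIZE)["Lo"])
    for limit, name in ((BMP_SIZE, "BMP only"), (UNICODE_SIZE, "all 17 planes")):
        for lo in (False, True):
            rate = hit_rate(limit, lo)
            print(f"{name}, Lo={'on ' if lo else 'off'}: {candidate_count(limit, lo):>7,} "
                  f"usable code points, {rate:.1%} of draws kept, "
                  f"{1 / rate:.1f} draws per character")
    print("sample:", generate_unicode_password(12, include_other_letter=False))
```

Two things to read off the output: turning "Lo" on multiplies the usable pool several times over, which is the "swamped by East Asian characters" effect, and widening the draw range from the BMP to all 17 planes drops the fraction of draws kept from most of them to roughly one in eight, so the sampler loops many more times for each character it keeps.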

Does This Site Remember My Settings?

Yes. The site uses a web browser feature called Local Storage to store settings for each style of password, and the home page.

As long as you visit the site in the same web browser, your settings will be remembered. Different web browsers on the same computer, like Chrome or Firefox or Internet Explorer, each keep their own copy, so settings saved in one won't appear in another.

There is no Save button, however. Any time you change a setting, your web browser just remembers it.