Pass Phrase Generator

Many people find phrases in their mother tongue, even if complete nonsense, easier to remember and type than passwords consisting of arbitrary letters and numbers. Of course, since only a minority of sequences of letters are words in a given language, the information density or entropy of such keys is lower, and consequently a phrase must be substantially longer than a meaningless key to be equally difficult to guess.

Still, many people prefer pass phrases. This page generates them in the English language. Simply fill in the number of phrases (up to 100) you wish to generate, how many words to use in each (or the key length in bits equivalent to a given phrase length), then press Generate to fill the Pass Phrases box with phrases. By default, phrases are generated from a pseudorandom seed determined from the time of day and the time various events occurred after this page was loaded; this seed is shown in the Seed box when each set of phrases is generated. You can enter a new seed of your own choice, or press the New Seed button to create a new pseudorandom seed. The list of pass phrases is completely determined by the seed, and is consequently no more secure than the seed is: if it can be guessed, all of the pass phrases generated from it are compromised. Consequently, if you specify your own seed, be sure to use something as long and as random as the pass phrases you're generating from it.

Each phrase will be preceded by a number if Number is checked, and will use Upper case letters if that box is selected. If Include signatures is checked, the list of phrases will be followed by a list of their MD5 signatures; password validation programs may wish to use signatures rather than the actual phrases to save memory and reduce the risk of disclosure of the original phrases.

If you set Words to 2 and check Upper case, the results are excellent candidates for codenames for operational missions, for example, "LAMENTED BIGMOUTH", "CHROMIC TATTOO", "DRIZZLE INNUENDO", and "DRIBBLE HUMILITY".



Words and Bits

The relationship between the number of words in a pass phrase and the equivalent number of bits in an encryption key is as follows. We must assume (since anybody, including adversaries, can download this page) that the dictionary from which we choose words is known. This dictionary contains 27489 (somewhat) common English words, so the information content of a word chosen randomly from the dictionary is simply that of its position in the dictionary, a number from 0 to 27488, or log2(27489) ≈ 14.75 bits per word. When you specify a number of Words, the Bits field shows the equivalent number of bits (rounded down); when you request a key of a given number of Bits, the Words field is set to produce a key with information content of at least that number of bits, and the Bits field shows the precise bit equivalent (equal to or greater than the number of Bits you requested). To obtain the maximum security available from JavaScrypt encryption, you should use keys with information content of 256 bits or more. This is equivalent to 18-word phrases, which may prove unwieldy if you have to type them in.
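The Words/Bits conversion described above, with one way to draw word positions uniformly, as an added example that is not Fourmilab's code. The function names and the 8-word sample list are assumptions, and Node's `crypto.randomBytes` stands in for the page's seeded generator.

```javascript
// Added example, not Fourmilab's code. Function names are assumptions.
const nodeCrypto = require('crypto');

const DICT_SIZE = 27489; // dictionary size stated on the page

// Information content, in bits, of one word chosen uniformly at random.
function bitsPerWord(dictSize = DICT_SIZE) {
  return Math.log2(dictSize);
}

// Words -> Bits: equivalent key length, rounded down as the page describes.
function bitsForWords(words, dictSize = DICT_SIZE) {
  return Math.floor(words * bitsPerWord(dictSize));
}

// Bits -> Words: fewest words whose information content reaches `bits`.
function wordsForBits(bits, dictSize = DICT_SIZE) {
  return Math.ceil(bits / bitsPerWord(dictSize));
}

// One dictionary position in [0, dictSize), uniform by rejection sampling:
// 32-bit draws at or above the largest multiple of dictSize are discarded,
// so no position is favoured the way a plain `x % dictSize` would favour some.
function randomIndex(dictSize = DICT_SIZE) {
  const range = 0x100000000; // 2^32 possible draws
  const limit = range - (range % dictSize);
  let x;
  do {
    x = nodeCrypto.randomBytes(4).readUInt32BE(0);
  } while (x >= limit);
  return x % dictSize;
}

// Build a phrase by looking up independently drawn positions in wordList.
function makePhrase(words, wordList) {
  const picked = [];
  for (let i = 0; i < words; i++) {
    picked.push(wordList[randomIndex(wordList.length)]);
  }
  return picked.join(' ');
}

// Constructed 8-word list (3 bits per word) built from the codename words
// quoted on the page; a real list would be the full dictionary.
const SAMPLE_WORDS = ['LAMENTED', 'BIGMOUTH', 'CHROMIC', 'TATTOO',
  'DRIZZLE', 'INNUENDO', 'DRIBBLE', 'HUMILITY'];

console.log(bitsForWords(18), wordsForBits(256)); // 265 18
console.log(makePhrase(4, SAMPLE_WORDS));
```

The same arithmetic bounds how many candidate phrases exist for a given length, so a short phrase stays weak however its words are drawn.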


If the Include signatures box is checked, the list of pass phrases will be followed by a table of their digital signatures, computed using the MD5 algorithm. If you're using the pass phrases for authentication in a computer application, you may wish to store only the signatures on the computer. The nature of the MD5 algorithm makes it extremely difficult, even if a signature is known, to construct an input which will reproduce that signature. If only the signatures are stored on the computer, even if the list of signatures were compromised, potential attackers would be faced with the formidable challenge of constructing pass phrases which matched the signatures.


by John Walker
December, 2005
This document is in the public domain.