Inspired by xkcd #936 (reproduced above, credit to xkcd), I threw together a quick python script to generate correct horse battery staple style passwords.
```python
#!/usr/bin/python3
import os,random,sys

# Load the word list, one word per line, and count the entries.
dictfile=open('wordlist')
dictlist=[]
numword=0
for a_line in dictfile:
    dictlist.append(a_line)
    numword+=1

# Print as many words as requested on the command line, space separated.
for x in range(int(sys.argv[1])):
    random.seed(os.urandom(512)) #reseed the RNG each time to ensure cryptographically secure random numbers
    print(dictlist[random.randrange(numword)].strip(),end=" ")
print("")
```
The name comes from the Unix pwgen utility, with -h appended because it generates “human readable” passwords.
It needs to be fed a file “wordlist” containing one word per line to choose from. You can use mine (roughly the 5000 most common English words) or your own. It’s then invoked as pwgen-h num_of_words
Example invocations and outputs:
```
$ ./pwgen-h 6
starting give progress limit accommodate code
$ ./pwgen-h 4
gravity Latin convenience exclude
```
The wordlist I used is about 5000 words, so a resulting 6-word password has an entropy of bits. That means that there are around possibilities to brute force. At a million guesses per second, it would take in the order of a billion years to check every possibility.
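As an added example (not part of the original script), here is the same generator written around the `secrets` module, with the entropy and brute-force arithmetic from the paragraph above as functions so the figures can be recomputed for any list size, word count or guess rate. The embedded word list is a constructed ten-word stand-in for the real 5000-word file, and `SECONDS_PER_YEAR` assumes a Julian year.

```python
#!/usr/bin/env python3
"""Passphrase generator plus the entropy arithmetic from the post."""
import math
import secrets

# Constructed stand-in for the 'wordlist' file: in practice load ~5000
# one-word-per-line entries; a handful is enough to exercise the code.
SAMPLE_WORDLIST = """starting
give
progress
limit
accommodate
code
gravity
Latin
convenience
exclude
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # assumption: Julian year


def load_wordlist(text):
    """One word per line; blank lines and duplicates are dropped, because a
    duplicated word would make the entropy estimate below too optimistic."""
    words = [w.strip() for w in text.splitlines()]
    return sorted(set(w for w in words if w))


def generate(words, num_words):
    """Pick num_words words uniformly, with replacement, using the OS CSPRNG
    via secrets.choice instead of reseeding the Mersenne Twister."""
    return " ".join(secrets.choice(words) for _ in range(num_words))


def entropy_bits(dict_size, num_words):
    """Entropy of a passphrase of num_words words drawn with replacement."""
    return num_words * math.log2(dict_size)


def years_to_exhaust(dict_size, num_words, guesses_per_second):
    """Time to try every possibility at a fixed guess rate."""
    return dict_size ** num_words / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    words = load_wordlist(SAMPLE_WORDLIST)
    print(generate(words, 6))
    # The post's figures: 5000-word list, 6 words, a million guesses a second.
    print(f"{entropy_bits(5000, 6):.1f} bits, "
          f"{years_to_exhaust(5000, 6, 1e6):.2e} years to exhaust")
```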
This has the caveat, though, that you have to take the first password it offers you* for the working above to be valid. If you keep re-running it until you see a password you like, you are reducing the entropy by an amount that is hard to quantify.
*Or rather, don’t decide based on the output whether to use it. Of course, you can play around with it as much as you like, but you should decide which password you’re going to use before it’s generated for maximum security.