[Cryptography] generated passphrases

Arnold Reinhold agr at me.com
Tue Aug 13 13:49:45 EDT 2019

On Tue, 13 Aug 2019 06:53 jamesd asked:  

> There are plenty of random phrase generators around, but I have not 
> found their algorithms and their word databases.
> I hope someone could direct me to some open source for random phrase 
> generation
> For the same entropy, it is easier to type an English language 
> passphrase than a random string of gibberish, even though the random 
> string has roughly three times the entropy per character, the longer 
> English phrase is easier to remember and to type.
> Trouble is that user generated passwords and  passphrases tend to have 
> low entropy.
> Logon passphrases do not need much entropy, because the server will lock 
> you out after a large number of failed guesses, but the trouble is that 
> pass phrases for crypto currency accounts require about a 128 bits of 
> entropy, which corresponds to about twenty three characters of random 
> gibberish, or about a twelve word passphrase.   It is hard to type in 
> twenty three characters of random gibberish.
> To prevent people from using low entropy passphrases, most crypto 
> currency wallets use a generated passphrase of twelve words randomly 
> selected from a list of two thousand words.
> Trouble is random words are hard to remember and type. Grammatically 
> correct nonsense passphrases are easier to remember and type.
> Jitsi uses a random passphrase generator which generates grammatically 
> correct nonsense phrases, but its passphrase generator only generates 
> four word phrases.
> Obviously, we would be better off using randomly generated grammatically 
> correct twelve word nonsense phrases than randomly generated strings of 
> words.

Please see my Diceware(tm) page (diceware.com) which has word lists in 27 languages and a simple random generation scheme using dice. The English word list emphasizes short words and abbreviations to keep generated passphrases as short as is reasonably possible. The Diceware word lists have 7776 words (6^5) for easy dice selection.  So each word adds 12.9 bits of entropy (log2(7776)) and 10 words are enough to provide 128 bits of entropy. Whether that many is needed for acceptable security depends, in part, on how much key stretching is used by the program that accepts the passphrase.  In general, the practice of taking a passphrase, putting it through a fast hash, such as the SHA series, and using the hash output as a cryptographic key is a very bad idea. Only resource intensive hashes should be used. For  crypto currency several seconds of hashing should be acceptable to unlock wallets, but others can comment on what is actually done in the various currencies.

A Diceware passphrase will not be grammatically correct in general. Passphrases that are grammatically correct will have significantly lower entropy, the sum of the binary logarithms of the number of words for each part of speech. A "randomly generated grammatically correct twelve word nonsense phrase” is unlikely to come close to 128 bit entropy. However, for randomly generated passphrases it is often possible to invent a story or thought image that makes them easier to remember. See the famous xkcd.com/936. 

I also have made a table that generates a grammatically correct sentence for any random string of 10 English letters: 


Two sentences worth (twenty random characters) provides 94 bits of entropy. A third shorter sentence with 7 letter can be added for 128 bit entropy. Just to be clear, the random letters are the password, the sentences are mnemonics for the user.  I do recommend writing passphrases down and keeping them somewhere safe.

Arnold Reinhold

More information about the cryptography mailing list