Secure passphrase generator

2010-10-01 00:00:00 +0100


A simple GUI program that generates random passphrases from dictionaries in various languages. These passphrases are both easier to remember and stronger than most classical passwords composed of alphanumeric and special characters. Sample screenshot:

Currently Polish and English dictionaries are included. They are built into the binary, so there is no installer, no configuration files, etc. To use it, just download and run.

Download Secure Passphrase Generator

The file is digitally signed (spg.exe.sig). The signature is in OpenPGP format and can be verified using my PGP public key.

Usage

In one run 20 passphrases are generated so that you can choose the one that looks best to you. Random separators between words further strengthen these passphrases against brute-force attacks. Sample passphrases:

Selma-Gybe-Lane-Intake
Award!Lang!Gross!Lift
Castor=Harms=Wound=Yacc

Security

With passphrase lengths ranging from 19 to 27 characters, classic brute-force attacks are infeasible. The only feasible attack is a dictionary attack that tries all combinations ($10^{17}$-$10^{18}$) of words from the dictionary, reversing the algorithm used to generate the passphrase. The complexity of this attack is still larger than for a classical alphanumeric password of 8 characters ($10^{14}$). Expressed as information entropy, the average entropy of each passphrase is 52-56 bits, depending on dictionary size, compared to around 48 bits for an 8-character alphanumeric password.

Read this article for a more in-depth analysis: Effect of Grammar on Security of Long Passwords (or more popular discussion Want Stronger Passwords? Try Bad Grammar).

Crypto details

This program relies entirely on the Windows Cryptographic API (CryptGenRandom) to generate passphrases. It does not implement any proprietary algorithms. On startup, it tries to load the strongest cryptographic provider available in the host operating system (and accepts only PROV_RSA_AES or PROV_RSA_FULL).

If you see an error similar to this, then your operating system is too old to provide enough high-quality pseudorandom data and the program simply won’t run:

CryptAcquireContext failed

After the random number generator is initialised, random words are selected from the dictionary. The program uses the “simple discard method” from NIST SP 800-90 (B.5.1.1) to convert random bits into an integer used to index the dictionary.
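As an added illustration (my code, not the project's source), the following C program implements the simple discard method from SP 800-90 B.5.1.1 over a pluggable byte source and uses it to pick a separator and four words, the way the samples in the Usage section are built. The byte-source callback, the tiny dictionary, the replay stream and all function names are constructed for this example; on Windows it acquires a CryptoAPI provider as described above (PROV_RSA_AES, then PROV_RSA_FULL), elsewhere it reads /dev/urandom.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte source callback: fill buf with n random bytes, return 0 on success. The real program
 * wraps CryptGenRandom; a pluggable source lets the discard logic be replayed on known bytes. */
typedef int (*byte_source_fn)(void *ctx, unsigned char *buf, size_t n);

/* NIST SP 800-90 B.5.1.1 "simple discard method": draw k = ceil(log2 r) random bits, accept
 * the value if it is < r, otherwise throw it away and draw again (no modulo bias). Returns -1
 * if the byte source fails; *discards (optional) receives the number of rejected draws. */
long uniform_index(uint32_t r, byte_source_fn src, void *ctx, unsigned *discards) {
    unsigned k = 0, rejected = 0;
    if (r == 0) return -1;
    while (((uint64_t)1 << k) < r) k++;              /* bit width of indices 0..r-1 */
    unsigned nbytes = (k + 7) / 8;
    uint32_t mask = (k == 32) ? 0xFFFFFFFFu : ((1u << k) - 1);
    for (;;) {
        unsigned char buf[4] = {0}; uint32_t v = 0;
        if (src(ctx, buf, nbytes) != 0) return -1;
        for (unsigned i = 0; i < nbytes; i++) v = (v << 8) | buf[i];
        v &= mask;                                   /* keep exactly k bits */
        if (v < r) { if (discards) *discards = rejected; return (long)v; }
        rejected++;
    }
}

/* Deterministic source replaying a constructed buffer; running out of bytes mimics a failing
 * CryptGenRandom call, so callers must check for -1 rather than use a stale index. */
struct replay { const unsigned char *data; size_t len, pos; };
int replay_source(void *ctx, unsigned char *buf, size_t n) {
    struct replay *r = ctx;
    if (r->pos + n > r->len) return -1;
    memcpy(buf, r->data + r->pos, n);
    r->pos += n;
    return 0;
}

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
int cryptoapi_source(void *ctx, unsigned char *buf, size_t n) {   /* ctx: CryptoAPI CSP handle */
    return CryptGenRandom(*(HCRYPTPROV *)ctx, (DWORD)n, buf) ? 0 : -1;
}
#else
int urandom_source(void *ctx, unsigned char *buf, size_t n) {     /* ctx: FILE* on /dev/urandom */
    return fread(buf, 1, n, (FILE *)ctx) == n ? 0 : -1;
}
#endif

/* Tiny constructed dictionary and separator set, not the program's built-in ones. */
static const char *DEMO_WORDS[] = {"Selma", "Gybe", "Lane", "Intake", "Award", "Lang",
                                   "Gross", "Lift", "Castor", "Harms", "Wound", "Yacc"};
static const char DEMO_SEPS[] = "-!=";

/* Pick one separator and nwords words, every index drawn with the discard method. */
int generate_passphrase(char *out, size_t outlen, unsigned nwords, byte_source_fn src, void *ctx) {
    uint32_t dict = sizeof DEMO_WORDS / sizeof DEMO_WORDS[0];
    long s = uniform_index((uint32_t)strlen(DEMO_SEPS), src, ctx, NULL);
    if (s < 0 || outlen == 0) return -1;
    out[0] = '\0';
    for (unsigned i = 0; i < nwords; i++) {
        long w = uniform_index(dict, src, ctx, NULL);
        if (w < 0) return -1;
        size_t used = strlen(out);
        int n = i == 0 ? snprintf(out + used, outlen - used, "%s", DEMO_WORDS[w])
                       : snprintf(out + used, outlen - used, "%c%s", DEMO_SEPS[s], DEMO_WORDS[w]);
        if (n < 0 || (size_t)n >= outlen - used) return -1;   /* output buffer too small */
    }
    return 0;
}

/* Replay a constructed stream: separator draw 3 is rejected (only 3 separators), word draw 13
 * is rejected (only 12 words), giving "Award!Lang!Gross!Lift". */
int demo_passphrase(char *out, size_t outlen) {
    static const unsigned char stream[] = {0x03, 0x01, 0x04, 0x0D, 0x05, 0x06, 0x07};
    struct replay r = {stream, sizeof stream, 0};
    return generate_passphrase(out, outlen, 4, replay_source, &r);
}

int main(void) {
    char pass[128]; int rc;
#ifdef _WIN32
    HCRYPTPROV h = 0;   /* prefer PROV_RSA_AES, fall back to PROV_RSA_FULL, else refuse to run */
    if (!CryptAcquireContextA(&h, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT) &&
        !CryptAcquireContextA(&h, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
        fprintf(stderr, "CryptAcquireContext failed\n"); return 1;
    }
    rc = generate_passphrase(pass, sizeof pass, 4, cryptoapi_source, &h);
    CryptReleaseContext(h, 0);
#else
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) { perror("/dev/urandom"); return 1; }
    rc = generate_passphrase(pass, sizeof pass, 4, urandom_source, f);
    fclose(f);
#endif
    if (rc != 0) { fprintf(stderr, "random source failed\n"); return 1; }
    puts(pass);
    return 0;
}
```

Build with `gcc spg_demo.c` (with MinGW add `-ladvapi32` for the CryptoAPI calls). The point of the replay stream is the discard step: a draw of 13 from a 12-word dictionary is thrown away rather than reduced modulo 12, which is what keeps every word equally likely, and a failing byte source propagates as -1 instead of silently yielding a stale index.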

Source code

Source code is now hosted on GitHub: kravietz/secure-passphrase-generator.

It should compile with both Visual C/C++ and MinGW and work flawlessly on most Windows XP, Vista and 7 systems.