Wordpass is a English words-based password generator.
Wordpass is inspired by xkcd Password Strength, project vault, and many more.
The core concept is to generate word-based password from a master password and service name, so that the password is both unguessable, typeable and rememberable (at least for a short time).
Typeable is important, especially on Android devices. It is risky to copy password to clipboard, and even more risky if the you or the system have turned on clipboard keeping. So keep security in mind when copying password.
According to zxcvbn, password marked anton fibre
takes 1014.2 guesses to crack, getting score 4 (very unguessable: strong protection from offline slow-hash scenario), while simply marked anton
takes 108.2 guesses to crack, getting score 3 (moderate protection from offline slow-hash scenario). Not to mention you can even make the password longer.
However, it's a slightly different story if the cracker knows the word list. For example, if you are using a word list with 5k words, using 4 words in generated password, then in a simplified model, it takes 50004 / 2 guesses to crack, that is 1014.5, very unguessable.
Wordpass uses scrypt algorithm in the background. Although scrypt is typically used to store password in hash, it can also be used to generate passwords. The core concept is the salt. In wordpass, salt = <custom prefix> + <service name> + <a pre-generated, random suffix>
. Salt protects the password from rainbow table attack to some extent.
Imaging a bad guy knows one of your passwords. If you followed a bad practice, using the same password for every service, or having a strong relationship between passwords (e.g. MyPussw0rd4Google
and MyPussw0rd4Apple
), then your other accounts are risky. However if the bad guy knows one of your password generated by wordpass, even if he knows that you use wordpass, he cannot guess your another password, thanks for hashing. Alright, even if he generated a rainbow table just for wordpass, he still cannot guess your master password or password generated for other services without knowing your custom salt. Thus I highly recommend that you should set custom salt prefix.
However, as MIT license says, wordpass comes without warranty or liability. So take your own risk using it!
Some services has stupid restrictions on passwords. wordpass offers a few ways o customize the result.
capitalize
separator
$random$
to use random symbol separatorappendSymbol
appendNumber
Either check to capitalize each word, or set custom
If you cannot remember all these configurations, set to resonable values and write them down.
export interface WordpassGeneratorOptions {
/** scrypt CPU / memory cost parameter */
N?: number
/** scrypt block size parameter */
r?: number
/** scrypt parallelization parameter */
p?: number
/** password strength, how amny words to generate */
strength?: number
/** prefix to scrypt salt */
saltPrefix?: string
/** separator to join words. `$random$` to use random symbol separator */
separator?: string
/** capitalize each word */
capitalize?: boolean
/** append a random symbol to password */
appendSymbol?: boolean
/** append a random number to password */
appendNumber?: boolean
}
export interface WordpassAppOptions extends WordpassGeneratorOptions {
/** save config when click generate */
saveConfig?: boolean
/** word list URL */
wordList?: string,
/** check the phrase and options are previously known
*
* There are time when the user is not confident with their inputed
* phrase or options. This option enables the app to store password
* generated with the phrase and option, setting service to WordPass.
* If the generated pwassword does not match previously stored one,
* an alert is triggerd.
*/
checkTrace?: boolean
}
Wordpass comes with two word lists. And you can also use another word list, even in another language, just by pasting the word list json URL.
From https://passwordcreator.org/
URL: words/password-creator-9806.json
Contains 9806 common English words, 3 - 7 characters.
From https://github.com/first20hours/google-10000-english
URL: words/google-10k-medium-5459.json
Contains 5459 common English words, 5 - 8 characters.
MIT