Generate a passphrase or test your password's strength (we don't store or transmit these):
Approximate Crack Time: 0 seconds
I did fork this repo for my own personal convenience, mainly to expand its dictionary.
Feel free to use it, but not to complain.
Because humans are terrible at creating secure passwords. The famous xkcd comic got it right: humans have been trained to use hard-to-remember passwords that are easy for computers to guess.
Try as we might, humans usually end up using one of a few predictable patterns when creating passwords. We base them on things we can remember, such as names, locations, dates or just common English words. Then, we add some spice with a capital letter, some numbers, or a symbol.
Does your password fall into this group?
Bad Password Patterns | Is It Memorable? | Time To Crack |
---|---|---|
A common word (example: december ) |
Yes. | 18 milliseconds (Seriously. Try it in the box at the top.) |
An easily-typed spatial word (example: qwerty or aaaaaaaa ) |
Very much so. | 10 milliseconds |
The family dog (example: rusty ) |
Yep. | 27 milliseconds |
An important number, such as a date or zip code (example: 03261981 ) |
It's memorable to you, certainly. | 2.213 seconds |
A word with trivial letter→number substitutions (example: S4nfr4n ) |
Sort of memorable, but you may forget which letters are substituted for numbers. | 639 milliseconds |
If your password resembles any of these examples, it is instantly crackable. Even a mix of these patterns, such as [common word]+[number]
will be straightforward to crack.
Compare those to a passphrase:
Password Pattern | Is It Memorable? | Time To Crack |
---|---|---|
Four or more randomly chosen words (example: mergers decade labeled manager ) |
Type it a few times, and you'll have it committed to memory. | 6,000,126 centuries. Give or take. |
The method for cracking usually looks something like this:
december
→ December
), making common letter-for-number swaps (december
→ d3cemb3r
), and other common password variations.doug3251983
). Name + [separator] + date (doug.3251983
).a
, then b
, then c
... eventually aa
, ab
, ac
... eventually 6j2b#hi8
, 6j2b#hi9
, 6j2b#hi0
, et cetera.If your password is based on any kind of pattern, using some combination of the above steps, it will eventually be cracked. Depending on how well-protected a website keeps your password, modern computers can make somewhere between 10,000 and 350 billion guesses per second.
Your best defense is using a truly random password generator (like this site).
ipz2!az8k%0h
?There are dozens of random password generators out there that will happily put together a bunch of random characters for you to use as a password. These random passwords are secure, but they're a huge pain to actually remember.
Random passphrases provide the best combination of memorability and security.
By way of example, here are two passwords with similar crackability:
Password | Time to crack |
---|---|
p%9y#k&yFm? |
Approximately 90,182,663 centuries |
logic finite eager ratio |
Approximately 189,658,722 centuries |
Which would you rather remember?
The recipe for perfect password management is straightforward.
Modern operating systems all have built in password managers. But if you plan to use your passwords across devices, without throwing 'em into the clouds and then seeing them fall like rain, you probably should use one of these:
This is when a passphrase would be especially useful.
belief romanian bridge profit
arts started bundle disease
delay gradual asset centers
keating post warburg johnson
efforts denying billed buy
whose category fonts mutual
easing autonomy weight five
And so on.
Honestly? Probably not. But in this page's defense, it makes zero external calls (no images, no javascript). Check your browser's network tab to verify. The passwords are all created by code contained in this page, and they are never stored.
For extra security, this page is designed to run entirely offline: save this page to your hard drive, disconnect from the internet, and open it in a browser. This way you can assure that the passwords are not being transmitted anywhere.
And for the truly paranoid, I recommend something called diceware, which is a completely offline, non-computer based method of creating passphrases. It involves six dice, and a printed wordlist. The author also recommends you close your blinds while doing it.