Xkcd Password Generator Creates Easy-To-Remember Passwords

Web comic xkcd notes that “through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.” The comic above makes a compelling argument for password length over obscurity, and in response, one developer put together the xkcd password generator. It does what the comic suggests: strings together four random words to create a tough-to-guess password that’s easy to remember.

Of course you don’t need a generator to do this for you. You can just as easily pull four words out of the air to create your own lengthy but memorable password. Or you can go with one of our tried-and-true favourite methods and create an obscure and memorable password using the first letters of, for example, the lyrics to a song. (For example, a Jackson 5 lover might extract a password from the lyrics “Oh baby give me one more chance to show you that I love you” that looks like obgmomctsytily.) The benefit of the xkcd method is that the longer your password, the harder it is to crack — and that’s true even if you’re using common dictionary words (as long as you’re using several of them, preferably semi-randomly chosen).

If you do choose to go a similar route for your password, I’d still strongly recommend making said password the master password for a password manager like LastPass, KeePass or 1Password, then, for all the rest of your logins, use your password manager to spawn long, randomly generated passwords that are both hard for you to remember and hard for computers to guess. You should only need to remember one password, but you shouldn’t use the same password everywhere. That’s what password managers do for you: let you memorise just one strong password and obscure the hell out of the rest. You only need to know the one password; your password manager will fill in your unmemorable passwords for you. Get one, set it up, and use it. We really like LastPass.

xkcd Password Generator [Password Strength at xkcd]


  • The only problem with this is that not many registration forms out there support extra long passwords. Hotmail for example (I know, who’s still using this service?) only supports up to 16 chars – must be really picky with those 4 words with 4 chars each.

    • Really? This amazes me.
      As long as they’re properly storing a hash of the password rather than the password in cleartext there’s no reason to ever put a limit on password length (until you hit bandwidth-restricting levels).

      In any case the concept there can be very helpful in helping you generate a password even with a character limit. I just got ‘plastic changing element free’; if I just took the first 4 letters of each and capitalised the first letters I’d get ‘PlasChanElemFree’, which is still pretty easy to remember but hard to guess.

      • My bank only supports alpha-numeric passwords 6-12 characters in length.

        And my superannuation online password is only a 6 digit pin number. Ridiculous 🙁

  • So, by examining the source.. there are 1949 words the script uses.. 14,429,369,557,201 (1949^4) different passwords (assuming repeats).. ~20 hrs to crack..?
    I’m not trying to complain or anything, but they should hide/encrypt the word list.. lol, though really who’s gonna know that you used this generator anyways.. it’s certainly gonna make passwords easier to remember..

    • That’s a known issue with passphrases. If you’re using regular words and the attacker knows that, it becomes far, far easier to crack.

      It’s a working option right now since so few people use passphrases, but you might want to add some letter substitution and a few bits of punctuation just to be safe.

    • Jordan should check his math. He got 1949^4 correct, but to crack that in an average of 20 hours means (1949^4)/20/3600/2 = 100 million guesses per second. Even Google and Amazon don’t have enough servers for you to attempt 100 million logins per second, and you don’t have enough client computers and bandwidth to make that many attempts.

      A passphrase is the same as a password, but the password uses an alphabet of about 96 symbols and this passphrase generator uses an alphabet of 1949 symbols. Since the alphabet is 20 times larger, you get more combinations out of fewer symbols.

  • The comic is incorrect – trying to guess a password using a dictionary attack is much easier to perform than a brute force attack. Passwords like “correct horse battery staple” are pointless because each word can be found within seconds. A simple algorithm to add a space between each word before trying a password string of 3-6 words is relatively simple to make.

    The point they’re making is that long passwords are harder to guess than short passwords, and that extra entropy by adding additional characters is better than complicating your short password with symbols and numbers which are harder to remember.

    Ideally, what you should have is both a long password, and one that isn’t made up of dictionary words. Use KeePass or Lastpass, and have your password as “R$OH9&TI1 2IsL<MN7GvC gG&%5*- y-VhmVaZ” for example, for websites that allow it, and you’ll be relatively secure. Not “correct horse battery staple.”

    • Marcus, why not just take side cutters to your network cable? The KeePass or Lastpass style impossible to remember credentials are only as secure as your storage method – which means you either need to robustly secure your keepass/lastpass archive and workstation login with a password that is either easy to remember or again security compromised because you have it written on a post-it next to your monitor.

      Users should separate out to four easy to remember passwords, one high risk, low value information, one for email and communications (your ISP or phone accounts, etc), one for personal finances and one for business/work. Keeping those credentials siloed and not writing those passwords down on a post it note will do more to effectively secure your information than a million character password.

      If anyone you give your password to can email that password back to you – there’s no point in having a password – their security is so terrible it doesn’t deserve the name.

      If developers haven’t salted hashed passwords – they’re horrendously vulnerable to rainbow tables. If they don’t have a lock out policy and they haven’t salted their hash tables – ‘correct horse battery staple’ will be brute forced before the hacker finishes getting a soda from the fridge.

      And if you can enter the wrong password as many times as you want and nothing happens to slow down the process? You have to ask if your developer has any clue. A 5 second per single failure lock out is enough to make brute forcing impractical. A 1 minute lock on 3 failures, and double the lock out length after every 3 failures (2 minutes, 4, 8, 16, etc) scales out the time to brute force anything beyond any kind of practicality.

    • This is a common misunderstanding, but incorrect. You cannot crack the password one word at a time, the entire password must be guessed correctly at once or the login will fail.

      This is what makes passwords with multiple dictionary words very secure (although using just one dictionary word is not).

      For a four word password like ‘correct horse battery staple’ (and assuming a 2000 word dictionary) the number of possibilities is 2000^4 = 16,000 billion. Therefore, on average, a dictionary attack would take 8000 billion guesses, or 3 months at 1 million guesses per second. It is secure.
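As an added example (not the generator's own code, nor any commenter's), here is the article's method and the thread's back-of-envelope maths in Python: a CSPRNG-based four-word picker over a constructed stand-in word list (the real ~1949-word list is not on the page), the keyspace, entropy and average-crack-time figures the commenters trade, and the "first four letters" trick for 16-character limits with its caveat. The word list, the 10 guesses/s rate-limited figure and the 7-character comparison are assumptions for the demo.

```python
import math
import secrets

# Constructed stand-in for the generator's word list (assumption; the real list
# has ~1949 entries according to the thread, this one has 16 for the demo).
WORDS = [
    "correct", "horse", "battery", "staple", "plastic", "changing", "element",
    "free", "apple", "river", "candle", "window", "silver", "garden", "rocket",
    "pencil",
]

def generate_passphrase(wordlist, n_words=4, sep=" "):
    """Pick n_words independently with a CSPRNG (repeats allowed, as in the thread's maths)."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))

def keyspace(alphabet_size, length):
    """Number of distinct strings of `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length

def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)

def expected_crack_seconds(alphabet_size, length, guesses_per_second):
    """Average time to find the secret: half the keyspace at the given guess rate."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_second

def abbreviate(phrase, per_word=4, sep=" "):
    """The 16-char trick from the thread: first per_word letters of each word, capitalised."""
    return "".join(w[:per_word].capitalize() for w in phrase.split(sep))

def effective_alphabet(wordlist, per_word=4):
    """Caveat: truncation only keeps the entropy if no two list words share a prefix,
    so the effective alphabet is the number of distinct prefixes, not len(wordlist)."""
    return len({w[:per_word] for w in wordlist})

if __name__ == "__main__":
    print(generate_passphrase(WORDS))
    # The thread's figures: 1949 words, four of them, 96-symbol character alphabet.
    print(keyspace(1949, 4))                                   # 14429369557201
    print(round(entropy_bits(1949, 4), 1))                     # ~43.7 bits
    print(round(entropy_bits(96, 7), 1))                       # ~46.1 bits for 7 random chars
    # Offline hashing at 1e8 guesses/s vs. a rate-limited login at 10 guesses/s (assumed).
    print(expected_crack_seconds(1949, 4, 1e8) / 3600)         # ~20 hours
    print(expected_crack_seconds(1949, 4, 10) / 86400 / 365)   # ~22,900 years
    print(abbreviate("plastic changing element free"))         # PlasChanElemFree
    print(effective_alphabet(WORDS), "distinct 4-letter prefixes")
```

The rate comparison is the practical point of the thread: the same 44-bit passphrase is weak against an offline attack on an unsalted or fast hash and very strong behind a throttled login, so lockout and slow, salted hashing matter as much as the word count.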
