spass
spass is a simple passphrase generator that chooses random words from a dictionary. It was inspired by an XKCD strip which reminds us that hard-to-remember passwords are not necessarily hard for a computer to guess.
Prerequisites
spass assumes you have a dictionary file to use as its source of words. By
default, /usr/share/dict/words
is used, but you can pass your own dictionary
using the -f/--file
option.
Installation
spass is distributed as a gem, so just do:
$ gem install spass
Usage
When run without arguments, spass generates 10 passphrases, each 4 words long,
using words up to 8 characters long. You can configure this behavior by passing
command-line arguments; run spass -h
to see full usage notes.
Examples:
$ spass -w 3 # Generate 3-word phrases
$ spass -w 5 -n 20 # Generate twenty 5-word phrases
$ spass -c 6 # Limit words to 6 characters
$ spass -d # Append a digit to each word
$ spass -f mywords.txt # Get words from mywords.txt (one per line)
Samples:
$ spass -n 5
Read 36530 words up to 8 characters long from /usr/share/dict/words
clump gecko planters marksmen
cylinder croupier fonds craggier
lip scorned misspend knitting
triple assuaged wisdom flatbeds
journal wigs sultan danders
$ be bin/spass -n 5 -c 5
Read 7655 words up to 5 characters long from /usr/share/dict/words
babes annul elm gate
gains flaky mash gang
grim state yaps dado
kinds ms cults terms
ogles today taco guild
Disclaimer
spass makes absolutely no guarantee that its output results in secure passwords. If you use spass to protect your bank account or your porn collection, I cannot be held responsible if you lose your money or marriage. Check your password strength before using it for anything important. Passwords generated with spass are inherently vulnerable to a dictionary attack; the only thing that can make them resistant to such attacks is their length, so always use at least three (preferably more) words. Single-dictionary-word passwords are trivial for a computer to guess.
I'm not any kind of expert on password security, but a little math convinces me
that dictionary passwords can be quite strong. Using the default spass
settings, and a typical /usr/share/dict/words
, the dictionary of words 8
characters or fewer is about 35,000. In theory, if your passphrase consists of
4 words chosen from this dictionary, an attacker would have to exhaust
(35,000^4 / 2) possibilities on average before finding your passphrase (and
that's assuming the attacker knows that your passphrase consists of four
dictionary words). At 1 billion guesses per second, this would take about 24
years. Of course, if your four words were "a", "an", "i", and "eh", the
cracking time would be somewhat lessened.
If you're paranoid, use more words, and longer words. Toss in a few digits or symbols to make it even stronger, and/or to meet the password requirements of the system you're using. You might use CamelCase or snake_case or hyphenated-words, depending on what's easy for you to remember and type. spass can't choose your password for you; it only gives some randomized suggestions that will help you construct a password that is both memorable and hard to guess.
Future plans
- Optional inclusion of uppercase and symbols
- Avoid possible word repetition
MIT License
spass is licensed under the MIT License.
Copyright (c) 2011 Eric Pierce
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.