TL;DR

A command line tool to generate passwords: pass4me.

All our efforts of selecting words, expanding, compressing again etc. culminated in a JSON file containing groups of words.

Surely this file can be enhanced. There are words that we might not want to use, like swearwords. Still, it’s a good starting place.

Program pass4me uses it to generate passwords. It’s fully configurable, but by default…

• generates 4 words, each with the following algorithm:
  • select a random group, uniformly
  • get one random word within that group, taking into account length constraints
  • remove the group from the possible choices of other words in this run
• generates one digit
• shuffles the words and the digit, making sure that the first item is always a word
• separates each item with the . character.

Let’s do some entropy calculation.

There are about $1200$ groups, so even considering the removal after the selection each group contributes at least 10 bits of entropy.

The groups are arranged so that each of them contains at least 4 words with a length that is deemed good by default. This means an additional minimum 2 bits, so each word is worth 12 bits or more.

With the four words default, we start from a base of 48 bits.

One single digit drawn randomly is slightly more than 3 bit.

The digit might be put in one of four places, so the position adds 2 more bits.

Overall, we end up with minimum 53 bits of entropy, increasing at least 12 more bits for each additional word.

I’m planning on adding some more groups to reach $1296 = 6^4$ total groups. This would allow using a similar approach to Diceware.

I hope you will enjoy, stay safe!