How it Works

Why use Passphrases?

User authentication is a critical aspect of cybersecurity. It has evolved from simple passwords to methods like two-step verification, physical security keys, biometrics, etc.

Passwords are still the most popular, even though they can also be the least safe: password-cracking tools like John the Ripper can brute force a simple password in a few seconds. Therefore, passwords must be hard to crack. One way to achieve this is to include numbers, symbols and capital letters.

Online password generators can create an extremely hard to crack password such as 54vHMW1!, which was generated at LastPass.com. But a randomly generated password is not practical, because a random combination of characters is almost impossible to remember.

The only practical way to use randomly generated passwords is to also use a password manager. However, password managers are still susceptible to attacks and are usually not free software.

This is where passphrases come in: a passphrase is a sequence of words that is easy to remember but hard to crack. While a passphrase can be any combination of words, the most secure ones are generated randomly. We can use the DiceWare algorithm for this.

How does the DiceWare algorithm work?

A password or passphrase that is predictable is very easy to crack. We need random passwords that are hard to guess, but humans are terrible at randomness.

This is where the DiceWare algorithm comes in: it generates a completely random passphrase that is easy to remember and hard to crack.

It is called DiceWare because it uses dice to generate random numbers, which are then used to select words from a wordlist. With a valid DiceWare wordlist and a single die you can generate a passphrase on your own: throw the die a number of times and match the resulting number against the list.

For example, let's say you throw the die 5 times and get the numbers 1, 2, 3, 4 and 5.

Look up the number 12345 in the wordlist to find the corresponding word. In the default wordlist provided with this project, the word for 12345 is "array". This is the first word of the passphrase. Repeat the process until you have the number of words you want.

How does the Passphrase Generator work?

The program generates a random number between 1 and 6, simulating a die throw. The number of throws needed for each word depends on the wordlist you are using; the default wordlists provided with this project use 5 throws per word.

The number is cryptographically random, generated with the Web Crypto API, the JavaScript API for performing core cryptographic operations in web applications (unlike Math.random(), which is not designed to be unpredictable and must not be used for this purpose).

The results of the dice throws form a number, which the program looks up in the wordlist to find the corresponding word. This is repeated until the passphrase has the number of words you specified.

How the Acronym Passphrase Generator Works

It takes a word as input from the user and generates a passphrase from random words that start with each character of that word. It uses the same process as the DiceWare algorithm: it keeps generating random numbers until it finds a word that starts with the character it needs, and repeats this for each character.

The result is a passphrase with as many words as there are characters in the input word. Since the words selected are not 100% random, the generated passphrase has less entropy, which means it is less secure.

You are trading security for memorability, so a longer input word is recommended. Adding symbols, capitalization and numbers can also increase the security of an acronym passphrase. It is up to you to decide whether the trade-off is worth it.

What is entropy?

Entropy is a measure of randomness or unpredictability. It is a key concept in cybersecurity: for password strength, entropy shows how unpredictable a password is and therefore how hard it is to break. The more random a password is, the higher its entropy and the harder it is to crack.

Passwords with low entropy can be cracked easily with brute force attacks. These attacks check every possible combination of characters until they find the correct one.

A password with high entropy is more resistant to brute force attacks, because it has more possible combinations. The entropy of a password can be calculated using the following formula:

E = log2(N^L) = L × log2(N)

Where: