Generates cryptographically secure passphrases and passwords
Passphrase is a tool to generate cryptographically secure passphrases and passwords. A passphrase is a list of words usually separated by a blank space. This tool acts like a diceware generator (more about this in EFF’s website).
Who is this tool for: Passphrase is a library and a CLI tool, so its intended audience is developers and advanced users who love to use the terminal :)
A secure passphrase must have at least 6 words, but 7 is better, and you may also add a random number to the list. If you need a password, make it longer than 8 characters (NIST’s latest recommendation), and prefer more than 12 (I recommend 16 or more). Passwords are comprised of digits, upper- and lowercase letters and punctuation symbols; more specifically, ascii_lowercase, ascii_uppercase, digits and punctuation from Lib/string.
Those settings are specific to the EFF’s Large Wordlist. If you specify a different wordlist, the minimum number of words for a passphrase to be secure changes: for shorter lists, the number increases. Passphrase calculates the list’s entropy to determine the minimum secure number of words (for a passphrase) or characters (for a password), and shows a warning if the chosen number is too low (when used as a script).
Important note: the quality and security of generated passphrases rely on:
- the OS-specific randomness source, and
- the quality of the wordlist.
If you are not sure which wordlist to use, just use the one provided by Passphrase (it is used by default when running as a script) or one of the EFF’s wordlists (check at about the middle of this blog post).
Requirements: Python 3.5+.
How to use it
You can also use pip (https://pypi.python.org/pypi/hc-passphrase), but I discourage it, given that there’s no cryptographic verification of signatures or hashes at all.
As a package
Check the developers guide.
As a script
Once downloaded and verified, you can install it with setup.py install or make package-install, but I recommend you do make install for a system-wide installation or make altinstall for a user-wide installation, as it will create a single executable zip file and install the man page.
To uninstall, run respectively make package-uninstall, make uninstall or make altuninstall.
Another option is to run pip install --user hc-passphrase (for a user-wide installation) or pip install hc-passphrase (for a system-wide installation), but I advise against this, given that pip doesn’t do any cryptographic verification of signatures or hashes at all.
Examples of use
Check the man page for more information.
Generally, you should rely on Passphrase’s entropy calculation instead of fixing a desired length, unless you specifically need a certain number of characters or words. The default entropy is 77 bits, and using over 128 bits is the wiser choice in the long term.
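The sizing rules above (minimum word count derived from the wordlist’s entropy, minimum character count derived from the chosen character classes, and the warning when the count is too low) come down to one calculation; the following is an added illustration, not the tool’s own code, and uses a constructed eight-word list in place of the EFF Large Wordlist:

```python
import math
import secrets
import string

# Constructed stand-in wordlist (8 entries); the real tool ships EFF's 7776-word list.
SAMPLE_WORDLIST = ["trophy", "affiliate", "clobber", "vivacious",
                   "aspect", "thickness", "collie", "barge"]

# Character classes a password draws from, as named on the page (Lib/string).
PASSWORD_CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "punctuation": string.punctuation,
}

DEFAULT_ENTROPY_BITS = 77  # the tool's default target


def bits_per_item(pool_size):
    """Entropy contributed by one uniformly chosen item from a pool of pool_size."""
    if pool_size < 2:
        raise ValueError("pool must contain at least two distinct items")
    return math.log2(pool_size)


def min_items(pool_size, target_bits=DEFAULT_ENTROPY_BITS):
    """Smallest count of words/characters that reaches target_bits of entropy."""
    return math.ceil(target_bits / bits_per_item(pool_size))


def password_pool(*classes):
    """Join the requested character classes; all four when none is given."""
    names = classes or tuple(PASSWORD_CLASSES)
    return "".join(PASSWORD_CLASSES[n] for n in names)


def generate(pool, count, target_bits=DEFAULT_ENTROPY_BITS):
    """Draw `count` items with the OS CSPRNG; return (items, warning_or_None)."""
    pool = list(dict.fromkeys(pool))  # duplicates would skew the distribution
    needed = min_items(len(pool), target_bits)
    warning = None
    if count < needed:
        warning = "Insecure length chosen! Should be bigger than or equal to %d" % needed
    return [secrets.choice(pool) for _ in range(count)], warning


if __name__ == "__main__":
    words, warn = generate(SAMPLE_WORDLIST, min_items(len(SAMPLE_WORDLIST)))
    print(" ".join(words), warn)
    chars, warn = generate(password_pool("lowercase", "uppercase", "digits"), 8)
    print("".join(chars), warn)  # 8 alphanumeric characters trigger the warning
```

With the EFF Large Wordlist (7776 words, about 12.9 bits each) this yields 6 words for 77 bits and 10 for 128 bits, and 13 alphanumeric characters for 77 bits, matching the figures in the examples below.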
Generate a passphrase of 6 words (default settings)
:~$ passphrase
trophy affiliate clobber vivacious aspect thickness
Generate a passphrase of 128 bits of entropy
:~$ passphrase -e 128
shorty collie prison reopen barge morally flavoring shifter scarcity perfume
Generate a passphrase of 6 words and a number (minimum recommended)
:~$ passphrase -w 6 -n 1
jasmine identity chemo suave clerk copartner 853727
Generate a passphrase of 6 words with 5 characters uppercase
:~$ passphrase -w 6 --use-uppercase 5
LiTmus cocoa littEr equation uNwrapped sibliNg
Generate a passphrase of 6 words with 5 characters lowercase
:~$ passphrase -w 6 --use-lowercase 5
MOrTUARY SIesTa MAKEOVER CURABLE JET MARSHy
Generate a password of 16 characters (minimum recommended)
:~$ passphrase -p 16
E`31nDL0^$oYu5='
Generate a password of 8 alphanumeric characters only
:~$ passphrase -p 8 --use-lowercase --use-uppercase --use-digits
Warning: Insecure password length chosen! Should be bigger than or equal to 13
7wmivbmR
:~$ passphrase -p 8 --use-alphanumeric
Warning: Insecure password length chosen! Should be bigger than or equal to 13
ipLdqmGU
Generate a secure password of lowercase characters only
:~$ passphrase -p --use-lowercase
yafwodlcbfumtfsbb
:~$ passphrase -p --use-lowercase -e 128
fbwzekpmmridyapdouvejmlzlrjn
Use an external wordlist to generate a passphrase
:~$ passphrase -i eff_short_wordlist_1_1column.txt
wimp broke dash pasta zebra viral outer clasp
:~$ passphrase -d -i eff_short_wordlist_1.txt
mouse trend coach stain shut rhyme baggy scale
Save the output to a file
:~$ passphrase -o pass.txt
:~$ passphrase > pass.txt
Generate a passphrase and use it with GPG
:~$ sha256sum somefile.txt
589ed823e9a84c56feb95ac58e7cf384626b9cbf4fda2a907bc36e103de1bad2 somefile.txt
:~$ passphrase --no-newline -o pass.txt | gpg --symmetric --batch --passphrase-fd 0 somefile.txt
:~$ cat pass.txt | gpg --decrypt --batch --passphrase-fd 0 somefile.txt.gpg | sha256sum -
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
589ed823e9a84c56feb95ac58e7cf384626b9cbf4fda2a907bc36e103de1bad2 -
Generate a passphrase avoiding shoulder surfing
:~$ passphrase -m -o pass.txt
Is this really secure?
The algorithms are very straightforward, easy to understand and verify. Boring crypto is the best crypto.
Let’s analyze some possible attack scenarios and their mitigations. If you want to add something or you see a mistake, please write an issue.
Attacker is root
TL;DR: game over.
An attacker that is root can do whatever they want, so this is out of the scope of this analysis.
Attacker can modify source code or wordlist
If the attacker can somehow modify the source code or the default wordlist, it’s also game over, since software that successfully checks itself doesn’t exist yet. However, this can be mitigated by placing the files under the ownership of a privileged user (root).
Attacker can modify external libraries
Passphrase doesn’t require any external library, just Python 3 core.
Attacker can perform a timing attack
I realized at some point that the library was taking way longer to run than before (I solved it in 2c0eb8b), so I decided to measure each version’s runtime from now on. So here’s the runtime table for each tag:
Version (tag) | Runtime (ms) | Relative Runtime | Runtime Change Between Versions
To reproduce the measurement for a version:
- newer than v0.4.5, run: make timeit.
- older than v0.4.5, run: python3 -m timeit -n 100 -r 10 -s 'import os' 'os.system("python3 -m passphrase -w6 -q")'.
- older than v0.4, run: python3 -m timeit -n 100 -r 10 -s 'import os' 'os.system("python3 src/passphrase.py -w6 -q")'.
Copyright (C) 2017 HacKan (https://hackan.net)
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
Filename, size | File type | Python version
hc_passphrase-1.1.2-py3-none-any.whl (56.2 kB) | Wheel | py3
hc-passphrase-1.1.2.tar.gz (66.0 kB) | Source | None