by gioi 4442 days ago
Don't seriously use this tool.

"People shouldn't use passwords that have been generated by a remote service unless they have very very good reasons to trust the tool and the transmission of the data." [0]

Passphrases are generated server-side, and this undermines the security of the system at its heart. Are passwords saved? Yes? No? Who knows?

And you can trust a pair of dice more than an unknown website. Look up diceware on the web and see what I mean.

--

[0] http://discussions.agilebits.com/discussion/10684/password-w...

3 comments

I also thought that particular XKCD comic was obsolete and debunked at this point. Modern password-crackers aren't ASCII-character-at-a-time and know about dictionary words (and all your 1337sp33k substitutions and trailing numbers).
Link to where the XKCD comic was debunked or shown obsolete? Most of the responses I've seen to it were of the form "well, yeah, but you're not gonna remember a hundred different passphrases, it's much better to use a password manager."
"The oft-cited XKCD scheme for generating passwords -- string together individual words like "correcthorsebatterystaple" -- is no longer good advice. The password crackers are on to this trick." -- Bruce.

https://www.schneier.com/blog/archives/2014/03/choosing_secu...

I'm surprised that Schneier would make such a comment. Entropy is entropy; the "difficulty" estimates already accept that attackers are fully aware of the method and the dictionary used.
Schneier is wrong if you are doing Diceware correctly. Schneier is more particularly wrong if you consider the point of the XKCD comic in the first place. What normal human anywhere is doing anything other than incrementing the required integer character (if they are even forced to rotate passwords in the first place)?
I think Schneier was assuming here that the user chooses the words himself rather than using a random generator. It's a fair assumption, given that most people won't actively seek out tools to help them make up passwords.
> Passphrases are generated server-side

That was a strange decision to me. There is nothing that can't be done with JavaScript on the client, storing the dictionary in the local cache and making the app useful.

If you stripped out the jQuery and everything else and put the randomizing JavaScript function right there in the source for everybody to see, the page size wouldn't change much either.

I agree with and applaud the use of seriously here ;)