Correct Horse .org

Passwords done right

Your Correct Horse password

Generate a new one by clicking the button

I want more options …

The password is generated from the following words:

Why is this a good password?

What makes a good password?

The password above contains 52 bits of entropy. This means, it is as random as the result of throwing 52 coins in a row. The reason for that is because every word has been randomly selected from a list of over 8192 distinct words—corresponding to an entropy of 13 bits.

That means, it is as random, as a completely random password of length 8 generated from uppercase letters, lowercase letters and numbers. However it is much more memorable than a complete random password of 8 characters. Or as Randal Munroe puts it:

This is taken from Randall Munroes famous carton XKCD (xkcd.com).

Why can I trust this page …

… with something such important as my passwort?

Short answer: You shouldn't. You shouldn't trust any website with that.

However, this page is made as simple as possible (from the code point of view). So you can convince yourself that

  • the password is generated completely random (as far as your browser implements Math.random()),
  • the password is not send to the server,
  • nothing else is done except for the password generation.

Because the password is never sent to any server, also nobody in between could have read the password above (except from the coworker standing behind you). In order to make sure, that also this web page has not been modified at all, you should check that you connected this website securely via https and the connection is using a trusted certificate.

By viewing the source of this website, you can see that the only code inserted (at the bottom of the page) is the snippet you can see below. There is no JS-Framework use, no ads are embedded, neither is google analyics, there is no facebook-botton, nothing. Feel free to share this page on facebook anyway! :) 

<script>
    function generatePassword() {
        var wordlist = document.getElementById("wordlist").value.split(" ");

        var password = "";
        for (var i = 0; i < 4; i++) {
            password += wordlist[Math.floor(Math.random() * wordlist.length)] + " ";
        }

        document.getElementById("password").value = password;
    }

    generatePassword();
</script>

Which words are used?

Can I download the wordlists?

The wordlists used can be downloaded here:

English: english.txt

8861 words

MD5: cdc20e6fe19c26fe44403d2e9f3c213c

SHA1: 4099869628b6b18ee52319db6588ec68f54d6a2b

Deutsch / German: german.txt

9353 words

MD5: 089a7f1d15f54bfd574b7c0e3e735a9d

SHA1: 5aadf36486bbb5156aa3d0980a7d2786fcdde8f2

Français / French: french.txt

8377 words

MD5: 6f14bcbf6d62619f9ce4e0ba027e545b

SHA1: 87d292a813353a93c54ed0a9a0658170a802c0a2

Nederlands / Netherlands: netherlands.txt

9192 words

MD5: b976733df4653155a506f07c9a54d6d6

SHA1: c5e60dbcc0dd51025418d8be3926c80d33f71226

These wordlists are taken from the Wortschatz project of the Leipzig university, Germany. They are licensed under CC-BY-NC according to the Wortschatz terms of usage. Words containing anything else but letters have been filtered out. Also, the lists have been converted to full lowercase.

You can use these files to generate your password locally. If you are using Linux, you can just invoke the following command (replacing <file> with the actual file): 

shuf -n 4 <file> | tr '\n' ' '