FAQ: How do I choose a good password or phrase?
ANS: Shocking nonsense makes the most sense. (9)
There are a number of methods for generating passwords and passphrases. In this article, we’ll modify a method known as Diceware (10). This method consists of a numbered word list and five dice. Each word is assigned a 5-digit number, with only numbers 1-6 at each position, and covering every combination of numbers. The five dice are rolled, and the numbers are read from each face to form a 5-digit number. This number is cross-referenced with a word in the word list, which is then the first word in the passphrase. This process is repeated until the requisite length or number of words has been reached. Diceware has been around for a while, and the International PGP Homepage (12) recommends Diceware as one method to generate your private key.
Instead of rolling dice, we’ll use pseudo-random number generators to simulate dice rolls. To make cross referencing easier, we’ll use a wordlist converted to XML format (which is available in the source code download). This wordlist has also been edited slightly to remove some words not suitable for corporate use (this does not assure that you will not generate offensive combinations, and you may need to further edit the word list to suit your own needs). The original wordlist is also included in the download. We’ll use a few simple methods of seeding the random number generators, which will work in many lower-security cases. If you need more complex random number generation, one source to review is RFC 4086: Randomness Requirements for Security. (11)