xkcdpass
Generate secure, memorable passwords
TLDR
Generate one passphrase with the default options
Generate one passphrase whose first letters of each word match the provided argument
Generate passwords interactively
SYNOPSIS
xkcdpass [options]
PARAMETERS
-h, --help
Displays the help message and exits.
-v, --version
Shows the program's version number and exits.
-w FILE, --wordfile=FILE
Specifies an alternative word list FILE to use instead of the default system word list.
-l NUM, --length=NUM
Generates a passphrase composed of NUM words. The default is 4.
-s CHAR, --separator=CHAR
Uses CHAR as the separator between words in the passphrase. The default is a space.
-c, --capitalize
Capitalizes the first letter of each word in the passphrase.
-n NUM, --numwords=NUM
A synonym for --length, specifying the number of words.
-u, --upper
(Deprecated) Forces at least one uppercase letter in the passphrase. It is recommended to use --capitalize instead.
-d, --digits
Ensures that the generated passphrase includes at least one digit.
-p, --symbols
Ensures that the generated passphrase includes at least one symbol.
-o NUM, --output-count=NUM
Generates NUM passphrases. The default is 1.
-m MIN_LENGTH, --min-length=MIN_LENGTH
Filters the word list to only include words with a minimum length of MIN_LENGTH characters. The default is 5.
-M MAX_LENGTH, --max-length=MAX_LENGTH
Filters the word list to only include words with a maximum length of MAX_LENGTH characters. The default is 9.
-f, --valid-chars
Filters the internal word list to only include words containing letters [a-z], digits [0-9], hyphens, and apostrophes.
--no-strict-symbols
Allows words containing non-alphanumeric symbols to be included in the word list.
--no-acronyms
Excludes acronyms (all-uppercase words) from the word list.
--no-proper-nouns
Excludes proper nouns (capitalized words) from the word list.
--no-special-chars
Excludes words containing special characters (like apostrophes or hyphens) from the word list.
--keep-symbols
Retains symbols (e.g., apostrophes, hyphens) within words from the word list. By default, they are stripped.
--alt-caps
Randomly capitalizes letters within words of the generated passphrase, rather than just the first letter.
--alt-nums
Randomly inserts numbers into words of the generated passphrase.
--alt-symbols
Randomly inserts symbols into words of the generated passphrase.
--prune
Prunes the word list to remove words that reduce entropy (e.g., common or too similar words). This can significantly improve passphrase strength and requires gdbm or db support.
--unprune
Unprunes a previously pruned word list, restoring it to its original state.
--stdin
Reads words from standard input (stdin) instead of a file.
--store-blacklist
Stores generated passphrases in a blacklist to prevent their re-use.
--no-blacklist
Disables the use of the default blacklist.
--lang=LANG
Selects a specific language word list (e.g., 'en', 'es', 'fr', 'de'). Requires language-specific word lists to be installed.
DESCRIPTION
xkcdpass generates strong passphrases composed of multiple random words, directly inspired by the popular xkcd comic #936 "Password Strength".
The core idea is to create passwords that are both difficult for computers to guess due to their length and high entropy, and relatively easy for humans to remember due to their use of common, pronounceable words. It offers extensive customization options, allowing users to control the number of words, the word list source, separators between words, and the inclusion of capitalization, digits, or symbols to enhance security while maintaining memorability.
CAVEATS
The security of passphrases generated by xkcdpass heavily depends on the quality, size, and randomness of the word list used. Default system word lists may contain common words, which could reduce entropy. Using the --prune option or a custom, large, and diverse word list is recommended for maximum security. The --prune option also requires specific database libraries (gdbm or db) to be installed.
DEFAULT BEHAVIOR
By default, xkcdpass generates a single passphrase consisting of four random words, separated by spaces, chosen from the system's default word list (e.g., /usr/share/dict/words). No capitalization, digits, or symbols are added by default, prioritizing pure word-based memorability.
SECURITY PRINCIPLE
The command adheres to the principle that length is paramount for password strength. Rather than relying on a mix of uppercase letters, numbers, and symbols in a short string (which is often hard to remember), xkcdpass focuses on combining multiple common words. This approach significantly increases the entropy and thus the time required for a brute-force attack, while making the passphrase far more memorable for the user.
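The dependence on word-list size and word count described under CAVEATS and SECURITY PRINCIPLE can be made concrete. The following is an added example, not xkcdpass's own code: it assumes each word is drawn independently and uniformly from the filtered list, the function names are hypothetical, and SAMPLE is a constructed word list.

```python
import math
import secrets

# Defaults documented on this page: 4 words, word length between 5 and 9.
NUMWORDS, MIN_LEN, MAX_LEN = 4, 5, 9

def filter_words(words, min_len=MIN_LEN, max_len=MAX_LEN):
    """Keep unique, purely alphabetic words within the length bounds."""
    seen, kept = set(), []
    for w in words:
        w = w.strip().lower()
        if w.isalpha() and min_len <= len(w) <= max_len and w not in seen:
            seen.add(w)  # duplicates would overstate the pool size
            kept.append(w)
    return kept

def entropy_bits(pool_size, numwords=NUMWORDS):
    """Bits of entropy for numwords uniform, independent draws (assumption)."""
    return 0.0 if pool_size < 2 else numwords * math.log2(pool_size)

def words_needed(pool_size, target_bits):
    """Smallest word count whose entropy reaches target_bits."""
    if pool_size < 2:
        raise ValueError("word pool too small to reach any entropy target")
    return math.ceil(target_bits / math.log2(pool_size))

def generate(pool, numwords=NUMWORDS, separator=" "):
    """Draw words with the OS CSPRNG via secrets, not the random module."""
    return separator.join(secrets.choice(pool) for _ in range(numwords))

# Constructed sample input: includes a duplicate, a short word, a long word
# and a word with an apostrophe, all of which the filter drops.
SAMPLE = ["correct", "horse", "battery", "staple", "Horse", "cat", "it's",
          "extraordinarily", "window", "planet", "garden", "silver"]

if __name__ == "__main__":
    pool = filter_words(SAMPLE)
    print(len(pool), "usable words ->", entropy_bits(len(pool)), "bits")
    print("words needed for 64 bits from 4096 words:", words_needed(4096, 64))
    print(generate(pool, separator="-"))
```

The entropy figure counts only the words that survive filtering, so tightening the length bounds on a small list lowers the bits per word and raises the number of words needed for a given target.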
HISTORY
xkcdpass was created by 'redacted' and first committed to GitHub in 2011. Its primary inspiration is the popular webcomic xkcd #936 "Password Strength" (published August 14, 2009), which famously illustrated that a long, multi-word passphrase can be far more secure and memorable than a complex, short string of random characters. The tool was developed to provide a practical implementation of this concept, focusing on generating passphrases that are robust against brute-force attacks while remaining easy for humans to recall.