Technical Overview
with accompanying code
Isn't Math.random() not secure (entropy-wise)?
Correct, it isn't, and that was taken into account while building this. Instead of relying on the browser's default Math.random(), this application uses a seeded PRNG called 'seedrandom', which produces a sufficiently random seed.
Taking this route allows entropy to be collected from local sources, such as your cookies, browsing history, scroll position, clock, native random number generator, and more. Most would agree that this is more than secure enough as a random seed source. Feel free to learn more about it here.
On document load, this is where all the magic happens:
$(document).ready(function() {
    // Replace Math.random() with a seedrandom-backed generator, auto-seeded from local entropy sources.
    Math.seedrandom();
});
What about the word list?
The application utilizes a 7,776-word listing. The wordlist was derived from The EFF's new long list. Great compilation.
You may have noticed that on the first request to this site it takes a little bit to get up and running (but hopefully not). That's because your browser is downloading the full wordlist into an array within your browser to choose from. This makes absolutely certain there are no server-side calls after the wordlist has been successfully downloaded.
var wordList = [];

// Lock the field until the wordlist has arrived, so no password is produced from an empty list.
passwordInput.prop('readonly', true);
$.get('../xkcd_wordlist.txt').then(function(data){
    // One word per line; drop the empty entry a trailing newline would otherwise leave behind.
    wordList = data.split('\n').filter(function(w){ return w.trim().length > 0; });
    passwordInput.prop('readonly', false);
    updatePasswordField();
});
Future note: if there is enough of a call for it, I'd like to add support for custom wordlists. We'll see if this becomes popular enough to warrant it.
Command Line Access
This route comes with a BIG caveat: it should not be considered secure. A password requested from the command line via
secure@xkcd-pw:~$ curl -L xkcd.pw/
is not generated locally. It is produced by a server-side, command-line xkcd password generator, so the server sees every password it returns.
Optionally, adding a number as a path parameter returns a different word count. Check out the examples below.
secure@xkcd-pw:~$ curl -L xkcd.pw/7
dissoluteness wintergreen fawkes tolkien sole skater writ
secure@xkcd-pw:~$ curl -L xkcd.pw/1
vindicator
Helping Out
Spread the word to people who might be interested. Telling someone to check xkcd.pw for xkcd passwords is dead simple and really helps.