Abbrase POS

How does this work?

First of all, secure random numbers are generated.

[266, 419, 350, 885, 256]

Each number corresponds to a three letter prefix from a list of 1024 common English prefixes. The password is made by joining them together.

eggsencelshaavo

Finally, a phrase is found that abbreviates to the password. The words are chosen to make an English phrase of the form adjective*–noun–verb–adjective*–noun to make the phrase more memorable.

eggshaped sensation celebrates sharp avocado

The mnemonic is much easier to remember than the input numbers, but equally secure!

Each prefix gives the password 10 bits of entropy, so this password has 50 bits of entropy (assuming your attacker doesn't know which phrases you are likely to choose). While less than the 4.7 bits per letter (70 bits total for 15 letters) for a completely random lowercase password, this abbreviated passphrase is memorable, and if the attacker does not know you are using abbrase she has a larger search space.

All steps are performed locally in your browser, and not sent to any other server. For more security, try the Python version in the Abbrase github repository.

Based on the original Abbrase by rmmh which uses Markov chains calculated from bigram frequency lists rather than parts of speech to generate the phrase from the abbreviations. Also inspired of course by xkcd: Password Strength.

"Isn't using a phrase more secure than abbreviating it?" — Not necessarily for phrases Abbrase generates. Displayed phrases are generated almost deterministically from the password, so they have little added security. Otherwise yes, 4 words have more security than 4 abbreviated words, but they're less convenient to type, and the added characters aren't as valuable as the first few characters.

"The results are complete nonsense" — True, it was a bit of a failed experiment. Better than 5 completely random words but not by a huge amount. Sorry.