Easy to Handle
Better for typing, checking, and reading back without the usual password drama.
A tiny CLI inspired by a classic comic.
xkcdpass turns the lesson from xkcd #936 into a real tool: long passphrases that are easier to read, type, compare, and say out loud without giving up real security.
Why xkcdpass?
Long random word sequences do real security better than decorative complexity.
One command, a few flags, and output you can actually use.
A standalone option when your password manager's built-in generator is not the shape you want.
See it in action
Useful for Wi-Fi passwords, account handoffs, temporary access, and any other moment when someone has to read, type, compare, or say the password correctly.
$ xkcdpass
kitchenrocketpebblelantern
$ xkcdpass --words 6 --separator -
gravity-machine-north-elephant-salad-television
Passwordless is here
Passkeys avoid a lot of what makes passwords painful, and adoption is accelerating. But until every awkward corner catches up, people still get stuck reading, typing, and handing off passwords.
Homebrew builds are available via the tap for macOS Apple Silicon and Linux x86_64. For anything else, grab the source on GitHub and build for whatever architecture you want.
FAQ
Mostly because humans are bad at symbol soup. Passphrases are easier to read, type, compare, and communicate while still leaving a large search space. It is the same human-factors idea behind what3words: you can identify any 3 metre square on Earth with three random words like ///purely.casual.text or ///enjoys.perfected.translation, which is far easier for humans to relay correctly than raw GPS coordinates. Systems like digits. Humans like words.
You could, and that is probably the smoothest experience overall. But in the cases where you specifically want a passphrase a human can read, type, compare, or relay, a tool like this is a low-friction way to generate something usable without giving up real security.
No, and it does not have to be. We use the long wordlist from EFF because it is public, well-known, and curated to be more typable and memorable for humans. Security comes from random selection over a large public list, not from hiding the list itself.
Entropy is just a way to describe how large the guess space is. Bigger space means more guesses an attacker has to try. With xkcdpass, each word is chosen uniformly from 7,776 possibilities, so every extra word multiplies the number of possible passphrases by 7,776. That works out to about 12.9 bits of entropy per word. In concrete terms: 1 word gives 7,776 possibilities, 2 gives 60,466,176, 3 gives 470,184,984,576, and it keeps compounding from there.
Four words is about 51.7 bits. Six words is about 77.6 bits. In the same ballpark, that is roughly like 8 or 12 fully random characters drawn from the whole upper/lowercase, digit, and punctuation soup. Four words is fine for casual use. Six is the better default if a human is going to keep typing passwords for a while.
No. It runs locally, uses your system CSPRNG through Go's crypto/rand, and does not call any service. The passphrase only leaves your machine if you copy or paste it somewhere.
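The two answers above (the entropy arithmetic and the crypto/rand selection) in working Go, as an added example that is not xkcdpass's own source: it draws each word uniformly with crypto/rand and computes the per-word and total entropy for any list size. The ten-word sampleList is a constructed stand-in for the EFF long list; the 7,776 constant is only used for the entropy figures.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// EffLongListSize is the size of the EFF long wordlist the page describes.
const EffLongListSize = 7776

// sampleList is a constructed stand-in so the example runs offline; a real
// run would load the full EFF long list instead.
var sampleList = []string{"kitchen", "rocket", "pebble", "lantern", "gravity",
	"machine", "north", "elephant", "salad", "television"}

// EntropyBits returns log2(listSize^words): the entropy of a passphrase
// made of `words` entries chosen uniformly from a list of listSize words.
func EntropyBits(listSize, words int) float64 {
	return float64(words) * math.Log2(float64(listSize))
}

// PickWords chooses n words uniformly at random from list using the system
// CSPRNG. rand.Int returns a value in [0, len(list)) without modulo bias,
// so every word is equally likely and the entropy figure above holds.
func PickWords(list []string, n int) ([]string, error) {
	if len(list) == 0 || n <= 0 {
		return nil, fmt.Errorf("need a non-empty list and n > 0")
	}
	upper := big.NewInt(int64(len(list)))
	out := make([]string, 0, n)
	for i := 0; i < n; i++ {
		idx, err := rand.Int(rand.Reader, upper)
		if err != nil {
			return nil, err // CSPRNG failure: never fall back to a weaker source
		}
		out = append(out, list[idx.Int64()])
	}
	return out, nil
}

// Passphrase joins n uniformly chosen words with sep, like `xkcdpass --words n --separator sep`.
func Passphrase(list []string, n int, sep string) (string, error) {
	words, err := PickWords(list, n)
	if err != nil {
		return "", err
	}
	return strings.Join(words, sep), nil
}

func main() {
	p, err := Passphrase(sampleList, 4, "-")
	if err != nil {
		panic(err)
	}
	fmt.Println(p)
	for _, n := range []int{1, 4, 6} {
		fmt.Printf("%d word(s) from the EFF long list: %.1f bits\n", n, EntropyBits(EffLongListSize, n))
	}
}
```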