Original comic by Randall Munroe (xkcd, CC BY-NC 2.5).
xkcdpass is a small Go CLI that generates xkcd-style passphrases from the embedded EFF large wordlist using cryptographically secure randomness.
By default, it prints 4 random lowercase words concatenated with no separator, in the style of correcthorsebatterystaple.
The comic is a simple lesson in information theory: what feels obscure is not always hard to guess. Counterintuitive as it may seem, a few memorable words from a known list can be stronger than the convoluted strings typical password rules require.
On supported published platforms, install with Homebrew:
brew tap tvanreenen/tap
brew install xkcdpassPublished Homebrew release artifacts are currently available for:
- macOS Apple Silicon (
darwin/arm64) - Linux x86_64 (
linux/amd64), including typical x86_64 WSL environments
For other platforms, build from source locally:
- macOS Intel (
darwin/amd64) - Linux ARM64 (
linux/arm64) - Windows native
go build -o xkcdpass ./cmd/xkcdpassxkcdpass
xkcdpass --words 6
xkcdpass --separator -
xkcdpass --separator _Sample output (default: no separator):
washroomunquotedzebravelocity
Hyphenated (optional; easier to read or type):
xkcdpass --separator -washroom-unquoted-zebra-velocity
- Entropy source: Go's
crypto/rand, backed by the operating system CSPRNG—notmath/rand, which is unsuitable for secrets. - Uniform words: Each word is an independent, uniformly random draw from the full embedded list (the same word may appear more than once). Indices come from
crypto/rand.Int, which avoids modulo bias you get when shrinking random bytes with% len(list)and the list length is not a power of two. - Flat phrase space: No templates, grammatical rules, or frequency weighting—those steer output toward a smaller or more predictable set of phrases than uniform words from the whole list.
- Formatting: Lowercase words are fixed; an optional separator between words does not add entropy.
The EFF large wordlist is public, so strength is quoted the way passphrase tools usually do: treat the list and the number of words as known, and measure what is left to guess—the specific sequence of words. Each independent uniform word adds about 12.9 bits (log2(7776)). For n words, that is n times as much altogether (log2(7776^n) bits).
Examples with the embedded 7,776-word list and a known word count:
- 4 words: about 51.7 bits
- 6 words: about 77.6 bits
Use --words 6 for stronger real-world usage.
For development and release workflows, see CONTRIBUTING.md.
The embedded wordlist is based on the EFF large wordlist for passphrases:
- Source: EFF Large Wordlist for Passphrases
- File: eff_large_wordlist.txt
See THIRD_PARTY_NOTICES.md for attribution details.
