What is it?
CryptoPhrase is an iOS app that generates strong and memorable passphrases using cryptographically secure random numbers. It is available in the App Store!
How does it work?
CryptoPhrase uses a custom word list that contains 8,192 (2^13) unique English words, and each word in a passphrase is chosen at random using the iOS Randomization Services.
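The selection step above, as an added example that is not CryptoPhrase's own code: each word is picked independently from a fixed-size list using the operating system's cryptographically secure random source (Python's secrets module stands in for the iOS Randomization Services), and the entropy per word is log2 of the list size, which is exactly 13 bits for a list of 8,192 words. The word list here is a constructed stand-in, since the real list is not on the page.

```python
import math
import secrets

# Constructed stand-in for the app's 8,192-word list (the real list is not
# on the page): 8,192 distinct synthetic tokens so the arithmetic matches.
WORDLIST_SIZE = 8192
WORDLIST = [f"word{i:04d}" for i in range(WORDLIST_SIZE)]


def bits_per_word(wordlist_size: int) -> float:
    """Entropy contributed by one uniformly chosen word: log2(list size)."""
    return math.log2(wordlist_size)


def passphrase_entropy_bits(num_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Total entropy of num_words independent picks from the list."""
    return num_words * bits_per_word(wordlist_size)


def generate_passphrase(num_words: int, wordlist=WORDLIST) -> list:
    """Pick num_words words uniformly at random with the OS CSPRNG.

    secrets.randbelow draws from os.urandom and rejects out-of-range values,
    so every index is equally likely even when the list size is not a power
    of two. Words may repeat; that independence is what keeps the entropy
    estimate honest (sampling without replacement would lower it slightly).
    """
    if num_words < 1:
        raise ValueError("a passphrase needs at least one word")
    return [wordlist[secrets.randbelow(len(wordlist))] for _ in range(num_words)]


if __name__ == "__main__":
    words = generate_passphrase(4)
    print(" ".join(words))
    print(f"{passphrase_entropy_bits(4):.0f} bits of entropy")
```

Using secrets rather than the random module matters: random.choice is seeded from a Mersenne Twister whose output is predictable once a few values are observed, while secrets.randbelow is backed by the kernel's CSPRNG, which is the property the description relies on when it says the passphrase carries nothing a guesser can exploit beyond brute force.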
How strong is my passphrase?
That depends on how many words are in your passphrase. Here is the description given in CryptoPhrase.
The passphrases generated by CryptoPhrase use cryptographically secure random numbers that are available on most Linux-based systems, including iOS. Due to the random nature of their generation, the passphrases have no personally identifiable information that a hacker could use to crack your passphrase. This leaves them with one other method – brute force. Brute force is a last resort because it involves trying to guess every possible combination of words used in a passphrase until the correct combination is found.
To calculate how long it would take a hacker to crack a passphrase using the brute force technique, you need to know how many possible combinations of words they have to guess, and how many times they can guess per period of time.
The number of possible combinations of words is calculated from the number of words in a passphrase and the size of the word list used to generate the passphrase. The word list used by CryptoPhrase has 8,192 words in it, meaning that for each word in a passphrase, you multiply the number of possible word combinations by 8,192. For example, a three-word passphrase has a total of over 549 billion word combinations!
549 billion may sound like a lot, but if your hacker happened to be using a purpose-built passphrase cracking computer that can perform 90 billion guesses per second, it wouldn’t take long to get through all those combinations. This is obviously a worst-case scenario, but it is the number used to calculate the average time to crack reported by CryptoPhrase. Average time is also important, because there is a 50/50 chance that the correct combination will be discovered in the first half of all the possible combinations, so the average time to crack is half of the time to guess all the combinations.
Luckily, most encryption systems also have safeguards against brute force cracking techniques that, after a certain number of incorrect guesses, will delete the data protected by your passphrase, or introduce a delay until another guess can happen so that the brute force process will take exponentially longer.
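The arithmetic in the three paragraphs above, carried through as an added example (not the app's code): the search space is 8,192^n, the average time to crack is half of that space divided by the guess rate, and the 90 billion guesses per second figure is the description's worst case. The throttled scenario at the end, which models a system that enforces a delay before each further guess, uses an assumed one-second delay that is not on the page.

```python
# Constants taken from the description above.
WORDLIST_SIZE = 8192
WORST_CASE_GUESSES_PER_SEC = 90_000_000_000


def combinations(num_words: int, wordlist_size: int = WORDLIST_SIZE) -> int:
    """Size of the search space: every word multiplies it by the list size."""
    return wordlist_size ** num_words


def average_crack_seconds(num_words: int,
                          guesses_per_sec: float = WORST_CASE_GUESSES_PER_SEC,
                          wordlist_size: int = WORDLIST_SIZE) -> float:
    """Expected time to hit the right combination: half the space / rate."""
    return combinations(num_words, wordlist_size) / 2 / guesses_per_sec


def throttled_guess_rate(delay_seconds: float) -> float:
    """Guesses per second when each attempt must wait delay_seconds."""
    return 1.0 / delay_seconds


def human_duration(seconds: float) -> str:
    """Render seconds in the largest unit that is at least 1 (one decimal)."""
    units = (("years", 365.25 * 86400), ("days", 86400.0),
             ("hours", 3600.0), ("minutes", 60.0))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Worst-case cracker at 90 billion guesses/s, as in the description.
    for n in range(3, 8):
        print(f"{n} words: {combinations(n):.3e} combinations, "
              f"average {human_duration(average_crack_seconds(n))}")
    # Assumed throttled login: one guess per second after a failure.
    slow = throttled_guess_rate(1.0)
    print(f"3 words, throttled to 1 guess/s: "
          f"average {human_duration(average_crack_seconds(3, slow))}")
```

Two things the numbers make concrete: every extra word multiplies the average time by 8,192, so going from three words (seconds) to six (tens of thousands of years) is not a small step, and a per-guess delay of even one second changes the three-word case from about three seconds to thousands of years. That second effect only holds where the verifier enforces the delay; an attacker holding an offline copy of the encrypted data is limited only by their own hardware, which is why the worst-case rate is the right one to plan around.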
Feedback
Please email cryptophrase@codeify.us with any questions or comments.
I want to know more!
Here are several links that describe the various cryptographic principles used by CryptoPhrase.
Entropy (Information Theory)
Cryptographically Secure Pseudorandom Number Generator
Password Cracking
Agile Bits Blog – Toward Better Master Passwords
Diceware
xkcd: Password Strength
Agile Bits Blog – Better Master Passwords: The geek edition