Questions about the strength of passphrases frequently pop up, as does: how to generate a strong passphrase? I tried to combine both in a tool. The free tool also includes recovery time estimations for some common cases and hardware. The tool is available here.
As has been said over and over again, these strength & recovery calculations are averages, and only apply if the words are chosen at random. The tool offers 2 options for random choices. The online mode uses http://www.random.org. Offline mode uses the Excel RND function. I have 2 questions.
Commenters state that "Entropy is a property of the generation process". I agree that it is not (only) a property of the passphrase. But isn't strength (entropy), above all, a property of the combination of passphrase and recovery process?
The random choice option in the tool is a 2-step process when using the Internet as a source. The first step gets random (dictionary word) numbers from the Internet. To make the final passphrase choice less NSA-able, the dictionary sequence is randomized before words are picked from the dictionary by their random word number from step 1.
For sure the first step delivers a random choice. But is the final choice still a random choice when I randomized the dictionary before choosing (using a local pseudo-random generator)?
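The two-step selection described in the question, as an added example that is not part of the original post or its tool: it runs every possible step-1 index through a locally shuffled dictionary and counts how often each word comes out. The 8-word list, the seeds, the function names and the use of `secrets` in place of random.org are assumptions made for the illustration.

```python
import math
import random
import secrets
from collections import Counter

# Constructed 8-word sample dictionary (assumption; a real word list is far larger).
WORDS = ["anchor", "breeze", "copper", "dancer",
         "ember", "falcon", "garnet", "harbor"]

def shuffled(words, seed):
    """Step 2 of the post: reorder the dictionary with a local, non-cryptographic PRNG."""
    out = list(words)
    random.Random(seed).shuffle(out)
    return out

def selection_counts(words, seed):
    """Feed every possible step-1 index once through the shuffled dictionary.

    A shuffle is a permutation (a bijection), so each word is reached by
    exactly one index: a uniform index gives a uniform word choice.
    """
    table = shuffled(words, seed)
    return Counter(table[i] for i in range(len(table)))

def entropy_bits(dict_size, n_words):
    """Entropy of n_words independent, uniform picks from dict_size words."""
    return n_words * math.log2(dict_size)

def make_passphrase(words, n_words, seed):
    """Both steps together: uniform indices (secrets stands in for the
    online source, an assumption), then lookup in the shuffled list."""
    table = shuffled(words, seed)
    return [table[secrets.randbelow(len(table))] for _ in range(n_words)]

if __name__ == "__main__":
    for seed in (0, 1, 12345):
        counts = selection_counts(WORDS, seed)
        print(f"seed={seed}: hits per word = {sorted(counts.values())}")
    print(f"{entropy_bits(len(WORDS), 4)} bits for 4 words from {len(WORDS)}")
    print(" ".join(make_passphrase(WORDS, 4, seed=42)))
```

The count is one per word for any seed, so the shuffle neither adds nor removes entropy as long as the step-1 indices are chosen independently of it. If the indices themselves were observed, the remaining secrecy would rest entirely on how unpredictable the local shuffle is.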