Haddock-generated passwords are of the form {word}{number}{symbol}{word}, and are generated to be at-most as long as a user-specified length. So for example, an 8-character Haddock password might be “amy7@rax”.

For a relatively low-security password, like you might use for your Twitter account, this is probably fine. It is certainly easier to remember than a password chosen uniformly at random from the available password-space, but does this memorability comes at a cost?

Haddock uses the UNIX /usr/share/dict/words file, which as about 480,000 words total. If I ask Haddock for an 8 character password, I’m likely to get something with 2 3-character words, a single digit, and a single symbol. There are about 6,200 3-character words in the dict file, and Haddock uses 10 digits and 35 symbols. Therefore there are about 6200 * 10 * 35 * 6200 = 13,454,000,000 possible 8-character passwords that Haddock can generate.

Although this is several orders of magnitude less than a uniformly-random password, it seems to make an acceptable trade-off between security and ease-of-use for non-critical account passwords.