Insult Passphrase Generator

cheswick.com

245 points by rkta 2 years ago · 143 comments

enriquto 2 years ago

> Each entry has about 42 bits of randomness. Queries are not recorded. Randomness is probably as good as the random resource in the operating system.

Hmmm. Such a statement should be backed by proof, not by trust. Until you can run the code locally you can't assume that any of these things is true. As far as we know, this can be a reverse password harvesting scheme.

  • throw0101d 2 years ago

    > Such a statement should be backed by proof, not by trust.

    Just noting that "Cheswick" is the dude that literally (co-)wrote the book on firewalls (1e in 1994):

    * https://en.wikipedia.org/wiki/Firewalls_and_Internet_Securit...

    * https://en.wikipedia.org/wiki/William_Cheswick

    * https://en.wikipedia.org/wiki/Firewall_(computing)

    • enriquto 2 years ago

      Is this some sort of argument from authority? I'm not accusing the author of anything.

      But now that you mention him, the man was working at Bell labs during the time when Ken wrote his famous essay "reflections on trusting trust". If he shared just a small part of his colleague's spirit, it would be irresistible to him to log all passwords that thousands of people may decide to use. Mainly as a conversation starter, not to do anything bad with these passwords. Maybe he's gathering cool stories in case of a hypothetical Turing award in the future?

      • Hnrobert42 2 years ago

        It is an argument from authority, but such a critique is less relevant in this context. This is not the examination of a logical argument.

        GP was arguing that OP is trustworthy because he has a reputation to maintain.

        • throw0101d 2 years ago

          > GP was arguing that OP is trustworthy because he has a reputation to maintain.

          I, the GP, am arguing nothing of the sort.

      • TedDoesntTalk 2 years ago

        I'm very fortunate I do not live with your kind of paranoia.

        • Maskawanian 2 years ago

          Is it paranoia to have proper security practices? You should strive to be excellent in everything you do. I do not think that targeting the GP with an ad hominem attack is a valid argument.

          • blackmesaind 2 years ago

            The fact that you are using the internet means that you have implicit trust in much less trustworthy entities than a known security researcher.

            That being said, there's no need to use 3rd party password generators, if you can make your own.

            • Maskawanian 2 years ago

              Ok sure, but you're moving the goalposts. The OP was talking specifically with respect to using a non client side password generator. As a joke it is funny, but only a fool would use a password generator that can't be audited and that may be logged.

              • TedDoesntTalk 2 years ago

                > only a fool would use a password generator that can't be audited and that may be logged.

                Really?

                1. It’s from a known-reliable source

                2. Even if the password is stored, logged, broadcast around the world for billions to see, so what?

                A. Source has no way to know if the user used the password anywhere or saved it

                B. Source doesn’t know who the user is

                C. Source doesn’t know in which website or resource the password was used.

                So… I stand by my paranoia claim. I wouldn’t go so far as to call you foolish like you did me, but I’d say such a world view will not be a net gain for you over your lifetime. You’ll have difficulty delegating work. You’ll have major trust issues. Maybe you already do. But as they say, “you do you.”

            • usr1106 2 years ago

              No need to make your own generator.

              But being able to inspect (theoretically even audit) the source, building (if necessary) and running it locally in some container/sandbox without network connection would be minimum requirements for me.

      • Kuraj 2 years ago

        I mean, I'll take it.

    • john-radio 2 years ago

      It's the long con!

  • Culonavirus 2 years ago

    I use https://www.useapassphrase.com/ since forever and that uses client side generation (i.e. the password never leaves your browser). And speaking about passphrases... I find it borderline insulting that many sites still use the archaic "whateveR1@" format, like, dude, I just gave you sentence worth of words that will take a bazillion more years to crack than passworD1@ ... some people just learn something in school and then use it for 20 years, I swear.

    • consp 2 years ago

      The [capital, number, special] scheme reminds me of the passwords at my uni. Everyone got a plaintext stored (you could recover and get the pw back, I doubt there was any encryption) 7 digit (yes digit, not alphanumeric) password for your account. After a while these were "upgraded" to 8 and must contain a letter. So the amount of [7 digits]+a passwords were massive. They then upgraded to "must contain a lower and upper case" and you got [7 digits]+a+A passwords, after which a special character must be included and the [7 digit]+a+A+! was born...

      Security is no issue if you don't care. They did abolish unhashed storage after a while (and a while is really quite recent).

      • losvedir 2 years ago

        Ha, pretty much exactly this stand up bit: https://youtu.be/aHaBH4LqGsI?si=Zs2IvRUqtIrn9KH8 .

        • scubbo 2 years ago

          Good god I loathe that disgusting slime of a man. Even worse than James Corden, and that's saying something.

      • maicro 2 years ago

        Reminds me of default passwords on wifi routers a decade ago - ATT especially had a very identifiable SSID format (ATT###), and a default 10-digit password. That leaves you with (9,999,999,999 + 1 =) 10 billion[1] passwords possible, which even at that time only took a couple hours to test all of them. That SSID pattern also left you with only 1,000 possible SSIDs, so a rainbow table was definitely reasonable.

        [1] - though now that I think about it, that might not properly cover the case of leading zeroes in the password, so the total number of possible passwords might be larger than 10B; that's assuming a naïve password list generated just from numbers, not from treating the digits as characters, so I need to reason about this a bit more...

        • amenhotep 2 years ago

          It's O(10 billion), so your intuition is good regardless :) passwords with ten 10-digits: 10x10x... = 10^10 = 10 billion, passwords with nine digits = 10^9, etc etc down to 11,111,111,110 (I don't think we should count the empty password). The full length password dominates the size of the keyspace so much that you more or less get truncations for free.

      • brewdad 2 years ago

        Eh, that's still better than my days at Uni where my student ID was my Social Security Number and grades were posted outside the classroom as a sheet with everyone's SSN and their scores.

    • lupusreal 2 years ago

      Do you vet the JS this site sends you every time you use it, or do you trust that because it was client side in the past it will always remain so? Also, picking four random words "meat side" is pretty easy in my experience, but using a client side (not browser) password manager neatly solves the "inane password complexity requirements" problem.

      • codetrotter 2 years ago

        This is an opportune moment to plug my command-line passphrase generator.

        Open source, runs on your machine.

        It makes passwords like:

            tiptoeing saxophone wholesaler luxurious leftover codeword eruption gnarly skies taco username affidavit
        
        I named it pgen

        Get it from https://github.com/ctsrc/Pgen

        • brookst 2 years ago

          If nothing else that would force me to finally learn to spell affidavit. Or just give up on whatever I locked behind that phrase.

          • zoky 2 years ago

            Have you, uh… had a lot of opportunity to misspell “affidavit”?

            If so, please let me know the name of your SaaS so I can steer well clear of it…

            • brookst 2 years ago

              It’s one of those words I use just rarely enough to never learn how to spell, like supeena, deeposition, and perjery.

          • kodis 2 years ago

            I occasionally use words that I have trouble spelling as part of a password. I learn 'em fast, let me tell you!

        • thewakalix 2 years ago
        • jamesponddotco 2 years ago

          I'll go with the flow and plug mine too, called acopw (get it, Accio Password, I'm so funny):

          https://git.sr.ht/~jamesponddotco/acopw-cli

          It can generate diceware passwords, random passwords, PINs, and UUIDv4.

          It uses my own Go module for this, which comes with a list of words with over 23 thousand words:

          https://git.sr.ht/~jamesponddotco/acopw-go

        • keybored 2 years ago

          I use a 1000-line word list, head(1), shuf(1) and then tr(1) to join the lines.

          • yjftsjthsd-h 2 years ago

            I've just been using

                shuf -n 5 /usr/share/dict/words
            
            and then manually typing them in, optionally adding any special characters or whatever the particular site requires. Changing 5 as needed, of course.

            • codetrotter 2 years ago

              One of the neatest bonuses that you get from using pgen instead is that it can also tell you the amount of entropy of passphrases that each combination of settings (wordlist, number of words) will produce. This alone should ideally be reason enough to adopt pgen :)

      • bmacho 2 years ago

        > Do you vet the JS this site sends you every time you use it,

        Hit ctrl+s

        Which you should do even if you fully trust the website owner anyway

    • frizlab 2 years ago

      I use Safari’s password generation and keychain. Works great and has readable passwords.

      • lsllc 2 years ago

        I do the same and it usually only takes a few days to a week to learn a 16 character pretty random looking password, which with a 6-monthly change-your-password-rule is no big deal.

        • rokkitmensch 2 years ago

          Or just increment a token in the already-secure password you're being forced to rotate like a sane person.

    • ciroduran 2 years ago

      Obligatory xkcd https://xkcd.com/936/

      Great username btw

      • jsjohnst 2 years ago

        It bothers me how much folks parrot this XKCD, especially using it to imply passphrases are superior. They are in fact not! Four common words are definitely easier to remember, but is it really feasible to remember hundreds (thousands?) of truly unique four word combinations easily? I would argue strongly it’s not for most people, so then you’re still using a password manager for the vast majority of passwords. Yes, you still need to remember a few, where then passcodes are ok. Also, many sites have arcane password complexity requirements (protip site owners, the only thing that really matters is length) which may not allow for your passphrase as suggestingly formatted by XKCD, thus needing a password manager more.

        If we are using a password manager as we should be, there is no real justification for using memorable passwords for the majority of passwords. Let’s use the example from XKCD:

        correct horse battery staple = 2048^4 = 2^44

        If instead we use the same length of 28 characters with the full range of characters allowed by most websites:

        M4Uk@gQRU!JFgwlI6MV$VV39TEA. = 70^28 = ~2^172

        Dunno about you, but I’ll gladly take significantly more entropy with zero extra cost any day.

        • SushiHippie 2 years ago

          I don't remember all of them and I use a password manager, that's true.

          But if I need to login on a device where my password manager is not installed, or you can't use a password manager (e.g. windows UAC prompt, linux tty), it will be way easier to open my password manager on my phone and type a password rather than a long random string.

          I don't use a passphrase for every login, but for some logins where I think it could be beneficial to easily type it without using autofill I use them.

          • NoGravitas 2 years ago

            Yep. For most logins, a password manager is the way. But there are some you are simply going to have to or want to remember (password manager key, workstation login), and for those, passphrases are better.

          • jsjohnst 2 years ago

            > for some logins where I think it could be beneficial to easily type it

            See my reply to sibling commenter, I had already covered this case in my original post.

          • GoblinSlayer 2 years ago

            UAC supports clipboard, I use managed passwords with it.

          • bookofjoe 2 years ago

            >I don't use a passphrase for every login, but for some logins...

            >I don't always drink beer, but when I do...

        • KoolKat23 2 years ago

          And if you were to add a few additional characters scattered within the passphrase?

        • bigfudge 2 years ago

          What about your login password though? Or an email password which you occasionally need to access on a machine you don't control? Those are the passwords where I use a passphrase.

          • jsjohnst 2 years ago

            > What about your login password though? Or an email password which you occasionally need to access on a machine you don't control?

            >> using a password manager for

            >> the /vast majority/ of passwords

            Added emphasis to what I said previously to show I had answered that already.

        • Tcepsa 2 years ago

          Doesn't the assertion that correct horse battery staple = 2048^4 require the attacker to know that you're using this pattern?

          • joveian 2 years ago

            It might make a slight difference or it might not, but you can't know that it will so best to assume that it doesn't. In practice the amount of computing power actually available is going to make much more difference than the method used.

            IMO, pass phrases only seem useful if you have a quite insecure password. It is ideal to aim for 115-128 bits of entropy, which is not that bad with just random lower case letters and numbers (24 characters is good) but turns into a long and complex passphrase. To learn a random password write it down (split into groups of 6ish characters) and copy it from the paper for 2-4 weeks (do not try to guess until you are almost certain your guess is correct).

        • FabHK 2 years ago

          The XKCD is not arguing against password managers. It is arguing against websites mindlessly imposing silly rules on passwords, as you are.

          • hn_acker 2 years ago

            Indeed, the XKCD comic Password Strength does not argue against password managers, but sometimes when someone posts that comic I wonder why they need to come up with a memorable password given that password managers exist.

            Secondly, jsjohnst was not supporting silly password rules, merely pointing out that a password manager can make the password rules less of a hassle to comply with [https://news.ycombinator.com/item?id=39690528]:

            > Also, many sites have arcane password complexity requirements (protip site owners, the only thing that really matters is length)

  • usrusr 2 years ago

    So this is basically the swordfighting sim in the Snow Crash metaverse (well, The metaverse, this one does not require a qualifier), but ported to Monkey Island. Should we take Hiro Protagonist's swordplay acumen as a warning to question the promised randomness?

  • Dalewyn 2 years ago

    While what you say is absolutely true, a cursory skim of the website's webmaster's profile[1] suggests he would be putting a lot of reputation on the line if he were acting maliciously.

    [1]: https://cheswick.com/ches/cv/index.html

    EDIT: Pardon my sudden lack of linguistic finesse, clearly the beer I had tonight was good.

  • dylan604 2 years ago

    According to the movie, the Enigma was broken because each message closed with the exact same phrase in every message. These all start with the exact same word.

    However, anyone taking this thing as anything more than the jovial manner in which it is intended is not someone that understands a word of what you just said. So it's all just grandstanding for the sake of it.

  • danbruc 2 years ago

    42 bit is not that much to begin with, you can brute force a simple cryptographic hash in minutes.

    • wlesieutre 2 years ago

      Assuming that person trying to brute force your password knows that this passphrase generator exists and starts their search with all possible insult passphrases, otherwise they're searching in a much larger space

      • danbruc 2 years ago

        Of course, searching through all eight word combinations will be quite a bit harder. But that does not really protect you that much. If you are attacking passwords, you will try increasingly large sets of possible passwords. After you have gone through the million most common passwords and so on, you will also sooner than later spend a few minutes on trying all those insults before moving on to all eight word combinations, at least if this generator becomes popular enough to warrant inclusion in an attack.

arcastroe 2 years ago

This is hilarious, I love these. If you're tempted to use one of these as your password, you probably have to choose the first one you see in order to maintain the desired 42 bits of security. You can't keep refreshing until you find one you like since the search space for a reaaaaally good one is probably much smaller than the search space of all combinations.

(I acknowledge this site is mostly a joke and you'd be crazy to use any of these for an important password)

  • hackan 2 years ago

    Do note that 42 bits is way too low for a secure password. You should be targeting something over 77 bits [0], so you would need to combine 2 passphrases. Sounds pretty hard to remember to me :P

    Shameless plug: I made a secure* passphrase and password generator in Python [1]

    [0] https://www.eff.org/es/deeplinks/2016/07/new-wordlists-rando...

    [1] https://github.com/HacKanCuBa/passphrase-py/

    • ufo 2 years ago

      Would a lower complexity be enough, with proper key stretching?

      • hackan 2 years ago

        It depends entirely on your security requirements, but all in all, in broad definitions, 42 bits is not enough. Maybe if key rotation happens fast enough, faster than expected brute force, then, maybe? Again, all up to definitions and context. Let's not forget that this "passphrase generator" is mostly a joke :D

Findecanor 2 years ago

In the early '90s, a dial-up BBS I frequently visited stored passwords in plaintext. The sysop read my pass phrase and banned me for it.

  • gwbas1c 2 years ago

    As far as I know, they ALL stored the password as plaintext. I ran VBBS and then Iniquity, and those stored the password as plaintext and visible to the sysop.

    I also suspect WWIV and Tele(can't remember the last part of the name) stored them as plaintext, but I didn't evaluate those as closely.

    I once caught someone calling into my BBS as another user, so I implemented a pseudo 2-factor authentication system that asked for some other details from the profile. I also added a script that made my co-sysops enter a whacky 2nd password in case someone used a vulnerability to download other users' passwords.

  • tetris11 2 years ago

    I remember in the 2010's when several popular forums swore that they never stored plain-text passwords, but then sent out emails to their users once they were hacked that their passwords have likely been compromised

    • LordDragonfang 2 years ago

      I mean, if they didn't salt the hashes on a per-user basis, with even 2010s hardware it would be fairly easy to compute the hash of every password below a certain complexity and associate them with emails to get a set of login credentials.

re 2 years ago

A few interesting generations:

> You malformed garbage can of podagric pig precipitations

That alliteration for the second part is particularly pleasing. Although they wouldn't make good passphrases, it'd be fun to see an "oops! all alliterations" version of this.

> You misbegotten locker of pathological coon cat [dial] dross

I wonder how the "[dial]" slipped in there -- is it part of the animal list or the excrement list?

Edit: after refreshing a few more times I've seen a few other tags attached to other words ("labis [eccl]", "painter [S US]", "budget [dial]", "scrip [archaic]"). I'm guessing that "dial" means dialect, and the words that went into this were scraped from some old version of Roget's Thesaurus.

  • mdaniel 2 years ago

    > Roget's Thesaurus.

    well now I want to make one of these generators using cosine similarity and this "embeddings" thing all the kids are raving about to make passphrases where the words are related, making them even easier to remember, e.g.

      remember recall recollect reminisce
    
    or taking inspiration from those NYT games, ones where they differ by a letter, but I'm no good at that game so I don't have any examples handy

throw0101d 2 years ago

Reminder of Diceware:

> Diceware is a method for creating passphrases, passwords, and other cryptographic variables using ordinary dice as a hardware random number generator. For each word in the passphrase, five rolls of a six-sided die are required. The numbers from 1 to 6 that come up in the rolls are assembled as a five-digit number, e.g. 43146. That number is then used to look up a word in a cryptographic word list. In the original Diceware list 43146 corresponds to munch. By generating several words in sequence, a lengthy passphrase can thus be constructed randomly.

* https://en.wikipedia.org/wiki/Diceware

* https://diceware.rempe.us/

* https://packages.debian.org/search?keywords=diceware

weinzierl 2 years ago

My dear friend Bowerick asked me about this and maybe someone can help him out:

Is there a site that lists everyone in the entire universe in alphabetical order?

Bowerick would like to use it for a project he is working on in his spare time - and he has a lot of that since his accident.

  • amarant 2 years ago

    This seems very familiar.. Isn't there a plotline in The Hitchhiker's Guide To The Galaxy about someone travelling around apologising to the entire universe in alphabetical order, using a time machine iirc?

    Edit: Hah, my bad, I thought Bowerick was a HN user. Google set me straight!

    Good one!

    • chuckadams 2 years ago

      That would be Wowbagger the Infinitely Prolonged, and his mission was to insult the entire universe, in alphabetical order.

    • mangamadaiyan 2 years ago

      I think you're referring to Bowerick Wowbagger the Infinitely Prolonged -- an immortal who went about insulting every living being in the universe in alphabetical order :)

jjbinx007 2 years ago

We issued temporary passphrases for new users once and thankfully checked them manually before issuing them. Even if you remove swear words it's amazing how random words put together could be interpreted as insults and slurs.

  • riskable 2 years ago

    Randomly offensive passphrases aren't really a problem. There's only one person who's supposed to know it and if two or more know it then it's just temporary and up to the person who "owns" it to make a new one.

    Also, I don't care how sensitive someone is, if the tech that clicked the "Generate" button informs them, "it's just random words strung together :shrug:" how offended can you be? I mean, seriously?

    If anything we should be doing our darndest to intentionally make passphrases as offensive as possible so that people are encouraged to change them right away! Generating temporary passphrases for new employees? Feed a picture of them into an AI that's trained to generate insults about their appearance!

    • ziddoap 2 years ago

      >Randomly offensive passphrases aren't really a problem.

      They are absolutely a problem from a business perspective.

      >how offended can you be? I mean, seriously?

      Have you never worked in a customer-facing position? Customers get offended all the time.

      I mean, it's not really anyone's place to decide what is or isn't offensive to someone else. But even if a customer isn't actually offended, they may feign offense for purposes like discounts, preferential treatment, rage-baiting for internet points, etc.

      All of those scenarios suck for the lowly tier 1 customer service employee who has to deal with it, and sucks for the company.

      Much easier for everyone (customer, company, and the poor person who is actually dealing with the customer) to just... not send offensive passphrases.

  • Cthulhu_ 2 years ago

    "Absolute weapon" is a great one. I've heard "Prairie hat" be used as well for someone with an unfortunate hairstyle.

  • favorited 2 years ago

    When we started using hexadecimal-encoded identifiers as user watermarks, we had to replace all of the vowels with special characters because people were seeing slurs over their video player.

roydivision 2 years ago

Project name should be "Captain Haddock"

CoastalCoder 2 years ago

This reminds me of the "Abuse" room from Monty Python's Argument Clinic [0].

Shirley I'm not the only one.

[0] https://youtu.be/uLlv_aZjHXc?t=42

pmw 2 years ago

This is great in that it creates a grammatically correct sentence, which really helps with memorization, and which is lacking in many other "passphrase generators" that are simply sets of disconnected words.

Though password managers are useful, they don't obsolete memorization! At the very least, you need to memorize your password manager's master password. I also don't put extra-sensitive passwords in my password manager, such as for my email account, laptop OS, SSH key, employer enterprise account, etc. I probably have about ten passwords / passphrases memorized, and I don't think this'll ever reduce.

To scratch my own itch, I created https://phrase.shop, which also generates grammatically correct phrases (not full sentences though), minus the insults. Hopefully you find it useful too!

amarant 2 years ago

I'm probably not gonna use these for my passwords, but there are some pretty awesome insults generated here!

Is the source code available somewhere, and if so, under what license?

I'm currently working on a tiny game, and this gave me the idea of having generated insults in the banter!

GauntletWizard 2 years ago

Bill Cheswick is a cool dude. In the 80s and 90s, he ran the Internet Mapping Project, which was an attempt to collate the complexity that is our routing stack into something approachable. It also produced some really cool graphs: https://cheswick.com/ches/map/gallery/index.html

As a young engineer, I had the opportunity to meet him at one of the tech conferences my dad was attending, where he gave me one of his printed copies of the internet map (and signed it). Hung on my childhood bedroom wall until my parents moved. Lovely piece.

ornel 2 years ago

I made a readable passphrase generator[0] (in Spanish) with a UI that lets you configure the sentence structure. It's all generated in the client and code is open[1]. According to my primitive calculations I get up to 9x bits of entropy

[0] http://mirrodriguezlombardo.com/passphrase/

[1] https://github.com/mir123/readablePassphraseJS-ES

tomtomtom777 2 years ago

Nice except that it is an absolute no go to generate these on the server.

Why not port to JS and generate it on the client? Should be trivial.

You should not encourage people to trust you.

  • riskable 2 years ago

    Yeah! Only a, "distasteful mail pouch of ratty cuckoo dejecta" would use a 3rd party service to generate passphrases!

Brajeshwar 2 years ago

Superb. Loving it.

I wish this was Open Source. I want to add quite a lot of pre-defined words that should come up more often than not. ;-)

threeio 2 years ago

This reminds me of the mid 90s when we first started having servers in the colo and you'd need to give a Noc tech the root password to fix things.. our policy was to always have the most offensive root password so you'd never -want- to give it to anyone... god it was fun...

dejj 2 years ago

Setting the seed would be great.

I use a passwordcard[1]. When the paper dissolves, I generate a new one from the same seed and print it again.

[1] https://www.passwordcard.org/en

dghf 2 years ago

So the template is 'You <adjective> <object> of <adjective> <animal> <noun>'.

If there's about 42 bits of randomness, presumably there's an average of a bit more than 2^8 entries in each of those five lists?
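
Added example (not part of the thread and not the site's code): a locally run generator for the template in the comment above, with the entropy arithmetic behind the "a bit more than 2^8 entries per list" estimate and behind arcastroe's earlier point that refreshing until you like a phrase shrinks the search space. The word lists are tiny constructed samples built from phrases quoted in this thread, and the `alliterative` taste rule is a hypothetical stand-in for "a really good one".

```python
import itertools
import math
import secrets

# Constructed sample lists: a few words quoted in this thread, NOT the site's
# real lists (those are not published here). Real lists would be far longer.
ADJ1 = ["malformed", "misbegotten", "foul", "distasteful"]
OBJ = ["garbage can", "locker", "caldron", "mail pouch"]
ADJ2 = ["podagric", "pathological", "ulcerated", "ratty"]
ANIMAL = ["pig", "coon cat", "flying squirrel", "cuckoo"]
NOUN = ["precipitations", "dross", "detritus", "dejecta"]

# 'You <adjective> <object> of <adjective> <animal> <noun>'
# Plain strings are fixed words; lists are slots drawn at random.
TEMPLATE = ["You", ADJ1, OBJ, "of", ADJ2, ANIMAL, NOUN]


def variable_slots(template):
    """Return only the list-valued slots, in template order."""
    return [s for s in template if isinstance(s, list)]


def template_bits(template):
    """Entropy in bits when every list slot is drawn uniformly and
    independently. Fixed words ("You", "of") add log2(1) = 0 bits."""
    return sum(math.log2(len(s)) for s in variable_slots(template))


def avg_list_size(bits, n_slots):
    """Average list length needed to reach `bits` with `n_slots` slots."""
    return 2 ** (bits / n_slots)


def render(template, picks):
    """Interleave the chosen words with the template's fixed words."""
    it = iter(picks)
    return " ".join(s if isinstance(s, str) else next(it) for s in template)


def generate(template, accept=None):
    """Draw a phrase with the OS CSPRNG (secrets). If `accept` is given,
    re-roll until it returns True, like refreshing the page until you
    see a phrase you like."""
    slots = variable_slots(template)
    while True:
        picks = tuple(secrets.choice(s) for s in slots)
        if accept is None or accept(picks):
            return render(template, picks)


def bits_after_filter(template, accept):
    """Entropy left when only phrases passing `accept` are ever kept.
    An attacker who knows the rule searches just the accepted set.
    Enumerates every combination, so use it on small lists only."""
    kept = sum(1 for p in itertools.product(*variable_slots(template))
               if accept(p))
    if kept == 0:
        raise ValueError("filter rejects every phrase")
    return math.log2(kept)


def alliterative(picks):
    """Hypothetical taste rule: second adjective, animal and noun share
    a first letter ("podagric pig precipitations")."""
    _, _, adj2, animal, noun = picks
    return adj2[0] == animal[0] == noun[0]


if __name__ == "__main__":
    print(generate(TEMPLATE))
    print("bits, first phrase kept:    ", template_bits(TEMPLATE))
    print("bits, re-roll until liked:  ",
          bits_after_filter(TEMPLATE, alliterative))
    print("avg list size for 42 bits:  ", round(avg_list_size(42, 5), 1))
```

With the sample lists the unfiltered template carries 10 bits and the filtered one 5; the same halving in bit count applied to a 42-bit generator would leave about 21 bits.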

ourmandave 2 years ago

Reminds me of A Clockwork Orange quote...

"Well, well, well, well. If it isn't fat, stinking billy goat Billy-Boy in poison. How art thou, thou globby bottle of cheap stinking chip-oil?"

Demcox 2 years ago

This is why I pay for internet!

DonHopkins 2 years ago

Doctor Zachary Smith would love this for insulting the Robot on Lost in Space!

Lost In Space - Dr Smith insulting the Robot:

https://www.youtube.com/watch?v=wyH33DXusTY

Jonathan Harris and PimpBot 5000 appeared on Conan O'Brien in 1998:

https://www.youtube.com/watch?v=BlU0hs5j-W0

makach 2 years ago

Terrible and hilarious. Maybe not use it for your passphrases, entropy seems low? Also all sentences start with "you".

coldtea 2 years ago

What stops someone from adding anything generated by their "passphrase generator" to a brute-force dictionary?

  • Cthulhu_ 2 years ago

    Nothing, except that all possible combinations - assuming proper randomness - add up to A Lot of entries.

    • coldtea 2 years ago

      If the generator author keeps a log of the generated phrases his generator suggested to users, then it doesn't matter if a generator came with the phrase "upper class koala bear tango" with great randomness.

      If I take it and use it as my password, the generator author then has my password in his list.

      (If the generation happens on the client of course this doesn't apply, assuming it doesn't also phone home).

      • andrewaylett 2 years ago

        True -- but absent logging, it should be absolutely possible to tell everyone how you generate your passwords without making them less secure.

        For example, I get 44 bits of entropy from https://atlas.aylett.co.uk/pw/, purely from the randomness of the words. Knowing that I used that script doesn't help you: there's no point in adding every permutation to a list, there are too many of them.

        If you don't know that I used this mechanism then you may be worse off, but I can't assume I'm better off.

        And obviously I'm happy using my own generator, but the reason I wrote it was because I didn't want to have to trust someone else's :).

  • re 2 years ago

    Nothing, but the calculations about bits of randomness already assume that you know how the passphrase is being generated, including all the possible words.

ggambetta 2 years ago

You fight like a dairy farmer.

  • riskable 2 years ago

    That's not an insult! Bovine nipple squeezers know how to moove... They'll milk your pride, dump it into a bucket, and pasteurize your very soul.

    • ggambetta 2 years ago

      It 100% is an insult for men of low moral fiber and a certain age, at least until undergoing some rigorous training.

fileeditview 2 years ago

You can even mutter them while entering the password and nobody will suspect that it's an actual passphrase.. just the typical nerd talking to her/his computer.

layer8 2 years ago

The first word doesn’t seem very random.

1vuio0pswjnm7 2 years ago

Someone should test whether insults are actually easier to remember than non-insults.

potemkinhr 2 years ago

Good one, added it to my PowerShell profile for the occasional giggle so I can invoke it on demand, feel free to reuse it.

function Insult { (Invoke-WebRequest -Uri "https://cheswick.com/insults") .ParsedHtml.getElementsByTagName("p")[2].innerText } #Outputs a random quality insult!

Note: delete the space behind insults") Formatting ¯\_(ツ)_/¯

ddoolin 2 years ago

> You foul caldron of ulcerated flying squirrel detritus

I kinda like this one.

failuser 2 years ago

Nice. I get why “Russian” is an insult again, but “Irish”?

hyperman1 2 years ago

I've been wondering, to use something like this in a new captcha system. AI is great for solving captchas, but megacorp censorship won't let them swear. So captcha: Write some swearwords in this textbox.

A swearword password is great for the same reasons: You can't publish it in most public locations. They'll refuse to publish it.

Next up: A password full of covid disinformation. Preferably racist.

Aeolun 2 years ago

Today I learned about 20 new insulting English words.

BigParm 2 years ago

I don’t understand long passwords of dictionary words. Is an 8-word password not just an 8-character password?
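
The entropy figures quoted earlier in the thread and the 8-word versus 8-character question above come down to the same count of equally likely outcomes. The sketch below is an added example, not code from the site or from any commenter: it generates a templated phrase locally with the OS CSPRNG and computes the bits for each case. The slot lists are tiny constructed stand-ins built from words quoted on this page, and the 95, 7776 and 2048 list sizes are assumptions.

```python
import math
import secrets

# Constructed slot lists (assumption): tiny stand-ins for a template of the
# form "You <adj> <container> of <adj> <animal> <substance>".
SLOTS = [
    ["You"],                                        # fixed word: adds 0 bits
    ["foul", "tiresome", "wearisome", "unpretty"],
    ["caldron", "tumbler", "hipflask", "china"],
    ["of"],                                         # fixed word: adds 0 bits
    ["ulcerated", "nephritic", "plagued", "noxious"],
    ["flying squirrel", "laughing jackass", "Colorado beetle", "burro deer"],
    ["detritus", "soot", "chaff", "dribble"],
]


def slot_entropy_bits(slots):
    """Bits of entropy when each slot is drawn uniformly and independently.

    The attacker is assumed to know every list; only the draws are secret.
    Duplicates are collapsed because they add no new outcomes.
    """
    return sum(math.log2(len(set(slot))) for slot in slots)


def uniform_bits(choices, length):
    """Entropy of `length` independent uniform picks from `choices` symbols."""
    return length * math.log2(choices)


def generate(slots):
    """Build one phrase locally using the OS CSPRNG (no network, no log)."""
    return " ".join(secrets.choice(sorted(set(slot))) for slot in slots)


if __name__ == "__main__":
    print(generate(SLOTS), f"({slot_entropy_bits(SLOTS):.0f} bits)")
    # A word is one symbol from a much larger alphabet than a character.
    print(f"8 random printable ASCII chars: {uniform_bits(95, 8):.1f} bits")
    print(f"8 random words, 7776-word list: {uniform_bits(7776, 8):.1f} bits")
    print(f"4 random words, 2048-word list: {uniform_bits(2048, 4):.1f} bits")
```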

xkcd1963 2 years ago

Add a pinch of passive aggressiveness and I can guarantee you hackernews will love and use this

jihadjihad 2 years ago

"You maladroit equine galvanic fastener"

https://xkcd.com/936/

qwertox 2 years ago

`You depressive china of noxious burro deer slabber`.

Is it just me thinking that it's not ok to have China in the nouns list? Or do we also find "united states of america" or "germany" in there?

  • duncans 2 years ago

    Lowercase ’c’ makes it pretty clear it’s not the country … you tiresome tumbler of nephritic laughing jackass soot.

    • mlhpdx 2 years ago

      Ironic that china (the dish ware) was coined[1] for a common source of porcelain at the time, China?

      [1] https://en.m.wiktionary.org/wiki/china#English

      Edit: Capitalization

    • senectus1 2 years ago

      yup..

      seen several Capitalized names of places

      You disagreeable lota of plagued Japanese spaniel chaff

      You unpretty hipflask of neuritic Colorado beetle excretes

      You wearisome clothesbasket of envenomed Yorkshire terrier feces

      • MikusR 2 years ago

        It's not names of places. Japanese spaniel is a dog breed. Colorado beetle a beetle. Yorkshire terrier another dog breed.

        • joveian 2 years ago

          Oh, I didn't know until now that Brussels griffon is a kind of dog. I got this one:

          You ill-proportioned GI can of plagued Brussels griffon dribble

  • me_jumper 2 years ago

    "China" is a term used for fine dishes made from porcelain as far as I'm aware (non-native speaker myself)

    • ragtagtag 2 years ago

      In this case, I suspect "china" comes from Cockney rhyming slang, "china plate", "mate", as in "friend".

      • re 2 years ago

        No, it's referring to the tableware -- every word in that position for all the phrases is a container of some sort (or at least a thing that can contain other things).

  • Dalewyn 2 years ago

    Insults in an insult generator is a problem how?

  • input_sh 2 years ago

    It's lowercase, so it's probably not China the country but china as in porcelain.

  • indigoabstract 2 years ago

    I think 'You elephant in a china shop' needs to be in there too, so everyone can be at peace.

  • lupusreal 2 years ago

    Imagine actually being insulted by an insult generator.

  • cynicalsecurity 2 years ago

    But China under CCP is actually depressive.

  • Culonavirus 2 years ago

    Come on, there's reasonable (n words would probably not be the greatest even in an insult generator), and then there's what you're complaining about. China is a country that is viewed negatively by most of the western democratic countries. And for a good reason. If you equate China with Asian, implying racism, that is your own bias speaking.

    • zztop44 2 years ago

      Probably reasonable people would differ on whether unfavourably viewed (by the West) countries, such as Iran, Cuba, Palestine, or Saudi Arabia are disliked for good reason or not.

      I agree with other comments that “China” in this context is intended to refer to porcelain. However including “Persian” (rugs?), “Cubano” (cigars?), “Afghan” (dogs?), or Arab (numerals?) as nouns in your cute online insult generator is probably a bad idea.

      Edit: I see that “Boston” and “English” are also included as insults. At least with those there can be no doubt.
