Password generator

I made up a nice password generator for those who want properly secure passwords that are easy to remember. The properties of this password are as follows:

* 31 characters long, consisting of eight three-character 'groups' separated by spaces
* every odd group is a alphabetical group
* every even group is a numeric group
* every even alphabetical group is capitalised
* the middle character in every numeric group is shifted to form a symbol
* the middle character in every alphabetical group is a vowel, while the other two are consonants

These rules are very simple yet allow for the creation of very memorable passwords. All you have to remember for any given password are four syllables, and twelve digits. Then, just use the rules above to convert your password memory into the password. Here are some sample passwords:

gan 1#9 FUZ 5)3 jod 8(3 DEG 0@9
hat 0#7 QEG 0)0 foh 4)4 GIG 2%3
nor 2!2 BIL 2*3 suy 9#7 NOP 8%4
wul 3&2 BOR 5#5 bog 8(9 QIB 6^4
waz 0#8 YEZ 6^0 fof 1)4 NIP 1%9
gox 1^7 JON 9!0 xor 9^1 MED 4$3
hef 5*9 FIW 8$8 ric 2^2 KAW 3*6
boh 2%2 LUT 4^0 wif 7%4 MOB 0!1
yag 1)3 NAY 8@7 xox 1#0 BOV 8&7
hux 1&1 BAB 7$0 foc 7$1 FOJ 3&8
jij 8@9 BUK 1(5 pen 8@7 TEV 1#1
rid 2#4 BAL 0$7 rub 2*1 YOG 3%7
sel 8^5 YET 1$2 cap 3*9 WAB 2(8
hab 3@7 SIQ 2%7 ror 0%1 VAT 3^4
gow 8$4 HOV 5%6 lij 3&2 DOW 9!7
sin 6^7 XIM 8*5 laz 3!0 XUV 6^1
liw 1#3 BOC 8@3 gus 2%9 PUJ 4)3
pal 0)6 WEB 9$3 dig 9!8 SUP 8&6
seb 4&4 FER 1!1 cew 3(9 NEW 6!8
kuz 4*7 FUV 3&3 kam 0#8 XOL 6@1

Find it here: http://jsbin.com/iloqam

Note that the characteristics of the generated passwords themselves greatly reduce the search complexity in case an attacker knows such information.

No silver bullet: the maximum possible complexity for unit length (character) in a password is one which is generated in a completely random fashion (that is, without worrying about memorization issues). On the other hand, lengthy passwords are themselves harder to memorize than shorter ones, so using a 20-character password which is supposedly easier to memorize, but with a strength of a 10-character random one, could actually be harder to keep in mind cache than its shorter counterpart.

>>2
True. When characteristics are unknown, entropy is:

31*log(95)/log(2)=203.6655 bits (4 d.p.)

When characteristics are known, entropy is:

(8*log(21)+4*log(5)+12*log(10))/log(2)=84.2894 bits (4 d.p.)

I prefer to use three words from a dictionary in the form adjective-adjective-noun

Eg.
old free papaya
green heavy chair
long sad grass
specific ornate glacier

>>4
Very easy to break with a slightly tweaked dictionary attack.

>>4
This, much easier to remember and perfectly fine

AUTISM SPEAKS

>>6
Enjoy your shit entropy. Meanwhile I'll be here with my unbreakable, 200-bit password that is just as easy to remember.

>>8
Ill be waiting hundreds of years just for you to crack my simple 3-word combination while you circlejerk over your extremely hard to remember computer generator passwords.

http://imgs.xkcd.com/comics/password_strength.png

>>9
I just said that it's easy to remember. I can recall it off the top of my head and type it in under 5 seconds. Also, your password is very low in entropy and very easy to crack.
>>10
Randall is blatantly wrong. His suggested passwords are extremely low in entropy.

>>11
Show me a cracking algorithm that can very easily crack 3-word random word combinations or n-word random combinations within 10 years

>>12
On a single consumer desktop? No. On a dedicated FPGA or medium-sized server farm? Very easily.

>>13
Please do show the algorithm elite cracker.


Not to mention it should have support for multiple languages.

>>14
Any dictionary search will suffice. This really isn't relevant though; what is relevant is that I have a password that is more forwards-compatible and future-proofed as cracking techniques and performance improves, while you don't. Mine is also just as easy to remember.

>>15
Not as easy as a n-word random combination.

I can simply just increase my words and throw in words in other languages to make it even worse.


If needed I can even throw in random unknown patches to screw over your shitty dictionary search

print (lambda r: ' '.join([(lambda c: c.upper() if i%4 else c)(''.join([chr(r(97, 122)) for j in xrange(3)])) if not i%2 else str(r(0,9)) + ('!@#$%^&*()')[r(10)] + str(r(0,9)) for i in xrange(8)]))(__import__('random').randrange)

>>17
Please go away.

>>17
Sorry, wrong version; this is what I wanted to post:
print (lambda r: ' '.join([(lambda c: c.upper() if i%4 else c)((lambda a, b: a[r(len(a))]+b[r(len(b))]+a[r(len(a))])('bcdfghjklmnpqrstvwxyz', 'aeiou')) if not i%2 else str(r(0,9)) + ('!@#$%^&*()')[r(10)] + str(r(0,9)) for i in xrange(8)]))(__import__('random').randrange)

>>18
Why? That code is better than OP's (since it's not JavaScript, at the very least).

>>20
The OP's code is the best, even though it uses JavaScript, which is not a great language. The reason? It provides the highest user convenience -- one click from this page and you get 20 passwords. All others require at least copy/paste/save/run interpreter.

dubs generator

check 'em

you guys mention tweak a lot.
remember that you don't normally ``tweak" something without a reason.
that is, regardless of what your password is, unless they have an idea what it is, then they will use pure bruteforce.

>>21
If you want to look at it that way.
However, if you want to make sure that no one else is getting that output, you better run an offline version.
Also, OP's code is rather shitty, even if we disregard JS.

openssl rand -base64 18

>>12

You have no clue what password cracking is all about.

To begin with, more specific algorithms only come into place when there is some space for reducing the size of the key space (for which we borrow the term "complexity" from the computability theory) through some insight of the key selection or generation process (that is, the key selection process is biased in some way). But this is not needed to evaluate the proposed scheme -- it is sufficient to measure the password complexity itself and compare to the current technology standards. This is equivalent to test the simplest algorithm conceivable -- brute force -- against the entire key space.

Just as a note, complexity is a measure of scale. Put simply, in the current context, It is the logarithm of the number of possibilities involved -- assuming choices are mutually independent. When the logarithm is on base ten, we call it a "Bel" scale. When the logarithm is on base "e", we call it a "Neper". When it's on base two -- the most common in the computing context -- it's simply a "bit".

A three-word password, assuming a key space of 500,000 words (guessed from here: http://en.wikipedia.org/wiki/English_language#Number_of_words_in_English), will yield a complexity of roughly 56.794 bits (ln 500000^3/ln 2 = 3 ln 500000/ln 2 ~ 56.794).

This is a complexity comparable to a 10-character completely random password composed of case-sensitive letters and numbers (no symbols involved), which is 57.004 bits. In other words, it is a good replacement for such passwords, but only if we consider a really extensive English vocabulary in its composition. If we limit ourselves to much more common words (50,000 words, for example), the complexity drops to the somewhat ridiculous 46.828-bit search space. Bad idea.

While a complexity of 57 bits is good for passwords, it is still a shitty complexity for any serious cryptographic application. This is why passwords should be very long and deep (much more symbols involved). This is also a reason why the word "password" is being replaced by the word "passphrase" where security is an issue, to suggest that the key should be fairly long.

But the problem is rather easy to solve. First, let's consider a word space of just 10,000 words: a very small portion of the English dictionary. A passphase composed of five words has complexity of 66.438 bits -- higher than the forementioned ones. A passphase composed of ten words has complexity of 132.877 bits -- now perfectly suitable for cryptographic purposes. This happens if the words are uncorrelated (that is, they cannot form any expected English phrase, at least not on purpose) and the word choice is completely random.

>>26
Yeah whatever loser keep typing nobody is going to read that.

>>26
man this is dumb as hell " First, let's consider a word space of just 10,000 words" yeah like you know 10000 words lmao you probably ever just like a 100 words AT MOST.

>>28
Actually, it seems ``you'' are the one dumb as hell, teenager. Think a little more before embarassing yourself with your crap posts.

>>29
fuck you pedantic thinks-hes'-so-superior faggot storm nigger

>>26
hey fag, check my pbkdf2

>>29
It is spelled "teanigger."

This is the password I use all the time: mahdicwhiteyujelly?umirin?

Never once had some script kiddy with a dictionary brute forcer crack it yet.

DUBS
>>33

>>1000
huh?

>>29
YHBT

>>31-35
Poor attempts.

>>33
I've added your password to my list of commonly used passwords. Ill have fun with your accounts, thanks.

Why do I always read the title as "Passwrd generator" (notice the lack of "o"), and every time I realize it says in fact "Password generator", I imagine a small little clown in the back of my head saying "WRRRRD!!!" in a really annoying way?
This has happened to me at least four times now.

>>38
My throat itches. This comment is completely unrelated to your (or my) post, but I just felt like posting it. After all, being tanasinn, is all about feeling.

40GET ONII-CHAN

WRRRD!

My anus is b31ng h4xx0r3d

>>38
I pronounce "password" as "passwarrrd." Like a pirate.

>>43
I laughed at your post, and I read it twice, I found it very humorous.
Now that has been said, I hope you keep posting funny things like that, but I implore you not to force anything, it won't be as funny.

>>44
NOW THAT HAS BEEN SAID, I HOPE YOU KEEP POSTING FUNNY THINGS LIKE THAT, BUT I IMPLORE YOU NOT TO FORCE ANYTHING INTO MY ANUS

>>44,45
Rest assured, I force only what I insert into anuses, and that only because it is so large.