See the Pattern Samples page for many examples and explanations.
Change options below to see different length passwords and patterns.
The user has near total control of the nature of the generated passwords. This password generator can create any type of password: monster fully random passwords, unsafe very short passwords, moderate length passwords that are highly structured or loosely structured. Now it even produces passwords made of multiple short words which are nearly always pronounceable. The user has complete control over the types of characters selected, and the probability that any control character will cause a character of the selected type to be output. Within the parameters set by the user, the selection of individual characters is random. You can even use it to generate random numbers in both base 10 and hex (but these are awful passwords).
This is a powerful, complex tool for system administrators and advanced users to create real passwords, or study the near infinite ways uncrackable but memorable passwords can be created. It is not a toy to watch the shape of character strings change. If you are generating more than one set of passwords a minute, you are wasting your time and my money. It is not possible to understand the qualities of strong passwords 8 characters and longer in 6 seconds or less each. Try to work through the actual pronunciation of each of ten, 12 character, Words Only passwords, in less than four or five minutes.
Unless followed by a numeric qualifier, each pattern character will be used exactly once to form the password, up to the maximum password length. Once the maximum password length is reached, the password is complete and any unused part of the pattern is simply ignored. There is no upper limit on how many characters a 1 qualifier may generate, except the password length. At least one is assured unless the maximum password length has already been reached. Any password less than the minimum length is discarded and a replacement generated.
Try the original password.pl, for which free open source code is available for both the command line version and, as of late May, 2012, the CGI (web) version. All GeodSoft specific code has been removed and some modest enhancements made. It's not nearly as versatile as this version but it has a number of configuration options and is capable of generating a very large number of unique passwords, nearly all of which are better than most people can do creating their own passwords. In this version, Cc0vcc0n2Cc0vcc0 generates the original default pattern. cvcddcvc generates the original State Department style passwords. cvcnncvc is "better" and CvcnnCvc is "still better." CVCdd is "easy" and CC0VCC0nnCC0VCC0L1 is "hard."
The passwords displayed above are transmitted in plaintext over the Internet, stored in your browser cache, and you have only my assurance that they are not logged. To get around this, for each password you want, generate 1000 at a time, and pick only 1. You might generate several pages with a thousand each and pick only one. Avoid the temptation to pick one that suggests something special related to you. When done, you may want to clear your browser cache. You might manually change one or more characters in any password you select. It's probably a good idea not to use the evaluator on any password you actually select. If you take these steps, it's unlikely anyone will ever know which one you selected or where you may have used it.
Think of the passwords above as examples to be modified at will. Change anything to make them easier to type and/or remember. When words are displayed, shuffle, add, remove, or modify them. Please keep in mind that any password less than 15 characters depends on character diversity for strength; in addition to lower case letters you need at least one upper case letter, at least one symbol or punctuation, and at least one digit. Think of this character mix as the "full keyboard". It takes at least 17 lower case letters to beat 12 full keyboard characters and 23 to beat 16 full keyboard characters. If you reduce character diversity you must make passwords longer if you want them to be equally strong. It's preferable to avoid putting the upper case letters or digits in the first or last positions. More of these non lower case letter characters are stronger but may be harder to remember and/or type.
There is no guarantee that passwords displayed on this page are actually good passwords. Nearly all of the passwords displayed from my sample patterns will be difficult to crack but many may also be difficult to type and/or remember. The new default pattern with a minimum of 12 characters and up to four non letters rarely fails the password evaluator tests (for passwords between 12 and 14 characters). About 20% to 25% contain a short dictionary word which may be mangled beyond human recognition. Short words with 3 to 6 characters are of little concern in a 12 character password as long as there is only one. The default pattern with 12 characters and a good character mix typically has a password evaluator strength rating of 12. One lacking either mixed case letters or symbols and punctuation will rate about 10. A 12 character password lacking both, i.e., one which is only lower case alphanumeric, will have a strength rating about 7. Each increase of 1 in strength represents about a 10 times increase in the amount of time it takes to crack similar passwords. This assumes the passwords are not vulnerable to dictionary attacks.
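The length and strength comparisons in the two paragraphs above can be checked with brute-force keyspace arithmetic. This is an added example, not GeodSoft code and not the password evaluator's algorithm; it assumes uniformly random characters and the alphabet sizes named in the constants.

```python
import math

# Alphabet sizes assumed for this example (95 = typical printable keyboard).
LOWER = 26            # lower case letters only
LOWER_ALNUM = 36      # lower case letters + digits
MIXED_ALNUM = 62      # upper + lower + digits, no symbols
NO_UPPER = 69         # full keyboard minus the 26 upper case letters
FULL_KEYBOARD = 95

def min_length_to_beat(small, big, big_len):
    """Smallest m with small**m > big**big_len, using exact integers."""
    target = big ** big_len
    m, space = 0, 1
    while space <= target:
        space *= small
        m += 1
    return m

def orders_of_magnitude_lost(reduced, full, length):
    """log10 of how many times smaller the reduced-alphabet keyspace is
    than the full-alphabet keyspace at the same password length."""
    return length * (math.log10(full) - math.log10(reduced))

if __name__ == "__main__":
    for n in (12, 16):
        m = min_length_to_beat(LOWER, FULL_KEYBOARD, n)
        print(f"{n} full keyboard chars are beaten by {m} lower case letters")
    for name, size in (("no symbols", MIXED_ALNUM),
                       ("no upper case", NO_UPPER),
                       ("lower case alphanumeric", LOWER_ALNUM)):
        lost = orders_of_magnitude_lost(size, FULL_KEYBOARD, 12)
        print(f"12 chars, {name}: keyspace smaller by about 10^{lost:.1f}")
```

The keyspace gaps for a 12 character password (about 2 orders of magnitude when one character class is missing, about 5 for lower case alphanumeric) line up with the drop in rating from 12 to about 10 and about 7 quoted above.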
Among the many sample patterns on this and the pattern samples page a number include either consonant vowel consonant sequences, or many variations on them that may be pronounceable and have a resemblance to words. Even though the displayed characters are selected with the use of a random number generator, at times dictionary words will be displayed. Avoid these unless the word is no more than half the password. If the word is more than two thirds the length of the password, DO NOT use it. Some of the lengths of various sample passwords may not have been increased to keep up with the speed of computers and advances in cracking techniques from 2005 - 2012. Seven character passwords should not be considered acceptable on any but disposable accounts. Eight characters is now less than marginal for important accounts. Don't use anything less than 10, and if you want to be safe use 12 characters with all character types available on a typical 95 character keyboard. 15 or more can never hurt, and lets you start using short words and other things that make the passwords easier to remember.
Passwords in which one word that can be found in any online list of words (dictionary) is more than 66% of the password length are bad passwords. It does not matter how the word is mangled to disguise it. Cracking tools are designed specifically to find character substitutions and deletions, various shifts and rotations, mirroring and duplication and just about every other modification, in multiple combinations to a word, that anyone has thought of to disguise it. Humans generally cannot see the word in a mangled word and think it's hidden. Cracking tools and properly designed evaluators can find these easily. Try some in the password evaluator (but remember its dictionary lacks words from popular culture, including product names and words from sports, movies, songs etc., that often appear in crackers' dictionaries).
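A minimal check for the half and two-thirds rules above, as an added example (not GeodSoft code and not the password evaluator). It undoes only two of the manglings mentioned, character substitution and mirroring; the substitution table, the word list and the sample passwords are constructed for illustration.

```python
# Assumed substitution table: maps common look-alike characters to letters.
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed sample word list; a real check would load a large dictionary.
WORDS = {"password", "dragon", "monkey", "sunshine", "cat"}

def longest_hidden_word(password, words=WORDS):
    """Longest listed word (3+ chars) found in the password after lower
    casing and undoing substitutions, read forwards or mirrored."""
    norm = password.lower().translate(UNLEET)
    candidates = (norm, norm[::-1])
    hits = [w for w in words
            if len(w) >= 3 and any(w in c for c in candidates)]
    return max(hits, key=lambda w: (len(w), w), default="")

def verdict(password, words=WORDS):
    """Return (word, rating): 'reject' if the word is more than two thirds
    of the password, 'avoid' if more than half, otherwise 'ok'."""
    word = longest_hidden_word(password, words)
    n, total = len(word), len(password)
    if 3 * n > 2 * total:      # word / password > 2/3
        return word, "reject"
    if 2 * n > total:          # word / password > 1/2
        return word, "avoid"
    return word, "ok"

if __name__ == "__main__":
    # Constructed sample passwords, not output of the generator.
    for pw in ("P@ssw0rd1!", "n0g4rd#7Kq", "Vem9#cat!Rud2x"):
        print(pw, verdict(pw))
```

Real cracking tools and evaluators also handle deletions, rotations, duplication and combinations of these, so a password that passes this check has only cleared the simplest cases.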
Passwords consisting primarily of two short words are not good; they are not typically bad. They are generally better than one long mangled word. They tend to be weak and can be cracked with programmed dictionaries.
This page and the information on it may not be published or distributed under the terms of the GeodSoft Publication License.
Copyright © 2000 - 2014 George Shaffer. All rights reserved.