Password.pl Instructions
Pattern Formation
c: lower case consonant
v: lower case vowel
l: lower case letter
b: lower case consonants plus common 2 and 3
character consonant sequences that begin words
e: lower case consonants plus common 2 and 3
character consonant sequences that end words
C: mixed case consonant
V: mixed case vowel
L: mixed case letter
B: mixed case consonants plus common 2 and 3
character consonant sequences that begin words.
Only the first character may be upper case.
E: mixed case consonants plus common 2 and 3
character consonant sequences that end words.
Only the last character may be upper case.
d: digit
t: symbol or punctuation
p: puncuation , . ; : ' " ? ! ( ) -
r: programming symbols [ ] { } < > \ | / ` ~ ^
s: common symbols @ # $ % & * _ = +
n: non letter, i.e. digit, symbol or punctuation
m: alphanumeric, lower case letters only
M: alphanumeric, mixed case letters
a: any character, lower case letters only
A: any character, mixed case letters
h: hexadecimal (0-9, a-f)
H: hexadecimal (0-9, A-F, a-f)
\: Put the NEXT character in the password
i: user defined
j: user defined
k: user defined
x: user defined
y: user defined
z: user defined
w: Word
W: Word with a first or last character a capital
==: Define a repeating character pattern
<>: Define an ASCII sequence pattern
[]: Define a keyboard sequence pattern
{}: Define Patterns in patterns including random order
++: Define a duplicate or repeated pattern
||: Define a mirrored pattern
^: Force upper case letters only
0: zero or one of the preceding character type
1: one or more of the preceding character type
2-9: one to the specified number of the preceding
character type
Each alphabetic pattern control character is a key which selects
an array of possible values from which one or more characters
will be pseudo randomly selected. The b, B, e and E pattern
characters may result in 1, 2 or 3 character sequences for each
pattern character; if the maximum password length does not allow
sufficient length, truncation will occur. All pattern control
characters except b, B, e and E define a single password character.
The entire pattern is processed
unless the maximum password length is reached first, at which point the
password is truncated. If the pattern is processed and the minimum
length is not reached, the password is discarded, and a new cycle
started. The digits are numeric modifiers of the preceding pattern
control character, and determine if or how many of the type of
character represented by the pattern character are included.
The user has complete control over the probability each numeric
modifier represents.
Upper Case Only
Use a caret, (" ^ "), immediatly after any pattern character
which includes letters to force all resulting letters to be upper case.
This may be used after any of the following a, A, b, B, c, C, e, E,
h, H, l, L, m, M, v, V, w, W. It cannot be used after user defined character
sets, any letter that defines non letters only, or any pair of symbols
that indicate special processing (sequences, repeats, mirrored, duplicate,
and random elements).
Always use the caret immediately after the letter. Never allow a space
between the pattern character and the caret. If one or more numeric modifieres
are to follow the patttern, place them after and immediately adjacent to the
caret.
Backslash escape
The backslash (" \ ") is a special character. Any character
that follows a backslash will go directly into the password at the
appropriate location just as it appears. If a c, v, C, n, d, etc.,
directly follows a backslash, it is no longer a pattern control character
but a litteral that will appear in the password as it is typed into the
pattern field. There are two primary uses. One is to allow your preferred
seperator, whether it is a period, comma, colon, plus sign, dash, underscore
or any other character you like, to separate words, sequences, patterns,
or other components from each other.
The second use is to create a private character sequence that you never tell
to anyone, and probably should not write down. When you are making passwords
that are 15 characters and longer, you can do almost anything you want. Nearly
all the advice about what not to put in a password is irrelevant. A common and
very correct piece of advice is to not use the same password on more than one
site. This still applies to long passwords. But a long password has room for
lots of things. You may have noticed "+my1+Whatever" appearing in multiple
sample passwords, and when it does, every generated password has it. You can
enter this by entering "\+\m\y\1\+\W\h\a\t\e\v\e\r" into the pattern field.
It will appear in each password that is generated, plus whatever random
words, sequences, repeats, etc. which are defined.
Actually you SHOULD NOT ENTER THIS. Instead you should enter something like
"\*\t\o\5\*\P\a\s\s\w\o\r\d". Notice the two are structurally identical.
Both have 2 symbols in the same locations. Both have a digit in the same
place. Both have a capital in the same place. Neither the digit or capital
are in the first or last place. Either could begin or end a word and neither
the capital or digit would be the first or last character. Both have 2 and
8 character words in the same locations.
Notice that both are strong 13 character passwords just by themselves.
Somebody is probably getting agitated and thinking, but there is an 8
character dictionary word in each. It does not matter. Even if used as
a complete password the 8 character word is less than two thirds of the
total length. I know of no password cracking rule set that can find the
8 character word. Remember (except for old Windows LM hashes) passwords
are never broken in pieces. A cracker must have the entire string that
matches every single character before starting the computations that
create the hash that will be compared to the hash in the password file.
Actually there is an excption to the no known cracking rule set and the 8 character
word. It turns out that GPU enabled cracking tools are not great with
dictionaries and rule sets. Some can't just read a list of dictionary words
and do nothing else with it and some don't process traditional rules. What they
are brilliant at is brute force, and brute force combined with other things,
such as a dictionary. They are really goof at adding multiple random characters
at either or both ends of a dictionary word, so one thing they can do pretty
well is adding 5 characters to 8 character words. The basic rules still apply.
No matter how fast a GPU enabled cracker is, it's still going to take 95 times
longer to do 5 character with a 95 character set than it took to do 4
characters with a 95 character set. Most crackers are not focused on 13
character passwords, but rainbow tables go to 14 and with a GPU enabled
cracking tool, some crackers may say why not. 15 and up should be safe if
the 8 character word is mostly surrounded by non letters and does not start
the passoword.
If you adopt this approach, you will have a secret part that is a pretty
good password by itself, that you will use as part of every password you
create for the next two to four years. You've decided you are going to
do passwords properly from now on. You want passwords no one, not even the
NSA can crack. You want passwords that the fastest cracking networks yet
assembled will take hundreds of thousands of years to crack. You want to
be part of that select few percent who have never seen one of their
passwords in any common password list and who have never had an account
of theirs cracked.
You start with a strong core of 10 to 14 characters that is a strong
password by itself. It might be two words, three symbols and a digit.
It will have at least one capital (or lower case if the others are
upper case). Neither the digit or capital should be at either end of
the core password. Instead of you favorite separator, you should pick
any easy to type symbol, and use it on both ends. Maybe you will use
your favorite separator to separate the two words, or you might run
them together.
Over time you will type this core password hundreds and thousands of times.
There is no need to write it down. It will be etched into your memory within
a few weeks. You want the core password to work on either end of your
passwords because you will be using it on both ends routinely. If you've
been using strong passwords for a long time and have lots of accounts,
you know the question is not will you write them down, but where can you
write them securely? I'll leave you to answer where for yourselves based
on your situation. In most workplace environments, I consider the inside
of a purse or wallet to be reasonably secure. Few people leave these laying
around unattended.
You won't write your core password down, but you will have to write down
the unique parts. To your 10 to 14 character core you will be adding
meaningless (in the sense that they have no special meaning or relationship
to you) words, character sequences, repeats, and various odds and ends
that add about 8 characters to your core password. When you write down
the unique part you will come up with some notation that indicates
which end the core part goes on. It should be better than an arrow or
other constant indicator that quickly becomes obvious, if anyone else
sees your password list. I'd suggest any group of characters that you
can easily relate to each other, and which consists of at least 5 and no
more than 10 characters.
There are many groups to choose from. Some of the less obvious are vowels,
upper or lower case or both. The first 6 consonants: b, c ,d, f, g, h.
The three contiguous groups of five consonants, 1) j, k, l, m, and n, 2)
p, q, r, s, t and 3) v, w, x, y, and z. Mixed case doubles the numbe for
more variety. Among symbols and puctuation the eight paired symbols seem
fairly obvious: (), [], {}, and <>. They could be used to point at
either end, but do not need to; this is the only group that has a really
clear way to show the secret body embeded in the unique part: 34()5678.
Puctuation with only one part: , . ' - ( ) and possibly ` and ~. Punctuation
and symbols with two separate parts, ( ; : " ? ! = ). Punctuation and
symbols that float above the baseline, ( ` ~ ^ * - = + ' " ). The common
non punctuation symbols at the top of the keyboard: @ # $ % & * _ = +.
See "Creating Uncrackable Passwords That
Do Not Need to be Written Down" for a detailed discussion of core
passwords
How Many
Determines how many passwords will be displayed. Valid values are
1 - 1000; the default is 10. Invalid values will be set to the
minimum, default or maximum, depending on what is entered.
I have the high limit mostly for administrators who want to make
a list of passwords they can
assign their users as they need them, or pick and choose
from over a period of time, for their own use. If you print 1000 or 5000, especially if
you use different patterns, you can go a long time without coming back.
Even on the remote chance someone was sniffing between GeodSoft and
your computer, all they will see is a very long list of what may be
passwords. The chances that they will get associated with you and
the sniffer will know which ones you've used, or be in a position to
use the entire list as a cracking dictionary on computers you use
is awfully small.
I've had the 1000 limit and the instructions mentioning it going back to the
original password generator. It's hardly ever been used. I included most
of the preceding paragraph in "What's New" and within a day two morons
set the limit to 1000 and start clicking away on submit. With 5 to 10 seconds
between clicks, it was obvious they could not possibly be cutting and pasting
or saving in any fashion, or even looking at the individual passwords. They were
just watching a pagefull of passwords change in response to their infantile
urges. Put something in "instructions" and the large majority of people won't
read it. Put the same thing some place prominent, and someone who wouldn't
dream of reading instructions, thinks it gives them license to abuse the
system.
Display Across
A 1 causes the displayed passwords to be printed across the page
in rows. A 0 will cause passwords to be printed in a single
column. Valid values are 0 and 1 defaulted to 1.
Maximum zero characters
Sets an upper limit to the number of characters specified by a
pattern control character followed by zero that will be output in
the resulting passwords. The default is 2. If the pattern
contains more than 2 zero characters, the maximum must be
increased to the actual number for there to be any possibility
that all can actually appear. The low zero limit combined with
the relatively low odds on zero characters provides a way to
introduce comparatively small variations to a password pattern.
Zero odds
Sets the odds for a pattern control character followed by a zero
to be output. The default is .25 or 1 in 4. If the maximum
number of zero characters have already been output, the odds are
not used; no more zero characters are output. Before displaying
a zero character a random number between 0 and 1 is generated.
If it is less than the Zero odds, the character is output,
otherwise it is skipped. Useful values range from .1 to .9 which
are from 1 in 10 to 9 in 10 or very rarely to nearly always.
Values less than 0, or 1 and greater, are never and always and
therefore not useful; they are restored to the default if entered.
One odds
Sets the odds for more than one of the preceding pattern
character type to be output. One of the appropriate character
type is output and then a random number between 0 and 1 is
generated. If the number is less than the "One odds" another
character is output and an new random number generated. The loop
continues until a random number is greater than or equal to the
"One odds" or the maximum password length is reached. The
default is .6 or 6 in 10. At the default, unless minimum or
maximum password length impose a constraint, the number of
pattern characters is mostly low (1 - 3) but very long sequences
are occasionally produced. Increasing the "One odds" quickly adds
length so that maximum password length quickly becomes the limiting
factor for most passwords. If you want passwords of all one type
character, rather then entering a long pattern, you can enter enter
one of the desired pattern character followed by a 1 and set the
"One odds" to 0.999. Values less than 0, or 1 and greater,
are never and always and therefore not useful; they are restored
to the default if entered.
2 through 9 odds
Sets the odds for more than one of the preceding pattern
character type to be output. After the first appropriate
character type is output, a loop comparison value is calculated.
The loop comparison value is calculated as the 2 through 9 odds
divided by the (numeric modifier less 1). The loop comparison
value is subtracted from 1 on the first loop and from the
previously saved result on each successive loop (decreasing the
odds on each pass). A random number between 0 and 1 is
generated and if the result is less than the loop comparison
value, the loop continues until a random number is greater
than the shrinking odds, or the maximum number of the
character type is reached, or the maximum password length is
reached. The default .5 produces a fairly even distribution
of character lengths from 1 to the maximum allowed by the
numeric modifier of 2 through 9 over all values of 2 through 9.
Thus with d2 there is an even chance of the second digit being
generated, password length restraints allowing. Smaller numbers,
such as 0.01 (but not less than 0) force a clustering of longer
output strings while larger numbers, greater than 1 but less
than the numeric modifier, generate more shorter strings. Values less
than 0 or 9 and greater are not useful; they are restored to the
default if entered.
Flip Odds
Flip odds sets the likelihood that each repeat
character group or ASCII or keyboard sequence
that starts or ends with a letter as well as each pattern
word will have its first or last letter
case flipped. This applies independently to each repeat, sequence or
word with a flip set. Only repeat and sequence definitions with an "f"
as the last or next to last character in the definition or words
specified with an upper case "W" are flip set. The default flip odds
are 0.75 or 75% so a case flip in each flip set repeat, sequence
or word is fairly likely.
It will only be one end for sequences with letters at both ends and
repeated letters as well as pattern words. Both ends of the same
repeat, sequence or word will never be case flipped. The flip odds
only determine whether a case flip will occur or not, not at
which end it occurs. The program has a small, 55%, preference for
flipping the last character rather than the first character in
each flip set repeat, sequence (when both ends are available) or
word.
Obviously if a sequence only has letters or a letter at one end,
the flip can only occur at that end. You may wonder if a sequence
begins or ends with only one letter, does the flip have any
value? The answer is yes. For example, in an alpha numeric ASCII
sequence 789A is quite possible. 789a can never occur without a
case flip. In a keboard sequence m123 is possible but not M123
without a case flip.
Each case flip doubles the number of possible passwords any
pattern containing them can possibly produce. That's not what is
important though. They assure character complexity. Having two or
more flips in a password pretty much assures mixed case
characters. Repeats, sequences and words are only intended for
use in passwords 15 characters and longer. If you make up a
password of just alphanumeric repeats and sequences, most people
who know what it means will describe this as a low entropy
password. If you separate your "predictable" character groups
with arbitrary punctuation or symbols and use some case flips
it does not matter if your password is low entropy or not.
Theory does not crack passwords. Specific cracking tools with
specific dictionaries (or rainbow tables) and rulesets crack
passwords. If you use repeats and sequences in long passwords,
but do not tell anyone this, and your password is over 15
characters with 3 or 4 types of charcters (upper and lower
case, digits, symbols or punctuation) your password is not
going to be cracked, because a cracker has no way to target
your password, and brute force will not work with 15
character and longer passwords. Commercially available
rainbow tables stop at 14 characters, and even there they
claim only a 96% success rate meaning 4% are still missing.
aBaBaB7aB^aBaBaB is certainly a low entropy password but how
do you crack it? The answer is simple. Without fore knowledge
that the password consists of alternating mixed case characters
an 2 non letters, you don't. It's 16 characters long and
beyond brute force. It fits no description of a good password.
In fact it deliberatly does something that many password DO
NOTs advise against. But before I typed it out, it's unlikely
any human being has ever seen this exact character sequence
before. Strings no one has ever seen before do not get into
cracking dictionaries and rule sets. Only strings that are
the product of dictionaries and rule sets crack long
passwords.
Returning to flips, if you want to assure that mixed case
characters are included in your passwords, set one or
more flips, set a low Flip odds, and set
Force Mixed Case. How low should
flip odds be. That depends on how many flips are included.
Only trial and error will give you a specific answer. I'd
suggest 0.4 with one flip, 0.3 with two flips, 0.2 with
three flips, and 0.1 with four flips as starting points.
You may get mixed case with no flips if your password
pattern includes sequences. Remember flips also break
repeats and sequences regardless of whether mixed case
is otherwise present or not.
Minimum password length
Sets the minimum length in characters of the displayed passwords.
If the pattern cannot create passwords at least as long as the
minimum length, no passwords are output. Any numeric value
greater than or equal to 1 and less than or equal to the maximum
length is valid. 7 is the default minimum length.
Maximum password length
Sets the maximum password length in characters of the displayed
passwords. Password output is terminated as soon as the maximum
length is reached, truncating any password that otherwise might
have been longer. Any numeric value greater than or equal to 1
is valid. 10 is the default maximum length.
Force Mixed Case
A 1 forces the displayed passwords to contain both upper and
lower case letters; no passwords are output if the pattern
contains no mixed case type pattern control characters (C, V, L,
B, E, M, A, f, or W). Valid values are 0 and 1 defaulted to 0. There
should be two or more of the mixed case control characters in the
pattern if force mixed case is set. If there is only one mixed
case pattern control character and force mixed case is set, the
mixed case character position will always be upper case. This is
true of those which control a single character (B and E and
also C, V, L, M and A without numberic modifiers). It is not
generally true with repeats, sequences and words. If, however,
the only element that can create mixed case is a repeat without
a flip, you will only see upper case letters in the repeat
position.
Force a Digit
A 1 forces the displayed passwords to contain at least one digit;
no passwords are output if the pattern contains no digit type
pattern control characters (d, n, a and A). Valid values are 0
and 1 defaulted to 0. There should be two or more of the n, a or
A pattern control characters and no d's if force a digit is on.
If there is only one of the n, a or A control characters and
force a digit is set, the output character will always be a
digit. Though the resulting passwords may appear more complex,
forcing a digit actually reduces the number of passwords that a
control pattern can generate. If one or more d type pattern
control characters is present, this option has no effect.
Force a Symbol
A 1 forces the displayed passwords to contain at least one symbol
or punctuation character; no passwords are output if the pattern
contains no symbol type pattern control characters (s, n, a and
A). Valid values are 0 and 1 defaulted to 0. There should be two
or more of the n, a or A pattern control characters and no s's if
force a symbol is on. If there is only one of the n, a or A
control characters and force a symbol is set, the output
character will always be a symbol or punctuation character.
Though the resulting passwords may appear more complex, forcing a
symbol actually reduces the number of passwords that a control
pattern can generate. If one or more s type pattern control
characters is present, this option has no effect.
Digit sets per symbols
Determines the number of digit sets that are used symbols and
punctuation all character or non letters are specified. The default
is 3. A standard keyboard has 10 digits and 32 symbols and
punctuation characters. If an array is initialized with 1 of
each, symbols and punctuation are about 3 times as likely to
appear as a digit. By using 3 digit sets, a digit has an about
equal chance of being included but each digit is three times more
likely to appear than any specific symbol or punctuation
character. Valid values are any numeric greater than or equal to
1; large values will suppress any symbols or punctuation
characters. This is only relevant if the pattern contains one or
more of the following characters: a, A or n.
Letter sets per symbols
Affects the number of letter sets that are used with with digits
and symbols when "all" characters are called for with an "a" or "A".
When only lower case or only upper case letters are used with
numbers and symbols there would normally be 26 letters and 43
numbers and symbols. When mixed case is specified there would normally
be 52 letters and 42 numbers and symbols. If digit sets per symbols
is at the default of three, there would be 63 digits (30) and
symbols (33). With only one case of letters they would be
overwhelmed by the symbols and digits. This is defaulted to 2 so
there are 52 letters whether there is one letter case or two.
The user can increase this up to 7 to force a higher percent of
letters when letters are being "randomly" mixed with digits and
symbols. This is relevant only when the pattern contains an "a"
or "A".
Setting both this and digits sets per symbols to 1 will create
the most accurate random distribution of characters regardless of
which character groups are called for. Leaving this at 2 and
reducing digit sets per symbols to 2 would create the most even
distribution of 52 letters to 53 symbols (33) and digits (20).
Reducing digit sets per symbols to 2 and increasing letter sets
per symbols to 3 will start creating noticably more letters than
symbols and digits in "random" mixes. Raising it higher will
skew the distribution to even more letters.
Include last names
This option only applies when the pattern contains an "w" or "W" to include
a word in the pattern. Normally the word lists used include words from several
commonly available dictionaries plus common first names provided by the Census
Bureau. Setting this option will cause about 76,000 "common" last names as
definded and provided by the U.S. Census Bureau, which are not already in the
dictionaries, to be added. This significantly increases the words available as
there are almost as many last names as 5, 6 and 7 character words, and many
8 and 9 character names. The cost is that many of these names will not be
easy to pronounce and many will be unfamiliar.
User Selected Character Sets
There are six optional user selected character sets. The user can enter
any typeable characters, including spaces, into any of the six fields which
are associated with the pattern characters, "i", "j", "k", "x", "y" and "z".
When the user enters i, j, k, x, y, or z into the
pattern field, any characters that have been entered into the associated field
will be randomly selected when the i, j, k, x, y
or z is processed. The numeric modifiers work on i, j, k,
x, y and z just like they do on any other pattern characters. If, for
example, you entered a single "t" into the i field, and entered a pattern of
"i1", changed the one odds to 0.99, and the password length range from 1 to 99,
over several tries you would likely see strings of t's ranging from 1 to 99
characters. If you blanked out the "t", the generator would make the maximum
number of tries, but with nothing to output, would return with no passwords.
The i field is initialized with five common punctuation marks and one common
symbol, all of which are easy to type. This is a small character set that
make good separators for word sequences as well as repeat and sequence patterns
with words or separately. You can easily add to or remove any characters you
want from this initial group. They may easily be replaced if you want to use
this field for other purposes.
The z field is initialized with 10 symbols. These are last 4 characters in the
ASCII collating sequence (of the typeable characters). The other 6 come between
the upper and lower case letters, so all are fairly high in the ASCII collating
sequence. If a lazy or perhaps average cracker were to do a brute force attack
on a set of hashes, he might use the ASCII collating sequence as the order in
which the characters are processed. If so, depending
on how far he went, any password that started with any of these would either not
be cracked or would be among those toward the end of the run. Why not use a
lower case letter then; all are higher than 6 of the symbols? Because a good
cracker is not likely to use the ASCII collating sequence. He will most likely
use some kind of frequency table and order his search with the most frequently
used characters first. Lower case letters are typically the most frequently used
characters. "e" is by far the most frequently used character in the English language,
and probably not a good character to start passwords with. Except for use in
some programing languages, the 10 symbols I chose are all very near the bottom
of any frequency use table. What about the "#", "%", and "&"? They are all
rather infrequently used. They are also very near the beginning of the ASCII
collating sequence. In trying to avoid a skilled cracker you don't want to
give your passwords to a lazy cracker. So my thought on the u group, as
currently set up, is they are characters that would make good first letters
in passwords. You may want to change this to only "{|}~" which are the last
four characters in the ASCII collating sequence and very low in any
frequency table.
What about using vowels without an e (by far the most frequently used
character in the English language), and consonants without t, n, r , s, and
h (the most frequently used consonants) for use only in the front part of
a password (placed in two user defined fields)? I'm not sure
you get any real advantage this way. If an ASCII collating sequence
is being used as the order, all lower case letters are late in that
sequence and you've removed three that are fairly close to the end of the
alphabet. If any frequency table is being used, and you start your password
with lower case letters, all but perhaps the "q" and "j" are likely to be
near the beginning, placed ahead of nearly all capitals, digits, symbols
and most punctuation. You don't help yourself against the ASCII sequence
and only gain a very small advantage against a cracker using frequency
tables.
What about some different approaches. My password generator allows for all single
case characters, but not a choice of which case. If you want all one case it will be
lower case. I assumed that would be the preference of most users as all upper case
requires the use of the shift or caps lock key. The caps lock key is really simple,
but when I use it, as often as not, I forget to turn it off until I type a couple
unintended capitals. A user could enter all the upper case consonants in i and upper
vowels in x. Then they could use i and x exactly as I normally show c and
v being used. These could easily be mixed with C and V (but not W and E) to get mixed
case passwords, with predominatedly upper case letters. If the cracker knew that my
generator or one like it was in use at a location for which he had the password
hashes and was cracking them, he would most likely look at all lower case passwords
and mixed case passwords but not upper case passwords. In this case the user's all
upper case password would most likely be safe. When a password using all upper case
was not cracked when many others were, the cracker would probably assume the user
had used a longer password, and not likely an unexpected character set.
It's worth remembering that in most hash sets that are cracked there is some minority
that is never cracked. If the crackers, whether criminals or academic researches, have
reasonable computing resources and time, the majority of passwords are cracked because
most users insist on using aa poor or weak passwords as the systems they are on allow them
to. Most users, and frequently even technical administrators who ought to know better, tend
to prefer convenience over security. Still it is rare that some do not remain uncracked.
What are these that are not cracked? No one but the users who created them know. If they
were smart and knowledgeable enough to create passwords that are not cracked, they are
probably smart and knowledgeable enough to give general advice on creating good passwords
that reveal nothing about how they create their own passwords. Whether they used a
password generator or have a personal algorithm that allowed them to create long (14
to 20 characters) passwords which they could remember, their advice would likely
differ enough, that it would be of little value in figuring out how to crack their
own passwords.
A better use, for User Selected Character Sets, might be to use only all
upper case vowels. Now upper case is neither positional or random, but limited
to a small and easily remembered subset of letters. Passwords made this way look
nothing like any I've ever seen come out of my generator before, but they do
include mixed case letters at unpredictable locations which are very easy for
a user to remember. Again if a cracker knows what password generator is in use,
they are not likely to make the right assumptions because
these passwords do not fit with those created by any of the built in features or
defaults of the generator they believe is creating the passwords.
Another use is to create a single character, character set. This might be just
a period or semicolon, a very common puctuation and one under a homekey finger.
A user may want to use the "+" or "=" sign as a separator between groups of
characters, such as words, repeat characters, or keyboard or ASCII sequences
which are all new options.
Closely related to single character, character sets are very small character
sets with only 2 to 4 characters. The uses would be largely the same as for
single character,
charecter sets, but where the user wanted just a little more variety. Some
examples might include (";" and "," and "."),
("+" and "&"), ("-" and "_"), or perhaps
("/", "|", "\"). People who program with regular expressions
will get these ("^" and "$") and ("?", "+", "*").
What about ("!", "|", "l"), ("<", "/", ">),
or ("(", "[", "{"), or perhaps single and double
quotes plus the back tick? There are many small subsets of characters that
could make good visual separators. Which characters these happen to be
will likely depend on what you do and the characters you are comfortable
with and use regularly.
Another use is a user who has an aversion to specific characters. For example:
~ ` + = } ] | \ " '. (Not including the final period.) The tilde and back tick
may be hard to reach. The others may be hard to reach also, but are more likely
to cause either the backspace or enter key to be pressed by mistake. In this case
a user can create a set of most keyboard symbols and punctuation but avoid those
they don't like. The passwords are just as strong but more acceptable to the user.
They are just as strong because no cracker can arbitrarily start eliminating
certain characters, based on assumptions similar to our hypothetical user's
motivation. To do so would cause all passwords to be missed that used the
eliminated
symbols, which where created by people willing to use these symbols and who
did not share this hypothetical user's specific aversions. Other users might
chose other characters to avoid because of superstition or any other reason.
Even without User Defined Character Sets, there is a very simple way to avoid
disliked characters. Allow the generator to function normally, then manually
substitute other characters for the disliked ones. If the system enforces
a symbol or punctuation character in each password, it is not likely more than
one. If the generator includes two or more, the user can probably substitute a
letter or digit for the disliked character.
I've seen several password generators that avoid numbers, letters and symbols
that might easily be mistaken for each other. The avoided characters include:
(! I l i), (0 O o), (E [), (S $ s),
and some others. Either there are misguided designers of password generators
who are weakening passwords because they imagine users to
have these aversions, or there are users with such aversions. Personally I
don't see how it could matter, as you can almost never see what a typed password
looks like. Most systems display an asterisk or a large dot for each character
typed in a password field; some show nothing.
If there are users with this aversion, the user definable character sets
should provide enough flexibility to accommodate them. There are more than
enough ways to create strong passwords that I can see no reason any
individual user should have to use specific characters they wish to avoid.
I do, however, think it is a serious flaw in any password generator
design, to leave out any character or characters universally, because some
small set of users may have an aversion to such characters. In the event a
cracker targeted a site known to use such a generator, he could leave these characters
out of his cracking efforts, or place them at the very end of the list of
characters to be tested. Password strength is based on a combination of password
length and character set size. Dropping characters for a few users helps the
crackers. Giving individual users an opportunity to avoid specific characters
they do not wish to use in their passwords, helps those users without giving
the cracker any real advantage.
In all cases, once a user has entered their defined character sets, they do
not have to do so more than once. Because all versions of the GeodSoft Password
Generator use gets instead of posts, once the data had been entered and the
form submitted, the user can bookmark it, and the bookmark will have all the
user entered data in the query portion of the URL. Once saved the user can
edit it as they wish in most browsers. They may also make multiple variations
if they wish, and save each as a bookmark.
I don't think such user bookmarks represent any security threat. Assume a
business environment where criminals are targeting a powerful multi user
computer, perhaps a web, application, or database server. Would such
criminals actually take the time to hack individual PC's looking for
bookmark files that may have non standard password generator settings.
I don't think so. The may hack the PC's for other reasons such as CPU
cycles.
Hacking a lot of PCs in a place where you already have access to a
valuable multi user computer does not make a lot of sense to me. I don't
know how many businesses install firewalls on individual PCs. Nearly all
businesses do however install anti-virus and typically other anti-malware
software on PCs. Most of the better known anti-virus products are made by
companies that sell security suites which include personal firewalls. By
the time you've you've got the other things you might want, a firewall
is probably already included in the package. Windows (and I suspect Macs)
need this kind of protection. Once they have already paid for it, why
not install the firewall on the PCs?
Why should the intruder risk setting off an alarm, which may be monitored
from a central location, unless the PC(s) have something of specific
value? Even if a useful bookmark file with password generator settings
is found, it may not be obvious how to match it to a specific account
on a central computer.
Any user who bookmarks non default settings on a password generator is
more sophisticated than the average computer user. If there are multiple
bookmarks, how do you know which is real. If there is more than one, is it
wise to assume they are all real? Perhaps one is real and the others fakes
to misslead a possible intruder. They may all be fakes. The user may regard
bookmarking their password generator settings, in a manner similar to how
most security "experts" abhor writing down passwords or paper. Or they may
all be real. Any user sophisicated enough to have bookmarked multiple
password generator settings, is also capable of changing a couple characters
in the resulting passwords. Even if they are all real, how do you match
the settings to the host on which they were used? You won't know which host
a bookmark goes with until after you have cracked the password, if you
ever do.
I don't expect most users will ever use User Selected Character Sets. We know as
a matter of irrefutable fact that most users are lazy when in comes to making passwords.
The number of really bad passwords in all lists of cracked passwords prove this beyond
any doubt. Users who routinely use password generators are already in a select minority.
Just getting other users to use a password generator at all would be a large step
forward. Why would "lazy" users take advantage of the the most complicated and
sophisticated option available to alter their passwords? The answer is simple; they
won't.
I added this option for two reasons. First to give a small number of sophisticated
users a new way to control the passwords generated - to allow these users ways to
generate passwords that simply could not have been created without these options.
They also allow me to define new variations on older patterns and create new types
of patterns not seen before. I can make these passwords available to users via the
new front end that does not display most options
but simply provides a large list of password types to choose from, or via the
Pattern Samples page.
Second to create doubt in the minds of crackers. Users with strong or unusual passwords
are likely to have admin accounts or something else valuable to protect. A cracker
will not wish to avoid considering these options. Because there is simply no way a
cracker can reliably make any accurate assumptions about how these options may have
been used, the safest course is to proceed as if they do not even exist. There will
always be some passwords that are not cracked. Why change proven methods in the hope
of getting a few more passwords when doing so risks missing even more that otherwise
would have been cracked?
Trying to take advantage of the two sets that have been created is risky.
The comma and period may already have a medium to medium high placements
in existing frequency tables.
Moving the other charactes in this set up to comparable positions would
distort proven frequency tables, probably for little benefit. It would
be crazy to remove other punctuations and symbols because of this set.
The z set is even more problematic. All are and should be low in any
frequency table. Moving them up because some sophisticated user may have
used one or more in a prominent place in some of their passwords would
almost certainly be counter productive. The only rational reaction for
the cracker is to proceed as if they do not exist. But wouldn't it be
so sweet to get a valuable account where the user thought they were
being smart using these options?
Sequences and Repeats
The definitions for all sequences and repeat character patterns placed
between two matched characters share the same syntax rules. Parentheses
(" ( ) ") define a repeat character pattern. Angle brackets
or arrows (" < > ") define an ASCII sequence. Square
brackets (" [ ] ")define a keyboard sequence.
A general note on sequences and repeat character groups:
The number of possible sequences and repeat character groups is tiny
compared to the total password space at any specific length. It is possible
for crackers to create custom dictionaries for all simple repeats and
sequences up to 16 or more characters. Every combination of four
2 to 9 character repeats and sequences from 8 to 36 characters (as defined
by this password generator syntax, which includes alpha numeric, alpha, and
numeric sequences in addtition to pure ASCII and keyboard sequences) is
slightly less than an 8 character password from the full 95 character
keyboard set.
But you cannot count this number (2.66e+15) as available unless you
are actually making passwords up to 36 characters. I'm not proposing
that and I don't actually expect and readers to do so. If we are talking
about 16 character passwords there are only 1.36e+14 possible combinations
of all repeats and sequences this password generator can create with up to
four characters in each sequence or repeat. This is somewhat more than the
number of 7 charcater full keyboard passwords. While storing a custom
dictionary on disk may be problematical, this number is clearly within the
reach of a fast desktop. Generating the dictionary in memory and passing
it directly to the cracker should take between 5 and 6 weeks on a fast
desktop and several seconds on a fast network. Adding some longer patters,
with more short ones would somewhat increase the number of possibilites,
but letting the password length drop to 15 would reduce the total
possiblilities.
Though I've included these options in the hopes that they may entice
someone who uses similar sequences and repeats to try these in longer
and much stronger passwords, I don't expect to use them. I think words
are easier to remember and type than meaningless sequences. To me the
ASCII sequences are clearly harder to type than words. If keyboard
sequences were limited to alphanumeric and a single row they would be
easy to type, but with wraps from row to row and flips I don't find
them easy. I'll probably use an occassional 2 or possibly 3 character
repeat without flips. To me there is no advantage and perhaps the
highest risk of any element I've provided. Especially if user selection
limits the choices to one row, the number of available choices is
very low, and th just the kind of element that crackers may be willing
to look for in long passwords.
The only way repeats, ASCII and keyboard sequences
can be used in a password safely, is if the password is 15 characters or
longer AND MULTIPLE arbitrary variations are added to these passwords.
If you define mostly or only alpha and or numeric sequences,
it is ESSENTIAL to use punctuation and
or symbol characters to separate your repeats and sequences. You
MUST also use flips which will arbitarily
change the case of the first or last letter in all sequences and repeats.
If no letter begins or ends the character group, then a keyboard shift is
performed on the digits, symbols and punctuation, including ASCII sequences
which do not have natural shift variations for these characters..
The odds of this happening are 75% for each defined flip and this number
(the flip odds) should not be lowered except when force mixed case,
force digits and force symbols are all set to "1". I strongly
recommend using flips on all repeat and sequence groups. Using non
alphanumeric separators with case flips on multiple repeat and sequence
groups will greatly complicate the cracker's job. Adding words, psuedo
words, or short psuedo random character groups to the mix, will
complicate matters even more.
Increasing password length to 17 to 20 characters when using multipe repeat
and or sequence groups would make these passwords significantly stronger.
I've included these options because such patterns have frequently shown up
in short cracked passwords which suggests at least some people find them
easy to type and or remember. I abhor the use of these kind character groups
in conventional length passwords. I would consider it an abuse of the generator
if these were used in any psswords less than 15 characters. My hope is that
a few people who have used such elements in the past can be enticed to try
long passwords, if they see that their weak components can be part of a strong
password.
A example may help. Consider a sipmle repeat group, "aaaa", 4 lower case
a's. If you asked almost any password experts if this could be a good thing
in a password, you would get nearly unanimous and emphatic no's. Such a
character group is about the last thing most password experts want to see in
a password. I think most of the industry still thinks of 8 characters as a
good password length and anything longer as a long password. Most have not
yet come to grips with the fact that general increases in computer power and
development of cracking techniques (massive parallelism) has renderd 8
character passwords obsolete for protecting any important or sensitive
account. 10 should now be considerd the minimum and 12 if you want a clear
margin of safety, for important accounts.
Returning to our repeat group of aaaa's, lets look at it in a new context.
Assume we've already created a fairly strong more or less conventional
password, "xuleK#79Duw". It's 11 characters from the full keyboard and
the capitals, digits and symbol are all at non obvious locations. The
only dictionary word is the 3 letter reversed word wud. Would attaching
the 4 a's to the begining or end, or splitting them 2 and 2 or 3 and 1
and adding them to both ends make xuleK#79Duw stronger or weaker. The
answer is simple. STRONGER. This cannot be reasonably be debated. Adding
a "bad" element makes a "good" password better. Even with insider
information giving the character and location of each "a", the cracker's
job of getting the good password is not made one bit easiers. Without
this information, the password is almost 10,000 times hardder to crack.
It's true from purely a strength standpoine a more random sequence
like "$P4f"would be better, but perhaps harder to remember and or type:
$P4fxuleK#79Duw, $P4xuleK#79Duwf, $PxuleK#79Duw4f, $xuleK#79DuwP4f,
xuleK#79Duw$P4f. Compare these two sets: aaaaxuleK#79Duw,
aaaxuleK#79Duwa, aaxuleK#79Duwaa, axuleK#79Duwaaa, xuleK#79Duwaaaa.
Which is easier to remember and type? The aaaa's by far in my opinion.
The aaaa's make the password much stronger, at a very modest cost to
usability. The more random sequence adds a small, but ultimately
immesurable degree in strength at a large cost in usability.
Given the choice between a well constructed 12 character password
and a 16 characrer password with 3 sequences and a repeat, I'll take
the longer. I'd hope it included punctuation or symbol separators and
flips; without them I'd think the user was taking unnecessary risks.
Given a 19 character password with 4, four charcter groups of
sequences and or repeats, with puctuation and or symbols as
separators and flips, it should be a no brainer to anyone who
understands password strength and cracking techniques. If the force
mixed case and digit flags were set so all displayed passwords had
the full charcater mix (without the flags, odds would cause some
passwords with no digits and or active flips to be displayed), the
long password is between ten and a thousand times a trillion (10^13
to 10^16) times stronger than a good 12 character password, even
though it is made from elements most password experts have been
trained to think of as weak or low entropy.
Returning to sequence and repeat syntax,
the first character group after the enclosing pair define the character that
repeats or the character that starts a sequence. The most versitile and
strongly recommended option is to provide an empty pair of
" ' ' " (apostrophes or single quotes) with no
spaces between. If you put anything between the single quotes, the program
will not understand, and will generate no passwords. If you enter an empty
pair of single quotes the program will psuedo randomly select a single
character from the ASCII or keyboard character set, as appropriate. This
character will be used as the repeat character or the first character of
the sequence.
You may also enter any single character that is not any of the six
characters that start or end a repeat or sequence defition. If you
try to use any of these six characters inside a repeate or sequence
definition the program will generate a large error message and no
passwords. If you enter any single legal character, that character
will be used as the repeat character or the first sequence
character, unless you include one of the options described below,
which limit the selected characters to specific subsets of the
ASCII or keyboard sequences.
Providing a single character for a repeat pattern or sequence beginning
is NOT recommended. Setting up a repeat or sequence character pattern
requires an understanding of the syntax and requires a minimum of four
different characters; if you want to specify a length range, six
characers are required. It would likely be simpler just to type the
password(s) that you want. Such passwords are likely to be a weak
passwords, even if they are long, as historically most human created
passwords are weak, often, even when they do not appear to be
obviously weak.
A range of possible repeat or sequence start characters may be specified
by entering two different characters (not including the six characters
used to enclose repeat and sequence definitions), separated by a dash,
(" - "). The program will pseudo randomly select a character between the
specified start and end characters, inclusive of them. The end
character must be greater than the start character in the appropriate
sequence (ASCII for repeat characters).
You need to look up an ASCII
character chart unless you know the full sequence. The keyboard sequence
as used by this generator starts with the unshifted back tick / tilde key,
(" ` ~ ") and follows the top key row to the equal
sign / plus sign key, (" = + "), then wraps to
the lower and upper case "q", (" q Q "). It continues
unshifted in the same manner over the next three rows. At the slash /
question mark key, (" / ? "), it wraps, picking up
the space bar, then up to the shifted tilde and repeats the keyboard
with all the shifted key characters. At the end of the shifted sequence
it wraps back to the unshifted backtick, skipping the spacebar which
is in the middle of the keyboard sequence.
The use of character ranges is not recommeded. Unless you are very
familiar with the sequence you are selecting from, you may get
surprises.
By surprise, I mean "<a-z9> does not slect a lower case 9
character sequence, though the majority will be such. It selects
a nine character sequence that starts with an a to z. If a "z" is
chosen the sequence will be 'z{|} ~!"#'. Following the z, the
last four characters of the typeable ASCII sequence are chosen,
then the prrogram wraps to the beginning of the typeable ASCII,
character set, picking up a space, exclamation mark, quote and
pound sign.
Following the start character selection is the length. This
may be a fixed length or a range. A zero after the start character
definition asks for a random length between 2 and 9. Other than
zero, a single digit will specify a fixed length. A one will work
but there generally much simpler ways to get a single character
of almost any type. A range is specified with 2 digits separated
by a dash. The second digit must be greater than the first. You
can specify a 1-2 or 1-9 and both will work, though you cannot
call a single character a sequence or repeat. Any range from
1-2 to 1-9 to 8-9 and between these will work. If you try 0-5 or
zero to any other number you will get 2 through 9. Any other
invalid specification will result in a fixed length equal to the
first digit. If you provid anything except a digit after the
start specification, you will get an error message.
An "f" adjacent to the close parenthesis or square or angle
bracket or just one position away from the close character
indicates a flip. If any sequence or repeat has a letter
at either or both ends, depending on the flip odds, one end will
be reverse cased. The flip odds which are defaulted to 0.75 or
75% determine if a flip happens in each repeat or sequence. If
there are letters at both ends, and the odds select a flip, the
program has a slight preference for the last character rather
than the first. These odds are 55% to 45% and cannot be changed.
If a sequence only has a letter at one end, if a flip occurs
that is where it will occur. Obviously a repeat either has the
same letter at both ends or no letter at either end.
If a repeat or sequence has no letter at either end, and a flip is
defined, the flip odds still determine if a flip will occur. Regardless
of whether the character group is a repeat, a keyboard sequence or an
ASCII sequence, if a flip is selected, a keyboard shift will be
performed at one end of the group. The same odds apply as for groups
with letters at both ends. It's 55% in favor of the last character
versus 45% for the first characer. Depending on which character was
selected, the other character on the same key will be displayed. If a
digit was slected then the symbol above it will be displayed. If any
Shift character was selected, you get the character that you get by
unshifting that key, i.e., the lower character of two on the same
key.
While a flip can cause mixed case, if there is more than one sequence
defined in a password, there is a fair chance that there will be
mixed case letters. Flips also break sequences and repeats even when
they do not cause mixed case. Because all repeats, and most sequences
can have either end flipped, the use of flips almost triples the total
number of character groups available with sequences and repeats. Limiting
the groups to 4 characters to insure they will fit in 16 character
passwords leaves comparatively few sequences that cross letter and
symbol and number and symbol boundries. Though there are almost three
times the number of character groups, there are more than 7 times the
number of passwords if flips are used on all repeats and sequences.
If you feel like you are getting too many shift chnges in your password,
you can leave the fips defined and reduce the filp odds and set the
force mixed case, force a digit, and force a symbol flags all to "1"
rather than the default "0". These pay no attention to where in the
password the character types occur, just that they do. If you are using
punctuation or symbols to separate your character groups, you are guaranteed
to have symbols and do not need to set the force symbols flag. If you have
a single "d" as a pattern character which guarantees a digit, or if you
have a backslash literal digit, there is no need to set the force digit
flag as you are guaranteed at least one digit.
Unless you have both an upper and lower case litteral defined with a
backslash escape, or your have an upper case litteral and a word which
is guaranteed to be mostly lower case, you should probably have the
force mixed case flag set. Even with four sequences and repeats in a
password, all could easily produce only upper case letters (or symbols
or digits).
With the force character type flags set, or pattern definitions that
guarantee specific types of characters, you can set the flip odds
very low (0.01) and always get all character types. A sequence
and repeat with a lower case word and a "Cvcd" is all you
need. With only one flip defined in the repeat, and effectively
turned off with 0.01 odds, the pattern easily generates all character
types with a small set of user defined punctuation used as group
separators. With the "d" in Cvcd and the punctuation, group dividers,
only a mixed case flag is needed. The "vc" guarantees lower case
letters. The sequence, the repeat and the "C" can all create upper
case letters.
With the force mixed case flag turned off approximately 15 to 30% of
the displayed passwords are all lower case. It varies widely from one
batch to the next. When the flag is turned on, it only requires several
extra loops to get the 10 passwords with all the character types. I do
not think I saw a single flip in the repeat characters. I didn't
expect to. With a flip restored to the sequence and the flip odds
set to 0.25 you see a flip in about half the passwords.
<!-- What password am I talking about here? -->
The flip does not actually add to the strength in my password evaluator.
With the force mixed case flag on and three parts that can create upper or
lower case you do not need a flip for mixed case. I prefer to have it to
add variability to the simpler elements. Each group is four characters
except the word which is 4 or 5. With the group separators this makes 19
or 20 character passwords depending on word length. The strength rating
is mid to upper 20's mostly depending on the word length. Even with the
forced mixed case off and an all lower case password with a 4 character
word the strength rating is 23.
This compares to 12 for a 12 character password using the full 95 keyboard
character set. Missing mixed case or symbols and punctuation it drops to 10,
and missing both, i.e. lower case alphanumeric it drops to 7. Each increase
in the scale corresponds to a 10 times strength (cracking time) increase so
a 12 is between 10 and a thousand times stronger than a 10; on average it
will be aboue 100 times stronger.
This shows how much length affects strength. The weakest of the 19 character
passwords are 9 steps above the strongest 12 character passwords or 100 million
times. The strongest 20 character passwords are 21 steps stronger than the
weakest 12 character passwords. That's 100 million trillion times stronger,
without the flips. Given all that I've told you about these passwords, which
is quite a bit, there is very little that will help you crack them.
I never said what kind of sequence is used or whether it is complete or limited
as discussed next. I never said what order the elements
are arranged in. You have no idea what is in the punctuation divider group. There
is at least one character that most people would consider a symbol and not
punctuation. one which some would question which it is. I've said the flip is back
in the sequence as well as the repeat and the odds have been raised so you see it
about half the time. You don't really have any idea how large my word list is and
what is included. Good luck cracking any resulting passwords.
The last set of options allows any sequence or repeat to be limited to one of
three subsets of the full group. These are "m" for alphanumeric, "l" for
letters, and "d" for digits. If used, the three mutually exclusive indicators
must be the very last charcter, immediately adjacent to the close parenthesis,
square or angle bracket. When used, these characters limit the displayed characters
you would expect. As they are being processed, any character which does not fit
with these type modifiyers is simply skipped, and the sequence resumed when the
next character of the appropriate type is found. The correct character count
is maintained across non matching characters, and if necessary the program
will wrap back to the beginning of the sequence to find the correct number
of characters of the right type.
The most useful is the alphanumeric "m" with the ASCII sequence. Since few people
have memorized the full sequence, and there is no keyboard to look at, typing in
ASCII symbols and punctuation in the proper order could be a bit of a challenge.
Anyone who can use
a computer can count and nearly everyone knows the alphabet. If you use the "m", all
you need to remember is the order is "0-9A-Za-z0-7". The last digit group is for
wrap if a sequence happens to start with "z". The longest sequence is 9 and to get
wrap you have to start near the end of the lower case alphabet. "z" is the last
character and you can only add 8 digits including the "0".
You can use these where you wish, but if you make regular use of repeats and
sequences, you are already using about the smallest sets of character groupings
available. A "d" takes an already small group and reduces it to almost nothing.
Even the largest grouping, the alphanumeric "m" discards a third of the useable
characters. There is justification for avoiding the ASCII symbols; most people
will need to take their written down passwords and lay them in front of
themselveswhile they type. The others are displayed in front of you all the
time on thekeyboard, or you only need to remember one character, possibly with
a shift or unshift at one end. Over use of these subset limiter with repeats
and keyboard sequences moves into the area of let's see how bad we can make it
and still get away with it.
Words in Patterns
Words as part of patterns, along with character repeats and ASCII and
keyboard sequences is part of a major enhancement introduced in June of
2012. This is part of looking for ways to make 15 character and longer
passwords practical and memorable.
A single "w" will cause a randomly selected word to be dislayed at that
position in the password. If all 6 through 9 character lists are
installed the word will be from 2 to 9 characters long, though
you will rarely if ever see a 2 character word because there are so
few of them compared to the other lengths. If an upper case "W" is
used, depending on the settings of flip
odds and force mixed case, the first or
last letter of the word is likely to be upper case.
The numeric modifiers work in a manner similar to those used with
sequences and repeats.
Zero and "1" are meaningless and ignored if they
follow a "w" or "W". 2 through 9, used alone specify word containing
that many characters. The words are selected randomly from the
appropriate pool. BE AWARE there are are very few 2 and 3 character
words. Use these numbers carefully.
A digit dash digit following a "w" or "W" indicates a desired length
range. 3-5 should be OK as there is a moderatly large pool of five
character words. You will see many 4 character words and a fair
scattering of 3. The number of words increases significantly at each
length up to 6, slows to 7 and becomes almost flat to 8 which has
the most words. It then dips a little to 9. If you use 3 or more
words, it is suggested that you at least allow for the possibility
of one 8 or 9 character word. Allowing up to one 9 chararacter
word in the password greatly increases the total number of words
in use. The 8 and 9 character words are about 43% of the total.
By default, the word lists do not include common last names that were
not already in one of the dictionaies used to build these word lists.
By setting "Include last names" to 1, the size of the word
lists are increased sigificantly by including a very large number of
last names the U.S. Census Bureau defines as common. Most of these are
not of English or West European origin and may be initially difficult
to pronounce. Using these adds significantly to the strength of
passwords that are made with this option turned on. If howerver you
find them too difficult to pronounce, remember or type, then for you
they do not make the password more useable You only need to set
Include last names back to 0 and click on Submit and these names
will no longer be included in the words in passwords.
Patterns in Patterns
Patterns in patters are defined with curly braces
(" { } ") and provide two additional
cpabilities. The first allows a character grouping to
be defined in parenthesis, which may be pretty much
anything with two or more characters. A single digit
outside the parenthesis causes the grouping to repeat
2 to 9 times. Unlike most other pattern definitions,
the first time this is used, the generated characters
are saved and reused as a litteral group. This allows
character groupings like "aBaBaB", "j4Pj4P" or "zuT3zuT3"
to be repeated up to 9 times (with the first of those
shown already repeated 3 times and the other 2 twice
each).
A second optional group, also defined within parenthesis,
which may be almost anything, will be used
once. It may be placed before the first repeating group or after any
repeating group. The trailing digit specifies the location. A zero
places this second group before the repeating pattern. A 1 through 9
places it after the first through ninth repeat. If the number is
greater than the number of repeats, the second group appears at
the end. The second, optional group, must be defined after the
first; if the order is switched, no passwords will be displayed.
The second ability is to randomize the order of elements defined within
the paired curly braces. Depending on how you look at it this may be the
must useful option of the many new options added in mid 2012. On one
hand it undermines the notion of a constant structure to help
remember passwords. On the other, it allows a set group of elements to
become highly versititle.
Multiple definitions of any type may used. These include sequences
which use thier normal separators and syntax. Other groups are defined
in parenthesis and may be almost anything that can be defined with
normal pattern characters or user defined character groups. A repeated
single character group may be defined by including parenthesis
in parenthesis. The usual rules for numeric modifiers apply.
Everything between the paired curly braces is scanned and each
element saved. Each parenthesis, or square or angle bracket pair should
be followed by an "r" to indicate it is to be randomized. In addition
one group may be followed by an "s" to indicate that this is a
separator character or pattern.
The separator character or group my be anything from a single character
defined by a backslash escape such as "\." or it may be a single character
randomly selected from any pattern definintion type or user defined
character set. It may also be a combination of two or more of any of
these. It will be repeated between each randomized group; in other
words the separator group will appear once less than the number
of randomized groups that are defined. You may reverse the role of
the separator group by defining a complex separator, and a series
of simple randomized groups. The simple randomized groups could
be a single literal or a user defined character set with as few
as one characters.
The separator character or group in not necessarily constant unless
it is defined in such a way that it must be, i.e., a single or multiple escaped
literal character or characters or a one character user defined group.
If a single pattern character is used, such as "p" for punctuation,
an different character will be randomly selected from the punctuation
group each time one is needed. The same applies to user defined groups
with muliple characters.
If you nest words, ("w" or "W"), or sequences, ("[]" or "<>"), inside of
parenthesis inside curly braces the results are unpredictable. You can have
more than one pair of curly braces in a pattern provided they do not overlap
or nest; the results are unpredictable if you do either. You can nest curly
braces in a mirrored pattern, ("| |"), or a mirrored pattern in curly
brace to one level; the results are unpredictable if you try more than one
level or overlap the open and close characters. If the content is not
trivial, more than one nesting of mirrored or curly brace patterns will
likely create passwords too long to use.
Mirrored Passwords
A pair of vertical bars, ("| |"), will cause whatever is between the
vertical bars to be mirrored. Obviously this will double the length of
whatever is mirrored. I've included it because sometimes short passwords,
typically 3 to 5 characters, are mirrored, so I assume this helps some people remember
something while increasing its length. I have doubts about the use of this
option, and it certainly
should not be used to mirror a short password to make a medium size password of
10 to 14 characters.
I also have doubts about mirroring a strong 8 character or longer passwords to
make a long password. If you take a well constructed 8 character password like
"cuD9&Fuj" to make this "cuD9&FujjuF&9Duc" 16 character password, I
doubt it will be very helpful in remembering or typing it. If you take very poor 8 or
9 character passwords like Password1 or Whatever3 and mirror it, you should not
be supprised if it is cracked when a systen it is used on is compromised.
Unlike
some other variations on passwords which cause hundreds to millions of variations
per password, and are therefore very computationally expensive and low yeild,
mirroring requres at most a doubling, and is a normal part of most rule sets
already used. I dont' know what the normal cutoff length for mirroring is.
I'd guess it might be around 7 to 9 characters. Even if it's only 5 or 6, if
crackers begin to suspect people are starting to use longer passwords, it
would be a trivial change to increase the limit to 12 characters and catch
passwords up to 24 characters. The time increase would be considerably less
than double as short passwords are probably already checked with mirroring,
and there would still be some upper length limit excluding the longer
dictonary words. Words 10 characters and longer account for about half of
an unabridged dictionary's entries, and 12 and longer about a quarter.
This is a cracking setting which will likely increase gradually over time.
Where I think mirroring may be of some value is in mirroring individual small
elements, so the mirrored piece is only a moderate part of
a considerably longer password. I think the guideline I use for individual words
in a password would be an appropriate upper limit on on a mirrored piece. My
guideline for words is that they should always be less than two thirds of the
length of the password. This is 7 characters in a 12 character password. Since
mirroring will always result in an even number of characters, this would mean
6 in a 12 character password as 8 is equal to, not less than two thirds.
My suggested limits are:
6 in 11 |
10 in 16 |
12 in 21 |
|
6 in 12 |
10 in 17 |
14 in 22 |
|
8 in 13 |
10 in 18 |
14 in 23 |
|
8 in 14 |
12 in 19 |
16 in 24 |
|
8 in 15 |
12 in 20 |
16 in 25 |
|
Word Only Passwords
Words only was a new feature of passwords.pl, added in March 2007. Feature is
the wrong word. Words Only is an entirely separate password generator, with
totally independent logic, that simply shares the user interface
of the pattern based password generator. Though it uses multiple dictionary
words to create passwords, at 12 characters and longer, few if cracking tools
running on a single computer will be able to break
these passwords, except in the freakishly rare circumstances when a
common phrase is formed. On Windows, pronounceable, all lower case
passwords between 12 and 14 characters may be vulnerable to crackers
that use rainbow tables. 12 lower case letters can easily be brute forced
by a password cracking network. Because they lack character complexity,
15 character and longer, words only passwords are strongly recommended.
Unlike the pattern based password generator, which creates it's passwords
one character at a time, Words Only randomly draws from a list of two through
five character words and names. In test runs it created 2 duplicate passwords
in one million 11 character passwords and 14 duplicate passwords in ten million
12 character passwords.
Like the pattern based password generator, little in Words Only is truly
random. There is not an equal distribution of words of the various lengths.
The list used is made from English dictionaries and common U.S. names which
means many names of non English origin. There are well over 100 times as
many five letter words as two letter words and more than twice as many
five letter words as four letter words. There more than four times as many
four letter words as three letter words.
There are two very different ways to select the words. Dump all the words
into a common pool and draw randomly from it or to dump the words into pools
of all the same size words, and decide randomly which length you want and
then randomly select a word from the selected length pool. Both have problems.
From the single pool you will see very few two letter words, and at 10 characters,
many passwords with two five letter words. From the separate pools you will
get a gross over representation of short words. If you want the maximum diversity
there are about 400 times as many 10 letter passwords made of 5 two character
words as there are of 2 five character words, despite the greatly larger
number of five letter words, but the overall character sequence will be
almost random, defeating the purpose for using words in the first place.
In order to better meet length restraints placed on the passwords, and provide
a greater diversity than the common pool approach would provide, I chose a
variation on the separate pools approach. The selection is not truly random.
Fewer three, and many fewer two letter words are selected than a truly random
selection would allow. But many more of both are included than if a combined
pool had been used.
There is also logic to prevent endless loops if the minimum and maximum lengths
are the same. This is not a problem when building passwords a character at a time
but when using words limited to two characters or longer this can be a problem.
Any time the assembled words create a password one character shorter than the
required length, the password cannot be created and potentially there is an infinite
loop. You could recognize the situation, discard the password, and start over. Or
you could recognize the situation, and add a random character to complete the password.
Since I am trying to created strong, all lower case passwords, I chose to add the
letter, and randomly add it between the last two words, or at the end. Though
some of the other passwords may be very awkward to pronounce, this is the only
time that a truly unpronounceable password is likely to be created. There is no control
over this function, except to choose minimum and maximum lengths that are at
least one character different.
Password Lengths
Users can easily control the length range of the Words Only passwords in the same
manner as any other, by setting the minimum and maximum password lengths.
There is a restriction not applied
in the pattern password generator. No Words Only password can be less than 10
characters long. Setting the minimum length to any number less than 10, automatically
results in the default 11 to 12 character length. You can get 10 character passwords by
setting both the minimum and maximum lengths to 10. When there is only a one or
two character difference between the minimum and maximum lengths, the longer
length will be heavily favored. If the spread is larger, the shorter lengths
will be favored. If the spread exceeds 5 characters, you will probably never see
the maximum length.
Two Character Words
You can change the frequency of two and three character words by changing the
Zero and One odds. About two thirds (.65) of the two character words are
discarded before they are selected. If you set Zero Odds around .01, two character
words will be selected as frequently as four or five character words.
If you set this somewhere over .9, two character words would be selected
about as often as if they were in a common pool.
Three Character Words
Three character words are discarded just over one third (.35) of the times
they would otherwise be selected. If you set One Odds around .01, three character
words will be selected about as often as four and five character words.
If you set One Odds somewhere between .7 and .9, three character words will
be selected about as often as if they were in a common pool.
Five Character Words
The "2 through 9 odds" setting of .99 effectively eliminates the selection of
a second five character word in passwords less than 13 characters. By setting
this to .01 or lower you effectively
remove this restraint. There is no restriction on multiple 5 character words in
passwords 13 characters and longer.
Other Options
The "How many passwords?" and "Display across? (0 or 1)" options work as normal.
The other options "Maximum zero characters,"
and the four options at the bottom of the right column, "Force Mixed Case (0 or 1),"
"Force a Digit (0 or 1)," "Force a Symbol (0 or 1)," and "Digit sets per symbols"
have no effect on Words Only passwords.
Top of Page -
Site Map
This page and the information on it my not be published or distributed under the
terms of the GeodSoft Publication License.
Copyright © 2000 - 2014 George Shaffer. All rights reserved.
|