GeodSoft logo   GeodSoft

Password.pl Instructions

Pattern Formation


  c: lower case consonant
  v: lower case vowel
  l: lower case letter
  b: lower case consonants plus common 2 and 3
     character consonant sequences that begin words
  e: lower case consonants plus common 2 and 3
     character consonant sequences that end words
  C: mixed case consonant
  V: mixed case vowel
  L: mixed case letter
  B: mixed case consonants plus common 2 and 3
     character consonant sequences that begin words.
     Only the first character may be upper case.
  E: mixed case consonants plus common 2 and 3
     character consonant sequences that end words.
     Only the last character may be upper case.
  d: digit
  t: symbol or punctuation
  p: puncuation  , . ; : ' " ? ! ( ) -
  r: programming symbols [ ] { } < > \ | / ` ~ ^
  s: common symbols @ # $ % & * _ = +
  n: non letter, i.e. digit, symbol or punctuation
  m: alphanumeric, lower case letters only
  M: alphanumeric, mixed case letters
  a: any character, lower case letters only
  A: any character, mixed case letters
  h: hexadecimal (0-9, a-f)
  H: hexadecimal (0-9, A-F, a-f)
  \: Put the NEXT character in the password
  i: user defined
  j: user defined
  k: user defined
  x: user defined
  y: user defined
  z: user defined
  w: Word
  W: Word with a first or last character a capital
 ==: Define a repeating character pattern
 <>: Define an ASCII sequence pattern
 []: Define a keyboard sequence pattern
 {}: Define Patterns in patterns including random order
 ++: Define a duplicate or repeated pattern
 ||: Define a mirrored pattern
  ^: Force upper case letters only
  0: zero or one of the preceding character type
  1: one or more of the preceding character type
2-9: one to the specified number of the preceding
     character type

Each alphabetic pattern control character is a key which selects an array of possible values from which one or more characters will be pseudo randomly selected. The b, B, e and E pattern characters may result in 1, 2 or 3 character sequences for each pattern character; if the maximum password length does not allow sufficient length, truncation will occur. All pattern control characters except b, B, e and E define a single password character. The entire pattern is processed unless the maximum password length is reached first, at which point the password is truncated. If the pattern is processed and the minimum length is not reached, the password is discarded, and a new cycle started. The digits are numeric modifiers of the preceding pattern control character, and determine if or how many of the type of character represented by the pattern character are included. The user has complete control over the probability each numeric modifier represents.

Upper Case Only

Use a caret, (" ^ "), immediatly after any pattern character which includes letters to force all resulting letters to be upper case. This may be used after any of the following a, A, b, B, c, C, e, E, h, H, l, L, m, M, v, V, w, W. It cannot be used after user defined character sets, any letter that defines non letters only, or any pair of symbols that indicate special processing (sequences, repeats, mirrored, duplicate, and random elements).

Always use the caret immediately after the letter. Never allow a space between the pattern character and the caret. If one or more numeric modifieres are to follow the patttern, place them after and immediately adjacent to the caret.

Backslash escape

The backslash (" \ ") is a special character. Any character that follows a backslash will go directly into the password at the appropriate location just as it appears. If a c, v, C, n, d, etc., directly follows a backslash, it is no longer a pattern control character but a litteral that will appear in the password as it is typed into the pattern field. There are two primary uses. One is to allow your preferred seperator, whether it is a period, comma, colon, plus sign, dash, underscore or any other character you like, to separate words, sequences, patterns, or other components from each other.

The second use is to create a private character sequence that you never tell to anyone, and probably should not write down. When you are making passwords that are 15 characters and longer, you can do almost anything you want. Nearly all the advice about what not to put in a password is irrelevant. A common and very correct piece of advice is to not use the same password on more than one site. This still applies to long passwords. But a long password has room for lots of things. You may have noticed "+my1+Whatever" appearing in multiple sample passwords, and when it does, every generated password has it. You can enter this by entering "\+\m\y\1\+\W\h\a\t\e\v\e\r" into the pattern field. It will appear in each password that is generated, plus whatever random words, sequences, repeats, etc. which are defined.

Actually you SHOULD NOT ENTER THIS. Instead you should enter something like "\*\t\o\5\*\P\a\s\s\w\o\r\d". Notice the two are structurally identical. Both have 2 symbols in the same locations. Both have a digit in the same place. Both have a capital in the same place. Neither the digit or capital are in the first or last place. Either could begin or end a word and neither the capital or digit would be the first or last character. Both have 2 and 8 character words in the same locations.

Notice that both are strong 13 character passwords just by themselves. Somebody is probably getting agitated and thinking, but there is an 8 character dictionary word in each. It does not matter. Even if used as a complete password the 8 character word is less than two thirds of the total length. I know of no password cracking rule set that can find the 8 character word. Remember (except for old Windows LM hashes) passwords are never broken in pieces. A cracker must have the entire string that matches every single character before starting the computations that create the hash that will be compared to the hash in the password file.

Actually there is an excption to the no known cracking rule set and the 8 character word. It turns out that GPU enabled cracking tools are not great with dictionaries and rule sets. Some can't just read a list of dictionary words and do nothing else with it and some don't process traditional rules. What they are brilliant at is brute force, and brute force combined with other things, such as a dictionary. They are really goof at adding multiple random characters at either or both ends of a dictionary word, so one thing they can do pretty well is adding 5 characters to 8 character words. The basic rules still apply. No matter how fast a GPU enabled cracker is, it's still going to take 95 times longer to do 5 character with a 95 character set than it took to do 4 characters with a 95 character set. Most crackers are not focused on 13 character passwords, but rainbow tables go to 14 and with a GPU enabled cracking tool, some crackers may say why not. 15 and up should be safe if the 8 character word is mostly surrounded by non letters and does not start the passoword.

If you adopt this approach, you will have a secret part that is a pretty good password by itself, that you will use as part of every password you create for the next two to four years. You've decided you are going to do passwords properly from now on. You want passwords no one, not even the NSA can crack. You want passwords that the fastest cracking networks yet assembled will take hundreds of thousands of years to crack. You want to be part of that select few percent who have never seen one of their passwords in any common password list and who have never had an account of theirs cracked.

You start with a strong core of 10 to 14 characters that is a strong password by itself. It might be two words, three symbols and a digit. It will have at least one capital (or lower case if the others are upper case). Neither the digit or capital should be at either end of the core password. Instead of you favorite separator, you should pick any easy to type symbol, and use it on both ends. Maybe you will use your favorite separator to separate the two words, or you might run them together.

Over time you will type this core password hundreds and thousands of times. There is no need to write it down. It will be etched into your memory within a few weeks. You want the core password to work on either end of your passwords because you will be using it on both ends routinely. If you've been using strong passwords for a long time and have lots of accounts, you know the question is not will you write them down, but where can you write them securely? I'll leave you to answer where for yourselves based on your situation. In most workplace environments, I consider the inside of a purse or wallet to be reasonably secure. Few people leave these laying around unattended.

You won't write your core password down, but you will have to write down the unique parts. To your 10 to 14 character core you will be adding meaningless (in the sense that they have no special meaning or relationship to you) words, character sequences, repeats, and various odds and ends that add about 8 characters to your core password. When you write down the unique part you will come up with some notation that indicates which end the core part goes on. It should be better than an arrow or other constant indicator that quickly becomes obvious, if anyone else sees your password list. I'd suggest any group of characters that you can easily relate to each other, and which consists of at least 5 and no more than 10 characters.

There are many groups to choose from. Some of the less obvious are vowels, upper or lower case or both. The first 6 consonants: b, c ,d, f, g, h. The three contiguous groups of five consonants, 1) j, k, l, m, and n, 2) p, q, r, s, t and 3) v, w, x, y, and z. Mixed case doubles the numbe for more variety. Among symbols and puctuation the eight paired symbols seem fairly obvious: (), [], {}, and <>. They could be used to point at either end, but do not need to; this is the only group that has a really clear way to show the secret body embeded in the unique part: 34()5678. Puctuation with only one part: , . ' - ( ) and possibly ` and ~. Punctuation and symbols with two separate parts, ( ; : " ? ! = ). Punctuation and symbols that float above the baseline, ( ` ~ ^ * - = + ' " ). The common non punctuation symbols at the top of the keyboard: @ # $ % & * _ = +.

See "Creating Uncrackable Passwords That Do Not Need to be Written Down" for a detailed discussion of core passwords

How Many

Determines how many passwords will be displayed. Valid values are 1 - 1000; the default is 10. Invalid values will be set to the minimum, default or maximum, depending on what is entered. I have the high limit mostly for administrators who want to make a list of passwords they can assign their users as they need them, or pick and choose from over a period of time, for their own use. If you print 1000 or 5000, especially if you use different patterns, you can go a long time without coming back. Even on the remote chance someone was sniffing between GeodSoft and your computer, all they will see is a very long list of what may be passwords. The chances that they will get associated with you and the sniffer will know which ones you've used, or be in a position to use the entire list as a cracking dictionary on computers you use is awfully small.

I've had the 1000 limit and the instructions mentioning it going back to the original password generator. It's hardly ever been used. I included most of the preceding paragraph in "What's New" and within a day two morons set the limit to 1000 and start clicking away on submit. With 5 to 10 seconds between clicks, it was obvious they could not possibly be cutting and pasting or saving in any fashion, or even looking at the individual passwords. They were just watching a pagefull of passwords change in response to their infantile urges. Put something in "instructions" and the large majority of people won't read it. Put the same thing some place prominent, and someone who wouldn't dream of reading instructions, thinks it gives them license to abuse the system.

Display Across

A 1 causes the displayed passwords to be printed across the page in rows. A 0 will cause passwords to be printed in a single column. Valid values are 0 and 1 defaulted to 1.

Maximum zero characters

Sets an upper limit to the number of characters specified by a pattern control character followed by zero that will be output in the resulting passwords. The default is 2. If the pattern contains more than 2 zero characters, the maximum must be increased to the actual number for there to be any possibility that all can actually appear. The low zero limit combined with the relatively low odds on zero characters provides a way to introduce comparatively small variations to a password pattern.

Zero odds

Sets the odds for a pattern control character followed by a zero to be output. The default is .25 or 1 in 4. If the maximum number of zero characters have already been output, the odds are not used; no more zero characters are output. Before displaying a zero character a random number between 0 and 1 is generated. If it is less than the Zero odds, the character is output, otherwise it is skipped. Useful values range from .1 to .9 which are from 1 in 10 to 9 in 10 or very rarely to nearly always. Values less than 0, or 1 and greater, are never and always and therefore not useful; they are restored to the default if entered.

One odds

Sets the odds for more than one of the preceding pattern character type to be output. One of the appropriate character type is output and then a random number between 0 and 1 is generated. If the number is less than the "One odds" another character is output and an new random number generated. The loop continues until a random number is greater than or equal to the "One odds" or the maximum password length is reached. The default is .6 or 6 in 10. At the default, unless minimum or maximum password length impose a constraint, the number of pattern characters is mostly low (1 - 3) but very long sequences are occasionally produced. Increasing the "One odds" quickly adds length so that maximum password length quickly becomes the limiting factor for most passwords. If you want passwords of all one type character, rather then entering a long pattern, you can enter enter one of the desired pattern character followed by a 1 and set the "One odds" to 0.999. Values less than 0, or 1 and greater, are never and always and therefore not useful; they are restored to the default if entered.

2 through 9 odds

Sets the odds for more than one of the preceding pattern character type to be output. After the first appropriate character type is output, a loop comparison value is calculated. The loop comparison value is calculated as the 2 through 9 odds divided by the (numeric modifier less 1). The loop comparison value is subtracted from 1 on the first loop and from the previously saved result on each successive loop (decreasing the odds on each pass). A random number between 0 and 1 is generated and if the result is less than the loop comparison value, the loop continues until a random number is greater than the shrinking odds, or the maximum number of the character type is reached, or the maximum password length is reached. The default .5 produces a fairly even distribution of character lengths from 1 to the maximum allowed by the numeric modifier of 2 through 9 over all values of 2 through 9. Thus with d2 there is an even chance of the second digit being generated, password length restraints allowing. Smaller numbers, such as 0.01 (but not less than 0) force a clustering of longer output strings while larger numbers, greater than 1 but less than the numeric modifier, generate more shorter strings. Values less than 0 or 9 and greater are not useful; they are restored to the default if entered.

Flip Odds

Flip odds sets the likelihood that each repeat character group or ASCII or keyboard sequence that starts or ends with a letter as well as each pattern word will have its first or last letter case flipped. This applies independently to each repeat, sequence or word with a flip set. Only repeat and sequence definitions with an "f" as the last or next to last character in the definition or words specified with an upper case "W" are flip set. The default flip odds are 0.75 or 75% so a case flip in each flip set repeat, sequence or word is fairly likely.

It will only be one end for sequences with letters at both ends and repeated letters as well as pattern words. Both ends of the same repeat, sequence or word will never be case flipped. The flip odds only determine whether a case flip will occur or not, not at which end it occurs. The program has a small, 55%, preference for flipping the last character rather than the first character in each flip set repeat, sequence (when both ends are available) or word.

Obviously if a sequence only has letters or a letter at one end, the flip can only occur at that end. You may wonder if a sequence begins or ends with only one letter, does the flip have any value? The answer is yes. For example, in an alpha numeric ASCII sequence 789A is quite possible. 789a can never occur without a case flip. In a keboard sequence m123 is possible but not M123 without a case flip.

Each case flip doubles the number of possible passwords any pattern containing them can possibly produce. That's not what is important though. They assure character complexity. Having two or more flips in a password pretty much assures mixed case characters. Repeats, sequences and words are only intended for use in passwords 15 characters and longer. If you make up a password of just alphanumeric repeats and sequences, most people who know what it means will describe this as a low entropy password. If you separate your "predictable" character groups with arbitrary punctuation or symbols and use some case flips it does not matter if your password is low entropy or not.

Theory does not crack passwords. Specific cracking tools with specific dictionaries (or rainbow tables) and rulesets crack passwords. If you use repeats and sequences in long passwords, but do not tell anyone this, and your password is over 15 characters with 3 or 4 types of charcters (upper and lower case, digits, symbols or punctuation) your password is not going to be cracked, because a cracker has no way to target your password, and brute force will not work with 15 character and longer passwords. Commercially available rainbow tables stop at 14 characters, and even there they claim only a 96% success rate meaning 4% are still missing.

aBaBaB7aB^aBaBaB is certainly a low entropy password but how do you crack it? The answer is simple. Without fore knowledge that the password consists of alternating mixed case characters an 2 non letters, you don't. It's 16 characters long and beyond brute force. It fits no description of a good password. In fact it deliberatly does something that many password DO NOTs advise against. But before I typed it out, it's unlikely any human being has ever seen this exact character sequence before. Strings no one has ever seen before do not get into cracking dictionaries and rule sets. Only strings that are the product of dictionaries and rule sets crack long passwords.

Returning to flips, if you want to assure that mixed case characters are included in your passwords, set one or more flips, set a low Flip odds, and set Force Mixed Case. How low should flip odds be. That depends on how many flips are included. Only trial and error will give you a specific answer. I'd suggest 0.4 with one flip, 0.3 with two flips, 0.2 with three flips, and 0.1 with four flips as starting points. You may get mixed case with no flips if your password pattern includes sequences. Remember flips also break repeats and sequences regardless of whether mixed case is otherwise present or not.

Minimum password length

Sets the minimum length in characters of the displayed passwords. If the pattern cannot create passwords at least as long as the minimum length, no passwords are output. Any numeric value greater than or equal to 1 and less than or equal to the maximum length is valid. 7 is the default minimum length.

Maximum password length

Sets the maximum password length in characters of the displayed passwords. Password output is terminated as soon as the maximum length is reached, truncating any password that otherwise might have been longer. Any numeric value greater than or equal to 1 is valid. 10 is the default maximum length.

Force Mixed Case

A 1 forces the displayed passwords to contain both upper and lower case letters; no passwords are output if the pattern contains no mixed case type pattern control characters (C, V, L, B, E, M, A, f, or W). Valid values are 0 and 1 defaulted to 0. There should be two or more of the mixed case control characters in the pattern if force mixed case is set. If there is only one mixed case pattern control character and force mixed case is set, the mixed case character position will always be upper case. This is true of those which control a single character (B and E and also C, V, L, M and A without numberic modifiers). It is not generally true with repeats, sequences and words. If, however, the only element that can create mixed case is a repeat without a flip, you will only see upper case letters in the repeat position.

Force a Digit

A 1 forces the displayed passwords to contain at least one digit; no passwords are output if the pattern contains no digit type pattern control characters (d, n, a and A). Valid values are 0 and 1 defaulted to 0. There should be two or more of the n, a or A pattern control characters and no d's if force a digit is on. If there is only one of the n, a or A control characters and force a digit is set, the output character will always be a digit. Though the resulting passwords may appear more complex, forcing a digit actually reduces the number of passwords that a control pattern can generate. If one or more d type pattern control characters is present, this option has no effect.

Force a Symbol

A 1 forces the displayed passwords to contain at least one symbol or punctuation character; no passwords are output if the pattern contains no symbol type pattern control characters (s, n, a and A). Valid values are 0 and 1 defaulted to 0. There should be two or more of the n, a or A pattern control characters and no s's if force a symbol is on. If there is only one of the n, a or A control characters and force a symbol is set, the output character will always be a symbol or punctuation character. Though the resulting passwords may appear more complex, forcing a symbol actually reduces the number of passwords that a control pattern can generate. If one or more s type pattern control characters is present, this option has no effect.

Digit sets per symbols

Determines the number of digit sets that are used symbols and punctuation all character or non letters are specified. The default is 3. A standard keyboard has 10 digits and 32 symbols and punctuation characters. If an array is initialized with 1 of each, symbols and punctuation are about 3 times as likely to appear as a digit. By using 3 digit sets, a digit has an about equal chance of being included but each digit is three times more likely to appear than any specific symbol or punctuation character. Valid values are any numeric greater than or equal to 1; large values will suppress any symbols or punctuation characters. This is only relevant if the pattern contains one or more of the following characters: a, A or n.

Letter sets per symbols

Affects the number of letter sets that are used with with digits and symbols when "all" characters are called for with an "a" or "A". When only lower case or only upper case letters are used with numbers and symbols there would normally be 26 letters and 43 numbers and symbols. When mixed case is specified there would normally be 52 letters and 42 numbers and symbols. If digit sets per symbols is at the default of three, there would be 63 digits (30) and symbols (33). With only one case of letters they would be overwhelmed by the symbols and digits. This is defaulted to 2 so there are 52 letters whether there is one letter case or two. The user can increase this up to 7 to force a higher percent of letters when letters are being "randomly" mixed with digits and symbols. This is relevant only when the pattern contains an "a" or "A".

Setting both this and digits sets per symbols to 1 will create the most accurate random distribution of characters regardless of which character groups are called for. Leaving this at 2 and reducing digit sets per symbols to 2 would create the most even distribution of 52 letters to 53 symbols (33) and digits (20). Reducing digit sets per symbols to 2 and increasing letter sets per symbols to 3 will start creating noticably more letters than symbols and digits in "random" mixes. Raising it higher will skew the distribution to even more letters.

Include last names

This option only applies when the pattern contains an "w" or "W" to include a word in the pattern. Normally the word lists used include words from several commonly available dictionaries plus common first names provided by the Census Bureau. Setting this option will cause about 76,000 "common" last names as definded and provided by the U.S. Census Bureau, which are not already in the dictionaries, to be added. This significantly increases the words available as there are almost as many last names as 5, 6 and 7 character words, and many 8 and 9 character names. The cost is that many of these names will not be easy to pronounce and many will be unfamiliar.

User Selected Character Sets

There are six optional user selected character sets. The user can enter any typeable characters, including spaces, into any of the six fields which are associated with the pattern characters, "i", "j", "k", "x", "y" and "z". When the user enters i,  j,  k,  x,  y,  or z into the pattern field, any characters that have been entered into the associated field will be randomly selected when the i,  j,  k,  x,  y  or z  is processed. The numeric modifiers work on i,  j,  k,  x,  y and z just like they do on any other pattern characters. If, for example, you entered a single "t" into the i field, and entered a pattern of "i1", changed the one odds to 0.99, and the password length range from 1 to 99, over several tries you would likely see strings of t's ranging from 1 to 99 characters. If you blanked out the "t", the generator would make the maximum number of tries, but with nothing to output, would return with no passwords.

The i field is initialized with five common punctuation marks and one common symbol, all of which are easy to type. This is a small character set that make good separators for word sequences as well as repeat and sequence patterns with words or separately. You can easily add to or remove any characters you want from this initial group. They may easily be replaced if you want to use this field for other purposes.

The z field is initialized with 10 symbols. These are last 4 characters in the ASCII collating sequence (of the typeable characters). The other 6 come between the upper and lower case letters, so all are fairly high in the ASCII collating sequence. If a lazy or perhaps average cracker were to do a brute force attack on a set of hashes, he might use the ASCII collating sequence as the order in which the characters are processed. If so, depending on how far he went, any password that started with any of these would either not be cracked or would be among those toward the end of the run. Why not use a lower case letter then; all are higher than 6 of the symbols? Because a good cracker is not likely to use the ASCII collating sequence. He will most likely use some kind of frequency table and order his search with the most frequently used characters first. Lower case letters are typically the most frequently used characters. "e" is by far the most frequently used character in the English language, and probably not a good character to start passwords with. Except for use in some programing languages, the 10 symbols I chose are all very near the bottom of any frequency use table. What about the "#", "%", and "&"? They are all rather infrequently used. They are also very near the beginning of the ASCII collating sequence. In trying to avoid a skilled cracker you don't want to give your passwords to a lazy cracker. So my thought on the u group, as currently set up, is they are characters that would make good first letters in passwords. You may want to change this to only "{|}~" which are the last four characters in the ASCII collating sequence and very low in any frequency table.

What about using vowels without an e (by far the most frequently used character in the English language), and consonants without t, n, r , s, and h (the most frequently used consonants) for use only in the front part of a password (placed in two user defined fields)? I'm not sure you get any real advantage this way. If an ASCII collating sequence is being used as the order, all lower case letters are late in that sequence and you've removed three that are fairly close to the end of the alphabet. If any frequency table is being used, and you start your password with lower case letters, all but perhaps the "q" and "j" are likely to be near the beginning, placed ahead of nearly all capitals, digits, symbols and most punctuation. You don't help yourself against the ASCII sequence and only gain a very small advantage against a cracker using frequency tables.

What about some different approaches. My password generator allows for all single case characters, but not a choice of which case. If you want all one case it will be lower case. I assumed that would be the preference of most users as all upper case requires the use of the shift or caps lock key. The caps lock key is really simple, but when I use it, as often as not, I forget to turn it off until I type a couple unintended capitals. A user could enter all the upper case consonants in i and upper vowels in x. Then they could use i and x exactly as I normally show c and v being used. These could easily be mixed with C and V (but not W and E) to get mixed case passwords, with predominatedly upper case letters. If the cracker knew that my generator or one like it was in use at a location for which he had the password hashes and was cracking them, he would most likely look at all lower case passwords and mixed case passwords but not upper case passwords. In this case the user's all upper case password would most likely be safe. When a password using all upper case was not cracked when many others were, the cracker would probably assume the user had used a longer password, and not likely an unexpected character set.

It's worth remembering that in most hash sets that are cracked there is some minority that is never cracked. If the crackers, whether criminals or academic researches, have reasonable computing resources and time, the majority of passwords are cracked because most users insist on using aa poor or weak passwords as the systems they are on allow them to. Most users, and frequently even technical administrators who ought to know better, tend to prefer convenience over security. Still it is rare that some do not remain uncracked. What are these that are not cracked? No one but the users who created them know. If they were smart and knowledgeable enough to create passwords that are not cracked, they are probably smart and knowledgeable enough to give general advice on creating good passwords that reveal nothing about how they create their own passwords. Whether they used a password generator or have a personal algorithm that allowed them to create long (14 to 20 characters) passwords which they could remember, their advice would likely differ enough, that it would be of little value in figuring out how to crack their own passwords.

A better use, for User Selected Character Sets, might be to use only all upper case vowels. Now upper case is neither positional or random, but limited to a small and easily remembered subset of letters. Passwords made this way look nothing like any I've ever seen come out of my generator before, but they do include mixed case letters at unpredictable locations which are very easy for a user to remember. Again if a cracker knows what password generator is in use, they are not likely to make the right assumptions because these passwords do not fit with those created by any of the built in features or defaults of the generator they believe is creating the passwords.

Another use is to create a single character, character set. This might be just a period or semicolon, a very common puctuation and one under a homekey finger. A user may want to use the "+" or "=" sign as a separator between groups of characters, such as words, repeat characters, or keyboard or ASCII sequences which are all new options.

Closely related to single character, character sets are very small character sets with only 2 to 4 characters. The uses would be largely the same as for single character, charecter sets, but where the user wanted just a little more variety. Some examples might include (";" and "," and "."),  ("+" and "&"),  ("-" and "_"),  or perhaps ("/", "|", "\").  People who program with regular expressions will get these ("^" and "$") and ("?", "+", "*").  What about ("!", "|", "l"),  ("<", "/", ">),  or ("(", "[", "{"),  or perhaps single and double quotes plus the back tick? There are many small subsets of characters that could make good visual separators. Which characters these happen to be will likely depend on what you do and the characters you are comfortable with and use regularly.

Another use is a user who has an aversion to specific characters. For example: ~ ` + = } ] | \ " '. (Not including the final period.) The tilde and back tick may be hard to reach. The others may be hard to reach also, but are more likely to cause either the backspace or enter key to be pressed by mistake. In this case a user can create a set of most keyboard symbols and punctuation but avoid those they don't like. The passwords are just as strong but more acceptable to the user.

They are just as strong because no cracker can arbitrarily start eliminating certain characters, based on assumptions similar to our hypothetical user's motivation. To do so would cause all passwords to be missed that used the eliminated symbols, which where created by people willing to use these symbols and who did not share this hypothetical user's specific aversions. Other users might chose other characters to avoid because of superstition or any other reason.

Even without User Defined Character Sets, there is a very simple way to avoid disliked characters. Allow the generator to function normally, then manually substitute other characters for the disliked ones. If the system enforces a symbol or punctuation character in each password, it is not likely more than one. If the generator includes two or more, the user can probably substitute a letter or digit for the disliked character.

I've seen several password generators that avoid numbers, letters and symbols that might easily be mistaken for each other. The avoided characters include: (! I l i), (0 O o), (E [), (S $ s), and some others. Either there are misguided designers of password generators who are weakening passwords because they imagine users to have these aversions, or there are users with such aversions. Personally I don't see how it could matter, as you can almost never see what a typed password looks like. Most systems display an asterisk or a large dot for each character typed in a password field; some show nothing.

If there are users with this aversion, the user definable character sets should provide enough flexibility to accommodate them. There are more than enough ways to create strong passwords that I can see no reason any individual user should have to use specific characters they wish to avoid.

I do, however, think it is a serious flaw in any password generator design, to leave out any character or characters universally, because some small set of users may have an aversion to such characters. In the event a cracker targeted a site known to use such a generator, he could leave these characters out of his cracking efforts, or place them at the very end of the list of characters to be tested. Password strength is based on a combination of password length and character set size. Dropping characters for a few users helps the crackers. Giving individual users an opportunity to avoid specific characters they do not wish to use in their passwords, helps those users without giving the cracker any real advantage.

In all cases, once a user has entered their defined character sets, they do not have to do so more than once. Because all versions of the GeodSoft Password Generator use gets instead of posts, once the data had been entered and the form submitted, the user can bookmark it, and the bookmark will have all the user entered data in the query portion of the URL. Once saved the user can edit it as they wish in most browsers. They may also make multiple variations if they wish, and save each as a bookmark.

I don't think such user bookmarks represent any security threat. Assume a business environment where criminals are targeting a powerful multi user computer, perhaps a web, application, or database server. Would such criminals actually take the time to hack individual PC's looking for bookmark files that may have non standard password generator settings. I don't think so. The may hack the PC's for other reasons such as CPU cycles.

Hacking a lot of PCs in a place where you already have access to a valuable multi user computer does not make a lot of sense to me. I don't know how many businesses install firewalls on individual PCs. Nearly all businesses do however install anti-virus and typically other anti-malware software on PCs. Most of the better known anti-virus products are made by companies that sell security suites which include personal firewalls. By the time you've you've got the other things you might want, a firewall is probably already included in the package. Windows (and I suspect Macs) need this kind of protection. Once they have already paid for it, why not install the firewall on the PCs?

Why should the intruder risk setting off an alarm, which may be monitored from a central location, unless the PC(s) have something of specific value? Even if a useful bookmark file with password generator settings is found, it may not be obvious how to match it to a specific account on a central computer.

Any user who bookmarks non default settings on a password generator is more sophisticated than the average computer user. If there are multiple bookmarks, how do you know which is real. If there is more than one, is it wise to assume they are all real? Perhaps one is real and the others fakes to misslead a possible intruder. They may all be fakes. The user may regard bookmarking their password generator settings, in a manner similar to how most security "experts" abhor writing down passwords or paper. Or they may all be real. Any user sophisicated enough to have bookmarked multiple password generator settings, is also capable of changing a couple characters in the resulting passwords. Even if they are all real, how do you match the settings to the host on which they were used? You won't know which host a bookmark goes with until after you have cracked the password, if you ever do.

I don't expect most users will ever use User Selected Character Sets. We know as a matter of irrefutable fact that most users are lazy when in comes to making passwords. The number of really bad passwords in all lists of cracked passwords prove this beyond any doubt. Users who routinely use password generators are already in a select minority. Just getting other users to use a password generator at all would be a large step forward. Why would "lazy" users take advantage of the the most complicated and sophisticated option available to alter their passwords? The answer is simple; they won't.

I added this option for two reasons. First to give a small number of sophisticated users a new way to control the passwords generated - to allow these users ways to generate passwords that simply could not have been created without these options. They also allow me to define new variations on older patterns and create new types of patterns not seen before. I can make these passwords available to users via the new front end that does not display most options but simply provides a large list of password types to choose from, or via the Pattern Samples page.

Second to create doubt in the minds of crackers. Users with strong or unusual passwords are likely to have admin accounts or something else valuable to protect. A cracker will not wish to avoid considering these options. Because there is simply no way a cracker can reliably make any accurate assumptions about how these options may have been used, the safest course is to proceed as if they do not even exist. There will always be some passwords that are not cracked. Why change proven methods in the hope of getting a few more passwords when doing so risks missing even more that otherwise would have been cracked?

Trying to take advantage of the two sets that have been created is risky. The comma and period may already have a medium to medium high placements in existing frequency tables. Moving the other charactes in this set up to comparable positions would distort proven frequency tables, probably for little benefit. It would be crazy to remove other punctuations and symbols because of this set. The z set is even more problematic. All are and should be low in any frequency table. Moving them up because some sophisticated user may have used one or more in a prominent place in some of their passwords would almost certainly be counter productive. The only rational reaction for the cracker is to proceed as if they do not exist. But wouldn't it be so sweet to get a valuable account where the user thought they were being smart using these options?

Sequences and Repeats

The definitions for all sequences and repeat character patterns placed between two matched characters share the same syntax rules. Parentheses (" ( ) ") define a repeat character pattern. Angle brackets or arrows (" < > ") define an ASCII sequence. Square brackets (" [ ] ")define a keyboard sequence.

A general note on sequences and repeat character groups: The number of possible sequences and repeat character groups is tiny compared to the total password space at any specific length. It is possible for crackers to create custom dictionaries for all simple repeats and sequences up to 16 or more characters. Every combination of four 2 to 9 character repeats and sequences from 8 to 36 characters (as defined by this password generator syntax, which includes alpha numeric, alpha, and numeric sequences in addtition to pure ASCII and keyboard sequences) is slightly less than an 8 character password from the full 95 character keyboard set.

But you cannot count this number (2.66e+15) as available unless you are actually making passwords up to 36 characters. I'm not proposing that and I don't actually expect and readers to do so. If we are talking about 16 character passwords there are only 1.36e+14 possible combinations of all repeats and sequences this password generator can create with up to four characters in each sequence or repeat. This is somewhat more than the number of 7 charcater full keyboard passwords. While storing a custom dictionary on disk may be problematical, this number is clearly within the reach of a fast desktop. Generating the dictionary in memory and passing it directly to the cracker should take between 5 and 6 weeks on a fast desktop and several seconds on a fast network. Adding some longer patters, with more short ones would somewhat increase the number of possibilites, but letting the password length drop to 15 would reduce the total possiblilities.

Though I've included these options in the hopes that they may entice someone who uses similar sequences and repeats to try these in longer and much stronger passwords, I don't expect to use them. I think words are easier to remember and type than meaningless sequences. To me the ASCII sequences are clearly harder to type than words. If keyboard sequences were limited to alphanumeric and a single row they would be easy to type, but with wraps from row to row and flips I don't find them easy. I'll probably use an occassional 2 or possibly 3 character repeat without flips. To me there is no advantage and perhaps the highest risk of any element I've provided. Especially if user selection limits the choices to one row, the number of available choices is very low, and th just the kind of element that crackers may be willing to look for in long passwords.

The only way repeats, ASCII and keyboard sequences can be used in a password safely, is if the password is 15 characters or longer AND MULTIPLE arbitrary variations are added to these passwords. If you define mostly or only alpha and or numeric sequences, it is ESSENTIAL to use punctuation and or symbol characters to separate your repeats and sequences. You MUST also use flips which will arbitarily change the case of the first or last letter in all sequences and repeats. If no letter begins or ends the character group, then a keyboard shift is performed on the digits, symbols and punctuation, including ASCII sequences which do not have natural shift variations for these characters..

The odds of this happening are 75% for each defined flip and this number (the flip odds) should not be lowered except when force mixed case, force digits and force symbols are all set to "1". I strongly recommend using flips on all repeat and sequence groups. Using non alphanumeric separators with case flips on multiple repeat and sequence groups will greatly complicate the cracker's job. Adding words, psuedo words, or short psuedo random character groups to the mix, will complicate matters even more.

Increasing password length to 17 to 20 characters when using multipe repeat and or sequence groups would make these passwords significantly stronger. I've included these options because such patterns have frequently shown up in short cracked passwords which suggests at least some people find them easy to type and or remember. I abhor the use of these kind character groups in conventional length passwords. I would consider it an abuse of the generator if these were used in any psswords less than 15 characters. My hope is that a few people who have used such elements in the past can be enticed to try long passwords, if they see that their weak components can be part of a strong password.

A example may help. Consider a sipmle repeat group, "aaaa", 4 lower case a's. If you asked almost any password experts if this could be a good thing in a password, you would get nearly unanimous and emphatic no's. Such a character group is about the last thing most password experts want to see in a password. I think most of the industry still thinks of 8 characters as a good password length and anything longer as a long password. Most have not yet come to grips with the fact that general increases in computer power and development of cracking techniques (massive parallelism) has renderd 8 character passwords obsolete for protecting any important or sensitive account. 10 should now be considerd the minimum and 12 if you want a clear margin of safety, for important accounts.

Returning to our repeat group of aaaa's, lets look at it in a new context. Assume we've already created a fairly strong more or less conventional password, "xuleK#79Duw". It's 11 characters from the full keyboard and the capitals, digits and symbol are all at non obvious locations. The only dictionary word is the 3 letter reversed word wud. Would attaching the 4 a's to the begining or end, or splitting them 2 and 2 or 3 and 1 and adding them to both ends make xuleK#79Duw stronger or weaker. The answer is simple. STRONGER. This cannot be reasonably be debated. Adding a "bad" element makes a "good" password better. Even with insider information giving the character and location of each "a", the cracker's job of getting the good password is not made one bit easiers. Without this information, the password is almost 10,000 times hardder to crack.

It's true from purely a strength standpoine a more random sequence like "$P4f"would be better, but perhaps harder to remember and or type: $P4fxuleK#79Duw, $P4xuleK#79Duwf, $PxuleK#79Duw4f, $xuleK#79DuwP4f, xuleK#79Duw$P4f. Compare these two sets: aaaaxuleK#79Duw, aaaxuleK#79Duwa, aaxuleK#79Duwaa, axuleK#79Duwaaa, xuleK#79Duwaaaa. Which is easier to remember and type? The aaaa's by far in my opinion. The aaaa's make the password much stronger, at a very modest cost to usability. The more random sequence adds a small, but ultimately immesurable degree in strength at a large cost in usability.

Given the choice between a well constructed 12 character password and a 16 characrer password with 3 sequences and a repeat, I'll take the longer. I'd hope it included punctuation or symbol separators and flips; without them I'd think the user was taking unnecessary risks. Given a 19 character password with 4, four charcter groups of sequences and or repeats, with puctuation and or symbols as separators and flips, it should be a no brainer to anyone who understands password strength and cracking techniques. If the force mixed case and digit flags were set so all displayed passwords had the full charcater mix (without the flags, odds would cause some passwords with no digits and or active flips to be displayed), the long password is between ten and a thousand times a trillion (10^13 to 10^16) times stronger than a good 12 character password, even though it is made from elements most password experts have been trained to think of as weak or low entropy.

Returning to sequence and repeat syntax, the first character group after the enclosing pair define the character that repeats or the character that starts a sequence. The most versitile and strongly recommended option is to provide an empty pair of  " ' ' "  (apostrophes or single quotes) with no spaces between. If you put anything between the single quotes, the program will not understand, and will generate no passwords. If you enter an empty pair of single quotes the program will psuedo randomly select a single character from the ASCII or keyboard character set, as appropriate. This character will be used as the repeat character or the first character of the sequence.

You may also enter any single character that is not any of the six characters that start or end a repeat or sequence defition. If you try to use any of these six characters inside a repeate or sequence definition the program will generate a large error message and no passwords. If you enter any single legal character, that character will be used as the repeat character or the first sequence character, unless you include one of the options described below, which limit the selected characters to specific subsets of the ASCII or keyboard sequences.

Providing a single character for a repeat pattern or sequence beginning is NOT recommended. Setting up a repeat or sequence character pattern requires an understanding of the syntax and requires a minimum of four different characters; if you want to specify a length range, six characers are required. It would likely be simpler just to type the password(s) that you want. Such passwords are likely to be a weak passwords, even if they are long, as historically most human created passwords are weak, often, even when they do not appear to be obviously weak.

A range of possible repeat or sequence start characters may be specified by entering two different characters (not including the six characters used to enclose repeat and sequence definitions), separated by a dash, (" - "). The program will pseudo randomly select a character between the specified start and end characters, inclusive of them. The end character must be greater than the start character in the appropriate sequence (ASCII for repeat characters).

You need to look up an ASCII character chart unless you know the full sequence. The keyboard sequence as used by this generator starts with the unshifted back tick / tilde key, (" ` ~ ") and follows the top key row to the equal sign / plus sign key, (" = + "), then wraps to the lower and upper case "q", (" q Q "). It continues unshifted in the same manner over the next three rows. At the slash / question mark key, (" / ? "), it wraps, picking up the space bar, then up to the shifted tilde and repeats the keyboard with all the shifted key characters. At the end of the shifted sequence it wraps back to the unshifted backtick, skipping the spacebar which is in the middle of the keyboard sequence.

The use of character ranges is not recommeded. Unless you are very familiar with the sequence you are selecting from, you may get surprises. By surprise, I mean "<a-z9> does not slect a lower case 9 character sequence, though the majority will be such. It selects a nine character sequence that starts with an a to z. If a "z" is chosen the sequence will be 'z{|} ~!"#'. Following the z, the last four characters of the typeable ASCII sequence are chosen, then the prrogram wraps to the beginning of the typeable ASCII, character set, picking up a space, exclamation mark, quote and pound sign.

Following the start character selection is the length. This may be a fixed length or a range. A zero after the start character definition asks for a random length between 2 and 9. Other than zero, a single digit will specify a fixed length. A one will work but there generally much simpler ways to get a single character of almost any type. A range is specified with 2 digits separated by a dash. The second digit must be greater than the first. You can specify a 1-2 or 1-9 and both will work, though you cannot call a single character a sequence or repeat. Any range from 1-2 to 1-9 to 8-9 and between these will work. If you try 0-5 or zero to any other number you will get 2 through 9. Any other invalid specification will result in a fixed length equal to the first digit. If you provid anything except a digit after the start specification, you will get an error message.

An "f" adjacent to the close parenthesis or square or angle bracket or just one position away from the close character indicates a flip. If any sequence or repeat has a letter at either or both ends, depending on the flip odds, one end will be reverse cased. The flip odds which are defaulted to 0.75 or 75% determine if a flip happens in each repeat or sequence. If there are letters at both ends, and the odds select a flip, the program has a slight preference for the last character rather than the first. These odds are 55% to 45% and cannot be changed. If a sequence only has a letter at one end, if a flip occurs that is where it will occur. Obviously a repeat either has the same letter at both ends or no letter at either end.

If a repeat or sequence has no letter at either end, and a flip is defined, the flip odds still determine if a flip will occur. Regardless of whether the character group is a repeat, a keyboard sequence or an ASCII sequence, if a flip is selected, a keyboard shift will be performed at one end of the group. The same odds apply as for groups with letters at both ends. It's 55% in favor of the last character versus 45% for the first characer. Depending on which character was selected, the other character on the same key will be displayed. If a digit was slected then the symbol above it will be displayed. If any Shift character was selected, you get the character that you get by unshifting that key, i.e., the lower character of two on the same key.

While a flip can cause mixed case, if there is more than one sequence defined in a password, there is a fair chance that there will be mixed case letters. Flips also break sequences and repeats even when they do not cause mixed case. Because all repeats, and most sequences can have either end flipped, the use of flips almost triples the total number of character groups available with sequences and repeats. Limiting the groups to 4 characters to insure they will fit in 16 character passwords leaves comparatively few sequences that cross letter and symbol and number and symbol boundries. Though there are almost three times the number of character groups, there are more than 7 times the number of passwords if flips are used on all repeats and sequences.

If you feel like you are getting too many shift chnges in your password, you can leave the fips defined and reduce the filp odds and set the force mixed case, force a digit, and force a symbol flags all to "1" rather than the default "0". These pay no attention to where in the password the character types occur, just that they do. If you are using punctuation or symbols to separate your character groups, you are guaranteed to have symbols and do not need to set the force symbols flag. If you have a single "d" as a pattern character which guarantees a digit, or if you have a backslash literal digit, there is no need to set the force digit flag as you are guaranteed at least one digit.

Unless you have both an upper and lower case litteral defined with a backslash escape, or your have an upper case litteral and a word which is guaranteed to be mostly lower case, you should probably have the force mixed case flag set. Even with four sequences and repeats in a password, all could easily produce only upper case letters (or symbols or digits).

With the force character type flags set, or pattern definitions that guarantee specific types of characters, you can set the flip odds very low (0.01) and always get all character types. A sequence and repeat with a lower case word and a "Cvcd" is all you need. With only one flip defined in the repeat, and effectively turned off with 0.01 odds, the pattern easily generates all character types with a small set of user defined punctuation used as group separators. With the "d" in Cvcd and the punctuation, group dividers, only a mixed case flag is needed. The "vc" guarantees lower case letters. The sequence, the repeat and the "C" can all create upper case letters.

With the force mixed case flag turned off approximately 15 to 30% of the displayed passwords are all lower case. It varies widely from one batch to the next. When the flag is turned on, it only requires several extra loops to get the 10 passwords with all the character types. I do not think I saw a single flip in the repeat characters. I didn't expect to. With a flip restored to the sequence and the flip odds set to 0.25 you see a flip in about half the passwords.

<!-- What password am I talking about here? -->

The flip does not actually add to the strength in my password evaluator. With the force mixed case flag on and three parts that can create upper or lower case you do not need a flip for mixed case. I prefer to have it to add variability to the simpler elements. Each group is four characters except the word which is 4 or 5. With the group separators this makes 19 or 20 character passwords depending on word length. The strength rating is mid to upper 20's mostly depending on the word length. Even with the forced mixed case off and an all lower case password with a 4 character word the strength rating is 23.

This compares to 12 for a 12 character password using the full 95 keyboard character set. Missing mixed case or symbols and punctuation it drops to 10, and missing both, i.e. lower case alphanumeric it drops to 7. Each increase in the scale corresponds to a 10 times strength (cracking time) increase so a 12 is between 10 and a thousand times stronger than a 10; on average it will be aboue 100 times stronger.

This shows how much length affects strength. The weakest of the 19 character passwords are 9 steps above the strongest 12 character passwords or 100 million times. The strongest 20 character passwords are 21 steps stronger than the weakest 12 character passwords. That's 100 million trillion times stronger, without the flips. Given all that I've told you about these passwords, which is quite a bit, there is very little that will help you crack them.

I never said what kind of sequence is used or whether it is complete or limited as discussed next. I never said what order the elements are arranged in. You have no idea what is in the punctuation divider group. There is at least one character that most people would consider a symbol and not punctuation. one which some would question which it is. I've said the flip is back in the sequence as well as the repeat and the odds have been raised so you see it about half the time. You don't really have any idea how large my word list is and what is included. Good luck cracking any resulting passwords.

The last set of options allows any sequence or repeat to be limited to one of three subsets of the full group. These are "m" for alphanumeric, "l" for letters, and "d" for digits. If used, the three mutually exclusive indicators must be the very last charcter, immediately adjacent to the close parenthesis, square or angle bracket. When used, these characters limit the displayed characters you would expect. As they are being processed, any character which does not fit with these type modifiyers is simply skipped, and the sequence resumed when the next character of the appropriate type is found. The correct character count is maintained across non matching characters, and if necessary the program will wrap back to the beginning of the sequence to find the correct number of characters of the right type.

The most useful is the alphanumeric "m" with the ASCII sequence. Since few people have memorized the full sequence, and there is no keyboard to look at, typing in ASCII symbols and punctuation in the proper order could be a bit of a challenge. Anyone who can use a computer can count and nearly everyone knows the alphabet. If you use the "m", all you need to remember is the order is "0-9A-Za-z0-7". The last digit group is for wrap if a sequence happens to start with "z". The longest sequence is 9 and to get wrap you have to start near the end of the lower case alphabet. "z" is the last character and you can only add 8 digits including the "0".

You can use these where you wish, but if you make regular use of repeats and sequences, you are already using about the smallest sets of character groupings available. A "d" takes an already small group and reduces it to almost nothing. Even the largest grouping, the alphanumeric "m" discards a third of the useable characters. There is justification for avoiding the ASCII symbols; most people will need to take their written down passwords and lay them in front of themselveswhile they type. The others are displayed in front of you all the time on thekeyboard, or you only need to remember one character, possibly with a shift or unshift at one end. Over use of these subset limiter with repeats and keyboard sequences moves into the area of let's see how bad we can make it and still get away with it.

Words in Patterns

Words as part of patterns, along with character repeats and ASCII and keyboard sequences is part of a major enhancement introduced in June of 2012. This is part of looking for ways to make 15 character and longer passwords practical and memorable.

A single "w" will cause a randomly selected word to be dislayed at that position in the password. If all 6 through 9 character lists are installed the word will be from 2 to 9 characters long, though you will rarely if ever see a 2 character word because there are so few of them compared to the other lengths. If an upper case "W" is used, depending on the settings of flip odds and force mixed case, the first or last letter of the word is likely to be upper case.

The numeric modifiers work in a manner similar to those used with sequences and repeats. Zero and "1" are meaningless and ignored if they follow a "w" or "W". 2 through 9, used alone specify word containing that many characters. The words are selected randomly from the appropriate pool. BE AWARE there are are very few 2 and 3 character words. Use these numbers carefully.

A digit dash digit following a "w" or "W" indicates a desired length range. 3-5 should be OK as there is a moderatly large pool of five character words. You will see many 4 character words and a fair scattering of 3. The number of words increases significantly at each length up to 6, slows to 7 and becomes almost flat to 8 which has the most words. It then dips a little to 9. If you use 3 or more words, it is suggested that you at least allow for the possibility of one 8 or 9 character word. Allowing up to one 9 chararacter word in the password greatly increases the total number of words in use. The 8 and 9 character words are about 43% of the total.

By default, the word lists do not include common last names that were not already in one of the dictionaies used to build these word lists. By setting "Include last names" to 1, the size of the word lists are increased sigificantly by including a very large number of last names the U.S. Census Bureau defines as common. Most of these are not of English or West European origin and may be initially difficult to pronounce. Using these adds significantly to the strength of passwords that are made with this option turned on. If howerver you find them too difficult to pronounce, remember or type, then for you they do not make the password more useable You only need to set Include last names back to 0 and click on Submit and these names will no longer be included in the words in passwords.

Patterns in Patterns

Patterns in patters are defined with curly braces (" { } ") and provide two additional cpabilities. The first allows a character grouping to be defined in parenthesis, which may be pretty much anything with two or more characters. A single digit outside the parenthesis causes the grouping to repeat 2 to 9 times. Unlike most other pattern definitions, the first time this is used, the generated characters are saved and reused as a litteral group. This allows character groupings like "aBaBaB", "j4Pj4P" or "zuT3zuT3" to be repeated up to 9 times (with the first of those shown already repeated 3 times and the other 2 twice each).

A second optional group, also defined within parenthesis, which may be almost anything, will be used once. It may be placed before the first repeating group or after any repeating group. The trailing digit specifies the location. A zero places this second group before the repeating pattern. A 1 through 9 places it after the first through ninth repeat. If the number is greater than the number of repeats, the second group appears at the end. The second, optional group, must be defined after the first; if the order is switched, no passwords will be displayed.

The second ability is to randomize the order of elements defined within the paired curly braces. Depending on how you look at it this may be the must useful option of the many new options added in mid 2012. On one hand it undermines the notion of a constant structure to help remember passwords. On the other, it allows a set group of elements to become highly versititle.

Multiple definitions of any type may used. These include sequences which use thier normal separators and syntax. Other groups are defined in parenthesis and may be almost anything that can be defined with normal pattern characters or user defined character groups. A repeated single character group may be defined by including parenthesis in parenthesis. The usual rules for numeric modifiers apply. Everything between the paired curly braces is scanned and each element saved. Each parenthesis, or square or angle bracket pair should be followed by an "r" to indicate it is to be randomized. In addition one group may be followed by an "s" to indicate that this is a separator character or pattern.

The separator character or group my be anything from a single character defined by a backslash escape such as "\." or it may be a single character randomly selected from any pattern definintion type or user defined character set. It may also be a combination of two or more of any of these. It will be repeated between each randomized group; in other words the separator group will appear once less than the number of randomized groups that are defined. You may reverse the role of the separator group by defining a complex separator, and a series of simple randomized groups. The simple randomized groups could be a single literal or a user defined character set with as few as one characters.

The separator character or group in not necessarily constant unless it is defined in such a way that it must be, i.e., a single or multiple escaped literal character or characters or a one character user defined group. If a single pattern character is used, such as "p" for punctuation, an different character will be randomly selected from the punctuation group each time one is needed. The same applies to user defined groups with muliple characters.

If you nest words, ("w" or "W"), or sequences, ("[]" or "<>"), inside of parenthesis inside curly braces the results are unpredictable. You can have more than one pair of curly braces in a pattern provided they do not overlap or nest; the results are unpredictable if you do either. You can nest curly braces in a mirrored pattern, ("| |"), or a mirrored pattern in curly brace to one level; the results are unpredictable if you try more than one level or overlap the open and close characters. If the content is not trivial, more than one nesting of mirrored or curly brace patterns will likely create passwords too long to use.

Mirrored Passwords

A pair of vertical bars, ("| |"), will cause whatever is between the vertical bars to be mirrored. Obviously this will double the length of whatever is mirrored. I've included it because sometimes short passwords, typically 3 to 5 characters, are mirrored, so I assume this helps some people remember something while increasing its length. I have doubts about the use of this option, and it certainly should not be used to mirror a short password to make a medium size password of 10 to 14 characters.

I also have doubts about mirroring a strong 8 character or longer passwords to make a long password. If you take a well constructed 8 character password like "cuD9&Fuj" to make this "cuD9&FujjuF&9Duc" 16 character password, I doubt it will be very helpful in remembering or typing it. If you take very poor 8 or 9 character passwords like Password1 or Whatever3 and mirror it, you should not be supprised if it is cracked when a systen it is used on is compromised.

Unlike some other variations on passwords which cause hundreds to millions of variations per password, and are therefore very computationally expensive and low yeild, mirroring requres at most a doubling, and is a normal part of most rule sets already used. I dont' know what the normal cutoff length for mirroring is. I'd guess it might be around 7 to 9 characters. Even if it's only 5 or 6, if crackers begin to suspect people are starting to use longer passwords, it would be a trivial change to increase the limit to 12 characters and catch passwords up to 24 characters. The time increase would be considerably less than double as short passwords are probably already checked with mirroring, and there would still be some upper length limit excluding the longer dictonary words. Words 10 characters and longer account for about half of an unabridged dictionary's entries, and 12 and longer about a quarter. This is a cracking setting which will likely increase gradually over time.

Where I think mirroring may be of some value is in mirroring individual small elements, so the mirrored piece is only a moderate part of a considerably longer password. I think the guideline I use for individual words in a password would be an appropriate upper limit on on a mirrored piece. My guideline for words is that they should always be less than two thirds of the length of the password. This is 7 characters in a 12 character password. Since mirroring will always result in an even number of characters, this would mean 6 in a 12 character password as 8 is equal to, not less than two thirds.

My suggested limits are:
6 in 11 10 in 16 12 in 21          
6 in 12 10 in 17 14 in 22
8 in 13 10 in 18 14 in 23
8 in 14 12 in 19 16 in 24
8 in 15 12 in 20 16 in 25

Word Only Passwords

Words only was a new feature of passwords.pl, added in March 2007. Feature is the wrong word. Words Only is an entirely separate password generator, with totally independent logic, that simply shares the user interface of the pattern based password generator. Though it uses multiple dictionary words to create passwords, at 12 characters and longer, few if cracking tools running on a single computer will be able to break these passwords, except in the freakishly rare circumstances when a common phrase is formed. On Windows, pronounceable, all lower case passwords between 12 and 14 characters may be vulnerable to crackers that use rainbow tables. 12 lower case letters can easily be brute forced by a password cracking network. Because they lack character complexity, 15 character and longer, words only passwords are strongly recommended.

Unlike the pattern based password generator, which creates it's passwords one character at a time, Words Only randomly draws from a list of two through five character words and names. In test runs it created 2 duplicate passwords in one million 11 character passwords and 14 duplicate passwords in ten million 12 character passwords.

Like the pattern based password generator, little in Words Only is truly random. There is not an equal distribution of words of the various lengths. The list used is made from English dictionaries and common U.S. names which means many names of non English origin. There are well over 100 times as many five letter words as two letter words and more than twice as many five letter words as four letter words. There more than four times as many four letter words as three letter words.

There are two very different ways to select the words. Dump all the words into a common pool and draw randomly from it or to dump the words into pools of all the same size words, and decide randomly which length you want and then randomly select a word from the selected length pool. Both have problems. From the single pool you will see very few two letter words, and at 10 characters, many passwords with two five letter words. From the separate pools you will get a gross over representation of short words. If you want the maximum diversity there are about 400 times as many 10 letter passwords made of 5 two character words as there are of 2 five character words, despite the greatly larger number of five letter words, but the overall character sequence will be almost random, defeating the purpose for using words in the first place.

In order to better meet length restraints placed on the passwords, and provide a greater diversity than the common pool approach would provide, I chose a variation on the separate pools approach. The selection is not truly random. Fewer three, and many fewer two letter words are selected than a truly random selection would allow. But many more of both are included than if a combined pool had been used.

There is also logic to prevent endless loops if the minimum and maximum lengths are the same. This is not a problem when building passwords a character at a time but when using words limited to two characters or longer this can be a problem. Any time the assembled words create a password one character shorter than the required length, the password cannot be created and potentially there is an infinite loop. You could recognize the situation, discard the password, and start over. Or you could recognize the situation, and add a random character to complete the password. Since I am trying to created strong, all lower case passwords, I chose to add the letter, and randomly add it between the last two words, or at the end. Though some of the other passwords may be very awkward to pronounce, this is the only time that a truly unpronounceable password is likely to be created. There is no control over this function, except to choose minimum and maximum lengths that are at least one character different.

Password Lengths

Users can easily control the length range of the Words Only passwords in the same manner as any other, by setting the minimum and maximum password lengths. There is a restriction not applied in the pattern password generator. No Words Only password can be less than 10 characters long. Setting the minimum length to any number less than 10, automatically results in the default 11 to 12 character length. You can get 10 character passwords by setting both the minimum and maximum lengths to 10. When there is only a one or two character difference between the minimum and maximum lengths, the longer length will be heavily favored. If the spread is larger, the shorter lengths will be favored. If the spread exceeds 5 characters, you will probably never see the maximum length.

Two Character Words

You can change the frequency of two and three character words by changing the Zero and One odds. About two thirds (.65) of the two character words are discarded before they are selected. If you set Zero Odds around .01, two character words will be selected as frequently as four or five character words. If you set this somewhere over .9, two character words would be selected about as often as if they were in a common pool.

Three Character Words

Three character words are discarded just over one third (.35) of the times they would otherwise be selected. If you set One Odds around .01, three character words will be selected about as often as four and five character words. If you set One Odds somewhere between .7 and .9, three character words will be selected about as often as if they were in a common pool.

Five Character Words

The "2 through 9 odds" setting of .99 effectively eliminates the selection of a second five character word in passwords less than 13 characters. By setting this to .01 or lower you effectively remove this restraint. There is no restriction on multiple 5 character words in passwords 13 characters and longer.

Other Options

The "How many passwords?" and "Display across? (0 or 1)" options work as normal. The other options "Maximum zero characters," and the four options at the bottom of the right column, "Force Mixed Case (0 or 1)," "Force a Digit (0 or 1)," "Force a Symbol (0 or 1)," and "Digit sets per symbols" have no effect on Words Only passwords.

transparent spacer

Top of Page - Site Map

This page and the information on it my not be published or distributed under the terms of the GeodSoft Publication License. Copyright © 2000 - 2014 George Shaffer. All rights reserved.

 
Home >
How-To >
Good Passwords >
instruct.htm

What's New
How-To
Opinion
Book
                                       
Email address

Copyright © 2000-2014, George Shaffer. Terms and Conditions of Use.