c: lower case consonant
v: lower case vowel
l: lower case letter
w: lower case consonants plus common 2 and 3
character consonant sequences that start words
e: lower case consonants plus common 2 and 3
character consonant sequences that end words
C: mixed case consonant
V: mixed case vowel
L: mixed case letter
W: mixed case consonants plus common 2 and 3
character consonant sequences that start words.
Only the first character may be upper case.
E: mixed case consonants plus common 2 and 3
character consonant sequences that end words.
Only the last character may be upper case.
s: symbol or punctuation
n: non letter, i.e. digit, symbol or punctuation
m: alphanumeric, lower case letters only
M: alphanumeric, mixed case letters
a: any character, lower case letters only
A: any character, mixed case letters
h: hexadecimal (0-9, a-f)
0: zero or one of the preceding character type
1: one or more of the preceding character type
2-9: one to the specified number of the preceding
Each alphabetic pattern control character is a key which selects
an array of possible values from which one or more characters
will be pseudo randomly selected. The w, W, e and E pattern
characters may result in 1, 2 or 3 character sequences for each
pattern character; if the maximum password length does not allow
sufficient length, truncation will occur. All pattern control
characters except w, W, e and E define a single password character.
The entire pattern is processed
unless the maximum password length is reached first, at which point the
password is truncated. If the pattern is processed and the minimum
length is not reached, the password is discarded, and a new cycle
started. The digits are numeric modifiers of the preceding pattern
control character, and determin if or how many of the type of
character represented by the pattern character are included.
The user has complete control over the probability each numeric
Determines how many passwords will be displayed. Valid values are
1 - 1000; the default is 10. Invalid values will be set to the
minimum, default or maximum, depending on what is entered.
I have the high limit mostly for administrators who want to make
a list of passwords they can
assign their users as they need them, or pick and choose
from over a period of time, for their own use. If you print 1000 or 5000, especially if
you use different patterns, you can go a long time without coming back.
Even on the remote chance someone was sniffing between GeodSoft and
your computer, all they will see is a very long list of what may be
passwords. The chances that they will get associated with you and
the sniffer will know which ones you've used, or be in a position to
use the entire list as a cracking dictionary on computers you use
is awfully small.
I've had the 1000 limit and the instructions mentioning it going back to the
original password generator. It's hardly ever been used. I included most
of the preceding paragraph in "What's New" and within a day two morons
set the limit to 1000 and start clicking away on submit. With 5 to 10 seconds
between clicks, it was obvious they could not possibly be cutting and pasting
or saving in any fashion, or even looking at the individual passwords. They were
just watching a pagefull of passwords change in response to their infantile
urges. Put something in "instructions" and the large majority of people won't
read it. Put the same thing some place prominent, and someone who wouldn't
dream of reading instructions, thinks it gives them license to abuse the
A 1 causes the displayed passwords to be printed across the page
in rows. A 0 will cause passwords to be printed in a single
column. Valid values are 0 and 1 defaulted to 1.
Maximum zero characters
Sets an upper limit to the number of characters specified by a
pattern control character followed by zero that will be output in
the resulting passwords. The default is 2. If the pattern
contains more than 2 zero characters, the maximum must be
increased to the actual number for there to be any possibility
that all can actually appear. The low zero limit combined with
the relatively low odds on zero characters provides a way to
introduce comparatively small variations to a password pattern.
Sets the odds for a pattern control character followed by a zero
to be output. The default is .25 or 1 in 4. If the maximum
number of zero characters have already been output, the odds are
not used; no more zero characters are output. Before displaying
a zero character a random number between 0 and 1 is generated.
If it is less than the Zero odds, the character is output,
otherwise it is skipped. Useful values range from .1 to .9 which
are from 1 in 10 to 9 in 10 or very rarely to nearly always.
Values less than 0 or 1 and greater are never and always and
therefore not useful; they are restored to the default if entered.
Sets the odds for more than one of the preceding pattern
character type to be output. One of the appropriate character
type is output and then a random number between 0 and 1 is
generated. If the number is less than the "One odds" another
character is output and an new random number generated. The loop
continues until a random number is greater than or equal to the
"One odds" or the maximum password length is reached. The
default is .6 or 6 in 10. At the default, unless minimum or
maximum password length impose a constraint, the number of
pattern characters is mostly low (1 - 3) but very long sequences
are occasionally produced. Values less than 0 or 1 and greater
are never and always and therefore not useful; they are restored
to the default if entered.
2 through 9 odds
Sets the odds for more than one of the preceding pattern
character type to be output. After the first appropriate
character type is output, a loop constant is calculated. The
loop constant is calculated as the provided value divided by
(numeric modifier less 1). The loop constant is subtracted from
1 on the first loop and from the saved result on each successive
loop (decreasing the odds on each pass). A random number between
0 and 1 is generated and if the result is less than the
calculated result (1 - loop constant, etc.) the loop continues
until a random number is greater than the shrinking odds or the
maximum password length is reached. The default .5 produces a
fairly even distribution of character lengths from 1 to the
maximum allowed by the numeric modifier of 2 through 9 over all
values of 2 through 9. Thus with d2 there is an even chance of
the second digit being generated, password length restraints
allowing. Smaller numbers (but not less than 0) force a
clustering of longer output strings and larger numbers (less than
the numeric modifier) generate more shorter strings. Values less
than 0 or 9 and greater are not useful; they are restored to the
default if entered.
Minimum password length
Sets the minimum length in characters of the displayed passwords.
If the pattern cannot create passwords at least as long as the
minimum length, no passwords are output. Any numeric value
greater than or equal to 1 and less than or equal to the maximum
length is valid. 7 is the default minimum length.
Maximum password length
Sets the maximum password length in characters of the displayed
passwords. Password output is terminated as soon as the maximum
length is reached, truncating any password that otherwise might
have been longer. Any numeric value greater than or equal to 1
is valid. 10 is the default maximum length.
Force Mixed Case
A 1 forces the displayed passwords to contain both upper and
lower case letters; no passwords are output if the pattern
contains no mixed case type pattern control characters (C, V, L,
W, E, M or A). Valid values are 0 and 1 defaulted to 0. There
should be two or more of the mixed case control characters in the
pattern if force mixed case is set. If there is only one mixed
case pattern control character and force mixed case is set, the
mixed case character position will always be upper case. Though
the resulting passwords may appear more complex, forcing mixed
case actually reduces the number of passwords that a control
pattern can generate.
Force a Digit
A 1 forces the displayed passwords to contain at least one digit;
no passwords are output if the pattern contains no digit type
pattern control characters (d, n, a and A). Valid values are 0
and 1 defaulted to 0. There should be two or more of the n, a or
A pattern control characters and no d's if force a digit is on.
If there is only one of the n, a or A control characters and
force a digit is set, the output character will always be a
digit. Though the resulting passwords may appear more complex,
forcing a digit actually reduces the number of passwords that a
control pattern can generate. If one or more d type pattern
control characters is present, this option has no effect.
Force a Symbol
A 1 forces the displayed passwords to contain at least one symbol
or punctuation character; no passwords are output if the pattern
contains no symbol type pattern control characters (s, n, a and
A). Valid values are 0 and 1 defaulted to 0. There should be two
or more of the n, a or A pattern control characters and no s's if
force a symbol is on. If there is only one of the n, a or A
control characters and force a symbol is set, the output
character will always be a symbol or punctuation character.
Though the resulting passwords may appear more complex, forcing a
symbol actually reduces the number of passwords that a control
pattern can generate. If one or more s type pattern control
characters is present, this option has no effect.
Digit sets per symbols
Determines the number of digit sets that are placed into arrays
containing digits as well as symbols and punctuation. The default
is 3. A standard keyboard has 10 digits and 32 symbols and
punctuation characters. If an array is initialized with 1 of
each, symbols and punctuation are about 3 times as likely to
appear as a digit. By using 3 digit sets, a digit has an about
equal chance of being included but each digit is three times more
likely to appear than any specific symbol or punctuation
character. Valid values are any numeric greater than or equal to
1; large values will suppress any symbols or punctuation
characters. This is only relevant if the pattern contains one or
more of the following characters: a, A or n.
Word Only Passwords
Words only is a completely new feature of passwords.pl. Feature is
the wrong word. Words Only is an entirely new password generator, with
totally independent logic, that simply shares the user interface
of the pattern based password generator. Though it uses multiple dictionary
words to create passwords, at 11
characters and longer, few if any cracking tools will be able to break
these passwords, except in the freakishly rare circumstances when a
common phrase is formed.
Unlike the pattern based password generator, which creates it's passwords
one character at a time, Words Only randomly draws from a list of two through
five character words and names. In test runs it created 2 duplicate passwords
in one million 11 character passwords and 14 duplicate passwords in ten million
12 character passwords.
Like the pattern based password generator, little in Words Only is truly
random. There is not an equal distribution of words of the various lengths.
The list used is made from English dictionaries and common U.S. names which
means many names of non English origin. There are well over 100 times as
many five letter words as two letter words and more than twice as many
five letter words as four letter words. There more than four times as many
four letter words as three letter words.
There are two very different ways to select the words. Dump all the words
into a common pool and draw randomly from it or to dump the words into pools
of all the same size words, and decide randomly which length you want and
then randomly select a word from the selected length pool. Both have problems.
From the single pool you will see very few two letter words, and at 10 characters,
many passwords with two five letter words. From the separate pools you will
get a gross over representation of short words. If you want the maximum diversity
there are about 400 times as many 10 letter passwords made of 5 two character
words as there are of 2 five character words, despite the greatly larger
number of five letter words, but the overall character sequence will be
almost random, defeating the purpose for using words in the first place.
In order to better meet length restraints placed on the passwords, and provide
a greater diversity than the common pool approach would provide, I chose a
variation on the separate pools approach. The selection is not truly random.
Fewer three, and many fewer two letter words are selected than a truly random
selection would allow. But many more of both are included than if a combined
pool had been used.
There is also logic to prevent endless loops if the minimum and maximum lengths
are the same. This is not a problem when building passwords a character at a time
but when using words limited to two characters or longer this can be a problem.
Any time the assembled words create a password one character shorter than the
required length, the password cannot be created and potentially there is an infinite
loop. You could recognize the situation, discard the password, and start over. Or
you could recognize the situation, and add a random character to complete the password.
Since I am trying to created strong, all lower case passwords, I chose to add the
letter, and randomly add it between the last two words, or at the end. Though
some of the other passwords may be very awkward to pronounce, this is the only
time that a truly unpronounceable password is likely to be created. There is no control
over this function, except to choose minimum and maximum lengths that are at
least one character different.
Users can easily control the length range of the Words Only passwords in the same
manner as any other, by setting the minimum and maximum password lengths.
There is a restriction not applied
in the pattern password generator. No Words Only password can be less than 10
characters long. Setting the minimum length to any number less than 10, automatically
results in the default 11 to 12 character length. You can get 10 character passwords by
setting both the minimum and maximum lengths to 10. When there is only a one or
two character difference between the minimum and maximum lengths, the longer
length will be heavily favored. If the spread is larger, the shorter lengths
will be favored. If the spread exceeds 5 characters, you will probably never see
the maximum length.
Two Character Words
You can change the frequency of two and three character words by changing the
Zero and One odds. About two thirds (.65) of the two character words are
discarded before they are selected. If you set Zero Odds around .01, two character
words will be selected as frequently as four or five character words.
If you set this somewhere over .9, two character words would be selected
about as often as if they were in a common pool.
Three Character Words
Three character words are discarded just over one third (.35) of the times
they would otherwise be selected. If you set One Odds around .01, three character
words will be selected about as often as four and five character words.
If you set One Odds somewhere between .7 and .9, three character words will
be selected about as often as if they were in a common pool.
Five Character Words
The "2 through 9 odds" setting of .99 effectively eliminates the selection of
a second five character word in passwords less than 13 characters. By setting
this to .01 or lower you effectively
remove this restraint. There is no restriction on multiple 5 character words in
passwords 13 characters and longer.
The "How many passwords?" and "Display across? (0 or 1)" options work as normal.
The other options "Maximum zero characters,"
and the four options at the bottom of the right column, "Force Mixed Case (0 or 1),"
"Force a Digit (0 or 1)," "Force a Symbol (0 or 1)," and "Digit sets per symbols"
have no effect on Words Only passwords.
Top of Page -
This page and the information on it my not be published or distributed under the
terms of the GeodSoft Publication License.
Copyright © 2000 - 2014 George Shaffer. All rights reserved.