
Password Generator Pattern Samples


The Password Generator can create passwords of nearly any description. Passwords can be completely random, using one of several character sets, but the real power is in structured passwords that aid in memorizing them. By structured I mean putting certain kinds of characters at specific places in the generated passwords. The patterns may be rigid and entirely deterministic, or as sloppy as the user wishes. By sloppy I mean the user can add much or little randomness, so that one of a series of related patterns may be created, or the "pattern" can be little more than a loose selection of where certain types of letters might go. Once the type of character is chosen, either by a rigid pattern or by program logic and probability, the actual character selection is random.

As a side effect of Password Generator's configurability, it can create various "keys", usernames, random numbers in hex and base 10, and probably several other kinds of semi-random strings. It certainly cannot, as at least one so-called password generator claimed, create serial numbers, the very definition of which requires some degree of sequential progression. It is not a password safe, and does not integrate with any application to create or manage a particular type of password. Password Generator is a general purpose password creator which has been online since March 2001. It is up to the user to decide what type, and how strong, passwords should be for various purposes. This page should assist the user in making such decisions.

General Considerations

This section is a crash course in some of the key points I make in my long Passwords Howto section. Those who've read other parts of the site may know that my first password generator was based on one used in the State Department in the mid 1980s. This always created passwords in the form cvc99cvc, where cvc is consonant, vowel, consonant and 99 is any two digits: two easily pronounceable bits around an easy to remember 2 digit number. The whole was quite easy to remember and quite strong for its day. These are probably still better than 99% of the passwords in use, though if a cracker suspects the pattern is being used, it will take about 7 minutes to crack. Actually, with today's tools the cracker would first have to create a script to write the list of possible values to disk. That should take around an hour or so, and perhaps another hour or so to run the script, writing them to disk.

There are two essential concepts to be learned from the State Department work. Memorable passwords can be made from multiple small pieces, each of which is easy to remember by itself, and the pieces should not be related. The State Department used very small pieces, which were adequate for computers of the time and helped overcome user resistance, because the generated passwords were so different from the single word or name based passwords that most people automatically select. To create stronger passwords, longer and/or more pieces can be used, different types of pieces can be used, and the location of the pieces can and should be varied.

The question that always needs to be asked first is whether the combination of length and character diversity is sufficient to stop any brute force attack, and if it is, whether there is any reason to suspect that a potential attacker can program a dictionary that includes the whole password. Password hashes are always created from the entire password (except for Windows up through NT and 2000), and changing any character anywhere in the password completely changes the hash. The hash is never assembled from separate bits and pieces (except for Windows up through NT and 2000). If the answer to the first question is yes, and to the second no, then you have a strong password.

The question of whether the entire password is random is completely meaningless. It's also largely self defeating. Any random password long enough and with sufficient character diversity to resist a brute force attack will need to be written down. It will be very difficult, if not impossible, to remember. With effort, if it's used immediately several times and on a daily basis, random passwords around 8 characters can be learned. If you go on a three week vacation and don't use the password, there is a very good chance you won't remember it, even if you'd been using it for a year.

Because of the difficulty of typing random passwords into blind fields, there is a very good chance that such a password will be stored electronically in plain text on the computer(s) from which it will be used, so it can be cut and pasted into password fields. It might be in a word processing document or spreadsheet, hopefully password protected. It might be stored in a password safe, which may or may not have a password algorithm stronger than the office type products. Because most of these are proprietary, you only have the developer's word that they use strong encryption and implement it well.

Using either an office application or a password safe raises the question of how strong the master password is, and where it might be stored. I am often amazed how bad the password choices are that people make. If you take the password safe approach, your master password is the key to all your computer accounts. I recently talked with a brilliant, very successful computer professional who uses the password safe approach. He admitted that his master password was all numeric. There is less character diversity in digits than in any other character type. If computer professionals have trouble getting this right, perhaps we shouldn't expect ordinary users to do better. I have to admit that for the first half or so of my career, nearly all my passwords appear in my common password list, even long after I knew about the State Department passwords.

The people who make a big deal about how random their password generators are understand that given sufficient randomness plus sufficient complexity, it is possible to guarantee passwords that cannot be cracked. What these people do not understand, or simply refuse to acknowledge, is that the sole purpose of strong passwords is to prevent potential attackers from cracking these passwords, and that strength plus unpredictability are sufficient to accomplish this. True randomness is not necessary, and may not even be helpful given its other drawbacks.

A potential cracker has to work with the computers and tools available today. A strong password needs to be able to defeat these and any that are likely to become available during the expected lifetime of the password. My updated cracking times table shows how to measure password strength. There is no right level. Do you want to stop a local script kiddie, a professional cracker who targets commercial operations for financial gain, or a government agency like the NSA? Pick the right length and character diversity (complexity) combination and your password will not fall to a brute force attack. When you get into passwords around 10 (11 for safety) or more characters from the 95 character set, or 14 (15 for safety) or more lower case letters, even NSA is not going to brute force crack them. It is possible that NSA has other techniques that depend on knowledge of psychology, plus frequency of letters, syllables, and words, that amount to super sophisticated programmed attacks the rest of us will never know about.

Make some mistakes in creating your password, and your password may fall to a well designed dictionary attack in a few minutes or less. That's why it's critical never to use a password that's based on a variation of any single word, and here "word" means any single character sequence that has ever appeared in a publicly available electronic list or that can be picked off your own hard drive. A potential danger of pattern and word based passwords is that you can't be sure the funny sounding password you just picked isn't a popular slang word in the nearest country that speaks a different language, or that the really random string you just used isn't actually a reversed, keyboard shifted common word. A password checker or evaluator should catch the latter, but not the former.

That's why the word based passwords need to be long, so they have 5, 6, or 7 syllables and the chance of them being meaningful in any language is infinitesimal. And complex passwords need at least three unrelated components. You can have a five or six character dictionary word in a 12 character password, if the rest is unrelated and unpredictable. There are around 20,000 five letter words and common names in the U.S. Adding two digits at the end is simple for today's cracking tools. Adding seven characters of any or all types, when you don't even know where the word is in relation to the other letters, simply is not an option with any publicly available password cracking tool, and 20,000 times 2 years sort of puts it out of reach, even if you know how to program it. And what if the word is 6 characters instead, or two four character words, or no words?

There are so many ways of putting pieces together that will defeat any known cracking tool that there is no point to, and some very good reasons for, avoiding true randomness. This password generator is meant to help people find their own way to create strong passwords. In my password how-to section, as a thought experiment, I describe a way to make strong passwords from the names, initials, birthdays, and birth locations of family members. This defies all common advice on creating passwords, but I challenge anyone to show how to go about cracking these passwords. Of course if you know these are exactly the pieces a password was made of, making all possible combinations up to say 15 characters is probably practical, but I was showing that you could make unconventional abbreviations from names and places and unconventional date formats. In six years I've never received a single comment on this section.

It's important to make the distinction between randomness and unpredictability, because many in the computer field, especially in the area of passwords, have confused means and ends. We want unpredictability, that is, we want passwords a potential adversary cannot predict. We want passwords for which an adversary cannot develop a method to recreate our passwords. If our means of creating a password are predictable, then an adversary can develop a method to discover them. If, for example, we use common words, uppercase the first letter, and add a 1 to the end, an adversary can take a dictionary (electronic word list), try each base word, uppercase the first letter, append a 1, and both uppercase and append, for every word in the dictionary, and find our password regardless of what word we chose.

That's what cracking is about, predicting how most people create passwords. Actually this is known from multiple previous studies. Many people use keyboard sequences like "qwerty" so enter these and all other known common passwords into a cracking dictionary. Add normal words and names on which to perform all the common variations people are known to use. Voila! Most of the passwords on any system are revealed by these simple predictable methods.

One other point very much affects the limits for practical passwords. If there is no explicit site policy against writing passwords down, then the options are much greater. I believe a man's wallet or a woman's purse generally has a high degree of security in most business environments, while still being readily accessible to the proper owner. High quality locked filing cabinets and desk drawers will also do, if only the password owner has the keys. Safes and safety deposit boxes have uses, but not for ordinary, day to day passwords. To be considered secure, the list must stay in the wallet or purse or other secure location except when it is actually being used.

The account names the passwords are for should not be identified and the computer or system the password is for should be something physical or a simple numbering scheme from oldest to newest system. Physical location, brands, or models may be OK. IP addresses and hostnames should never be used. If you follow these guidelines, even if a list is lost or stolen, the chances are slim that anyone will make use of it. You will still need to promptly change all the passwords as a precaution.

If the list belongs to technical staff it will have root or administrator passwords on it. If any computers are identified by hostname, that should be sufficient for any adversary with access to the inside, or who can get through the firewall. I can't think of a worse way to identify a computer than by IP address, especially when root, wheel, and administrator passwords are involved. Prior to the Internet, the large majority of security breaches and crimes were caused by employees. An employee is in by far the best position both to steal a poorly protected password list and to make improper use of it.

Words Only

Each of the following creates passwords by almost randomly selecting 2 to 5 character words from a list of words and names. See the Password Generator Words Only Instructions for a technical discussion of how to control the randomness of the selection.

Weak: 10 characters, the shortest allowed Words Only password. Note that nine odds are set to .99. This effectively eliminates two five character words in one password (less than 13 characters). This eliminates what I thought would be "too easy" passwords among the shorter passwords. This also reduces the number of possible passwords. Reset it to .001 to eliminate this feature. A determined cracker with access to an array of hacked computers or a computer lab could get these with patience. There are 4.24 trillion 10 character passwords that can be made from the list used. At a million cracks a second this would take 1.61 months. The raw list would require 42 terabytes of disk space.
Moderately Weak: 11 characters. As technology moves on, these are likely to be crackable by an increasingly wide assortment of adversaries. Nine odds are set to .99 (see previous). NSA can probably get these today without much effort. There are 63.5 trillion 11 character passwords that can be made from the list, and cracking them all at 1 million hashes a second would take 2 years. The raw data would require 698 terabytes.
Strong: 12 characters. Nine odds are set to .99 (see "Weak"). 12 characters will be rather more of a task for NSA today, and most of the rest can forget about it. There are 1,172 trillion 12 character passwords that can be made from the list, and at 1 million hashes per second this would take 37.2 years. The raw data would require 14,062 terabytes of disk storage.
Very Strong: 13 to 15 characters. It's doubtful even NSA could crack the 13 character passwords, and 15 characters is far beyond the reach of any foreseeable technology.

There are two caveats on all these passwords. They are not made of 10 to 15 individual random characters (though sometimes it may look that way) but of words and names. There is always a possibility that a known phrase like "tobetruetoyou" will appear. Never use one of these. There is also the possibility of an attacker using only the most common words and names, and assembling the easiest passwords of the various lengths. If you can't find a password in the first group presented to you, then you are looking for an easy password, and the odds shift toward the attacker. If it takes you 10 screens of 10 character Words Only passwords to find an acceptable password, you are misusing the tool, and greatly increasing the likelihood that your password can be cracked.

In considering the resources required to crack these passwords, it is always useful to remember that password cracking is a problem that scales well and fairly easily with parallel processing. The times given can be greatly reduced by anyone with access to an array of computers, or to computers much faster than desktop systems. An array could be composed of all the computers previously compromised by a potential attacker via internet attacks, the desktop computers in a business that shuts down for the night, or anything available to anyone with access to a computer lab off hours. On a UNIX computer, a task run at the lowest priority ("nice -n 19") will be almost entirely unnoticeable to an interactive user, since such a task defers to all other requests for computer resources. Unless an interactive user runs a system monitor that shows CPU at 100%, such a task is unlikely to be detected, since everything feels normal. Such a task can still easily use 70 - 95% of the computer's resources, depending on what type of tasks the user performs. Similar considerations apply to 8 and 9 character passwords from the full keyboard.

I consider 10 to 11 character Words Only passwords somewhat "borderline", in that an attacker with much more than a single desktop system may be able to get them with a custom, programmed dictionary attack. Of course the attacker must suspect such passwords are in use before they can even consider the appropriate attack. Crackers using traditional dictionary attacks or any variation on a brute force attack should not be able to get any of these passwords.

The 10 character passwords represent about 1% of the possible fully random lower case passwords of similar length. I have not done the calculations for the longer passwords.

I chose to include the disk space requirements for 10 - 12 character passwords. With unmodified tools currently available, these lists would first need to be written to disk. The disk space requirements show that beyond 10 characters this will certainly not be generally feasible, and very few potential attackers would have even the disk space required for 10 character passwords. The sizes are just for the passwords, without separators such as spaces or newlines, and do not consider compression, since the list must first be made before it can be compressed.

Any attacker with the resources to seriously consider attacking these passwords would most likely have the resources to modify existing cracking tools, assuming they are not already using their own tools unknown to others, so that the list would never be written to disk. The computer resources needed to create one of these passwords are minuscule compared to those required to hash the password. The logical approach would be to tie a front end generator directly into the cracking tool and pass the passwords in memory, one at a time, as needed to the cracking tool.

I have not done the calculations for the longer passwords. Most of the calculation is done by a program, but one key piece has not been automated. I'll provide the numbers after this last piece is programmed.

Word Like

Nearly all pattern control characters represent a single character (possibly modified by a numeric suffix), but there are four special pattern control characters that may represent up to three characters without any numeric modifier. These are 'W', 'w', 'e', and 'E'. Each of these is comparable to a consonant, except that the common two and three consonant sequences that often begin and end English words have been added to the consonants to form arrays containing both single and multi character sequences. The w's are word beginnings and the e's are word endings; switching the order creates nonsense sequences that defeat the purpose of using these sequences. The upper case W and E may contain an upper case character, but if present it will always be the first character in a W sequence and the last character in an E sequence.

The simplest pseudo word sequence is the "cvc" sequence that was the premise on which my first password generator was built and is discussed in various places, including below. "cvc" stands for consonant, vowel, consonant, but is so fundamental to this Password Generator and discussed in so many places that below it will simply be referred to as a cvc sequence, and it is assumed that the reader understands. There are probably more three letter English words that fit this pattern than any other. Mostly we are looking for slightly more ambitious pseudo words, so we start with "wve", which is an obvious variation on cvc. Sometimes there are two vowels in the middle, which can be represented by "vv", "vv0", or "v2". With "vv" there will always be two vowels. With default zero odds there is about a 25% chance of a second vowel with "vv0". With default nine odds there is about a 50% chance of a second vowel with "v2". The pseudo word structure can be extended by adding an additional consonant and vowel after the first vowel. In its simplest form this looks like "wvcve". Most (not all) of the 'e' consonant sequences work in the middle of words as well as at the end, so an alternate pattern could be "wveve". Alternatively the middle consonant could be randomized with any of "cc", "cc0", or "c2", with the same odds applicable as discussed for vowels.

The 'w' and 'e' pattern characters should never be followed by a numeric modifier. At best it will create 2 consonants, which would be better and more reliably accomplished with a 'C' or 'c' followed by a numeric modifier. At worst it will create completely unpronounceable gibberish, i.e., long, not random consonant strings with no vowels. If you want random letters, use 'L' or 'l' with numeric modifiers; see Mixed Structure below.

Thus some additional pseudo word patterns are "wv2ev2e", "wvv0c2vv0e", "wvv0cc0vv0e", "wvv0evv0e", or "wv2c2v2e", and some others. We can return to cvc and make cvcvc, which is mostly pronounceable and can be varied in most of the ways that the wve patterns can, plus some others. For this discussion we will work with wve patterns. The leading and trailing 'w' and 'e' could easily be replaced by 'W' and 'E', or a center 'c' by 'C'. Any or all of the lower case pattern letters could be replaced with their upper case counterparts, but all upper case pattern letters leads to nearly random case, which is very hard to remember.

An easy to remember pattern that runs counter to the normal capitalization trends is "wVv0c2Vv0e", where the first or only vowel in each position could be upper case. Another variation is "wvV0cvV0e", where the optional vowel might be upper case. With default settings, this makes an upper case vowel less likely. Force mixed case could be set to force at least one upper case vowel, and also force at least one double vowel sequence. With the first pattern, force mixed case would assure an upper case vowel without changing the odds on a two vowel sequence.

You should nearly always add either or both digits and symbols. There are two reasons: character diversity for strength, and length, so that the 'w' and 'e' pattern characters are not forced to provide multi character sequences to make up the password's minimum length. "wve" might be forced to yield a 7 character password, but there are less than 200 possibilities. A seven character password created from "cccvccc" has 320 million possibilities. Some examples follow:

WvevEsd: A basic pseudo word pattern, followed by 1 symbol and 1 digit. Force mixed case is set so at least one end will be upper case.
WvEs2d1: Simplest pseudo word pattern, 1 or 2 symbols, and 1 or more digits. Force mixed case is set so either or both of the first and last letter will be upper case.
Wvv0enn0cvC: A pseudo word start, with 1 or 2 non letters, and a cvc end. Force mixed case is set so either or both of the first and last character will be upper case. Force digit is set so there will be 1 or 2 digits, or a digit and a symbol.
Wvv0evv0Esd: A pseudo word sequence described above, with a symbol and one digit at the end. Force mixed case is set so either or both of the first and last letter will be upper case.
Wvcn2cvE: 1 or 2 non letters separate two simplified pseudo word sequences. Force mixed case is set so either or both of the first and last character will be upper case. Force digit is set so there will be one or two digits, or a digit and a symbol in either order.

Care must always be used in estimating the strength of any password with a control pattern containing a 'w' or 'e'. Where 2 and 3 character sequences appear at the 'w' and 'e' locations, the passwords are somewhat stronger than if only a single character had been selected, but are not nearly as strong as the password's length would suggest. The extra characters do throw a curve into the cracker's efforts. Correctly estimating the strength of these passwords is not as straightforward as when each character is selected independently (somewhat like the true word based passwords).

I think the correct way to calculate the strength of the password would be to treat these multi character sequences as a single character, with the number of possibilities equal to the number of unique entries in the array from which the sequence was drawn. As I won't divulge the number of array elements, others cannot accurately estimate these passwords' strength, and I won't provide this either, as that would be the same as identifying the number of array elements.

There is another problem suggested above. The control pattern must provide sufficient length to meet the password's minimum length requirement, with each 'w' and 'e' providing only one character of the password's length. All the sample patterns meet this requirement. If the 'w' and 'e' must provide more than one character, then a situation similar to the less than 200 that looks like 320 million arises. It's not likely to be this extreme if you've been at all careful in your pattern design, but coming up even one character short will significantly weaken the password, though there will be no way to know this. You must understand how many characters the control patterns provide.

Even if everything is done right, the Password Evaluator greatly overestimates the strength of these passwords, because it has no way of knowing the letters were supplied in groups rather than individually. Removing the extra characters will provide a slightly low but more accurate estimate of the password's strength. I've seen a pseudo word password drop from a 13 to a 6 strength rating when the three extra letters were removed. That's 7 orders of magnitude, or a ten million times difference. This overstates the difference, because crackers are not generally prepared for 12 character passwords.

Pronounceable Bits

Pronounceable bits come from a consonant, vowel, consonant sequence, which is almost always pronounceable in the English language. This is denoted as cvc and is how it will be referred to for the rest of the discussion. How long and how many bits? That will depend on the type of characters used in a password, on the person who has to do the remembering, and on whether there is a site policy prohibiting writing down passwords.

Since we are talking about pronounceable bits, we will start with letters. If a truly pronounceable letter sequence is used, there is almost no limit to how long the sequence can be. From the Words Only password generator, which shares the user interface with the pattern password generator but has entirely independent logic for creating passwords, I've learned that even 15 character sequences can be manageable, and 12 is often quite comfortable. In any batch of 10 twelve character passwords, I find that there are typically 1 to 3 that are just too awkward regardless of the effort you put into it. At the other end, 2 to 4 are quite easy to pronounce once you figure out which pieces to put together and where to place the accents. That leaves 3 to 7 that have a valid pronunciation, but it may be awkward or difficult. I'd focus on the easily pronounceable ones. Rarely you get one that is genuinely funny in its absurd meaninglessness or self contradiction.

But those all start with words that are almost by definition pronounceable. When working with random letters, the chances of getting a pronounceable sequence drop fairly quickly with the length. cvc is pronounceable in the upper 90% range. Any of the letters can be doubled with a pretty good chance of getting something pronounceable, and all can be doubled with a modest chance of a pronounceable result. A zero after a pattern character means, with default settings, there is a 25% chance of a corresponding character and a 2 after a character guarantees at least one with a 50% chance of the second. Thus 'v2' is twice as likely to produce two vowels as 'vv0'.

In the following sequences the ones at the beginning are most likely to produce pronounceable bits, and the ones at the end least likely: cvv0c, cc0vc, cvcc0, cv2c, c2vc, cvc2, cc0vv0c, cvv0cc0, cc0v2c, cv2cc0, c2v2c, cv2c2, cc0vcc0, c2vcc0, cc0vc2, c2v2c, cv2c2, cc0vv0cc0, cc0v2cc0, c2v2cc0, c2vv0c2, cc0v2c2, c2v2c2. Of course the flip side is the first six patterns are limited to a maximum of four characters, while the last six can create six character patterns.

The cvcvc variation borders on pseudo word territory. I could enumerate all the variations on this but obviously they would start at six characters and end with 10. I think a double vowel is very slightly more likely to be pronounceable than a doubled consonant. I have no reason to believe that a doubled leading consonant is any more likely to be pronounceable than a trailing consonant but always put these first in the previous list just to be consistent. The large majority of 3 and 4 character patterns will be pronounceable. A fair number of 5 and 6 letter sequences will be pronounceable, but as you get to 10 letters only a very few will be pronounceable.

I don't know what the largest meaningless digit string is that we can easily remember, but I'm reasonably sure it's between 3 and 6 digits. Most of us know our phone number and social security number, and these are longer than 6 characters, but there is good reason for learning and remembering both of these. On the other hand, I'd bet most of us don't know our driver license number, or even our car's license plate number if it is still new and not a vanity plate.

Of course the nature of the number greatly affects how easy it is to remember. I still remember my last phone number. It had an easy exchange, and the last four digits were successive multiples of a single digit. Even after 11 years I sometimes have trouble with my current phone number. The exchange is a large 3 digit prime number, and the smallest number the seven digits are divisible by is 103. Of course repeats (111111) and sequences (123456) are not meaningless. Generally these and the alternate sequences (2468, acegi, adgjl) should be avoided. On the other hand, a sequence of three digits that's no more than 25% of the password, and is not at the end of the password, probably won't give most crackers a useful advantage. That means it is part of a 12 character password. I get uneasy with a three character sequence in a 10 character password, but it also depends on how the rest of the password is built.

Except for the Words Only type passwords, which get their strength from length, every password should contain at least one digit, and arguably two is better. Generally you do not want short numeric strings at the end of short or medium length passwords. BUT if the rest of your password has no relationship to any dictionary word, this should not matter. With longish passwords, say 10 and longer, there should be no problem with digit strings of any length at the end of the password, provided they are not much over half the total password. Since there are fewer digits than any other character type, except when distinguishing between vowels and consonants, it's probably not a good idea to have a large majority of a password made up of the weakest character type.

A quick look at the following two numbers, 248163264 and 392781243, probably won't reveal them as sequences, but they certainly are. Take a suitable three to five digits out of these and the relationship will probably be pretty obscure, but to anyone with any interest in numerical relationships, they will likely be much easier to remember than a pseudo random sequence of equal length. Probably better from a password perspective are pseudo random sequences that don't have a real relationship but are easier to remember because of a limited relationship. There is nothing that I know of that gives 306 any special properties, but two of the three digits do have a relationship, whereas it's hard to see much of any relationship in 174. Learning to spot and pick the displayed passwords that have some kind of meaning, or just seem easier to remember, is an important part of using pattern based passwords.

The control character for digits is 'd'. As with letters, 'dd0' and 'd2' may both produce one or two digits, but 'd2' is twice as likely to produce the second digit: the lengths allowed by a numeric modifier are about equally likely, so 'd2' gives two digits half the time, while the default zero odds of .25 give 'dd0' its optional second digit only a quarter of the time. A 'd5' will produce anything from 1 to 5 digits with the distribution of different lengths pretty equal, provided the d5 doesn't come at the end of the control pattern and get truncated by a maximum length that does not allow all 5 to appear. A 'd1' creates one or more digits. Typically a few are produced but occasionally a freakishly long string will result. Raising the one odds above the default .6 can quickly create much longer strings. Generally the '1' modifier should be reserved for use on the last two control pattern characters, unless you lower the one odds. If it is used on the first control pattern character with the default odds, occasionally you will see a password that is all that first type of character that the 1 modifies. As the one odds approach 1.0, such as 0.99999999, the resulting strings are naturally very long, and normally controlled by the maximum password length. Before I set a password length limit of 500 characters, I created a password well over 2 million characters. This practically locked up the computer for almost half an hour and crashed the browser. I recovered the password from the browser cache.

For the purposes of the password generator, I'm going to lump all symbols and punctuation together and simply refer to them as symbols. There are no separate arrays for punctuation and symbols, and the control character for both is 's'. All passwords should have at least one symbol; arguably 2 is better. Symbols are the hardest characters to remember because they have no obvious relationships to other symbols or to other characters. More than three symbols in a password is going to make it hard to remember and to type. I find that mentally pronouncing the name of the symbol is the best way to help remember them: slash, period, dash, pound, at sign, percent, equals, etc.

Most often non letters are used to separate cvc sequences and their variants. 'n' stands for all non letters, which combines digits with symbols. There are 33 symbols including the space, but only 10 digits, so by default the password generator uses three digit sets (30 digit entries against 33 symbols) to get an almost equal chance of getting a digit or a symbol. The number of digit sets is user controllable; values outside the range of 1 to 6 don't make much sense.

If we move the non letters around this may allow one cvc to run into another cvc, creating cvccvc, which looks a lot like the 'cvcvc' pattern and even more like the output of some of its variants. It's not as visually distinctive as separating the two cvc groups, nor likely to be quite as pronounceable, but that is part of the price we pay as we seek unpredictability. Remember from the General Considerations above, our goal is unpredictability, not necessarily randomness or complexity, though passwords strong enough to resist brute force, dictionary, or programmatic attacks will necessarily have some degree of both randomness and complexity.

d0d0cvcd0d0cvcd0d0 This will always have 6 letters in two cvc sequences and 2 digits. The already low zero odds are lowered from .25 to .05 so that the two permitted optional digits are not nearly always used up before the tail end is reached, which lets 2 digit sequences appear there. The two digits are most often separated but can appear as a pair at the front, middle or end. A minimum length of 8 assures any password without 2 digits is discarded. The default max zero count prevents more than two digits. The strength rating based on length and character diversity is identical to the original State Department passwords, but there are 6 times as many possible passwords.
n0n0cvcn0n0cvcn0n0 This will always have 6 letters in two cvc sequences and 2 non letters. The already low zero odds are lowered from .25 to .05 so that the two permitted optional non letters are not nearly always used up before the tail end, which lets 2 non letter sequences appear there. The two non letters are most often separated but may be paired at the front, middle or end. A minimum length of 8 assures any password without 2 non letters is discarded. The default max zero count prevents more than two non letters. Force digit and force symbol are both set so there will always be one of each. The strength rating based on length and character diversity is higher, and the number of possible passwords much higher, than for the original State Department passwords.
cvCnnCvc 8 characters: two cvc's separated by 2 non letters. Optionally upper casing the inner consonants, plus allowing symbols as well as digits, makes these much stronger than the State Department originals.
cv2CnnCv2c Like the previous pattern with optional double vowels. Force mixed case and force digit are set. There can be 1 or 2 digits or a digit and symbol in either order.
dsCvv0cvv0C A fixed digit and symbol precede a cvcvc variant where either or both vowels may be doubled. Force mixed case is set, assuring that the first letter, the last letter, or both are upper case.
cvcvcsdd 8 characters: pseudo word followed by one symbol and two digits.
dncvcvcnd 9 characters: pseudo word surrounded by symmetrical symbols and digits.
CvcncvCn 8 characters: cvc and nonletter repeats, outer consonants optionally upper case. Both force digit and symbol are set so there will always be one of each in either order.
nCvcL0cvCn Non letters flank 2 cvc sequences, optionally separated by a fully random letter. Force mixed case, force digit, and force symbol are all set. There will always be one digit and one symbol. There will be one to three upper case letters, at either end and perhaps in the middle.
cvcL0nn0L0cvc Simple cvc ends surround 2 random letters, with one or two non letters. Force mixed case is set and only the random letters can be upper case; at least one must appear as upper case despite the zero odds. Force digit is set so there will be 1 or 2 digits or a digit and symbol in either order.
L0cvcnn0cvcL0 Optional fully random letters flank 2 cvc sequences with 1 or 2 non letters between. Force mixed case is set so at least one of the random letters will appear as upper case.
Cc0vcc0n2Cc0vcc0 This is the default pattern. A standard cvcddcvc pattern is varied with four optional lower case consonants, of which at most 2 can appear. The 2 digits are replaced by one or two non letters, and the leading consonant in each group may be upper case. At its simplest it may be 6 lower case letters and a digit. It can also be 10 characters with mixed case and two symbols, or a digit and a symbol.
cvcAAAcvc 9 characters. Simple cvc sequences flank three apparently random characters. Force mixed case, force digit, and force symbol are all set so the middle will be one upper case letter, one digit and one symbol, in any order.
Cvv0c0Csd1 A short normally 4 character pseudo word followed by a symbol and one or more digits. Zero odds are raised from .25 to .65 making selection of an optional character very likely but maximum zero characters is reduced to 1 so only one optional character can be used. The length range is increased to 9 to 12 (from the default 7 to 10).
Cvv0c0Csd3Cvv0c0C Two 3 to 5 character letter sequences, most of which can be pronounced, surround a symbol and 1 to 3 digits. Any or all four of the end consonants may be upper case. Zero odds are increased from .25 to .65, almost assuring the selection of optional characters, but only 2 of the four optional characters can be used, so there will never be more than 8 letters. The length range is increased from the default 7 to 10 up to 9 to 12. These are strong passwords with decent memorability characteristics.
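The following is an added example, not the GeodSoft Password Generator's own code: a small Python re-implementation of the pattern language as this page describes it (the c, v, d, s, n, l/L, m/M, a/A and h controls; the 0, 1 and 2 to 9 modifiers; zero odds, one odds, max zero count, digit sets, the length range and the three force flags), plus a counter for how many distinct strings a pattern can produce, which is what the "6 times as many possible passwords" comparison above is measuring. It also runs the Mixed Structure and Random patterns further down the page. Everything the page does not state is an assumption and is marked as such in the code: a letter drawn for an upper case control is capitalised with 50% odds, the symbol set is the 32 ASCII punctuation characters plus the space, and a candidate that misses the minimum length or a force flag is discarded and regenerated.

```python
"""Toy pattern password generator in the style this page describes.
Added example, not the GeodSoft Password Generator's own code; the 50% upper-case
odds, the exact symbol set and discard-and-retry on failure are assumptions."""
import itertools
import math
import random
import secrets
import string

CONSONANTS = "bcdfghjklmnpqrstvwxyz"
VOWELS = "aeiou"
LETTERS = string.ascii_lowercase
SYMBOLS = string.punctuation + " "  # 32 ASCII symbols plus the space = 33
# Distinct characters per control; upper-case controls also count the capitals
# (C = 21 consonants x 2, A = 26 + 26 + 10 + 33).
ALPHABET_SIZE = {"c": 21, "C": 42, "v": 5, "d": 10, "s": 33, "n": 43,
                 "l": 26, "L": 52, "m": 36, "M": 62, "h": 16, "a": 69, "A": 95}

def char_classes(digit_sets=3):
    """Pool each control draws from. 'n' repeats the digits digit_sets times
    so a digit (30 entries) and a symbol (33) are about equally likely."""
    pools = {"c": CONSONANTS, "v": VOWELS, "d": string.digits, "s": SYMBOLS,
             "n": string.digits * digit_sets + SYMBOLS, "l": LETTERS,
             "m": LETTERS + string.digits, "h": "0123456789abcdef",
             "a": LETTERS + string.digits + SYMBOLS}
    for lower in "clma":  # upper-case controls share the pool; case is decided per char
        pools[lower.upper()] = pools[lower]
    return pools

def parse(pattern):
    """(control, modifier): None = one char, 0 = optional, 1 = one or more, N = 1..N."""
    valid, tokens, i = char_classes(), [], 0
    while i < len(pattern):
        if pattern[i] not in valid:
            raise ValueError(f"unknown control character {pattern[i]!r}")
        mod = int(pattern[i + 1]) if pattern[i + 1:i + 2].isdigit() else None
        tokens.append((pattern[i], mod))
        i += 1 if mod is None else 2
    return tokens

def generate(pattern, *, zero_odds=0.25, one_odds=0.6, max_zero=2, min_len=7,
             max_len=10, digit_sets=3, upper_odds=0.5, force_digit=False,
             force_symbol=False, force_mixed=False, seed=None, max_tries=10000):
    """One password. seed is only for reproducible tests; with seed=None the
    OS CSPRNG (secrets.SystemRandom) is used."""
    rng = secrets.SystemRandom() if seed is None else random.Random(seed)
    tokens, pools = parse(pattern), char_classes(digit_sets)
    for _ in range(max_tries):
        out, zeros_used = [], 0
        for ctl, mod in tokens:
            if mod == 0:  # optional: subject to the zero odds and the max zero count
                if zeros_used >= max_zero or rng.random() >= zero_odds:
                    continue
                zeros_used, count = zeros_used + 1, 1
            elif mod == 1:  # one or more: each extra character needs the one odds (assumed)
                count = 1
                while rng.random() < one_odds:
                    count += 1
            else:
                count = 1 if mod is None else rng.randint(1, mod)
            for _ in range(count):
                ch = rng.choice(pools[ctl])
                if ctl.isupper() and rng.random() < upper_odds:
                    ch = ch.upper()  # no-op for digits and symbols
                out.append(ch)
            if len(out) >= max_len:
                break  # the maximum length truncates the rest of the pattern
        pw = "".join(out[:max_len])
        if (len(pw) < min_len
                or force_digit and not any(c.isdigit() for c in pw)
                or force_symbol and not any(c in SYMBOLS for c in pw)
                or force_mixed and not any(c.isupper() for c in pw)):
            continue  # too short or a force flag unmet: discard and retry (assumed)
        return pw
    raise RuntimeError("these settings never yielded a valid password")

def count_outputs(pattern, *, max_zero=2, min_len=7, max_len=10):
    """Distinct strings a pattern can yield, ignoring the odds and force flags.
    Layouts that expand to the same class sequence ('d0d0' with either digit
    taken alone) are counted once, which is how the page compares patterns."""
    options = []
    for ctl, mod in parse(pattern):
        counts = ([1] if mod is None else [0, 1] if mod == 0
                  else range(1, (max_len if mod == 1 else mod) + 1))  # 1-runs truncate
        options.append([(ctl, mod, k) for k in counts])
    sequences = set()
    for layout in itertools.product(*options):
        if sum(k for _c, mod, k in layout if mod == 0) <= max_zero:
            seq = tuple(c for c, _m, k in layout for _ in range(k))[:max_len]
            if len(seq) >= min_len:
                sequences.add(seq)
    return sum(math.prod(ALPHABET_SIZE[c] for c in seq) for seq in sequences)

def pattern_bits(pattern, **settings):
    return math.log2(count_outputs(pattern, **settings))  # entropy upper bound

if __name__ == "__main__":
    for pat in ("d0d0cvcd0d0cvcd0d0", "Cc0vcc0n2Cc0vcc0", "cvcAAAcvc", "Ll6ss0d9"):
        print(f"{pat:<20} {generate(pat):<12} {pattern_bits(pat):5.1f} bits")
```

Run as a script it prints one sample and the bit count for four of the patterns above. The bit count is an upper bound only: the zero odds, one odds and force flags make some outputs far more likely than others, and, as the General Considerations section notes, a cracker who knows the pattern searches only that space rather than the full character set, so judge a pattern by count_outputs, not by the length and diversity of its samples.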

Mixed Structure

I use "Mixed Structure" to mean patterns where groups or individual types of characters are arranged in some kind of sequence, but any letter patterns do not attempt to create pronounceable strings. 'L' and 'l', for any letter optionally upper case and any lower case letter respectively, are used rather than 'c' or 'v', since those are the core components of pronounceable sequences. This is a step closer to random. Patterns can be fixed length and rigidly structured, or fairly amorphous, where a potentially quite variable length of one type of character is followed by a variable length of a different type of character, possibly with some kind of fixed sequence between. These are probably best explained by examples.

lllsdddsllls 12 characters: 3 letters, 3 digits, 3 letters, each followed by a symbol
L0l0dddsdddl0L0 A symmetric pattern with asymmetrical results. In the middle a single symbol is surrounded by 2 groups of 3 digits. The outer ends are two optional letters on each side, the outermost of which may be upper case. Zero odds are increased from .25 to .6 so the optional letters are much more likely to appear, but the max zero characters setting limits the optional characters that appear to 2.
lllLsddd 8 characters. 4 letters, the last of which may be upper case, followed by 1 symbol and 3 digits.
dsLllllL 8 characters. A digit and symbol followed by 6 letters. The first and last letter may be upper case. Force mixed case is set so one letter must be upper case.
Llll0l0ss0dddd0d0 3 to 5 letters, 1 or 2 symbols, 3 to 5 digits. Zero odds are increased from .25 to .4 and maximum zero characters is increased to three. The pattern appears to allow 12 characters but 5 are optional and only 3 optional characters are allowed so the maximum length is actually 10. It could be as short as 7 if no optional characters are selected. The first letter may be upper case.
Ll6ss0d9 A highly variable pattern that anticipates truncation. 2 to 7 letters the first of which may be upper case. 1 or 2 symbols and 1 to 9 digits. The pattern could produce from 4 to 18 characters but the default minimum length of 7 and maximum length of 10 are left in place.
Ll1s2d9 2 to 10 letters (the password maximum length), the first of which may be upper case. 1 or 2 symbols, with nominally 1 to 9 digits, but with even the minimum number of letters and symbols there is only room for 7 digits as the default maximum length of 10 is in place. This is a case where the 1 modifier is used on the second pattern character. An occasional password is all letters with no room for symbols or digits.
Ll1sd1Ll1 An optionally upper case letter followed by 1 or more letters, 1 symbol, 1 or more digits, another optionally upper case letter, and 1 or more letters. Force mixed case is set so there will be at least one upper case letter. With three 1 modifiers, this is a highly variable pattern. Some 7 character passwords use the last pattern character, and rarely, the second letter consumes the password's entire 10 character limit. I increased the length range to 15 to 20, and on the first try got a 16 character password with two pronounceable 7 letter sequences separated by a single symbol and digit.


Random

Here we get to true random passwords. The choices are largely limited to which character set to use, how long the passwords are, and how many to generate.

aaaaaaaa 8 characters from the full character set without upper case. Digit count is set to one to prevent over representing digits.
AAAAAAA1 7 to 10 characters from the full keyboard including mixed case. Digit count is set to 1 to prevent over representing digits.
A1 Very large (64 character) passwords using the full character set. Digit count is set to 1 to avoid over representing digits. One odds are set to 0.999999 to ensure a long character sequence. Both minimum and maximum length are set to 64. I set the minimum length to 1 manually, and in over a dozen tries all were 64 characters. If I kept trying, eventually a short string would show up.
h1 Long (30 character) hexadecimal passwords.
h1 Random 8 digit hex numbers. NOT intended as passwords.
d1 Random 6 digit numbers. NOT intended as passwords.
l1 10 to 13 character lowercase letters only. One odds are upped to .8 and length settings changed.
L1 9 to 12 character mixed case letters. One odds are upped to .8 and length settings changed. Force mixed case is set to ensure an upper case character, so it's not entirely random.
m1 10 to 13 character lower case only, alphanumeric. One odds are set to .8 and length settings changed.
M1 9 to 12 character mixed case alphanumeric. One odds are set to .8 and length settings changed. Force mixed case is set to ensure an upper case letter, so it's not truly random.


Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in (or These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of (or cgi-bin/ from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.
