Password Generator Pattern Samples
The Password Generator can create passwords of nearly
any description. Passwords can be completely random, using one of several
character sets, but the real power is in structured passwords that aid in
memorizing them. By structured I mean putting certain kinds of characters
at specific places in the generated passwords. The patterns may be rigid and
entirely deterministic or may be as sloppy as the user wishes. By sloppy
I mean the user can add much or little randomness so that one of a series
or related patterns may be created or the "pattern" can be little more than
a loose selection where certain types of letters might go. Once a choice of
the type of character is made, either by a rigid pattern, or program logic
and probability, the actual character selection is random.
As a side effect of Password Generator's configurability
it can create various "keys", usernames, random numbers in hex and base 10,
and probably several other kinds of semi random strings. It certainly cannot,
as at least one so called password generator claimed, create serial numbers,
the very definition of which requires some degree of sequential progression.
It is not a password safe, and does not integrate with any application to
create or manage a particular type of password. Password Generator is a
general purpose password creator which has been online since March 2001. It
is up to the user to decide what type, and how strong, passwords should be
for various purposes. This page should assist the user in making such
This section is a crash course in some of the key points I make in my long
Passwords Howto section. Those who've read other parts
of the site may know that my first password generator was based on one used in the
in the mid 1980's. This always created passwords in the form of cvc99cvc where cvc
is consonant, vowel, consonant and 99 is any two digits: two easily pronounceable
bits around an easy
to remember 2 digit number. The whole was quite easy to remember and quite strong
for its day. These are probably still better than 99% of the passwords in
use, though if a cracker suspects the pattern is being used, it will take about 7 minutes to crack.
Actually with today's tools, the cracker would have to first create a script to write the
list of possible values to disk. That should take around an hour or so
and perhaps another hour or so to run the script, writing them to disk.
There are two essential concepts that need to be learned from the State Department
work. Memorable passwords can be made from multiple small pieces, each of which
is easy to remember by itself, and the pieces should not be related. The State
Department used very small pieces which were adequate for computers of the time,
and to help overcome user resistance, because the generated passwords were so
different than the single word or name based passwords that most people
automatically select. To create stronger passwords longer and or more pieces
can be used, different types of pieces can be used, and the location of the
pieces can and should be varied.
The question that always needs to be asked first is the combination
of length and character diversity sufficient to stop any brute force
attack, and if this true, then is there any reason to suspect that a
potential attacker can program a dictionary that includes the whole
password. Password hashes are always created from the entire password
(except for Windows up through NT and 2000) and changing any character
anywhere in the password completely changes the hash. The hash is
never assembled from separate bits and pieces (except for Windows up
through NT and 2000). If the answer to the first question is yes,
and no to the second, then you have a strong password.
The question, is the entire password random, is completely meaningless.
It's also largely self defeating. Any random password long enough and with
sufficient character diversity to resist a brute force attack will need
to be written down. It will be very difficult if not impossible to remember.
With effort, if it's used immediately several times, and on a daily
basis, random passwords around 8 characters can be learned. If
you go on a three week vacation and don't use the password, there is
a very good chance you won't remember it, even if you'd been using it
for a year.
Because of the difficulty of typing random passwords into
blind fields, there is a very good chance that such a password will be
stored electronically in plain text on the computer(s) from which it
will be used, so it can be cut and pasted into password fields.
It might be in a word processing document or spreadsheet,
hopefully password protected, It might be stored in a password safe, which
may or may not have a password algorithm stronger than the office
type products. Because most of these are proprietary, you only
have the developers word that they use strong encryptions and
implement it well.
Both using an office application or password safe raise the question
of how strong the master password is, and where it might be stored.
I am often amazed how bad the password choices are that people make.
If you take the password safe approach, your master password is the
key to all your computer accounts. I recently talked with a brilliant,
very successful computer professional who uses the password safe approach.
He admitted that his master password was all numeric. There is less
character diversity in digits than any other character type. If
computer professionals have trouble getting this right, perhaps we shouldn't
expect ordinary users to do better. I have to admit that for the
first half or so of my career, nearly all my passwords appear in my
common password list, even long after I knew about the State Department
The people who make a big deal about how random their password generators
are understand that given sufficient randomness, plus sufficient complexity,
it is possible to guarantee passwords that cannot be cracked. What these
people do not understand, or simply refuse to acknowledge is that the sole
purpose of strong passwords is to prevent potential attackers from
cracking these password, and that strength plus unpredictability are
sufficient to accomplish this. True randomness in not necessary, and
may not even be helpful given its other drawbacks.
A potential cracker has to work with computers and tools available today.
A strong password needs to be able to defeat these and any that are likely
to become available during the expected lifetime of the password. My
updated cracking times table shows how to measure password strength. There
is no right level. Do you want to stop a local script kiddie, a professional
cracker who targets commercial operations for financial gain, or a government
agency like the NSA. Pick the right length and character diversity (complexity)
combination and your password will not fall to a brute force attack.
When you get into passwords around 10 (ll for safety) or more characters from the 95
character set or 14 (15 for safety) or more lower case letters, even
NSA is not going to brute force crack them. It is possible that NSA has
other techniques that depend on knowledge of psychology, plus frequency
of letters, syllables, words, that amount to super sophisticated programmed
attacks the rest of will never know about.
Make some mistakes in creating your password, and your password may
fall to a well designed dictionary attack in a few minutes or less. That's
why it's critical never to use a password that's based on a variation of
any single word, and here word means any single character sequence that has
ever appeared in an publicly available electronic list or that can be
picked off your own hard drive. A potential danger of pattern and word
based passwords, is that you can't be sure the funny sounding password
you just picked isn't a popular slang word in the nearest country
that speaks a different language, or the really random string you just
used isn't actually a reversed, keyboard shifted common word. A password
checker or evaluator should catch the latter, but not the former.
That's why the word based passwords need to be long, so they have have
5, 6, or 7 syllables and the chance of them being meaningful in any language
is infinitesimal. And complex paswords need at least three unrelated
components. You can have a five or six character dictionary word in
a 12 character password, if the rest is unrelated and unpredictable.
There are around 20,000 five letter words and common names in the U.S.
Adding two digits at the end is simple for today's cracking tools. Adding
seven characters of any or all types, when you don't even know where the
word is in relation to the
other letters, simply is not an option, with any publically available
password cracking tool, and 20000 times 2 years sort of puts it out
of reach, even if you know program it. And what if the word is 6
characters instead, or two four character words, or no words?
There are so many ways of putting pieces together, that will defeat any
known cracking tool, that there is no point to, and some very good reasons
for avoiding true randomness. This password generator is meant to help
people find there own way to create strong passwords. In my password how-to
section, as a
I describe a way to make strong passwords from the names, initials, birthdays,
and birth locations of family members. This defies all common advice
on creating passwords, but I challenge anyone to show how to
go about cracking these passwords. Of course if you know these are exactly
the pieces a password was made of, making all possible combinations up to
say 15 characters is probably practical, but I was showing that you could make
unconventional abbreviations from names and places and unconvetional date formats.
In six years I've never received a
single comment on this section.
It's important to make the distinctions between randomness and unpredictability
because many in the computer
field, especially in the area of passwords, have confused means and ends. We want
unpredictability, that is we want passwords a potential adversary cannot predict.
We want passwords for which an adversary cannot develop a method to recreate our passwords.
If our means of creating a password are predictable then an adversary can develop
a method to discover them. If, for example, we use common words, uppercase the
first letter, and add a 1 to the end, an adversary can take a dictionary (electronic
word list) try each base word, uppercase the first letter, append a 1, and both uppercase
and append, to every word in the dictionary and find our password regardless
of what word we chose.
That's what cracking is about, predicting how most people create passwords. Actually
this is known from multiple previous studies. Many people use keyboard sequences like
"qwerty" so enter these and all other known common passwords into a cracking dictionary.
Add normal words and names on which to perform all the common variations people are
known to use. Voila! Most of the passwords on any system are revealed by these simple
One other point very much affects the limits for practical passwords. If there is
no explicit site policy against writing passwords down, then options are much
greater. I believe a man's wallet or women's purse generally have a high degree of
security in most business environments, while still being readily accessible, to
the proper owner. High quality locked filing cabinets and desk drawers will
also do, if only the password owner has the keys. Safes and safety deposit boxes
have uses, but nor for ordinary, day to day passwords. To be considered secure,
the list must stay in the wallet or purse or other secure location except when it
is actually being used.
The account names the
passwords are for should not be identified and the computer or system the
password is for should be something physical or a simple numbering scheme
from oldest to newest system. Physical location, brands, or models may be
OK. IP addresses and hostnames should never be used. If you follow these
guidelines, even if a list is lost or stolen, the chances are slim that
anyone will make use of it. You will still need to promptly change all
the passwords as a precaution.
If the list belongs to technical
staff it will have root or administrator passwords on it. If any computers are
identified by hostname that should be sufficient for any adversary with access
to the inside, or who can get through the firewall. I can't think of a worse
way to identify a computer than by IP address, especially when root, wheel,
and administrator passwords are involved. Prior to the Internet, the large
majority or security breaches and crimes were caused by employees. An employee
is in by far the best postition both to steal a poorly protected password
list, and to make improper use of it.
Each of the following creates passwords by almost randomly selecting
2 to 5 character words from a list of words and names. See the Password
Generator Words Only
Instructions for a technical discussion of how to control the randomness
of the selection.
Weak 10 characters, the shortest allowed Words Only password. Note that nine odds are
set to .99. This effectively eliminates two five character words in one password (less than
13 characters). This eliminates what I thought would be "too easy" passwords in the shorter
passwords. This also reduces the number of possible passwords. Reset it to .001 to eliminate
A determined cracker with access to an array of hacked computers or a computer lab could get
these with patience. There are 4.24 trillion 10 character passwords that can be made from
the list used. At a million cracks a second this would take 1.61 months. The raw list would
require 42 terabytes of disk space.
Moderately Weak 11 characters: As technology moves on, these are
likely to be crackable by an increasingly wide assortment of adversaries. Nine odds
are set to .99 (see previous). NSA can probably get
these today without much effort. There are 63.5 trillion 11 character passwords that can
be made from the list, and cracking them all at 1 million hashes a second would thak 2 years.
The raw data would require 698 terabytes.
Strong Nine odds are set to .99 (see "Weak"). 12 characters will be rather more
of a task for NSA today and most of the rest can forget about it. There are 1,172 trillion
12 character passwords that can be made from the list and at 1 million hashes per second
this would take 37.2 years. The raw data would require 14,062 terabytes for disk storage.
Very Strong 13 to 15 characters: It's doubtful even NSA could crack
the 13 character passwords and 15 characters is far beyond the reach of any foreseeable
There are two caveates on all these passwords. They are not made of 10 to 15 individual
random characters (though sometimes it may look that way) but words and names. There is always
a possibility that a known phrase like "tobetruetoyou" will appear. Never use one of these.
There is also the possibility of an attacker using only the most common words and names, and
assembling the easiest passwords of the various lengths. If you can't find a password in
the first group presented to you, then you are looking for an easy password, and the odds
shift toward the attacker. If it takes you 10 screens of 10 character Words Only passwords,
to find an acceptable password,
you are misusing the tool, and greatly increasing the likelihood that your password can
In condidering the resources required to crack these passwords, it is always useful
to remember that password cracking is a problem that scales well and fairly easily
with parallel processing. The times given can be greatly reduced by any one with
access to a array of computers or computers much faster than desktop systems. An
array could be composed of all the computers previously compromised by a potential
attacker via internet attacks, the desktop computers in a business that shuts down
for the night, or anyone with access to a computer lab off hours. On a UNIX computer,
a task run at the lowest priority ("nice -n 19) will be almost entirely unnoticable
to an interactive user since such a task defers to all other requests for computer
resources. Unless an interactive user runs a system monitor that shows CPU at 100%,
such a task is unlikely to be detected, since
every thing feels normal. Such a task can still easily use 70 - 95% of the computer's
resorces depending on what type of tasks the user performs. Similar considerations
apply to 8 and 9 character passwords from the full keyboard.
I consider 10 to 11
character Words Only passwords somewhat "borderline" in that an attacker with much more than
a single desktop system may be able to get them with a custom,
programmed dictionary attack. Of course the attacker must suspect such passwords
are in use before they can even consider the approriate attack. Crackers
using traditional dictionary attacks or any variation on a brute force
attack should not be able to get any of these passwords.
The 10 chracter passwords represent about 1% of the possible fully random lower
case passwords of similar length. I have not done the calculations for the longer
I chose to include the disk space requirements for 10 - 12 character passwords.
With unmodified tools currently available these lists would first need to be written
to disk. This disk space requirements show that certainly beyond 10 characters
this will not generally be feasible, and very few potential attackers would
have even the disk space required for 10 charactera passwords. The sizes are just
for the passwords, without
separators such as spaces or newlines and does not consider compression since the
list must first be made before it can be compressed.
Any attacker with the resources to serious consider attacking these passwords
would most likely have the resorces to modify existing cracking tools, assuming
they are not already using their own tools unknown to others, so that the list
would never be written to disk. The computer resources to create one of these
passwords in miniscule to that required to hash the password. The logical
approach would be to tie a front end generator directly into the cracking tool
and pass the passwords in memory one at at time as needed to the cracking tool.
I have not done the calculations for the longer passwords. Most of the
calculation is done by a program, but one key piece has not been automated.
I'll provide the numbers after this last piece is programmed.
Nearly all pattern control characters represent a single character (possibly
modified by a numeric suffix) but there are four special pattern control characters
that may represent up to three characters, without any numeric modifier. These
are 'W', 'w', 'e', and 'E'. Each of these is comparable to a consonant, except
that the common two and three consonant character sequences that often begin and
end English words, have been added to the consonants to form arrays containing both single
and multi character sequences. The w's are word beginnings and the e's are word
endings; switching the order creates nonsense sequences that defeat the purpose
of using these sequences. The upper case W and E may contain an upper case character
but if present, it will always be the first character in a W sequence and the
last character in an E sequence.
The simplest pseudo word sequence is
the "cvc" sequence that was the premise on which my first password generator
was built and is discussed in various places, including below. "cvc" stands for
consonant, vowel, consonant, but is so fundamental to this Password Generator
and discussed so many places that below, it will simply be referred to as
a cvc sequence, and assumed that the reader understands. There are probably
more three letter English words that fit this pattern than any other. Mostly
we are looking for slightly more ambitious pseudo words so we start with
"wve" which is an obvious variation on cvc. Sometimes there
are two vowels in the middle which can be represented by "vv", "vv0", or "v2".
With "vv" there will always be two vowels. With default zero odds there is about
a 25% chance of a second vowel with "vv0". With default nine odds there is about
a 50% chance there will be a second vowel with "v2". The pseudo word structure
can be extended by adding a additional consonant and vowel after the first
vowel. In its simplest form this looks like "wvcve". Most (not all) of the 'e' consonant
sequences work in the middle of words as well as at the end so an alternate
pattern could be "wveve". Alternatively the middle consonant could be randomized
with any of "cc", "cc0", or "c2", with the same odds applicable as discussed
The 'w' and 'e' pattern characters should never be followed by
a numeric modifier. At best it will create 2 consonants, which would be
better and more reliably acomplished with a 'C' or 'c' followed by
an numeric modifier. At worst it will created completely unpronounceable
gibersh, i.e., a long not random consonat strings with no vowels.
If you want random leters use 'L' or 'l' with numeric modifiers
see Mixed Structrue below.
Thus some additional pseudo word patterns are "wv2ev2e", "wvv0c2vv0e",
"wvv0cc0vv0e", "wvv0evv0e", or "wv2c2v2e" and some others. We can return
to cvc and make cvcvc which is mostly pronounceable and can be varied
in most of the ways that the wve patterns can, plus some others. For this
discussion we will work with wve patterns. The leading and
trailing 'w" and 'e' could easily be replaced by 'W' and 'E' or a center 'c' by
'C'. Any or all of the lower case pattern letters could be replaced with their
upper case counterparts, but all uppercase pattern letters leads to nearly
random case which is very hard to remember.
An easy to remember pattern
that runs counter to the normal capitalization trends is "wVv0c2Vv0e"
where the first or only vowel in each position could be upper case.
Another variation is wvV0cvV0e where the optional vowel might be
upper case. With defualt settings, this makes an upper case vowel
less likely. Force mixed case could be set to force at least one
upper case vowel, and also force at least one double vowel sequence.
With the first pattern, force mixed case would assure an upper
case vowel, without changing the odds on a two vowel sequence.
You should nearly always add either or both digits and symbols. There
are two reasons, character diversity for strength, and length so that the
the 'w' and 'e' pattern characters are not forced to provide multi character
sequences to make up the password's minimum length. "wve" might be forced
to yield a 7 character password but there are less than 200 possibilities.
A seven character password created from "cccvccc" has 320 million possibilities.
Some examples follow:
WvevEsd A basic pseudo word pattern, followed by 1 symbol and 1 digit. Force
mixed case is set so at least one end will be upper case.
WvEs2d1 Simplest pseudo word pattern, 1 or 2 symbols, and 1 or more digits.
Force mixed case is set so either or both the first and last letter will be
Wvv0enn0cvC A pseudo word start, with 1 or 2 non letters, and a cvc end. Force
mixed case is set so either or both the first and last character will be upper case.
Force digit is set so there will be 1 or 2 digits or a digit and symbol.
Wvv0evv0Esd A pseudo word sequence described above with a symbol and one digit end.
Force mixed case is set so either or both the first and last letter will be upper case.
Wvcn2cvE 1 or 2 non letters separate two simplified pseudo word sequences
Force mixed case is set so either or both the first and last character will
will be upper case. Force digit is set so there will be one or two digits, or
a digit and a symbol in either order.
Care must always be used in estimating the strength of any password with
a control pattern containing a 'w' or 'e'. Where 2 and 3 character sequences
appear at the 'w' and 'e' locations the passwords are somewhat stronger
than if only a single character had been selected, but are not nearly as
strong as the password's length would suggest. The extra characters do
throw a curve into the crackers efforts. Correctly estimating the strength
of these passwords is not straight forward as when each character is selected
independently (somewhat like the true word based passwords).
I think the correct way to calculate the strength of the password would be
to treat these multi character sequences as a single character, with the
number of possibilities equal to the number of unique entries in the array
from which the sequence was drawn. As I won't divulge the number of array
elements others cannot accurately estimate these password's strength, and
I won't provide this either as that would be the same as identifying the
number of array elements.
There is another problem suggested above. The control pattern must
provide sufficient length to meet the password's minimum length requirement,
with each 'w' and 'e' providing only one character of the password's length.
All the sample patterns meet this requirement. If the 'w' and 'e' must
provide more that one character, then a situation similar to
the less than 200 that looks like 320 million arises. It's not likely to
be this extreme, if you've been at all careful in your pattern design, but
comming up even one character short will significantly weaken the password,
though there will be no way to know this. You must understand how many
characters the control patterns provide.
Even if everything is done right,
the Password Evaluator, greatly over estimates the strength of these
passwords because it has no way of knowing the letters were supplied in
groups rather than individually. Removing the extra characters will
provide a slightly low but more accurate estimate of the password's
strength. I've seen a pseudo word password drop from a 13 to a 6 strength
rating when the three extra letters were removed. That's 7 orders of
magnitude or a ten million times difference. This overestimates the
difference because crackers are not generally prepared for 12 character
Pronounceable bits comes from a consonant, vowel, consonant sequence which is almost
alway pronounceable in the English language. This is denoted as cvc and is how it
will be referred to for the rest of the discussion.
How long and how many bits? That will depend on both the type of characters
used in a password, and the person who has to do the remembering, and if
there is a site policy prohibiting writing down passwords.
Since we are talking about pronounceable bits we will start with
letters. If a truly pronounceable
letter sequence is used, there is almost no limit to how long the sequence can
be. From the Words Only password generator, which shares the user interface with
the pattern password generator, but has entirely independent logic for creating
passwords, I've learned that even 15 character sequences can be manageable, and
12 is often quite comfortable. In any batch of 10 twelve character passwords, I
find that there are typically
1 to 3 that are just too awkward regardless of the effort you put into it. At the
other end 2 to 4 are are quite easy to pronounce once you figure out which
pieces to put together and where to place the accents. That leaves 3 to 7 that
have a valid pronunciation but it may be awkward or diffcult. I'd focus on
the easily pronouncable ones. Rarely you get one that is genuinely funny in its
absurd meaningless or self contradiction.
But those all start with words that are almost by definition pronounceable.
When working with random letters, the chances of getting a pronounceable
sequence drop fairly quickly with the length. cvc is pronounceable in the
upper 90% range. Any of the letters can be doubled with a pretty good
chance of getting something pronounceable, and all can be doubled with a
modest chance of a pronounceable result. A zero after a pattern character
means, with default settings, there is a 25% chance of a corresponding character
and a 2 after a character guarantees at least one with a 50% chance of the
second. Thus 'v2' is twice as likely to produce two vowels as 'vv0'.
In the following sequences the ones at the beginning are
most likely to produce pronounceable bits, and the ones at the end least
likely: cvv0c, cc0vc, cvcc0, cv2c, c2vc, cvc2, cc0vv0c, cvv0cc0, cc0v2c,
cv2cc0, c2v2c, cv2c2, cc0vcc0, c2vcc0, cc0vc2, c2v2c, cv2c2, cc0vv0cc0,
cc0v2cc0, c2v2cc0, c2vv0c2, cc0v2c2, c2v2c2. Of course the flip side is the first
six patterns are limited to a maximum of four characters, while the last
six can create six character patterns.
The cvcvc variation borders on pseudo word territory.
I could enumerate all the variations on this but obviously they would
start at six characters and end with 10. I think a double vowel is
very slightly more likely to be pronounceable than a doubled consonant.
I have no reason to believe that a doubled leading consonant is any more
likely to be pronounceable than a trailing consonant but always put these
first in the previous list just to be consistent. The large majority of
3 and 4 character patterns will be pronounceable. A fair number of 5 and
6 letter sequences will be pronounceable, but as you get to 10 letters
only a very few will be pronounceable.
I don't know what the largest meaningless digit string that we can
easily remember is but I'm reasonably sure its between 3 and 6 digits.
Most of us know our phone number and social security number, and these
are longer than 6 characters, but there is good reason for learning and
remembering both of these. On the other hand, I'd bet most of us don't
know our driver license number, or even our car's license plate number
if it still new and not a vanity plate.
Of course the nature of the number greatly affects how easy it is to remember.
I still remember my last phone number. It had an easy exchange and the
last four digits were successive multiples of a single digit. Even after
11 years I sometimes have trouble with my current phone number. The
exchange is a large 3 digit prime number, and the smallest number the
seven digits are divisible by is 103. Of course repeats (111111) and
sequences (123456) are not meaningless. Generally these and the alternate
sequences (2468, acegi, adgjl) should be avoided. On the other hand,
a sequence of three digits, that's no more than 25% of the password,
and is not at the end of the password probably won't give most crackers
a useful advantage. That means it is part of 12
character password. I get uneasy with a three character sequence in a
10 character number, but it also depends on how the rest of the
password is built.
Except for the Words Only type passwords, which
get their strength from length, every password should contain at least
one digit, and arguably two is better. Generally you do not want short numeric strings
at the end of short or medium length passwords. BUT if the rest of your
password has no relationship to any dictionary word this should not matter.
With longish passwords, say 10 and longer there should be no problem with
digit strings of any length at the end of the password, provided they are
not much over half the total password. Since there are less digits than any other
character type, except when distinguishing between vowels and consonants,
it's probably not a good idea to have a large majority of a password made up of the
weakest character type.
A quick look at the following two numbers, 248163264 and 392781243, probably
won't reveal them as sequences but they certainly are. Take a suitable three
to five digits out of these and the relationship probably will be pretty
obscure, but to anyone with any interest in numerical relationships, will
likely to be much easier to remember than a pseudo random sequence of equal
length. Probably better from a password perspective are pseudo random sequences
that don't have a real relationship but are easier to remember because of a
limited relationship. There is nothing that I know of that gives 306 any
special properties, but two of the three digits do have a relationship,
whereas its hard to see much of any relationship in 174. Learning to
spot and pick the displayed passwords that have some kind of meaning
or just seem easier to remember, is an important part of using pattern
The control character for digits is 'd'. As with letters 'dd0' and 'd2'
may both produce one or two digits with 'd2' being twice as likely to. A 'd5'
will produce anything from 1 to 5 digits with the distribution of different
lengths pretty equal, provided the d5 doesn't come at the end of the control
pattern and get truncated by a maximum length that does not a allow all
5 to appear. A 'd1' creates one or more digit. Typically a few are produced
but occasionally a freakishly long string will result. Raising the one odds
above the default .6 can quickly create much longer strings. Generally the
'1' modifier should be reserved for use on the last two controll pattern
characters, unless you lower the one odds. If it is used on the first
control pattern character with the default odds, occasionally
you will see a password that is all that first type of character that the 1
modified. As the one odds approach 1.0, such as 0.99999999, the resulting
strings are naturally very long, and normally controlled by the maximum
password length. Before I set a password length limit of 500 characters, I created
a password well over 2 million characters. This practically locked up the
computer for almost half an hour and crashed the browser. I recovered the
password from the browser cache.
For the purposes of the password generator, I'm going to lump all symbols
and punctuation together and simply refer to them as symbols. There are
no separate arrays for punctuation and symbols, and the control character for
both is 's'. All passwords should have at least on symbol; arguably 2 is better.
Symbols are the hardest characters to remember because they have no obvious
relationships to other symbols or to other characters. More that three symbols
in a password is going to make it hard to remember and to type. I find
that mentally pronouncing the name of the symbol is the best way to help
remember them: slash, period, dash, pound, at sign, percent, equals, etc.
Most often non letters are used to separate cvc sequences and variants.
'n' stands for all non letters which combines digits with symbols. There
are 33 symbols including the space, but only 10 digits. By default password
generator uses three digit sets to get an almost equal chance of getting
a digit or symbol. This is user controlable. Values outside the range of
1 to 6 don't make much sense.
If we move the non letters around this may allow cvc to run into another cvc,
creating cvccvc, which looks a lot like the 'cvcvc' pattern and even more
like the output of some of it's variants would look. It's not
as visually distinctive as separating the two cvc groups, nor likely to be
quite as pronounceable, but that is part of the price we pay as we seek
unpredictability. Remember from the
General Discussion above, out goal is unpredictability,
not necessarily randomness or complexity, though sufficiently strong
passwords that won't be brute force, dictionary, or programatically
attacked will necessarily have some degree of both randomness and complexity.
d0d0cvcd0d0cvcd0d0 This will always have 6 letters in two cvc sequences and 2
digits. The already low zero odds are lowered from .25 to .05 to allow 2 digit sequences at
the tail end. The two digits are most often separated but can appear as a pair
at the front middle or end. A minimum length of 8 assures any password without 2 digits
is discarded. The default max zero count prevents more than two digits. The strength
rating based on length and character diversity is identical to the original State
Department passwords, but there are 6 times as many possibile passwords.
n0n0cvcn0n0cvcn0n0 This will always have 6 letters in two cvc sequences and 2
non letters. The already low zero odds are lowered from .25 to .05 to allow 2 non letter sequences at
the tail end. The two non letters are most often separated but may be paired
at the front middle or end. A minimum length of 8 assures any password without 2 non letters
is discarded. The default max zero count prevents more than two non letters. Force digit and
symbol are both set so there will allways be one of each. Both the strength
rating based on length and character diversity is higher and the number of password patterns
is much higher than the original State Department passwords
cvCnnCvc 8 characters: two cvc's separated by 2 non letters. Optionally upper casing the
inner consonates plus allowing symbols or digits makes these much stronger
than the State Department originals.
cv2CnnCv2c Like the previous pattern with optional double vowels. Force mixed case and
force digit are set. There can be 1 or 2 digits or a digit and symbol in either order.
dsCvv0cvv0C Fixed digit and symbol precede a cvcvc variant where either or
both vowels may be doubled. Force mixed case is set assuring either or both the
first and or last letter are upper case.
cvcvcsdd 8 characters: pseudo word followed by one symbol and two digits.
dncvcvcnd 9 characters: pseudo word surrounded by symmetrical symbols and digits.
CvcncvCn 8 characters: cvc and nonletter repeats, outer consonants optionally upper case.
Both force digit and symbol are set so there will always be one of each in either order.
nCvcL0cvCn Non letters flank 2 cvc sequences, optionally separated by fully random letter.
Force mixed case, digit, and symbol all set. There will always be one digit and one symbol.
There will be one to three upper case letters, at either end and perhaps in the middle.
cvcL0nn0L0cvc Simple cvc ends surround 2 random letters, with one or two non letters.
Force mixed case is set and only the random letters can be upper case; at least one must appear
as upper case despite the zero odds. Force digit is set so there will be 1 or 2 digits or
a digit and symbol in either order.
L0cvcnn0cvcL0 Optional fully randon letters flank 2 cvc sequences with 1 or 2
non letters between. Force mixed case is set so at least one of the random letters
will appear as upper case.
Cc0vcc0n2Cc0vcc0 This is the default pattern. A standard cvcddcvd pattern
is varied with four optional lower case consonants, but at most 2 can appear.
2 digits are replaced by one or two non letters and the leading consonant in each
group may be upper case. At its simplest it may be 6 lower case letters and a digit.
It can also be 10 characters with mixed case and two symbols or a digit and a symbol.
cvcAAAcvc 9 characters. Simple cvc sequences flank three apparently random
characters. Force mixed case, force digit, and force symbol are all set so the middle
will be one upper case letter, one digit and one symbol, in any order.
Cvv0c0Csd1 A short normally 4 character pseudo word followed by a symbol and one or more digits.
Zero odds are raised from .25 to .65 making selection of an optional character very likely but maximum
zero characters is reduced to 1 so only one optional character can be used. The length range is increased
to 9 to 12 (from the default 7 to 10).
Cvv0c0Csd3Cvv0c0C Two 3 to 5 character letter sequences, most of which can be
pronounced, surround a symbol and 1 to 3 digits. Any or all four of the end consonants
may be upper case. One odds are increased from .25 to .65 almost assuring the selection
of optional characters but only 2 of the four optional characters can be used so there
will never be more than 8 letters. Length range is increased from the default 7 to 10
up to 9 to 12. These are strong passwords with decent memorability characteristics.
I use "Mixed Structure" to mean patterns where groups or individual types of characters
are arranged in some kind of sequence, but any letter patterns do not attempt attempt
to create pronounceable strings. 'L' and 'l' for
and any letter, optionally upper or lower case only respectively, are used rather
than 'c' or 'v' since these
are the core components of pronounceable sequences. This is step closer to random.
Patterns can be fixed length, rigidly structured or fairly amorphous where a potentially
quite variable length of one type of character is followed by another variable length
different type of character, possibly with some kind of fixed sequence between.
These are probably best explained by examples.
lllsdddsllls 12 characters: 3 letters, 3 digits, 3 letters, each followed by a
L0l0dddsdddl0L0 A symmetric pattern with asymmetrical results. From the middle a
single symbol is surrounded 2 groups of 3 numbers. The outer ends are two optional
letters, the outermost letter may be upper case. Zero odds are increased from .25
to .6 so the optional letters are much more likely to appear but the max zero characters
limits the optional characters that appear to 2.
lllLsddd 8 characters. 4 letters, the last of which may be upper case followed
by 1 symbol and 3 digits
dsLllllL 8 characters. A digit and symbol followed by 6 letters. The first and
last letter may be upper case. Force mixed case is set so one letter must be upper case.
Llll0l0ss0dddd0d0 3 to 5 letters, 1 or 2 symbols, 3 to 5 digits. Zero odds are
increased from .25 to .4 and maximum zero characters is increased to three. The pattern
appears to allow 12 characters but 5 are optional and only 3 optional characters
are allowed so the maximum length is actually 10. It could be as short as 7 if no
optional characters are selected. The first letter may be upper case.
Ll6ss0d9 A highly variable pattern that anticipates truncation. 2 to 7 letters
the first of which may be upper case. 1 or 2 symbols and 1 to 9 digits. The pattern
could produce from 4 to 18 characters but the default minimum length of 7 and
maximum length of 10 are left in place.
Ll1s2d9 2 to 10 letters (the password maximum length), the first of which
may be upper case. 1 or 2 symbols, with nominally 1 to 9 digits, but with even
the minimum number of letters and symbols there is only room for 7 digits as the
default maximum length of 10 is in place. This is a case where 1 numeric modifier
is used on the second pattern character. An occasional password is all letters
with no room for symbols or digits.
Ll1sd1Ll1 An optionally upper case letter followed by 1 or more letters, 1 symbol,
1 or more digits, another optionally upper case letter, and 1 or more letters. Force mixed
case is set so there will be at least one uppercase letter. With three 1 modifiers, this
is a highly variable pattern. Some 7 character passwords use the last pattern characterr,
and rarely, the second letter consumes the passwords entire 10 character limit.
I increased the length range to 15 to 20, and on the first try got a 16 character
password with two prounceable 7 letter sequences separated by a single symbol
Here we get to true random passwords. The choices are largely limited to what
character set are we using, how long are the passwords, and how many.
aaaaaaaa 8 characters with lower case letters only. Digit count is set to
one to prevent over representing digits.
AAAAAAA1 7 to 10 characters from the full keyboard including mixed case.
Digit count is set to 1 to prevent over representing digits.
A1 Very large (64 characters) passwords using the full character set. Digit count
set to 1 to avoid over representing digits. One odds to set to 0.999999 to insure
a long character sequence. Both minimum and maximum length are set to 64. I set the
minimum length to 1 manually, and in over a dozen tries all were 64 characters. If
I kept trying, eventually a short string would show up.
h1 Long (30 character hexadecimal paswords.
h1 Random 8 digit hex numbers. NOT intended as passwords.
d1 Random 6 digit numbers. NOT intended as passwords.
l1 10 to 13 character lowercase letters only. One odds are upped to .8 and
length settings changed.
L1 9 t0 12 character mixed case letters. One odds are upped to .8 and
length settings changed. Forced mixed case is set to force an upper case character
so it's not entirely random.
m1 10 to 13 character lower case only, alphanumeric. One odds are set to .8
and length settings changed.
M1 9 to 12 character mixed case alphanumeric. One odds are set to .8 and
length settings changed. Forced mixed case is set to insure an upper case letter
so it's not truly random.
Top of Page -
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is