This project is driven by two ideas:
- a simple password generator that creates passwords that are easy to remember but hard for a computer to crack
- a program that can be run by any language
Many password generators create passwords that are completely random such as $bL^G+g74rmt5xHz. This password has 16 characters and was created by randomly selecting a character from a pool of letters. The pool containing the uppercase and lowercase letters, digits, and a subset of symbols (#%-*^!+?@=&_$) for a total of 75 characters. This means that there are 75^16 or 1002259575761854648590087890625 possible 16 character passwords. The password strength can be represented the number of bits needed to represent the number of possible passwords. 75^16 is 99 bits. This is an incredibly strong password (arguably too strong, more on that later). The issue is, it is very hard for a person to remember this password. Say something about password managers A better approach to strong passwords is to create it out of real words. A password such as snap.have.root.tallF8 is much easier for a human to remember since Explanation. The way this password is generated is using a list of words, n words are selected delimited by periods followed by a capital letter and a digit. There are two approaches to calculating the strength of this password. Lets say a person is trying to crack this password using a brute force approach. Assuming that there are still 75 possible choices for each character, a 21 character password has 75^21 or 2378408954200494918040931224822998046875 possible combinations and 130 bits of security. Now lets say that the person knows the format, word list, and that 4 words were used. If there are 2000 words to choose from, 2000^4*26*10 combinations or 4160000000000000 combinations are possible with a strength of 51 bits.
- Easy to memorize
- Fast to type in a phone or other reduced keyboard
- Contains at least one uppercase letter, lowercase letter, digit, and symbol
The passwords generated by this project are formatted in the pattern: n number of words delimited by periods followed by an uppercase letter then a digit. Sample passwords:
see.voice.basis.fairG9swear.bothL0playP4photo.thumb.focus.turn.venue.hint.legal.sink.media.loanB0
This format was inspired by this xkcd comic.
I improved that format by adding periods after each word and adding a capitol letter and digit to the end. This makes sure the password will meet requirements of stricter websites as long as at least two words are used.
This table shows how long to crack a password of different strengths at different hash rates.
| Bits | 10 H/s | 1KH/s | 1Mh/s | 50 GH/s GTX1080 | 632GH/s AWS | 1EH/s |
|---|---|---|---|---|---|---|
| 10 | 51 s | 0.5 s | 0 s | 0 s | 0 s | 0 s |
| 20 | 14 h | 9 m | 0.5 s | 0 s | 0 s | 0 s |
| 30 | 1.7 y | 6 d | 9 m | 0.01 s | 0 s | 0 s |
| 40 | 1,742 y | 17 y | 6 d | 11 s | 1 s | 0 s |
| 50 | - | 17,839 y | 18 y | 3 h | 15 m | 0 s |
| 60 | - | - | 18,266 y | 133 d | 11 d | 0.576 s |
| 70 | - | - | - | 374 y | 30 y | 10 m |
| 80 | - | - | - | 383,085 y | 30,307 y | 7 d |
| 90 | - | - | - | - | - | 20 y |
| 100 | - | - | - | - | - | 20,085 y |
- A brute force attack is used
- On average, half the total number of passwords will need to be checked before the solution is found
With some passwords the time to crack will be much less if they contain common words or phrases and the cracking algorithm is smart enough to search for them. That is why it is more accurate to say a password from this project with 4 words from a list of 2000 has 51 rather than 130 bits of security.
Long (8 words) offline, Short (3 words)
| Raw Strength | Format Strength | |
|---|---|---|
| Short | 105 bits | 40 bits |
| Long | 270 bits | 95 bits |
Assuming 2000 word lexicon with average word length of 4.3 characters
Biggest threat to this type of password is knowledge of its format. Reduces passwords strength significantly. But using long passwords for online accounts can be annoying and sometime infeasible with limits on password length. Long passwords should be used offline since their format could be known and exploited. Even if the attacker knows the format they would still have 95 bits of security. Online short passwords can be used since if the online password database was leaked, the format of your password would be unknown and would therefore have 105 bits of security.
Power of password attacks vs. knowledge of password format
To use this repo, create a file named "words.txt" and populate it with the words to be used for password generation delimited by a newline. Then use make to build the script from any program. Scripts can be run using the respective languages command.
| Language | Password Generator | Variable password length | Parses command line arguments | Handles incorrect arguments |
|---|---|---|---|---|
| Bash | ☑ | ☑ | ☑ | ☑ |
| C | ☑ | ☑ | ☑ | ☑ |
| C# | ||||
| Dart | ☑ | ☑ | ☑ | ☑ |
| Go | ||||
| Groovy | ||||
| Java | ☑ | ☑ | ☑ | ☑ |
| JavaScript | ||||
| Kotlin | ||||
| Matlab | ||||
| Objective-C | ||||
| Perl | ||||
| PHP | ☑ | ☑ | ☑ | ☑ |
| Powershell | ☑ | ☑ | ☑ | ☑ |
| Python | ☑ | ☑ | ☑ | ☑ |
| R | ||||
| Ruby | ☑ | ☑ | ☑ | ☑ |
| Rust | ||||
| Swift | ☑ | ☑ | ||
| Tcl | ☑ | ☑ | ☑ | ☑ |
| TypeScript | ||||
| VBA |