Random password generator: Difference between revisions

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
VisualWikitext
imported>VulcanSphere
Adding screenshot of example (Bitwarden)
 
imported>Duckmather
remove unsourced/OR claims
 
Line 1: Line 1:
{{Short description|Program that generates password from random number generator}}
{{Short description|Program that generates password from random number generator}}
{{Multiple issues|
[[File:Bitwarden Desktop 2024.12.1 password generator screenshot.webp|thumb|upright=1.2|Random password generator in [[Bitwarden]]]]
{{Original research|article|date=August 2008}}
A '''random password generator''' is a [[Computer software|software]] program or [[Computer hardware|hardware]] device that takes input from a [[random]] or [[pseudo-random]] number generator and automatically generates a [[password]].
{{More citations|date=April 2024}}
}}
[[File:Bitwarden Desktop 2024.12.1 password generator screenshot.webp|thumb|upright=1.2|Random password generator in [[Bitwarden]], here certain parameters can be adjusted from length to complexity]]
A '''random password generator''' is a [[Computer software|software]] program or [[Computer hardware|hardware]] device that takes input from a [[random]] or [[pseudo-random]] number generator and automatically generates a [[password]]. Random passwords can be generated manually, using simple sources of randomness such as [[Diceware|dice]] or [[Coin|coins]], or they can be generated using a computer.


While there are many examples of "random" password generator programs available on the Internet, generating randomness can be tricky, and many programs do not generate random characters in a way that ensures strong security. A common recommendation is to use [[open source]] security tools where possible, since they allow independent checks on the quality of the methods used. Simply generating a password at random does not ensure the password is a strong password, because it is possible, although highly unlikely, to generate an easily guessed or cracked password. In fact, there is no need at all for a password to have been produced by a perfectly random process: it just needs to be sufficiently difficult to guess.
[[Mnemonic]] hashes, which reversibly convert random strings into more memorable passwords, can substantially improve the ease of memorization. As the [[hash (computing)|hash]] can be processed by a computer to recover the original 60-bit string, it has at least as much information content as the original string.<ref name="memorize">{{cite book |last1=Ghazvininejad |first1=Marjan |last2=Knight |first2=Kevin |title=Proceedings of the 2015 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies |chapter=How to Memorize a Random 60-Bit String |date=May–June 2015 |volume=Proceedings of the 2015 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies |pages=1569–1575 |doi=10.3115/v1/N15-1180 |chapter-url=https://www.isi.edu/natural-language/mt/memorize-random-60.pdf |location=Denver, Colorado |publisher=Association for Computational Linguistics |s2cid=8028691 }}</ref>
 
A password generator can be part of a [[password manager]]. When a [[password policy]] enforces complex rules, it can be easier to use a password generator based on that set of rules than to manually create passwords.
 
Long strings of random characters are difficult for most people to memorize. [[Mnemonic]] hashes, which reversibly convert random strings into more memorable passwords, can substantially improve the ease of memorization. As the [[hash (computing)|hash]] can be processed by a computer to recover the original 60-bit string, it has at least as much information content as the original string.<ref name=memorize>{{cite book |last1=Ghazvininejad |first1=Marjan |last2=Knight |first2=Kevin |title=Proceedings of the 2015 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies |chapter=How to Memorize a Random 60-Bit String |date=May–June 2015 |volume=Proceedings of the 2015 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies |pages=1569–1575 |doi=10.3115/v1/N15-1180 |chapter-url=https://www.isi.edu/natural-language/mt/memorize-random-60.pdf |location=Denver, Colorado |publisher=Association for Computational Linguistics |s2cid=8028691 }}</ref> Similar techniques are used in [[memory sport]].


==Password type and strength==
==Password type and strength==
{{duplication|section=yes|dupe=Password strength|date=August 2018}}
{{Main|Password strength}}
 
{{Empty section|date=August 2025}}
Random password generators normally output a string of symbols of specified length. These can be individual characters from some character set, syllables designed to form pronounceable passwords, or words from some word list to form a [[passphrase]]. The program can be customized to ensure the resulting password complies with the local password policy, say by always producing a mix of letters, numbers and special characters. Such policies typically reduce strength slightly below the formula that follows, because symbols are no longer independently produced.{{Citation needed|date=April 2024}}
 
The [[Password strength]] of a random password against a particular attack ([[brute-force search]]), can be calculated by computing the [[information entropy]] of the random process that produced it. If each symbol in the password is produced independently and with uniform probability, the entropy in bits is given by the formula <math display="inline">H = L\,\log_2 N</math>, where ''N'' is the number of possible symbols and ''L'' is the number of symbols in the password. The function log<sub>2</sub> is the [[binary logarithm|base-2 logarithm]]. ''H'' is typically measured in [[bit]]s.<ref>Schneier, B: ''Applied Cryptography'', Second edition, page 233 ff.  John Wiley and Sons.</ref><ref name="NIST">{{cite journal | url = http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf | title = Electronic Authentication Guideline | year = 2006 | publisher = NIST | doi = 10.6028/NIST.SP.800-63v1.0.2 | last1 = Burr | first1 = W. E. | last2 = Dodson | first2 = D. F. | last3 = Polk | first3 = W. T. }}</ref>
 
Any password generator is limited by the state space of the pseudo-random number generator used if it is based on one. Thus a password generated using a 32-bit generator is limited to 32 bits entropy, regardless of the number of characters the password contains.{{Citation needed|date=April 2024}}


==Websites==
==Websites==
A large number of password generator programs and websites are available on the Internet. Their quality varies and can be hard to assess if there is no clear description of the source of randomness that is used and if source code is not provided to allow claims to be checked. Furthermore, and probably most importantly, transmitting candidate passwords over the Internet raises obvious security concerns, particularly if the connection to the password generation site's program is not properly secured or if the site is compromised in some way. Without a [[secure channel]], it is not possible to prevent eavesdropping, especially over public networks such as the [[Internet]]. A possible solution to this issue is to generate the password using a client-side programming language such as JavaScript. The advantage of this approach is that the generated password stays in the client computer and is not transmitted to or from an external server.{{Original research inline|date=April 2024}}
=== Web Cryptography API ===
=== Web Cryptography API ===
The '''[[Web Cryptography API]]''' is the [[World Wide Web Consortium]]’s (W3C) recommendation for a low-level interface that would increase the security of [[Web application|web applications]] by allowing them to perform [[Cryptography|cryptographic functions]] without having to access raw keying material. The Web Crypto API provides a reliable way to generate passwords using the <code>crypto.getRandomValues()</code> method. Here is the simple Javascript code that generate the strong password using web crypto API.<ref>{{Cite web |title=Generate a Secure Random Password Using Web Crypto API and Javascript |url=https://gist.github.com/fearspear/4d757e956b0ff92ad0412691fbfc322f |access-date=2024-01-06 |website=github.com}}</ref><ref>{{Cite web |title=Step-by-step process of creating a robust password using Web Crypto API |url=https://passwordlab.io/blog/step-by-step-process-of-creating-a-robust-password-using-web-crypto-api |access-date=2024-01-06 |website=passwordlab.io}}</ref>
The '''[[Web Cryptography API]]''' is the [[World Wide Web Consortium]]’s (W3C) recommendation for a low-level interface that would increase the security of [[Web application|web applications]] by allowing them to perform [[Cryptography|cryptographic functions]] without having to access raw keying material. The Web Crypto API provides a reliable way to generate passwords using the <code>crypto.getRandomValues()</code> method. Here is the simple Javascript code that generate the strong password using web crypto API.<ref>{{Cite web |title=Generate a Secure Random Password Using Web Crypto API and Javascript |url=https://gist.github.com/fearspear/4d757e956b0ff92ad0412691fbfc322f |access-date=2024-01-06 |website=github.com}}</ref><ref>{{Cite web |title=Step-by-step process of creating a robust password using Web Crypto API |url=https://passwordlab.io/blog/step-by-step-process-of-creating-a-robust-password-using-web-crypto-api |access-date=2024-01-06 |website=passwordlab.io}}</ref>
Line 34: Line 19:


==Mechanical methods==
==Mechanical methods==
Yet another method is to use physical devices such as [[dice]] to generate the randomness. One simple way to do this uses a 6 by 6 table of characters. The first die roll selects a row in the table and the second a column. So, for example, a roll of 2 followed by a roll of 4 would select the letter ''"j"'' from the [[transposition cipher#Fractionation|fractionation]] table below.<ref>Levine, John R., Ed.: ''Internet Secrets'', Second edition, page 831 ff.  John Wiley and Sons.</ref> To generate upper/lower case characters or some symbols a coin flip can be used, heads capital, tails lower case. If a digit was selected in the dice rolls, a heads coin flip might select the symbol above it on a standard keyboard, such as the '$' above the '4' instead of '4'.
Yet another method is to use physical devices such as [[dice]] to generate the randomness. One simple way to do this uses a 6 by 6 table of characters. The first die roll selects a row in the table and the second a column. So, for example, a roll of 2 followed by a roll of 4 would select the letter ''"j"'' from the [[transposition cipher#Fractionation|fractionation]] table below.<ref>Levine, John R., Ed.: ''Internet Secrets'', Second edition, page 831 ff.  John Wiley and Sons.</ref>  
:{| class="wikitable"
:{| class="wikitable"
!
!

Latest revision as of 11:57, 9 August 2025

Template:Short description

File:Bitwarden Desktop 2024.12.1 password generator screenshot.webp
Random password generator in Bitwarden

A random password generator is a software program or hardware device that takes input from a random or pseudo-random number generator and automatically generates a password.

Mnemonic hashes, which reversibly convert random strings into more memorable passwords, can substantially improve the ease of memorization. As the hash can be processed by a computer to recover the original 60-bit string, it has at least as much information content as the original string.[1]

Password type and strength

Script error: No such module "Labelled list hatnote". Template:Empty section

Websites

Web Cryptography API

The Web Cryptography API is the World Wide Web Consortium’s (W3C) recommendation for a low-level interface that would increase the security of web applications by allowing them to perform cryptographic functions without having to access raw keying material. The Web Crypto API provides a reliable way to generate passwords using the crypto.getRandomValues() method. Here is the simple Javascript code that generate the strong password using web crypto API.[2][3]

FIPS 181 standard

Many computer systems already have an application (typically named "apg") to implement the password generator standard FIPS 181.[4] FIPS 181—Automated Password Generator—describes a standard process for converting random bits (from a hardware random number generator) into somewhat pronounceable "words" suitable for a passphrase.[5] However, in 1994 an attack on the FIPS 181 algorithm was discovered, such that an attacker can expect, on average, to break into 1% of accounts that have passwords based on the algorithm, after searching just 1.6 million passwords. This is due to the non-uniformity in the distribution of passwords generated, which can be addressed by using longer passwords or by modifying the algorithm.[6][7]

Mechanical methods

Yet another method is to use physical devices such as dice to generate the randomness. One simple way to do this uses a 6 by 6 table of characters. The first die roll selects a row in the table and the second a column. So, for example, a roll of 2 followed by a roll of 4 would select the letter "j" from the fractionation table below.[8]

1 2 3 4 5 6
1 a b c d e f
2 g h i j k l
3 m n o p q r
4 s t u v w x
5 y z 0 1 2 3
6 4 5 6 7 8 9

See also

References

<templatestyles src="Reflist/styles.css" />

  1. Script error: No such module "citation/CS1".
  2. Script error: No such module "citation/CS1".
  3. Script error: No such module "citation/CS1".
  4. Script error: No such module "citation/CS1".
  5. NIST. Automated Password Generator standard FIPS 181
  6. Script error: No such module "citation/CS1".
  7. Script error: No such module "Citation/CS1".
  8. Levine, John R., Ed.: Internet Secrets, Second edition, page 831 ff. John Wiley and Sons.

Script error: No such module "Check for unknown parameters".

External links

Retrieved from "http://debianws.lexgopc.com/wiki143/index.php?title=Random_password_generator&oldid=5625602"