Random password generator

From Wikipedia, the free encyclopedia

A random password generator is a software program or hardware device that takes input from a random or pseudo-random number generator and automatically generates a password.

Mnemonic hashes, which reversibly convert random strings into more memorable passwords, can substantially improve the ease of memorization. As the hash can be processed by a computer to recover the original 60-bit string, it has at least as much information content as the original string.[1]

Password type and strength

Websites

Web Cryptography API

The Web Cryptography API is the World Wide Web Consortium's (W3C) recommendation for a low-level interface that would increase the security of web applications by allowing them to perform cryptographic functions without having to access raw keying material. The Web Crypto API provides a reliable way to generate passwords using the crypto.getRandomValues() method. A short JavaScript program can generate a strong password with the Web Crypto API.[2][3]
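
The following added example (not taken from the article or its cited sources) shows one way to build a password from crypto.getRandomValues() output, using rejection sampling so that every symbol is equally likely. The function names, the default alphabet and the injectable randomBytes parameter are assumptions made for illustration.

```javascript
// Added example: uniform password generation with crypto.getRandomValues().
// All names below are illustrative, not part of the Web Crypto API itself.
const webCrypto = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

const DEFAULT_ALPHABET =
  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@^_";

// Return a uniformly distributed integer in [0, n) by rejection sampling.
// A plain `byte % n` favours low indices whenever 256 is not a multiple of n,
// which is the kind of non-uniformity that weakens generated passwords.
function uniformIndex(n, randomBytes) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError("n must be an integer in 1..256");
  }
  const limit = 256 - (256 % n); // largest multiple of n that is <= 256
  const buf = new Uint8Array(1);
  for (;;) {
    randomBytes(buf);
    if (buf[0] < limit) return buf[0] % n; // bytes >= limit are discarded
  }
}

// Build a password of `length` symbols drawn uniformly from `alphabet`.
// `randomBytes` fills a Uint8Array; it is injectable only so the sampling
// logic can be tested deterministically.
function generatePassword(length = 20, alphabet = DEFAULT_ALPHABET,
                          randomBytes = (b) => webCrypto.getRandomValues(b)) {
  const chars = [...new Set(alphabet)]; // duplicates would skew the distribution
  if (chars.length < 2) throw new RangeError("alphabet needs >= 2 distinct symbols");
  if (!Number.isInteger(length) || length < 1) throw new RangeError("length must be >= 1");
  let out = "";
  for (let i = 0; i < length; i++) {
    out += chars[uniformIndex(chars.length, randomBytes)];
  }
  return out;
}

// Entropy in bits of a password drawn uniformly from the alphabet.
function entropyBits(length, alphabet = DEFAULT_ALPHABET) {
  return length * Math.log2(new Set(alphabet).size);
}
```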

FIPS 181 standard

Many computer systems already have an application (typically named "apg") to implement the password generator standard FIPS 181.[4] FIPS 181—Automated Password Generator—describes a standard process for converting random bits (from a hardware random number generator) into somewhat pronounceable "words" suitable for a passphrase.[5] However, in 1994 an attack on the FIPS 181 algorithm was discovered, such that an attacker can expect, on average, to break into 1% of accounts that have passwords based on the algorithm, after searching just 1.6 million passwords. This is due to the non-uniformity in the distribution of passwords generated, which can be addressed by using longer passwords or by modifying the algorithm.[6][7]

Mechanical methods

Yet another method is to use physical devices such as dice to generate the randomness. One simple way to do this uses a 6 by 6 table of characters. The first die roll selects a row in the table and the second a column. So, for example, a roll of 2 followed by a roll of 4 would select the letter "j" from the fractionation table below.[8]

      1  2  3  4  5  6
  1   a  b  c  d  e  f
  2   g  h  i  j  k  l
  3   m  n  o  p  q  r
  4   s  t  u  v  w  x
  5   y  z  0  1  2  3
  6   4  5  6  7  8  9

References

  1. Ghazvininejad, Marjan; Knight, Kevin (May–June 2015). "How to Memorize a Random 60-Bit String" (PDF). Proceedings of the 2015 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies. Denver, Colorado: Association for Computational Linguistics. pp. 1569–1575. doi:10.3115/v1/N15-1180. S2CID 8028691.
  2. "Generate a Secure Random Password Using Web Crypto API and Javascript". github.com. Retrieved 2024-01-06.
  3. "Step-by-step process of creating a robust password using Web Crypto API". passwordlab.io. Retrieved 2024-01-06.
  4. "StrongPasswords – Community Help Wiki". help.ubuntu.com. Retrieved 2016-03-25.
  5. NIST. Automated Password Generator standard FIPS 181.
  6. Shay, Richard; Kelley, Patrick Gage; Komanduri, Saranga; Mazurek, Michelle L.; Ur, Blase; Vidas, Timothy; Bauer, Lujo; Christin, Nicolas; Cranor, Lorrie Faith (2012). Correct horse battery staple: Exploring the usability of system-assigned passphrases (PDF). SOUPS '12 Proceedings of the Eighth Symposium on Usable Privacy and Security. doi:10.1145/2335356.2335366.
  7. Ganesan, Ravi; Davies, Chris (1994). "A New Attack on Random Pronounceable Password Generators" (PDF). Proceedings of the 17th NIST-NCSC National Computer Security Conference. NIST: 184–197. Retrieved 2014-12-17.
  8. Levine, John R., Ed.: Internet Secrets, Second edition, page 831 ff. John Wiley and Sons.