Secure Password Generator

Discussion related to AES Crypt, the file encryption software for Windows, Linux, Mac, and Java.
paulej
Posts: 593
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA

Secure Password Generator

Post by paulej »

I have been asked many times about creating secure passwords. Passwords do not have to be significantly long to be secure. So, I put together this page that will generate useful and secure passwords for web sites and AES Crypt.

https://secure.packetizer.com/pwgen/

I would welcome any comments, especially if you find an error in the math. :-)
johnmcloud
Posts: 22
Joined: Sun Jan 01, 2012 6:35 pm

Re: Secure Password Generator

Post by johnmcloud »

Seems nice, can you post the command-line exe for pwgen?
I have Windows and I have tried to compile the Perl into an .exe, but without success.
Thanks

Another thing: I think it is useful to add another command. Now it is:
Pwgen length
I think it is better to do:
Pwgen "length" "special character", like:
Pwgen 12 5
The result is a password of 12 letters with 5 special characters; the second command can't be > length.
paulej
Posts: 593
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA

Re: Secure Password Generator

Post by paulej »

The function that generates the password strings will select characters at random. If the second argument is '1', it will use special characters. However, I do not and will not force the routine to generate a certain number of special characters. Doing so would mean the result is not entirely random.

Further, I see no real value in the special characters, as I mention on the web page. Many system admins believe that it provides extra security. But, if you do the math, you see the additional security is virtually non-existent. Just one additional alpha-numeric character in the password far exceeds the strength of the same size password that uses special characters. What is important is the "strength" in terms of the number of random bits. (Unicode would help produce shorter passwords with significant strength, but most of us are not able to deal with Unicode character strings right now. I certainly would not have the ability to type in certain characters used in Asia, for example.)

As for getting the pwgen script to work on Windows, it would work just fine if you do two things:
1) convert the script to have LF/CR at the end (rather than just LF as used on Linux)
2) Install Perl on Windows, including the required Math library for generating random numbers

I'm not sure if the Math library is dependent on Linux's /dev/random or not. You could just change the call to irand() to int(rand()) and use Perl's default pseudo-random number generator. But, I prefer to go with strength and use the better random number generator. That's what is used to generate passwords on the web page.

It would also be fairly easy to create a C version of this program, too. Windows has some crypto APIs for generating random numbers. I used those in AES Crypt for Windows. Given how simple the program is, if you want an exe (versus a Perl script), just re-write it in C. :-)
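
An added example, not part of the post above and not the pwgen source: one way a C version can pick characters uniformly from the operating system's random source rather than from rand(). The special-character set, the function names, and the use of /dev/urandom (Linux/macOS) are assumptions.

```c
#include <stdio.h>
#include <string.h>

static const char NORMAL[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
static const char SPECIAL[] = "!@#$%^&*-_";  /* assumed special set */

/* Uniform index in [0, n), 1 <= n <= 256, from the OS random source.
 * Returns -1 if the source cannot be read. */
static int random_index(FILE *rng, int n)
{
    int limit = 256 - (256 % n);  /* largest multiple of n within one byte */
    int byte;
    do {
        byte = fgetc(rng);
        if (byte == EOF) return -1;
    } while (byte >= limit);      /* reject bytes that would bias byte % n */
    return byte % n;
}

/* Writes `length` random characters plus a NUL into `out`.
 * Returns 0 on success, -1 if no secure randomness is available. */
int generate_password(char *out, size_t length, int use_special)
{
    char alphabet[sizeof NORMAL + sizeof SPECIAL];
    strcpy(alphabet, NORMAL);
    if (use_special) strcat(alphabet, SPECIAL);
    int n = (int)strlen(alphabet);

    FILE *rng = fopen("/dev/urandom", "rb");
    if (!rng) return -1;
    for (size_t i = 0; i < length; i++) {
        int idx = random_index(rng, n);
        if (idx < 0) { fclose(rng); return -1; }
        out[i] = alphabet[idx];   /* every position drawn independently */
    }
    out[length] = '\0';
    fclose(rng);
    return 0;
}

int main(void)
{
    char pw[64];
    if (generate_password(pw, 12, 0) == 0) printf("%s\n", pw);
    if (generate_password(pw, 12, 1) == 0) printf("%s\n", pw);
    return 0;
}
```

The caller must supply a buffer of at least length + 1 bytes; on failure the function returns -1 instead of falling back to a weaker generator.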
johnmcloud
Posts: 22
Joined: Sun Jan 01, 2012 6:35 pm

Re: Secure Password Generator

Post by johnmcloud »

The second argument does not seem to work for me. I have tried to do:
Pwgen 15 1
The result is a password with 12 characters and no special ones. If the second argument is 1, it always generates the default password with 12 letters.
What am I doing wrong?
Thanks
paulej
Posts: 593
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA

Re: Secure Password Generator

Post by paulej »

The second argument is only used by the function that generates passwords. I didn't write the command-line tool to accept a second argument. If you want to always generate special characters, then change this:

Code:

print GeneratePassword($password_length,0) . "\n";
to this:

Code:

print GeneratePassword($password_length,1) . "\n";
If you really want a command-line argument, then you could change the MAIN routine to look like this:

Code:

#
# MAIN
#
{
    my $password_length;
    my $use_special_characters = 0;

    #
    # Grab the requested password length from the command-line
    #
    if ($#ARGV >= 0)
    {
        $password_length = $ARGV[0];
        if (!($password_length > 0))
        {
            $password_length = $main::default_password_length;
        }
    }
    else
    {
        $password_length = $main::default_password_length;
    }

    #
    # Use special characters?
    #
    if ($#ARGV >= 1)
    {
        if ($ARGV[1] == 1)
        {
            $use_special_characters = 1;
        }
    }

    # Generate the password, using special characters only if requested
    print GeneratePassword($password_length,$use_special_characters) . "\n";
}
As I indicated on this page, use of special characters provides very little additional strength and adding just one more normal character on most passwords would provide more strength against attacks. I'm not a fan of using special characters given that they're hard for normal users to deal with and they add no significant value.
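
An added example, not from the thread or the pwgen code: the entropy arithmetic behind two points made in the posts above, that one more alphanumeric character adds more strength than special characters do, and that forcing a fixed number of specials (the `Pwgen 12 5` request) removes randomness. It assumes a 62-character alphanumeric set and a hypothetical 10-character special set; the function names are illustrative.

```c
#include <stdio.h>

/* log2(x) for x > 0 by repeated squaring, so no libm (-lm) is needed. */
static double log2_bits(double x)
{
    double r = 0.0, frac = 0.5;
    while (x >= 2.0) { x /= 2.0; r += 1.0; }
    while (x < 1.0)  { x *= 2.0; r -= 1.0; }
    for (int i = 0; i < 40; i++) {       /* 40 fractional binary digits */
        x *= x;
        if (x >= 2.0) { x /= 2.0; r += frac; }
        frac /= 2.0;
    }
    return r;
}

/* Bits of entropy when each character is drawn uniformly and
 * independently from `alphabet` symbols. Returns -1 on bad input. */
double uniform_bits(int length, int alphabet)
{
    if (length < 0 || alphabet < 1) return -1.0;
    return length * log2_bits((double)alphabet);
}

/* Bits of entropy when exactly k of the positions must be special:
 * the number of possible passwords is
 * C(length, k) * specials^k * normal^(length - k). */
double forced_special_bits(int length, int k, int normal, int specials)
{
    if (k < 0 || k > length || normal < 1 || specials < 1) return -1.0;
    double bits = 0.0;
    for (int i = 1; i <= k; i++)         /* log2 of C(length, k) */
        bits += log2_bits((double)(length - k + i) / i);
    return bits + k * log2_bits((double)specials)
                + (length - k) * log2_bits((double)normal);
}

int main(void)
{
    const int normal = 62, specials = 10;  /* specials: assumed set size */
    printf("12 alphanumeric:          %.2f bits\n", uniform_bits(12, normal));
    printf("12 with specials allowed: %.2f bits\n",
           uniform_bits(12, normal + specials));
    printf("13 alphanumeric:          %.2f bits\n", uniform_bits(13, normal));
    printf("12 with exactly 5 forced: %.2f bits\n",
           forced_special_bits(12, 5, normal, specials));
    return 0;
}
```

Under these assumptions, the 12-character password with exactly 5 forced specials carries fewer bits than 12 purely alphanumeric characters, because the constraint removes every password that has any other number of specials.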
johnmcloud
Posts: 22
Joined: Sun Jan 01, 2012 6:35 pm

Re: Secure Password Generator

Post by johnmcloud »

Good, I have converted the Perl into an exe, but it is so slow to process a new password; the original .pl is so fast instead.
I'd like to add this function to my software (my software can now process file/folder/text on-the-fly encryption, all with your software), but I don't know C. If you have some time, Paul, can you make a binary command-line version of pwgen?
It will be the icing on the cake :D

Thanks for your work,
John
paulej
Posts: 593
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA

Re: Secure Password Generator

Post by paulej »

As you requested, I created C code to do the same thing. It will work on Linux or Windows. I took the Perl script, C code, 32-bit Linux binary, and 32-bit Windows binary and put it into a ZIP file that can be downloaded from the pwgen page.
johnmcloud
Posts: 22
Joined: Sun Jan 01, 2012 6:35 pm

Re: Secure Password Generator

Post by johnmcloud »

I'll start working immediately, thanks for the binary and the C code.
MeaganR
Posts: 1
Joined: Wed Aug 28, 2013 6:50 am
Location: Los Angeles, CA

Re: Secure Password Generator

Post by MeaganR »

If you've never used an online password manager as part of your online safety program, you've been playing with fire. Do not get burned, because password hacking is relatively simple. I can say that an online password manager can help take the target off your rear.
paulej
Posts: 593
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA

Re: Secure Password Generator

Post by paulej »

MeaganR wrote: If you've never used an online password manager as part of your online safety program, you've been playing with fire. Do not get burned, because password hacking is relatively simple. I can say that an online password manager can help take the target off your rear.
I'm not sure if the link above is intended to provide useful information or is just a spam link. However, I'm not very fond of password managers. It's more software that holds data and I have to share that with somebody else.

I prefer Single Pass. With Single Pass, you remember just one password and unique, per-site passwords are created automatically. It's very handy.