Comments on: How To Create Friendlier Random Passwords

By: another1

another1 — Fri, 19 Dec 2008 03:53:12 +0000

most of the people does copy and paste because it makes them feels so nerd…

By: Snapey

Snapey — Wed, 19 Nov 2008 08:49:51 +0000

Why does it have to be a password?

I recently received a letter from the UK NHS and the letter contained two english words that had to be typed in as a combination. Four weeks later I can still remember that combination. When coupled with protection against a brute force attack this can be simple and effective.

Having said that you of course have to be very careful when choosing words at random. Receiving an invitation that advises my pass phrase is stupid moron would not go down to well.

By: cod3.net

cod3.net — Fri, 14 Nov 2008 11:00:58 +0000

instead of your while loop you can use array_rand()
$randomString = array_rand($characters, $length);

By: Roderik

Roderik — Fri, 14 Nov 2008 07:37:04 +0000

How about:


import org.apache.commons.lang.RandomStringUtils;
int size = 8;
String password = RandomStringUtils.random(size, "23467abcdefhjkmnpqrstuvwxyz");

By: craiga

craiga — Fri, 14 Nov 2008 00:19:56 +0000

@AussieJohn: I had the same thought, but the confusion between ‘b’ and ‘d’ seems to be the only one I could find documented. Perhaps it’s the visual similarity of the characters combined with the similar sounds?

@Leo: Oops :) Fixed.

@J. Pluijmers: Absolutely agree. Rather than use CAPTCHA, I’d implement some kind of system to disallow a large number of log in attempts within a period of time, or even lock out accounts once a threshold of bad attempts has been reached.

@boen_robot: Part of the point of these passwords is they’re only used one time. Once the user authenticates with these passwords, they should be forced to enter one of their own choosing.

@myrdhrin: I like the look of that pronounceable password generator. It could easily be extended to take into account the idea I’m suggesting here.

By: AussieJohn

AussieJohn — Thu, 13 Nov 2008 21:26:44 +0000

To be honest, I was joining Craig and only looking at the accessibility point of view. I do agree that this limits the amount of available passwords a lot. When adding in another character to these passwords, e.g. a punctuation symbol, it allows the number of passwords to increase – and increase their general complexity also.

I tend to use a pronounceable password generator as well – I have been using the one at webcogs for a few years now – I generally take one of their words and pre- or append a punctuation symbol and change the case of at least one letter.

By: myrdhrin

myrdhrin — Thu, 13 Nov 2008 19:42:14 +0000

I’m from the philosophy that to be effective a password has to be easy to remember. It does not matter how strong your password generation algorithm is if you have to write it down you it just lost all of it effectiveness.

I published a pronounceable password generator on my website. It generates random passwords with letters, numbers and symbol but still manages to let your pronounce (hence) memorize them. Beats writing them down.

The algorithm is public so you can tweak it to your taste.

anyway… my 2 cents here

Jean-Marc

By: boen_robot

boen_robot — Thu, 13 Nov 2008 16:12:07 +0000

Forigive me for saying this, but I’ve always hated this concept. The random password generation concept that is.

Instead of trying to make users TYPE a random password, I’d much rathar educate them how to COPY it and then promt them to change it on first login. Or better yet, make them create a custom password upon registrations (like most sites do already).

If generating a non-modifiable password is truly the only option, you have a bigger problem on your hands than your users’ acessibility problems.

By: Leo

Leo — Thu, 13 Nov 2008 16:02:58 +0000

Sorry to say but script returns an error

Notice: Undefined offset: 28 in ~ on line 15

// fix
$randomCharacterIndex = rand(0,count($characters)-1)

By: J. Pluijmers

J. Pluijmers — Thu, 13 Nov 2008 15:45:45 +0000

I would strongly advise against usage of these kind of passwords. It doesn’t take that long for a quadcore computer to calculate the 16 milion options and then put an automated free bruteforce tool to work with this data ie: Burp.

If you have to use these kind of credentials I urge you to install some kind of CAPTCHA so automated attacks are unlikely to succeed.

The forced password change might be a solution but a weak one at best. What if a user requested an account but never activates it? Then you still are verry vurnable to brute force.