Random password generator

A random password generator is a software program or hardware device that takes input from a random or pseudo-random number generator and automatically generates a password.

Mnemonic hashes, which reversibly convert random strings into more memorable passwords, can substantially improve the ease of memorization. As the hash can be processed by a computer to recover the original 60-bit string, it has at least as much information content as the original string.^[1]

Password type and strength

Websites

Web Cryptography API

The Web Cryptography API is the World Wide Web Consortium’s (W3C) recommendation for a low-level interface that would increase the security of web applications by allowing them to perform cryptographic functions without having to access raw keying material. The Web Crypto API provides a reliable way to generate passwords using the crypto.getRandomValues() method. Here is the simple Javascript code that generate the strong password using web crypto API.^[2]^[3]

FIPS 181 standard

Many computer systems already have an application (typically named "apg") to implement the password generator standard FIPS 181.^[4] FIPS 181—Automated Password Generator—describes a standard process for converting random bits (from a hardware random number generator) into somewhat pronounceable "words" suitable for a passphrase.^[5] However, in 1994 an attack on the FIPS 181 algorithm was discovered, such that an attacker can expect, on average, to break into 1% of accounts that have passwords based on the algorithm, after searching just 1.6 million passwords. This is due to the non-uniformity in the distribution of passwords generated, which can be addressed by using longer passwords or by modifying the algorithm.^[6]^[7]

Mechanical methods

Yet another method is to use physical devices such as dice to generate the randomness. One simple way to do this uses a 6 by 6 table of characters. The first die roll selects a row in the table and the second a column. So, for example, a roll of 2 followed by a roll of 4 would select the letter "j" from the fractionation table below.^[8]

	1	2	3	4	5	6
1	a	b	c	d	e	f
2	g	h	i	j	k	l
3	m	n	o	p	q	r
4	s	t	u	v	w	x
5	y	z	0	1	2	3
6	4	5	6	7	8	9

References

^ Ghazvininejad, Marjan; Knight, Kevin (May–June 2015). "How to Memorize a Random 60-Bit String" (PDF). Proceedings of the 2015 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies. Vol. Proceedings of the 2015 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies. Denver, Colorado: Association for Computational Linguistics. pp. 1569–1575. doi:10.3115/v1/N15-1180. S2CID 8028691.
^ "Generate a Secure Random Password Using Web Crypto API and Javascript". github.com. Retrieved 2024-01-06.
^ "Step-by-step process of creating a robust password using Web Crypto API". passwordlab.io. Retrieved 2024-01-06.
^ "StrongPasswords – Community Help Wiki". help.ubuntu.com. Retrieved 2016-03-25.
^ NIST. Automated Password Generator standard FIPS 181
^ Shay, Richard; Kelley, Patrick Gage; Komanduri, Saranga; Mazurek, Michelle L.; Ur, Blase; Vidas, Timothy; Bauer, Lujo; Christin, Nicolas; Cranor, Lorrie Faith (2012). Correct horse battery staple: Exploring the usability of system-assigned passphrases (PDF). SOUPS '12 Proceedings of the Eighth Symposium on Usable Privacy and Security. doi:10.1145/2335356.2335366.
^ Ganesan, Ravi; Davies, Chris (1994). "A New Attack on Random Pronounceable Password Generators" (PDF). Proceedings of the 17th {NIST}-{NCSC} National Computer Security Conference. NIST: 184–197. Retrieved 2014-12-17.
^ Levine, John R., Ed.: Internet Secrets, Second edition, page 831 ff. John Wiley and Sons.