human readable password generator

Started by Lazybones, November 30, 2005, 11:59:37 AM


Lazybones

We employ a strong password policy at my office and as a sysadmin I need to create new passwords often. The funny thing is that the rules require so many things that I often have trouble coming up with good passwords for things without resorting to variations on combinations that I know work.



There is a password generator for PalmOS that creates human readable passwords. I was wondering if anyone knows of one for Windows.



I need to be able to configure it for the following rules:

- 9 characters or greater
- must contain letters, numbers and symbols or case variation



The PalmOS tool tries to create a password that looks a little like leet speak, but the words are nonsense as well.



Might have to write one myself.

Thorin

Quote from: "Lazybones"
9 characters or greater

I hate that particular rule :P  I have some good passwords that are easy for me to remember yet hard to guess, but they're only eight characters long...
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful

Lazybones

Quote from: "Thorin"
Quote from: "Lazybones"
9 characters or greater

I hate that particular rule :P  I have some good passwords that are easy for me to remember yet hard to guess, but they're only eight characters long...



Most of my easier to remember ones are 7. But can't use those here.

Cova

I've got a few quite strong 6 and 7 character long passwords I use quite often.  The ones that really bug me are places that don't allow symbols and such in passwords.



As for a generator tool, I wrote one a few years back that we use here at NAIT for making all kinds of passwords.  It uses mixed case, numbers, and symbols, and generates a password of any length (it prompts you, defaults to 10 chars).  But it's completely random; it doesn't try to make it readable or familiar looking at all.  If you want it, I'll post the code up somewhere.

Lazybones

Quote from: "Cova"
I've got a few quite strong 6 and 7 character long passwords I use quite often.  The ones that really bug me are places that don't allow symbols and such in passwords.

As for a generator tool, I wrote one a few years back that we use here at NAIT for making all kinds of passwords.  It uses mixed case, numbers, and symbols, and generates a password of any length (it prompts you, defaults to 10 chars).  But it's completely random; it doesn't try to make it readable or familiar looking at all.  If you want it, I'll post the code up somewhere.



No, I have found many of those, and have even written one myself. Someone introduced me to the Palm one and I have to say it makes good passwords you can almost pronounce, which is good if you need to describe it over a phone.



An example might be Num0RMits or SwinH@g12. It attempts to put vowels and such in proper places and a little 733t speak. The fully random ones get you XS#>5Wq49 type passwords that no one remembers unless they reuse them everywhere.



Some days it's just hard to be creative with them; avoiding dictionary words is hard. :D

Lazybones

Ok, I went and wrote one myself. The password length can be between 4 and 12 characters. I did this because drop down lists are easy to select on a portable device and this is a common range of human usable sizes.

I made it as a single XHTML doc using JavaScript when I realized I could load local HTML files on my PDA. It still took some time to come up with the human readable part; it generates some interesting things sometimes. Un-checking the human readable option will default it back to fully random.

Let me know what you think, by default it creates passwords that will conform to my networks minimum complexity rule, so this might be useful for others who need to create passwords with the same rules.

If you find this useful let me know..

See attached PassGen.zip file

Tom

I sometimes like to pick semi random romaji sequences. My current main password is 9 characters long, and is easy enough to remember: just a bunch of syllables that would normally not appear together in English :)
<Zapata Prime> I smell Stanley... And he smells good!!!

Lazybones

Quote from: Tom on September 18, 2006, 08:19:24 PM
I sometimes like to pick semi random romaji sequences. My current main password is 9 characters long, and is easy enough to remember: just a bunch of syllables that would normally not appear together in English :)

This is more for those of us who admin many systems and need more than one strong password. Also handy for me as I often have to set default or reset passwords for users. Also our passwords must be changed every 90 days and can not repeat.

Tom

I personally would have a tough time remembering the passwords that script generates, even with the numbers, symbols and capitalization off.
<Zapata Prime> I smell Stanley... And he smells good!!!

Lazybones

Quote from: Tom on September 18, 2006, 09:18:35 PM
I personally would have a tough time remembering the passwords that script generates, even with the numbers, symbols and capitalization off.

They're not all great, but it does try and make them use English sounding combinations.  If you generate a few you will often find something interesting. The idea is not to use real words that could be in a dictionary while trying to be memorable.  How good they are depends on the length you set as well.

It does what I want, however it may not be of interest to everyone.

Tom

Quote
It does what I want, however it may not be of interest to everyone.
as with my method ;)
<Zapata Prime> I smell Stanley... And he smells good!!!

Adams

Just FYI: http://www.winguides.com/security/password.php.
I use this one. It's not the best, but for 8 - 10 character passwords it makes a few good ones; then just slightly modify it to suit your needs.
"Life is made up of 2 types of people...
50% of People who do want to do things
50% of people who do not want to do things
The rest are all forced to do things."

Lazybones

Oops, I had included a debug popup in the version I first posted.  Fixed the attached file.

TheDruid

Thanks lazy, this will come in handy for me. In the last few months my job has really cracked down on our passwords and now our rules include:

1. Minimum of 8 characters in length

2. The password contains characters from at least three of the following five categories:

        - English uppercase characters (A - Z)
        - English lowercase characters (a - z)
        - Base 10 digits (0 - 9)
        - Non-alphanumeric (For example: !, $, #, or %)
        - Unicode characters

3. The password does not contain three or more characters from the user's account name.

4. Passwords will have an expiry of 30 days and a history of 6 passwords will be kept.

Needless to say I'm on month 4 right now and starting to run short on passwords.
I only drink the blood of my enemies, and on occasion a strawberry smoothie.

Lazybones

Exactly

I am under the following rules:

Contain characters from 3 of the following 4 groups:
- Letters, uppercase
- Letters, lowercase
- Numerals
- Symbols

Be significantly different from prior 24 passwords

They must change every 90 days (might be 60)

Lazybones

Quote from: Tom on September 18, 2006, 09:18:35 PM
I personally would have a tough time remembering the passwords that script generates, even with the numbers, symbols and capitalization off.

The easiest to read is to just turn off the capitalization. This will force the format of word num/sym word, and it is easier to pick out symbols and numbers from the characters. If you turn both numbers and symbols off there is no separation between the pseudo words, so they are very hard to read, and all the padding will be random characters.

I plan on improving the word generation as it picks some combinations that just don't appear in normal words, it is a work in progress.

Some examples (no numbers, no case, 9 minimum):
fewn*phawz
yuh#tawg&
neey#showc
quoat!quaic
zim%quaub

You can sort of imagine a pronunciation for those, and that should make them easier to remember than random character pairs. Well, at least that is the idea anyway.

Darren Dirt

Quote from: TheDruid on September 19, 2006, 10:01:26 AM
...now our rules include:

1. Minimum of 8 characters in length

2. The password contains characters from at least three of the following five categories:

        - English uppercase characters (A - Z)
        - English lowercase characters (a - z)
        - Base 10 digits (0 - 9)
        - Non-alphanumeric (For example: !, $, #, or %)
        - Unicode characters

3. The password does not contain three or more characters from the user's account name.

4. Passwords will have an expiry of 30 days and a history of 6 passwords will be kept.

:o

Personally, I would be seeking other employment if those kinda rules were enforced ... that is BEYOND ridiculous, and it obviously would encourage many non-analytical thinkers to simply write down their passwords somewhere near their keyboard ::)
_____________________

Strive for progress. Not perfection.
_____________________

Lazybones

Quote from: Darren Dirt on September 19, 2006, 12:21:25 PM
Quote from: TheDruid on September 19, 2006, 10:01:26 AM
...now our rules include:

1. Minimum of 8 characters in length

2. The password contains characters from at least three of the following five categories:

        - English uppercase characters (A - Z)
        - English lowercase characters (a - z)
        - Base 10 digits (0 - 9)
        - Non-alphanumeric (For example: !, $, #, or %)
        - Unicode characters

3. The password does not contain three or more characters from the user's account name.

4. Passwords will have an expiry of 30 days and a history of 6 passwords will be kept.

:o

Personally, I would be seeking other employment if those kinda rules were enforced ... that is BEYOND ridiculous, and it obviously would encourage many non-analytical thinkers to simply write down their passwords somewhere near their keyboard ::)

The only part of that rule that is overkill to me is the rotation time of 30 days. That is simply too often. The other complexity rules are important to reduce brute force attack risks.

Thorin

Quote from: TheDruid on September 19, 2006, 10:01:26 AM
Thanks lazy, this will come in handy for me. In the last few months my job has really cracked down on our passwords and now our rules include:

1. Minimum of 8 characters in length

2. The password contains characters from at least three of the following five categories:

        - English uppercase characters (A - Z)
        - English lowercase characters (a - z)
        - Base 10 digits (0 - 9)
        - Non-alphanumeric (For example: !, $, #, or %)
        - Unicode characters

3. The password does not contain three or more characters from the user's account name.

4. Passwords will have an expiry of 30 days and a history of 6 passwords will be kept.

Needless to say I'm on month 4 right now and starting to run short on passwords.

Betcha some users get around that by putting their first name, some padding, and then a number representing the version of the password they're on.  Users like to do things easy.  For instance,

Thorin01
Thorin02
Thorin03
Thorin04
Thorin05
Thorin06

Or even easier, pick your favourite password.  When it's time to change, change it six times then put it back to the original.

If they're really that paranoid about people's passwords, they should invest in fingerprint scanners.  No, wait, those can be defeated with photocopies.  Oh, I know!  We could educate all workers about the risk of letting others see their password.  Since that's really the problem, anyway.  If I never let you know my password, it doesn't matter how often I change it, you can never use it.  Unfortunately, 70% of users are willing to trade their password for a piece of chocolate.  No matter what you do with the password rules short of requiring them to be changed after every challenge, you cannot guard sufficiently against this problem.

Hey, the creators of Shadowrun had this figured out back in 1989.  Even back then, they predicted the Matrix (from Shadowrun, not the movies) would interconnect computers everywhere in a giant grid.  And they made sure to explain that some corporations simply *would not* connect sensitive systems to the Matrix, so that there was no way for a hacker to get at the files on them without explicitly breaking into the compound (hey, this was the basis for an easy half of all runs I ever did...).
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful

Shayne

HaHa Thorin nailed my password scheme at upside :)

Darren Dirt

Quote from: Thorin on September 19, 2006, 01:14:51 PM

If they're really that paranoid about people's passwords, they should invest in fingerprint scanners.  No, wait, those can be defeated with photocopies.  Oh, I know!  We could educate all workers about the risk of letting others see their password.  Since that's really the problem, anyway.  If I never let you know my password, it doesn't matter how often I change it, you can never use it.  Unfortunately, 70% of users are willing to trade their password for a piece of chocolate.



Thanks Thorin, for the past hour I've had the first coupla minutes of "Stairway to Heaven" playing and replaying and REplaying in my noggin' :P ;)
_____________________

Strive for progress. Not perfection.
_____________________

Thorin

Quote from: Darren Dirt on September 19, 2006, 12:21:25 PM
Personally, I would be seeking other employment if those kinda rules were enforced ...

I have to say, password rules is not something that'll make me quit a job...  Bad pay, being expected to work overtime without pay or cause, bad benefits, completely boring work, lack of foreseeable future for the company, lack of future career growth, and lack of trust in management all make my list, but password rules?  Hmm.  I think you might be a bit more fickle than most, Darren  ;)
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful