Pattern based password generator

Having to deal with changing passwords on multiple computers every three or four weeks, resulted in me making a password generator to speed up the process. Making a password generator is trivial, however, making one that generates meaningfull passwords is another issue.  Another challenge is security and true randomness vs deterministic randomness. In this post, I present a small utility that adresses these issues while at the same time being simple to use. 

Why bother making a password generator?
A good strategy against hackers is to have strong passwords that is hard to guess or crack using brute-force techniques. To make sure users are creating strong passwords, network admins usually require that passwords are matching some predefined pattern including letters, numbers and symbols. I would actually claim that, nearly everybody, are using some word (combined with digits) that gives them some meaning. The exception is auto-generated system passwords (like isp’s, web hosts etc.) that usually look like a nightmare. To aid the generation of meaningful passwords, I found several open source dictionaries and combined them into one large dictionary (I will even dare to say that it’s among the biggest with over 130 thousand words)

The motivation for making my own generator, is simply because I dont want to waste time finding something new each time. I don’t do something stupid as changing a single digit or character either, making the password extremely predictive. However, this is a good opportunity to also learn and understand the inner workings of linear congruential generators (also called recurrence equations). So my requirement is pretty simple; generate unique, meaningfull, but safe passwords.
This resulted in me making a generator with the following features:

  • It  generates variable length passwords (*, 5, 7, 9, 14 characters)
  • It generates safe passwords, containing letters, numbers and symbols
  • It’s able to run in 6 different modes: simple, medium or strong random passwords, dictionary words, hex code and pattern based passwords
  • It’s able to create meaningfull passwords based on patterns of any length & combination
  • Uses a large dictionary based on open source resources freely available on the net (currently 132542 uniqe words).
  • Parts of the words can be extracted or split, hence decreasing the probability of brute-forcing dictioary words

The generator has the following security features:

  • It uses Java’s SecureRandom class capable of generating true random 160 bits seed data created using the SHA-1 algorithm. SecureRandom is a  cryptographically strong RNG that follows the IEEE P1363 standard.
  • Re-seeding on every generation call

 An extra note on security:
SecureRandom was chosen in order to keep the generator simple and portable. While fixing several issues of the regular Random class, SecureRandom still uses a deterministic  algorithm for generating numbers. The latter, means that it possible to reverse-engineer the algorithm by simply analysing its output (LCG Cracking). In a more advanced application where a higher level of security would be required, it’s adviced to use a non-linear algorithm such as AES (also used in WPA2). Trying to reverse-engineer a AES based number generator means trying to break the AES Block Cipher encryption, which is nearly impossible. A good open source framework providing AES is the Uncommons-Maths library.

The generator accepts the following pattern expressions:

  • d : digit
  • l:    lower case letter
  • L:  upper case letter
  • s:   symbol
  • w: lower case dictionary word as in: java
  • W: dictionary word as in: Java

Using the pattern

  • “wdd” (lower case word with two digits behind) would then generate something like: “consol69″
  • “WdsdL” (a word with a uppercase first character, a digit, a symbol, a second digit and a uppercase letter) would generate something like : “Doom6#9C”

Use of the generator:

PasswordGenerator pg = new PasswordGenerator()
String password = pg.generate(<your pattern>);

More examples in the source code.

Download: The source code (incl. the dictionary) is provided as is, use it as it suits you.

This entry was posted in Algorithms, Java and tagged , , , . Bookmark the permalink. Post a comment or leave a trackback: Trackback URL.

Post a Comment

Your email is never published nor shared. Required fields are marked *


You may use these HTML tags and attributes <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>