GeodSoft Password Generator Instructions

		GeodSoft

Password.pl Instructions

Pattern Formation


  c: lower case consonant
  v: lower case vowel
  l: lower case letter
  w: lower case consonants plus common 2 and 3
     character consonant sequences that start words
  e: lower case consonants plus common 2 and 3
     character consonant sequences that end words
  C: mixed case consonant
  V: mixed case vowel
  L: mixed case letter
  W: mixed case consonants plus common 2 and 3
     character consonant sequences that start words.
     Only the first character may be upper case.
  E: mixed case consonants plus common 2 and 3
     character consonant sequences that end words.
     Only the last character may be upper case.
  d: digit
  s: symbol or punctuation
  n: non letter, i.e. digit, symbol or punctuation
  m: alphanumeric, lower case letters only
  M: alphanumeric, mixed case letters
  a: any character, lower case letters only
  A: any character, mixed case letters
  h: hexadecimal (0-9, a-f)
  0: zero or one of the preceding character type
  1: one or more of the preceding character type
2-9: one to the specified number of the preceding
     character type

Each alphabetic pattern control character is a key which selects an array of possible values from which one or more characters will be pseudo randomly selected. The w, W, e and E pattern characters may result in 1, 2 or 3 character sequences for each pattern character; if the maximum password length does not allow sufficient length, truncation will occur. All pattern control characters except w, W, e and E define a single password character. The entire pattern is processed unless the maximum password length is reached first, at which point the password is truncated. If the pattern is processed and the minimum length is not reached, the password is discarded, and a new cycle started. The digits are numeric modifiers of the preceding pattern control character, and determin if or how many of the type of character represented by the pattern character are included. The user has complete control over the probability each numeric modifier represents.

How Many

Determines how many passwords will be displayed. Valid values are 1 - 1000; the default is 10. Invalid values will be set to the minimum, default or maximum, depending on what is entered. I have the high limit mostly for administrators who want to make a list of passwords they can assign their users as they need them, or pick and choose from over a period of time, for their own use. If you print 1000 or 5000, especially if you use different patterns, you can go a long time without coming back. Even on the remote chance someone was sniffing between GeodSoft and your computer, all they will see is a very long list of what may be passwords. The chances that they will get associated with you and the sniffer will know which ones you've used, or be in a position to use the entire list as a cracking dictionary on computers you use is awfully small.

I've had the 1000 limit and the instructions mentioning it going back to the original password generator. It's hardly ever been used. I included most of the preceding paragraph in "What's New" and within a day two morons set the limit to 1000 and start clicking away on submit. With 5 to 10 seconds between clicks, it was obvious they could not possibly be cutting and pasting or saving in any fashion, or even looking at the individual passwords. They were just watching a pagefull of passwords change in response to their infantile urges. Put something in "instructions" and the large majority of people won't read it. Put the same thing some place prominent, and someone who wouldn't dream of reading instructions, thinks it gives them license to abuse the system.

Display Across

A 1 causes the displayed passwords to be printed across the page in rows. A 0 will cause passwords to be printed in a single column. Valid values are 0 and 1 defaulted to 1.

Maximum zero characters

Sets an upper limit to the number of characters specified by a pattern control character followed by zero that will be output in the resulting passwords. The default is 2. If the pattern contains more than 2 zero characters, the maximum must be increased to the actual number for there to be any possibility that all can actually appear. The low zero limit combined with the relatively low odds on zero characters provides a way to introduce comparatively small variations to a password pattern.

Zero odds

Sets the odds for a pattern control character followed by a zero to be output. The default is .25 or 1 in 4. If the maximum number of zero characters have already been output, the odds are not used; no more zero characters are output. Before displaying a zero character a random number between 0 and 1 is generated. If it is less than the Zero odds, the character is output, otherwise it is skipped. Useful values range from .1 to .9 which are from 1 in 10 to 9 in 10 or very rarely to nearly always. Values less than 0 or 1 and greater are never and always and therefore not useful; they are restored to the default if entered.

One odds

Sets the odds for more than one of the preceding pattern character type to be output. One of the appropriate character type is output and then a random number between 0 and 1 is generated. If the number is less than the "One odds" another character is output and an new random number generated. The loop continues until a random number is greater than or equal to the "One odds" or the maximum password length is reached. The default is .6 or 6 in 10. At the default, unless minimum or maximum password length impose a constraint, the number of pattern characters is mostly low (1 - 3) but very long sequences are occasionally produced. Values less than 0 or 1 and greater are never and always and therefore not useful; they are restored to the default if entered.

2 through 9 odds

Sets the odds for more than one of the preceding pattern character type to be output. After the first appropriate character type is output, a loop constant is calculated. The loop constant is calculated as the provided value divided by (numeric modifier less 1). The loop constant is subtracted from 1 on the first loop and from the saved result on each successive loop (decreasing the odds on each pass). A random number between 0 and 1 is generated and if the result is less than the calculated result (1 - loop constant, etc.) the loop continues until a random number is greater than the shrinking odds or the maximum password length is reached. The default .5 produces a fairly even distribution of character lengths from 1 to the maximum allowed by the numeric modifier of 2 through 9 over all values of 2 through 9. Thus with d2 there is an even chance of the second digit being generated, password length restraints allowing. Smaller numbers (but not less than 0) force a clustering of longer output strings and larger numbers (less than the numeric modifier) generate more shorter strings. Values less than 0 or 9 and greater are not useful; they are restored to the default if entered.

Minimum password length

Sets the minimum length in characters of the displayed passwords. If the pattern cannot create passwords at least as long as the minimum length, no passwords are output. Any numeric value greater than or equal to 1 and less than or equal to the maximum length is valid. 7 is the default minimum length.

Maximum password length

Sets the maximum password length in characters of the displayed passwords. Password output is terminated as soon as the maximum length is reached, truncating any password that otherwise might have been longer. Any numeric value greater than or equal to 1 is valid. 10 is the default maximum length.

Force Mixed Case

A 1 forces the displayed passwords to contain both upper and lower case letters; no passwords are output if the pattern contains no mixed case type pattern control characters (C, V, L, W, E, M or A). Valid values are 0 and 1 defaulted to 0. There should be two or more of the mixed case control characters in the pattern if force mixed case is set. If there is only one mixed case pattern control character and force mixed case is set, the mixed case character position will always be upper case. Though the resulting passwords may appear more complex, forcing mixed case actually reduces the number of passwords that a control pattern can generate.

Force a Digit

A 1 forces the displayed passwords to contain at least one digit; no passwords are output if the pattern contains no digit type pattern control characters (d, n, a and A). Valid values are 0 and 1 defaulted to 0. There should be two or more of the n, a or A pattern control characters and no d's if force a digit is on. If there is only one of the n, a or A control characters and force a digit is set, the output character will always be a digit. Though the resulting passwords may appear more complex, forcing a digit actually reduces the number of passwords that a control pattern can generate. If one or more d type pattern control characters is present, this option has no effect.

Force a Symbol

A 1 forces the displayed passwords to contain at least one symbol or punctuation character; no passwords are output if the pattern contains no symbol type pattern control characters (s, n, a and A). Valid values are 0 and 1 defaulted to 0. There should be two or more of the n, a or A pattern control characters and no s's if force a symbol is on. If there is only one of the n, a or A control characters and force a symbol is set, the output character will always be a symbol or punctuation character. Though the resulting passwords may appear more complex, forcing a symbol actually reduces the number of passwords that a control pattern can generate. If one or more s type pattern control characters is present, this option has no effect.

Digit sets per symbols

Determines the number of digit sets that are placed into arrays containing digits as well as symbols and punctuation. The default is 3. A standard keyboard has 10 digits and 32 symbols and punctuation characters. If an array is initialized with 1 of each, symbols and punctuation are about 3 times as likely to appear as a digit. By using 3 digit sets, a digit has an about equal chance of being included but each digit is three times more likely to appear than any specific symbol or punctuation character. Valid values are any numeric greater than or equal to 1; large values will suppress any symbols or punctuation characters. This is only relevant if the pattern contains one or more of the following characters: a, A or n.

Word Only Passwords

Words only is a completely new feature of passwords.pl. Feature is the wrong word. Words Only is an entirely new password generator, with totally independent logic, that simply shares the user interface of the pattern based password generator. Though it uses multiple dictionary words to create passwords, at 11 characters and longer, few if any cracking tools will be able to break these passwords, except in the freakishly rare circumstances when a common phrase is formed.

Unlike the pattern based password generator, which creates it's passwords one character at a time, Words Only randomly draws from a list of two through five character words and names. In test runs it created 2 duplicate passwords in one million 11 character passwords and 14 duplicate passwords in ten million 12 character passwords.

Like the pattern based password generator, little in Words Only is truly random. There is not an equal distribution of words of the various lengths. The list used is made from English dictionaries and common U.S. names which means many names of non English origin. There are well over 100 times as many five letter words as two letter words and more than twice as many five letter words as four letter words. There more than four times as many four letter words as three letter words.

There are two very different ways to select the words. Dump all the words into a common pool and draw randomly from it or to dump the words into pools of all the same size words, and decide randomly which length you want and then randomly select a word from the selected length pool. Both have problems. From the single pool you will see very few two letter words, and at 10 characters, many passwords with two five letter words. From the separate pools you will get a gross over representation of short words. If you want the maximum diversity there are about 400 times as many 10 letter passwords made of 5 two character words as there are of 2 five character words, despite the greatly larger number of five letter words, but the overall character sequence will be almost random, defeating the purpose for using words in the first place.

In order to better meet length restraints placed on the passwords, and provide a greater diversity than the common pool approach would provide, I chose a variation on the separate pools approach. The selection is not truly random. Fewer three, and many fewer two letter words are selected than a truly random selection would allow. But many more of both are included than if a combined pool had been used.

There is also logic to prevent endless loops if the minimum and maximum lengths are the same. This is not a problem when building passwords a character at a time but when using words limited to two characters or longer this can be a problem. Any time the assembled words create a password one character shorter than the required length, the password cannot be created and potentially there is an infinite loop. You could recognize the situation, discard the password, and start over. Or you could recognize the situation, and add a random character to complete the password. Since I am trying to created strong, all lower case passwords, I chose to add the letter, and randomly add it between the last two words, or at the end. Though some of the other passwords may be very awkward to pronounce, this is the only time that a truly unpronounceable password is likely to be created. There is no control over this function, except to choose minimum and maximum lengths that are at least one character different.

Password Lengths

Users can easily control the length range of the Words Only passwords in the same manner as any other, by setting the minimum and maximum password lengths. There is a restriction not applied in the pattern password generator. No Words Only password can be less than 10 characters long. Setting the minimum length to any number less than 10, automatically results in the default 11 to 12 character length. You can get 10 character passwords by setting both the minimum and maximum lengths to 10. When there is only a one or two character difference between the minimum and maximum lengths, the longer length will be heavily favored. If the spread is larger, the shorter lengths will be favored. If the spread exceeds 5 characters, you will probably never see the maximum length.

Two Character Words

You can change the frequency of two and three character words by changing the Zero and One odds. About two thirds (.65) of the two character words are discarded before they are selected. If you set Zero Odds around .01, two character words will be selected as frequently as four or five character words. If you set this somewhere over .9, two character words would be selected about as often as if they were in a common pool.

Three Character Words

Three character words are discarded just over one third (.35) of the times they would otherwise be selected. If you set One Odds around .01, three character words will be selected about as often as four and five character words. If you set One Odds somewhere between .7 and .9, three character words will be selected about as often as if they were in a common pool.

Five Character Words

The "2 through 9 odds" setting of .99 effectively eliminates the selection of a second five character word in passwords less than 13 characters. By setting this to .01 or lower you effectively remove this restraint. There is no restriction on multiple 5 character words in passwords 13 characters and longer.

Other Options

The "How many passwords?" and "Display across? (0 or 1)" options work as normal. The other options "Maximum zero characters," and the four options at the bottom of the right column, "Force Mixed Case (0 or 1)," "Force a Digit (0 or 1)," "Force a Symbol (0 or 1)," and "Digit sets per symbols" have no effect on Words Only passwords.

Top of Page - Site Map

Home >
How-To >
Good Passwords >
instruct.htm

What's New
How-To
Opinion
Book

Email address

Site map:
Home
What's New
About GeodSoft
- Large Web Project
- Designing GeodSoft
- Building GeodSoft
How-To
- Style Sheets (CSS)
- Time Synchronization
- Secure Shell (SSH)
- 10 Security Steps
- Good Passwords
- - Password Basics
- - Cracking Passwords
- - Password Advice
- - Password Research
- - Cracking Dictionaries
- - Advice Revisited
- - Human Passwords
- - Password Generators
- - Using a Generator
- - Password Security
- - Password Management
- - Windows Weaknesses
- - Common Passwords
- - Password Footnotes
- Dual Boot Open Source
- Harden OpenBSD
- Intrusion Detection
Reviews & Commentary
- Bogus PHP Bug
- Product Packages
- Software Licenses
- Corel Linux
- Open Source Limits
- Server Comparison
Book: Assn. Webs
- Introduction
- Network & Web Basics
- Assn. Computer Security
- Publishing Myth
Terms of Use
Privacy Policy

Password Generator
Password Evaluator