Random Password Generator
Introduction: A random password generator is a software program or hardware tool that receives input from a random or pseudo-random number generator and automatically creates a password. Random passwords can be generated manually, using simple sources of randomness such as dice or coins, or they can be generated using a computer.
While there are many examples of "random" password generator programs available on the Internet, generating randomness can be complicated, and many programs do not generate random characters in a way that ensures strong security.
A common recommendation is to use open source security tools where possible, since they allow independent checks on the quality of the methods used. Note that simply creating a password at random does not guarantee the password is strong, because it is possible, although extremely unlikely, to create an easily guessed or cracked password. There is no need at all for a password to have been created by a perfectly random method: it just needs to be sufficiently difficult to guess.
A password generator can be part of a password manager. When a password policy enforces complex rules, it can be easier to use a password generator based on that set of rules than to manually create passwords.
Long strings of random characters are difficult for most people to memorize. Mnemonic hashes, which reversibly convert random strings into more memorable passwords, can substantially improve the ease of memorization. As the hash can be processed by a computer to recover the original 60-bit string, it has at least as much information content as the original string.[1] Similar techniques are used in memory sport.
Type and strength of password generated
Random password generators normally output a string of symbols of specified length. These can be individual characters from some character set, syllables designed to form pronounceable passwords, or words from some word list to form a passphrase.
The program can be customized to ensure the resulting password complies with the local password policy, say by always producing a mix of letters, numbers and special characters. Such policies typically reduce strength slightly below the formula that follows, because symbols are no longer independently produced.
The strength of a random password against a particular attack (brute-force search) can be calculated by computing the information entropy of the random process that produced it. If each symbol in the password is produced independently and with uniform probability, the entropy in bits is given by the formula
Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly.
The strength of a password is a function of length, complexity, and unpredictability. Using strong passwords lowers overall risk of a security breach, but strong passwords do not replace the need for other effective security controls. The effectiveness of a password of a given strength is strongly determined by the design and implementation of the factors (knowledge, ownership, inherence). The first factor is the main focus in this article.
The rate at which an attacker can submit guessed passwords to the system is a key factor in determining system security. Some systems impose a time-out of several seconds after a small number (e.g. three) of failed password entry attempts. In the absence of other vulnerabilities, such systems can be effectively secured with relatively simple passwords. However, the system must store information about the user's passwords in some form and if that information is stolen, say by breaching system security, the user's passwords can be at risk.
Password generator programs and websites
A large number of password generator programs and websites are available on the Internet. Their quality varies and can be hard to assess if there is no clear description of the source of randomness that is used and if source code is not provided to allow claims to be checked. Furthermore, and probably most importantly, transmitting candidate passwords over the Internet raises obvious security concerns, particularly if the connection to the password generation site's program is not properly secured or if the site is compromised in some way.
Without a secure channel, it is not possible to prevent eavesdropping, especially over public networks such as the Internet. A possible solution to this issue is to generate the password using a client-side programming language such as JavaScript. The advantage of this approach is that the generated password stays in the client computer and is not transmitted to or from an external server.
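A client-side generator of the kind described above, as an added example that is not code from the original page. It draws symbols from the platform's cryptographic random source with rejection sampling so that every symbol is equally likely, and computes entropy as length × log2(alphabet size), the standard result for independent, uniformly chosen symbols. The alphabet and the function names are assumptions made for illustration.

```javascript
// Added example: client-side password generation with a CSPRNG.
// Browsers and recent Node expose Web Crypto as globalThis.crypto; the
// require() fallback is only evaluated on older Node (CommonJS).
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Constructed sample alphabet (an assumption, not a policy from the page).
const ALPHABET =
  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@_";

// Uniform integer in [0, n) for 1 <= n <= 256, by rejection sampling.
// Plain `byte % n` favours small values whenever 256 is not a multiple of n.
function uniformIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError("n must be an integer in 1..256");
  }
  const limit = 256 - (256 % n); // largest multiple of n that fits in a byte
  const buf = new Uint8Array(1);
  for (;;) {
    webCrypto.getRandomValues(buf);
    if (buf[0] < limit) return buf[0] % n; // reject bytes in the biased tail
  }
}

// Build a password of `length` symbols, each drawn independently and uniformly.
function generatePassword(length, alphabet = ALPHABET) {
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError("length must be a positive integer");
  }
  const symbols = Array.from(new Set(alphabet)); // duplicates would skew odds
  let out = "";
  for (let i = 0; i < length; i++) out += symbols[uniformIndex(symbols.length)];
  return out;
}

// Entropy in bits of `length` independent, uniform symbols.
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Smallest length that reaches at least `targetBits` of entropy.
function lengthForBits(targetBits, alphabetSize) {
  return Math.ceil(targetBits / Math.log2(alphabetSize));
}
```

A policy that forces at least one character from each class would be applied by regenerating until the result complies, which removes some otherwise valid outputs and lowers the entropy slightly below what `entropyBits` reports.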










