Wednesday, July 23, 2008

Password Generator part 2

In a previous post, I mentioned that I had designed a simple password generator for use with the myriad of websites on which I have accounts. Rather than store passwords and carry them around with me, I've decided to carry around the code for a password generator in my head, so that I can generate difficult-to-guess passwords using a few easy-to-remember pieces of information. Namely these are a reusable master password, my username on the site, and the domain name of the site (like for example).

The generator algorithm takes these three pieces of information as strings of text (ASCII characters to be exact), and uses them to populate three pseudo-random data streams (I used ARC4 for the pseudo-random algorithm because it is easy to memorize). These three streams are combined to create the characters in the password. For more details, see the list of steps in the first post about the password generator, or better yet, take a look at the source code.

I have uploaded the password generator here, so if you'd like to use it, feel free.

In order to account for some websites which do not allow special characters or passwords that are thirty characters long, I created a settings file which has special rules for some websites. If there are any websites that you would like me to add to the settings, please let me know in the comments.
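The following Python sketch is an added example, not the generator's actual source code. It follows the outline above: three ARC4 streams keyed by the master password, username and domain, combined into password characters, with per-site rules for length and allowed characters. The XOR combination, the rejection-sampling character mapping, and the rule entries (including the placeholder domain) are assumptions made for illustration.

```python
import string


def arc4_stream(key: bytes):
    """Yield ARC4 keystream bytes for `key` (standard KSA, then PRGA)."""
    if not key:
        raise ValueError("ARC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:  # pseudo-random generation algorithm
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) % 256]


# Constructed stand-in for the settings file; the domain is a placeholder.
SITE_RULES = {
    "example.com": {"length": 12,
                    "charset": string.ascii_letters + string.digits},
}
DEFAULT_RULE = {"length": 30,
                "charset": string.ascii_letters + string.digits
                           + string.punctuation}


def generate_password(master: str, username: str, domain: str) -> str:
    """Derive a site password from the three secrets (all ASCII)."""
    rule = SITE_RULES.get(domain, DEFAULT_RULE)
    charset = rule["charset"]
    streams = [arc4_stream(part.encode("ascii"))
               for part in (master, username, domain)]
    # Reject combined bytes above the largest multiple of len(charset),
    # so every character is equally likely (no modulo bias).
    limit = 256 - 256 % len(charset)
    chars = []
    for a, b, c in zip(*streams):
        value = a ^ b ^ c  # assumption: streams are combined with XOR
        if value < limit:
            chars.append(charset[value % len(charset)])
            if len(chars) == rule["length"]:
                return "".join(chars)
```

The same three inputs always produce the same password, so nothing needs to be stored; changing any one input yields an unrelated-looking result.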

Now for a disclaimer: I'm not entirely sure that these passwords would stand up to cryptanalysis. It might be possible to figure out the inputs (the three secrets). So I recommend just using it for websites which are not too sensitive. I'm just using it on social news websites at the moment.

Someday this might all be made unnecessary through the use of OpenID or some other authentication solution. I'm looking forward to it.


Unknown said...

I just signed up for a service with OpenID and it makes me happy. I hope to see more stuff using it in the future so I don't have to open KeePass every time I want to comment on a blog or something.

Jeff Scudder said...

Nifty, which one was it? It seems like right now, there are more people becoming OpenID providers than consumers. Because the problem is that you have to trust the other website's accounts system. You know, Blogger accepts OpenIDs from some providers for comments.