Password Generator

Your generated password is:

Constraints...

(Trim to character(s)).

Separate words with , , or .

May or must include lower case letters.

May or must include upper case letters.

May or must include numbers.

May or must include non-alphanumeric symbols (

Notes...

Some of these restrictions will effectively reduce your password complexity, since the attacker has a smaller space to work in.

If you keep clicking until you find a password you "like", you will reduce the effectiveness of using a password generator.

About...

For passwords generated by a process that randomly selects a string of symbols of length, L, from a set of N possible symbols, the number of possible passwords can be found by raising the number of symbols to the power L, i.e. N^L. Increasing either L or N will strengthen the generated password. The strength of a random password as measured by the information entropy is just the base-2 logarithm or log2 of the number of possible passwords, assuming each symbol in the password is produced independently. Thus a random password's information entropy, H, is given by the formula:

Entropy formula

where N is the number of possible symbols and L is the number of symbols in the password. H is measured in bits. In the last expression, log can be to any base.

Wikipedia contributors, "Password strength," Wikipedia, The Free Encyclopedia, http://en.wikipedia.org/w/index.php?title=Password_strength&oldid=651343933 (accessed March 26, 2015).

Roughly translated, this means that a good password is either made up of a lot of symbols from a small pool, or a smaller number of symbols from a larger pool. Traditionally, the advice for passwords is to make up a "random" word (from a set of upper and lower case letters, and numbers). Unfortunately, humans tend to be quite bad at both picking and remembering random combinations of letters.

Any one who considers arithmetical methods of producing random digits is, of course, in a state of sin.

Von Neumann, John. "Various Techniques Used in Connection with Random Digits." Applied Math Series, no. 12 (1951): 36-38.

There are two separate solutions to these two problems. First, use a better source of randomness. Modern web browsers offer "cryptographic" random numbers, ultimately from external sources of entropy (such as the temperature of the CPU, or the time between keystrokes and mouse movements).

Second, write down your (long and complex) passwords. Again, traditionally, this has not been good advice, but mostly what you need a password for these days is to create an account on a random web site. The "don't write down your password" advice protects you against someone with physical access, but the threat is more likely to either be someone trying to brute force attack the web site login, or to brute force guess the password once they've got a copy of the web site database.

This password generator uses a base list of just over 8000 words. Each word can (on a 50/50 choice) have a first capital letter (so effectively 2 * 8000 = 16000 words). If the additional complexity option is selected, each word has one of the ASCII non-alphabetic characters appended ("!#$%()*+,-./-1234567890:;=?@[\]^_`{|}~" = 39 characters * 16k = 624k). The default number of words is 6, so the possible number of combinations is (8000 * 2 * 39)^6 (= 5*10^34) or roughly 114 bits of entropy. An 8 digit random alpha-numeric string has about 40-50 bits of entropy.
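The scheme described above can be sketched as follows. This is an added example, not this page's own source code: the function names, the short word list and the symbol string are constructed for illustration, and the entropy figure only holds if every word in the list is distinct and lower case.

```javascript
// Web Crypto CSPRNG: global in browsers and recent Node; fallback for older Node.
const cryptoObj = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// Uniform integer in [0, n). Rejection sampling avoids the modulo bias
// that a bare `value % n` would introduce when n does not divide 2^32.
function randomBelow(n) {
  if (!Number.isInteger(n) || n < 1 || n > 0x100000000) {
    throw new RangeError("n must be an integer in [1, 2^32]");
  }
  const limit = Math.floor(0x100000000 / n) * n; // largest multiple of n <= 2^32
  const buf = new Uint32Array(1);
  do {
    cryptoObj.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// H = L * log2(N): L word slots, N equally likely outcomes per slot
// (list size * 2 capitalisation choices * number of appended symbols).
function entropyBits(listSize, wordCount, symbolCount = 1) {
  return wordCount * Math.log2(listSize * 2 * symbolCount);
}

function generatePassphrase(words, { count = 6, symbols = "", separator = " " } = {}) {
  const parts = [];
  for (let i = 0; i < count; i++) {
    let word = words[randomBelow(words.length)];
    if (randomBelow(2) === 1) {
      word = word[0].toUpperCase() + word.slice(1); // 50/50 first capital
    }
    if (symbols.length > 0) {
      word += symbols[randomBelow(symbols.length)]; // optional extra complexity
    }
    parts.push(word);
  }
  return parts.join(separator);
}

// Constructed sample data; a real list needs thousands of distinct words.
const SAMPLE_WORDS = ["anchor", "breeze", "copper", "dune", "ember", "fjord", "glade", "harbor"];
const SAMPLE_SYMBOLS = "!#$%*+=?@";

console.log(generatePassphrase(SAMPLE_WORDS, { symbols: SAMPLE_SYMBOLS }));
console.log(entropyBits(SAMPLE_WORDS.length, 6, SAMPLE_SYMBOLS.length).toFixed(1), "bits");
```

With only eight sample words the printed entropy is far lower than the page's figure; the per-word term grows with the logarithm of the list size, which is why the word list matters more than any single option.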

A final thought - If you're serious about password security, don't blindly trust a page you've found online....

Random Number Generation Is Too Important to Be Left to Chance

Coveyou, Robert. [Title of article] Studies in Applied Mathematics, no. III (1970): 70-111.

(See also the relevant XKCD)