RLPassWeb is designed to create so-called "natural language" passwords for user accounts. These passwords are designed to be phonetically easy to pronounce, and can be committed to memory as "words" that are more easily remembered than completely random passwords. RLPassWeb gives you four options for doing this, progressively harder to guess: consonant/vowel pairs, passwords based on standard English consonant/vowel patterns, letter-pair variations, and random alphabetic/alphanumeric passwords, as well as providing completely random and numeric passwords. RLPassWeb literally stands for Real Language Passwords for the Web.
Please note that while these passwords are easy to remember, they are also more vulnerable to attack, because they are not as random - anything with a pattern to it can be broken. The less of a pattern a password has, the more bits of entropy it has - and the more bits of entropy in a password, the harder it is to guess. An average English word, according to prevailing theories, has about 1.3 bits of entropy per letter. In contrast, according to Shannon's logarithmic entropy formula, Version 1 passwords would have about 3.4 bits of entropy per letter, and the random algorithm would have about 6.5 bits of entropy (the most secure method, using all 128 characters in the ASCII character set and a true-random number source, such as random.org, should yield a theoretical maximum of 7 bits per letter).
That being said, these algorithms will defeat dictionary-word and dictionary-variation searches, which are the most common types of password attack. However, as noted earlier, by only using 26 letters instead of the full 128-character ASCII set, you are still reducing the amount of randomness, and therefore the number of tries needed to guess your password with an optimized brute-force cracker, which can be a problem when generating passwords for encryption (note, however, that it is still fairly strong against a completely linear brute-force attempt). To combat this, use the options to insert numbers or capital letters, or if you're really paranoid, try a random generator (such as the "random" option below), or an easier-to-remember high-entropy method such as Diceware.
However, if you simply need a password for your email or other online accounts, natural-language passwords should be more than enough for everyday use - and, in combination with other words or methods, can be used to make easier-to-remember but still secure passwords for uses such as PGP encryption. Note, however, that for higher-security applications, such as a Mac OS X root password, that only allow 8 characters, you should use a higher-entropy method than RLPassWeb for a safe password.
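The per-letter entropy figures above can be worked through with Shannon's formula for independent, uniformly random choices. The following is an added example, not RLPassWeb's own code: the alphabet sizes (21 consonants, 5 vowels, 94 printable ASCII characters) and all function names are assumptions made for illustration. Under those assumptions, strictly alternating consonant/vowel pairs come out at about 3.36 bits per letter, which rounds to the 3.4 quoted above.

```javascript
// Added example. Assumed alphabet sizes (not taken from RLPassWeb's source):
const CONSONANTS = 21;      // b c d f g ... z
const VOWELS = 5;           // a e i o u
const LOWERCASE = 26;
const PRINTABLE_ASCII = 94; // printable ASCII without the space character
const FULL_ASCII = 128;

// A scheme maps a password length to the alphabet size used at each position.
const uniform = (size) => (length) => Array(length).fill(size);
const cvPairs = (length) =>
  Array.from({ length }, (_, i) => (i % 2 === 0 ? CONSONANTS : VOWELS));

// Shannon entropy of independent uniform choices: H = sum of log2(alphabet size).
function totalBits(sizes) {
  return sizes.reduce((bits, size) => bits + Math.log2(size), 0);
}

function bitsPerChar(scheme, length) {
  return totalBits(scheme(length)) / length;
}

// Shortest password under `scheme` carrying at least `targetBits` of entropy.
function minLength(scheme, targetBits) {
  let length = 1;
  while (totalBits(scheme(length)) < targetBits) length++;
  return length;
}

// Expected guesses for an attacker who knows the scheme: half the search space.
function averageGuesses(scheme, length) {
  return 2 ** (totalBits(scheme(length)) - 1);
}

// Compare each scheme at 8 characters, and the length it needs to match
// 8 uniformly random printable-ASCII characters.
function report() {
  const target = totalBits(uniform(PRINTABLE_ASCII)(8));
  return [["consonant/vowel pairs", cvPairs], ["lowercase letters", uniform(LOWERCASE)],
          ["printable ASCII", uniform(PRINTABLE_ASCII)], ["full ASCII", uniform(FULL_ASCII)]]
    .map(([name, scheme]) => ({
      name,
      bitsPerChar: bitsPerChar(scheme, 8).toFixed(2),
      bitsAt8Chars: totalBits(scheme(8)).toFixed(1),
      lengthToMatch: minLength(scheme, target),
    }));
}

console.table(report());
```

The last column shows the cost of pronounceability: under these assumptions a consonant/vowel password needs 16 letters to carry as much entropy as 8 random printable characters, which is why an 8-character limit calls for a higher-entropy method.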
Maybe. For maximum security, I would recommend that you change your password on your online accounts fairly frequently - about every 2 to 4 months. The jury's still out on whether it's safe to write passwords down - if you're not using the password for high-security applications, and don't worry about people going through your pockets at night, a scrap of paper in your wallet is probably secure enough, and there is also a plethora of applications that will encrypt your passwords under one master key - just remember, though, that if you're really worried about someone finding your password, memorization is the most foolproof method - until you forget.
©2001 Theta Pi Software
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
v1.1
- Rewrite of core code in JavaScript, released as a Web application
- Added upper/lower case options
- Added new pattern-based algorithm
- Added random password generators
- Added rudimentary tutorial on password security
v1.0.1
- Quick fix to allow copying the password to the clipboard (as opposed to saving it as a text file)
v1.0
- First Release (AppleScript) as RLPassword