RLPassWeb 1.2 - Natural Language Password Generator

The Program

Passwords

Number of passwords to generate. Note: slower computers may want to generate fewer than 100 passwords at a go (50 for longer passwords).

Length

Length of password in characters. Note: Version 2 passwords should be limited to a length of 15 characters to work properly. For the other algorithms, you can set this to any length that you desire; however, some algorithms generate pairs of letters, and will round the number of letters up to the nearest even value.

Settings

Include lowercase letters in password? (1=yes/0=no) Including lower-case letters improves the security of your passwords. Note that if you are using Algorithm 4, entering a "2" here also includes numbers.

Include numbers at the end of the password? Including numbers improves the security of your password. Not used in Version 2.

For version 2 only: select a bitpattern.

0. CVCCVVCCVVCCVVC - recommended for longer passwords
1. CVCCVCCVCCVCCVC
2. CVCCCVCCVCCCVCV
3. CVCCCVCCVCVCCVC
4. CVCVCCVVCCVCCVC
5. VCVCCCVCCVCVVCV
6. VCCVVCVCCVVCVCC - recommended for shorter passwords

The bitpattern determines the proportion and order of vowels and consonants according to a standardized pattern derived from similar patterns in common English words. Be careful when using this algorithm, as it may have a greater likelihood of generating actual dictionary words than the other algorithms, and may have lower entropy overall.

Algorithms

- Version 1: This is the original version of RLPassWeb. This generates a Natural Language password consisting of consonant/vowel pairs, producing words that sound more syllographic than standard English. For added security, you can also include lowercase letters and append numbers. This algorithm provides a decent level of security for the casual user. This algorithm uses the lowercase and number inclusion settings. Provides from 3.3 to 5.3 bits of entropy per character.

- Version 2: This version of RLPassWeb generates passwords using patterns based on the distribution of consonants and vowels in English-language words. This may or may not generate passwords that are more English-sounding than Version 1 or Version 4 passwords. However, because the results are based on patterns, they are less random than Versions 3 or 4, but more random than Version 1 if a potential attacker is unaware of the pattern used to generate the password. This algorithm uses the lowercase and bitpattern settings, and works for up to 15-character passwords.

- Version 3: A revamped version of the first algorithm designed for more accurate-sounding word creation by using varying pairs of vowels and consonants. This algorithm can switch cases, but does not append numbers. Provides slightly higher entropy than Version 1.

- Version 4: Completely random alphabetic/alphanumeric password. Should be the most random/most secure of the alphabetic algorithms. Options: lowercase bit set to 0 - all-caps alphabetic; set to 1 - upper/lower case alphabetic; set to 2 - multicase/alphanumeric. This algorithm uses the lowercase setting. Provides from 4.7 to 6 bits of entropy.

- Not a natural language generator. Generates a sequence of numbers for resettable combination locks and keypad systems. Not very secure if used for other purposes.

- Not a natural language generator. Generates a completely random password with upper and lower-case letters, numbers, and special characters. Provides 6.5 bits of entropy (maximum per character possible is 7).


RLPassWeb Info

What is RLPassWeb?

RLPassWeb is designed to create so-called "natural language" passwords for user accounts. These passwords are designed to be phonetically easy to pronounce, and can be associated into memory as "words" that can be more easily remembered than completely random passwords. RLPassWeb gives you four options for doing this, progressively harder to guess: consonant/vowel pairs, passwords based on standard English consonant/vowel patterns, letter-pair variations, and random alphabetic/alphanumeric passwords, as well as providing completely random and numeric passwords. RLPassWeb literally stands for Real Language Passwords for the Web.

How secure are the passwords RLPassWeb generates?

Please note that while these passwords are easy to remember, they are also more vulnerable to attack, because they are not as random - anything with a pattern to it can be broken. In passwords, the less of a pattern there is, the more bits of entropy the password has - and the more bits of entropy in a password, the harder it is to guess. An average English word, according to prevailing theories, has about 1.3 bits of entropy per letter. In contrast, Version 1 passwords would have about 3.4 bits of entropy per letter, and the random algorithm would have about 6.5 bits of entropy, according to Shannon's logarithmic entropy formula. The most secure method, using all 128 characters in the ASCII character set and a true-random number source, such as random.org, should yield a theoretical maximum of 7 bits per letter.

That being said, these algorithms will defeat a dictionary-word and dictionary-variation search, which are the most common types of password attack. However, as noted earlier, by only using 26 letters instead of the full 128-character ASCII set, you are still reducing the amount of randomness, and therefore the number of tries needed to guess your password with an optimized brute-force cracker, which can be a problem when generating passwords for encryption (note, however, that it is still fairly strong against a completely linear brute-force attempt). To combat this, use the options to insert numbers or capital letters, or if you're really paranoid, try a random generator (such as the "random" option below), or an easier-to-remember high-entropy method such as Diceware.

However, if you simply need a password for your email or other online accounts, natural-language passwords should be more than enough for everyday use - and, in combination with other words or methods, can be used to make easier-to-remember but still secure passwords for uses such as PGP encryption. Note, however, that for higher-security applications, such as a Mac OS X root password, that only allow 8 characters, you should use a higher-entropy method than RLPassWeb for a safe password.

So, I have a new password. Am I secure now?

Maybe. For maximum security, I would recommend that you change your password on your online accounts fairly frequently - about every 2 to 4 months. The jury's still out on whether it's safe to write passwords down - if you're not using the password for high-security applications, and don't worry about people going through your pockets at night, a scrap of paper in your wallet is probably secure enough, and there are also a plethora of applications that will encrypt your passwords under one master key - just remember, though, that if you're really worried about someone finding your password, memorization is the most foolproof method - until you forget.

What license is this program distributed under?

©2001 Theta Pi Software

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

Change Log

v1.2
- Added new algorithm based on alternating syllabic pairs
- Added new numeric passcode generator
- Added the capability to generate multiple passwords at once
- Rewrote the tutorial in a more accurate manner
- Swatted some off-by-one bugs

v1.1
- Rewrite of core code in JavaScript, released as a Web application
- Added upper/lower case options
- Added new pattern-based algorithm
- Added random password generators
- Added rudimentary tutorial on password security

v1.0.1
- Quick fix to allow copying the password to the clipboard (as opposed to saving it as a text file)

v1.0
- First Release (AppleScript) as RLPassword