RLPassWeb 1.3

 

Settings

Number of Passwords:

Password Length:

Lowercase?
(set for #1-6)

Add Characters?
(#1 only)

Bitpattern:
(#2 only)

 


RLPassWeb Instructions

Settings: These should be self-explanatory. You don't need to modify algorithm-specific settings unless you want to use that particular algorithm. The Bitpattern setting determines the proportion and order of vowels and consonants according to a standardized pattern derived from similar patterns in common English words. Be careful when using this algorithm, as it may have a greater likelihood of generating actual dictionary words than the other algorithms, and may have lower entropy overall.

Algorithms:

Vowel Pair - This is the version of RLPassWeb from the original AppleScript code. This generates a password consisting of consonant/vowel pairs, producing words that are based more on morphemes than phonemes (i.e. more akin to the Japanese way of writing, where each character represents both a consonant and a vowel). This algorithm provides a decent level of security for the casual user. This algorithm uses the lowercase and add character settings. This algorithm also keeps the feature of appending numbers from its predecessor for those who like this, although the option now adds special characters as well. Provides about 3.3-3.6 bits of entropy per character.

Bitpattern - This version of RLPassWeb generates passwords using patterns based on the distribution of consonants and vowels in English-language words. This may or may not generate passwords that are more English-sounding than Vowel-Pair passwords. However, because the results are based on patterns, they are less random than the frequency or syllabic algorithms, but somewhat more random than vowel-pair if a potential attacker is unaware of the pattern used to generate the password. This algorithm uses the lowercase and bitpattern settings, and works for up to 15-character passwords.

Phonemic - This algorithm is an advancement on the vowel-pair approach, and is an attempt, similar to the bitpattern, to create passwords that follow the patterns of the English language as closely as possible. Be aware, though, that this algorithm has the highest possibility of any to generate passwords containing actual English words. Because of the way the passwords are generated, each password may have slightly more or less entropy than the vowel-pair method.

Frequency - Another way of trying to create English-sounding words, by using English letter frequency tables (many thanks to these sites for providing this information). Using these tables, the algorithm uses common first and last letters, and calculates the rest of the letters by actual English letter frequency (approx. 1.5 consonants/vowel). This algorithm uses the lowercase setting, and provides entropy roughly equivalent to the vowel-pair algorithm.

Syllabic - A revamped version of the first algorithm designed for more accurate-sounding word creation by using varying pairs of vowels and consonants. This algorithm uses the lowercase function. Provides slightly higher entropy than the vowel-pair algorithm.

Random Alpha - Not a natural language generator. Completely random alphabetic/alphanumeric password. Should be the most random/most secure of the alphabetic algorithms. This algorithm uses the lowercase setting, and can also be set to include numbers from the same setting. Provides from 3.7 to 5 bits of entropy.

Numeric - Not a natural language generator. Generates a sequence of numbers for resettable combination locks and keypad systems, or for use in addition to the other algorithms for creating a complex password. Not very secure if used for other purposes.

Full Random - Not a natural language generator. Generates a completely random password with upper and lower-case letters, numbers, and special characters. Provides approx. 6.5 bits of entropy (maximum per character possible is 7).

RLPassWeb Info

Note: If you are still having trouble remembering passwords generated by this program, you may also want to try MungePass.

What is RLPassWeb?

RLPassWeb creates so-called "natural language" passwords for user accounts. These passwords are designed to be phonetically easy to pronounce, and can be associated into memory as "words" that can be more easily remembered than completely random passwords. RLPassWeb provides a number of different algorithms to achieve this, as well as providing completely random and numeric passwords. RLPassWeb stands for Real Language Passwords for the Web.

How secure are the passwords RLPassWeb generates?

It is important to note that while these passwords are easier to remember, they are technically more vulnerable to attack, because they are not as random: anything that has a pattern to it can be broken more easily. In passwords, the less of a pattern there is, the more bits of entropy it has, and the more bits of entropy in a password, the harder it is to guess (i.e., the more tries needed to find the password using a brute-force attempt). An average English word, according to theories put forward by Claude Shannon, has about 1.3 bits of entropy per letter. In contrast, Version 1 passwords would have about 3.4 bits of entropy per letter, according to Shannon's logarithmic entropy formula, and the random algorithm would have about 6.5 bits of entropy (the most secure method, using all 128 characters in the ASCII character set and a true-random number source, such as random.org, should yield a theoretical maximum of 7 bits per letter).

That being said, these algorithms will defeat a dictionary-word and dictionary-variation search, which are the most common types of password attack. However, as noted earlier, by only using 26 letters instead of the full 128-character ASCII set, you are still reducing the amount of randomness, and therefore the number of tries needed to guess your password with an optimized brute-force cracker, which can be a problem when generating passwords for encryption (note, however, that it is still fairly strong against a completely linear brute-force attempt). To combat this, use the options to insert numbers or capital letters, or if you're really paranoid, try a random generator (such as the "random" option below), or an easier-to-remember high-entropy method such as Diceware.

However, if you simply need a password for your email or other general-use accounts, natural-language passwords should be more than enough for everyday use - and, in combination with other words or methods, can be used to make easier-to-remember but still secure passwords for uses such as PGP encryption.

Note, though, that if your password is limited to 8 or fewer characters, you are much better off using a true- or pseudo-random password generator, as shorter passwords are already easier to crack than longer ones. Also note that the entropy in all of these methods is dependent on the quality of the pseudorandom number generator used in JavaScript's Math.random function, and because of this may be somewhat less random than a true-random number source.
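The vowel-pair idea and the entropy figures discussed above, as an added example that is not RLPassWeb's own code: it draws from the Web Crypto CSPRNG instead of Math.random and works out the bits per character. The consonant and vowel sets and all function names are assumptions; the page does not list the tables the tool uses.

```javascript
// Assumed alphabets (not taken from RLPassWeb): 21 consonants, 5 vowels.
const CONSONANTS = 'bcdfghjklmnpqrstvwxyz';
const VOWELS = 'aeiou';

// Web Crypto is global in browsers and recent Node; older Node needs require().
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Uniform integer in [0, n) using rejection sampling. A plain `byte % n`
// would favour small values whenever 256 is not a multiple of n.
function randomBelow(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError('n must be an integer in 1..256');
  }
  const limit = 256 - (256 % n); // largest multiple of n that fits in a byte
  const buf = new Uint8Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit); // discard bytes from the biased tail
  return buf[0] % n;
}

function pick(set) {
  return set[randomBelow(set.length)];
}

// Consonant/vowel pairs, truncated to the requested length.
function vowelPairPassword(length) {
  let out = '';
  while (out.length < length) out += pick(CONSONANTS) + pick(VOWELS);
  return out.slice(0, length);
}

// Total bits when each position is chosen uniformly and independently:
// the sum of log2(set size) over the positions.
function entropyBits(length) {
  let bits = 0;
  for (let i = 0; i < length; i++) {
    bits += Math.log2(i % 2 === 0 ? CONSONANTS.length : VOWELS.length);
  }
  return bits;
}

// Bits per character for a uniform draw from an alphabet of the given size,
// e.g. 128 ASCII characters give the 7-bit maximum quoted on the page.
function uniformBitsPerChar(alphabetSize) {
  return Math.log2(alphabetSize);
}
```

With these assumed sets a 10-character vowel-pair password carries about 33.6 bits, or roughly 3.36 bits per character, which falls inside the 3.3-3.6 range the page quotes for this algorithm.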

So, I have a new password. Am I secure now?

Maybe. For maximum security, I would recommend that you change your password on your online accounts fairly frequently - about every 2 to 4 months. In general, it's not a great idea to write passwords down, and if you do, make sure they are kept on your person at all times, or at the very least out of sight and away from your workstation. There are also many password-safe applications that give you access to your password library from a single master password - the downside of this, of course, is that if people find that one password, they have access to all of your other passwords. As RLPassWeb is designed for creating memorable passwords, the best solution is to only store them in your memory, but it still might be prudent to have some sort of backup in case you forget.

Other Sites of Interest

Make New Password - Jonathan Nathan's original implementation of the "phonemic" natural-language algorithm, written in AppleScript.
Strong Password Generator - an entropy-gathering, very strong password generator for high-security applications.
Pseudo-Diceware Passwords - passwords created from word strings.
Two-Factor Authentication - a tutorial on how to use freely available programs to create your own secure two-factor password.
IdleCircuits.com Security Page

License

©2001-04

Theta Pi Software

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

Send Secure Email to Theta Pi

Change Log

v1.3.0.1
- Random function was not initializing correctly, causing the script to sometimes generate the same initial password on startup. Random number generators are now initialized beforehand to correct this issue.
- Cleaned up a few things in the documentation.

v1.3
- Added new algorithm based on English letter frequency
- Added new algorithm based on English phoneme production
- Fixed the bug where multiple Version 1 passwords would generate incorrectly
- Improved the Add Numbers function for Version 1
- Both versions condensed into one, now using the v12c interface as standard
- Interface tweaked for increased ease of use
- Documentation edited, links to related projects added

v1.2
- Added new algorithm based on alternating syllabic pairs
- Added new numeric passcode generator
- Added the capability to generate multiple passwords at once
- Rewrote the tutorial in a more accurate manner
- Swatted some off-by-one bugs

v1.1
- Rewrite of core code in JavaScript, released as a Web application
- Added upper/lower case options
- Added new pattern-based algorithm
- Added random password generators
- Added rudimentary tutorial on password security

v1.0.1
- Quick fix to allow copying the password to the clipboard (as opposed to saving it as a text file)

v1.0
- First Release (AppleScript) as RLPassword