secret phrase | This is your real password, the string that only you know. You can leave this blank, as long as host name is also not blank. |
host name | This is the host name of the site or other unique string you can associate with whatever you want to generate the password for. You can leave this blank, as long as secret phrase is also not blank. |
password length | How many characters you want the password to be. If you set it to anything greater than 100 it will be reset to 100. |
password | This is the generated password. You can double click to select it and right click to copy it onto the clipboard. If you specified a large length it is possible that not all of the characters will be displayed BUT when you copy the string to the clipboard all the characters will be copied, even though you cannot see them in the form. |
Generate Password | Click the button to generate the password. |
Clear Form | Click this button to clear all the fields but the length field. You should do this after copying the password to the clipboard. |
My first solution was genpass, a very simple MS Windows program that generates a pseudo-random string (the password) based on an input passphrase. But times change and not all of my computers ran Windows so my second solution was a Perl script that implemented the same algorithm. Running the Perl script was not that easy so this is my third solution, a JavaScript script that I can run from my browser.
I am not a cryptographer and I am pretty sure that the algorithm I use to generate the password is not cryptographically secure, which means that with enough samples a cryptographer could figure out the secret phrase string. I did consider creating an MD5 or SHA1 hash but decided to maintain consistency with my existing tools. My goal was to make the password hard to guess. If the CIA, NSA, FBI or some foreign government has hacked into all the web sites where I have passwords, gathered up my passwords and analyzed them to figure out what my secret phrase is, I have bigger things to worry about than the security of my bank accounts or my blog postings.
Some examples:
secret phrase | host name | hash |
secret | www.mybank.com | nmlGZi9775P4c21O |
secret | www.amazon.com | R1PK8m6439d9gV53 |
secret | www.linkedin.com | T3Nb118664ZJ9g7q |
secret | www.my_broker | K4IW7u4421148Ml4 |
secret | www.newyorktimes.com | 6D33b0pNnMk3uyx7 |
Some of the systems that I access require that I change passwords every 30 days or so. And of course require that the new password be "very" different from all previous passwords. For those I just use something associated with the date. I haven't had a problem so far.
More examples:
secret phrase | host name | hash |
secret | www.pia.com-jan | 194866wKzIHvVD3S |
secret | www.pia.com-feb | Q1KN6m74398Ff5C3 |
secret | www.pia.com-mar | 6L73yISwVe533P8o |
secret | www.pia.com-apr | ihc6EUO33q188l4k |
There are a couple of sites that require letters, numbers, and symbols. The original MS Windows program has that capability but I almost never used it, so I dropped it from the Perl script and this JavaScript version. Instead, for those sites I just add a dash (-) character before the last password character; that is, ihc6EUO33q188l4k would be entered as ihc6EUO33q188l4-k. You of course can pick your own solution.
This script may protect you from key logging software since you are not typing the password. It will not protect you from software that also monitors the clipboard and will not protect you from other ways of discovering the password. The only purpose of this script is to generate non-random, hard-to-guess password strings.
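The text above says the genpass algorithm is probably not cryptographically secure. As an added example (not the page's script and not the genpass algorithm, so it will not reproduce the passwords in the tables), here is the same secret phrase / host name / length interface built on PBKDF2-HMAC-SHA256 in Node.js. The function name, salt label, iteration count, and the choice to reject a blank secret phrase are assumptions of this example.

```javascript
// Added example, not the genpass algorithm: same inputs, standard KDF (Node.js).
const crypto = require('node:crypto');

const ALPHABET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; // 62 symbols
const MAX_LENGTH = 100;                // same cap as the form's length field
const DEFAULT_ITERATIONS = 600000;     // assumed work factor; tune for your hardware
const SALT_LABEL = 'genpass-example|'; // hypothetical domain-separation label

function derivePassword(secretPhrase, hostName, length = 16,
                        iterations = DEFAULT_ITERATIONS) {
  // Assumption of this example: a blank secret phrase is rejected, because the
  // result would then be computable by anyone who knows the host name.
  if (typeof secretPhrase !== 'string' || secretPhrase === '') {
    throw new Error('secret phrase must not be blank');
  }
  if (typeof hostName !== 'string') throw new TypeError('host name must be a string');
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError('length must be a positive integer');
  }
  const n = Math.min(length, MAX_LENGTH);

  // The host name acts as the salt, so every site gets an unrelated key and one
  // leaked site password does not directly reveal the others.
  const salt = SALT_LABEL + hostName.normalize('NFC');
  const key = crypto.pbkdf2Sync(secretPhrase.normalize('NFC'), salt,
                                iterations, 32, 'sha256');

  // Expand the key with HMAC-SHA256 in counter mode and map bytes to characters.
  // Bytes >= 248 are skipped (248 = 4 * 62) so every character is equally likely.
  let out = '';
  for (let counter = 0; out.length < n; counter++) {
    const block = crypto.createHmac('sha256', key).update(String(counter)).digest();
    for (const byte of block) {
      if (byte < 248 && out.length < n) out += ALPHABET[byte % ALPHABET.length];
    }
  }
  return out;
}

// Constructed sample inputs that mirror the page's date-suffix rotation scheme.
for (const host of ['www.pia.com-jan', 'www.pia.com-feb']) {
  console.log(host, derivePassword('secret', host));
}
```

The iteration count sets how expensive each guess at the secret phrase is for someone holding one generated password, which is the property the original algorithm does not claim to provide.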
You can obviously run the script from its current location or you can create an html file on your system that contains the following script and have your browser display that file.
<!-- genpass_javascript.html begins here --> |