Password Generation Java Script

Instructions:

secret phrase	This is your real password, the string that only you know. You can leave this blank, as long as host name is also not blank.
host name	This is the host name of the site or other unique string you can associate with whatever you want to generate the password for. You can leave this blank, as long as secret phrase is also not blank.
password length	How many characters you want the password to be. If you set it to anything greater than 100 it will be reset to 100.
password	This is the generated password. You can double click to select it and right click to copy it onto the clipboard. If you specified a large length it is possible that not all of the characters will be displayed BUT when you copy the string to the clipboard all the characters will be copied, even though you cannot see them in the form.
Generate Password	Click the button to generate the password
Clear Form	Click this button to clear all the fields but the length field. You should do this after copying the password to the clipboard.

Background:

How many passwords do you have? I have close to 100. Passwords for online stores, passwords for banks, passwords for technical support sites, passwords for all my instant messenger accounts, etc. Good passwords are hard to remember, so I used tricks, replacing certain letters with similar looking numbers, separating words with numbers or symbols. Unfortunately, these are not really good passwords and coming up with a hundred combinations I could remember and keep straight was not easy. So I broke the cardinal rule, used the same password for multiple sites/systems. I also wrote them down, storing them in an encrypted database designed to store passwords. But I routinely use several systems, my home office system, my workplace system and my laptop. So now I needed a copy of the software and its database on all those systems and the problem was keeping the databases up to date and the niggling worry in the back of my mind that the encryption wasn't as good as it claimed.

My first solution was genpass, a very simple MS Windows program that generates a pseudo-random string (the password) based on an input passphrase. But times change and not all of my computers ran Windows so my second solution was a Perl script that implemented the same algorithm. Running the Perl script was not that easy so this is my third solution, a JavaScript script that I can run from my browser.

I am not a cryptographer and I am pretty sure that the algorithm I use to generate the password is not cryptographically secure which means that with enough samples a cryptographer could figure out the secret phrase string. I did consider creating a MD5 or SHA1 hash but decided to maintain consistency with my existing tools. My goal was to make the password hard to guess, if the CIA, NSA, FBI or some foreign government has hacked into all the web sites where I have passwords, gathered up my passwords and analyzed them to figure out what my secret phrase is I have bigger things to worry about then the security of my bank accounts or my blog postings.

Some examples:

secret phrase	host name	hash
secret	www.mybank.com	nmlGZi9775P4c21O
secret	www.amazon.com	R1PK8m6439d9gV53
secret	www.linkedin.com	T3Nb118664ZJ9g7q
secret	www.my_broker	K4IW7u4421148Ml4
secret	www.newyorktimes.com	6D33b0pNnMk3uyx7

Some of the systems that I access require that I change passwords every 30 days or so. And of course require that the new password be "very" different from all previous passwords. For those I just use something associated with the date. I haven't had a problem so far.

More examples:

secret phrase	host name	hash
secret	www.pia.com-jan	194866wKzIHvVD3S
secret	www.pia.com-feb	Q1KN6m74398Ff5C3
secret	www.pia.com-mar	6L73yISwVe533P8o
secret	www.pia.com-apr	ihc6EUO33q188l4k

There are a couple of sites that require the letters, numbers, and symbols. The original MS Windows program has that capability but I almost never used it so I dropped it from the Perl script and this JavaScript version. Instead for those sites I just add a dash (-) character before the last password character, that is ihc6EUO33q188l4k would be entered as ihc6EUO33q188l4-k. You of course can pick your own solution.

This script may protect you from key logging software since you are not typing the password. It will not protect you from software that also monitors the clipboard and will not protect you from other ways of discovering the password. The only purpose of this script is to generate non-random hard to guess password strings

You can obviously run the script from its current location or you can create an html file on your system that contains the following script and have your browser display that file.

genpass_javascript.html

<!-- genpass_javascript.html begins here -->

<head>

<script language = "JavaScript">

<!-- generate password -->

<!-- version 1.0 10-03-16   -->
<!-- version 1.1 10-11-26 Added disclaimer -->


<!-- ndav1@cox.net          -->


<!-- This software is provided on an "AS IS" basis, WITHOUT ANY WARRANTY OR ANY  -->
<!-- SUPPORT OF ANY KIND. The AUTHOR SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES -->
<!-- OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE.  This disclaimer -->
<!-- applies, despite any verbal representations of any kind provided by the  -->
<!-- author or anyone else. -->


<!-- Begin -->

function cleartheform (form) {

form.input1.value = "";

form.input2.value = "";

form.input4.value = "";

}


function generate(form) {

var lowerNibble = new Array (100);

var upperNibble = new Array (100);


phase1 = form.input1.value + form.input2.value;

if (phase1.length < 1)

{

alert('You must provide at least 1 character for either the "secret phrase" or the "host name".');

return;

}


if (form.input3.value > 100)

{

alert ('The algorithm only supports password lengths of up to 100 characters.\nThe length will be reset to 100');

form.input3.value = 100;

}

if (form.input3.value < 1)

{

alert ('Trying to be cute!.\nLength has been reset to 16');

form.input3.value = 16;

}


while (phase1.length < 100)

{

phase1 = phase1 + phase1;

}

phase1 = phase1.substring(0, 100);



offset = 0;

password = "";

for (i = 0; i < 100; i++)

{

c = phase1.charCodeAt(i);

lowerNibble [i] = (c & 0x0F) << 4;

upperNibble [i] = (c & 0xF0) >> 4;

offset = offset + c;

}


password = "";

for (i = 0; i < form.input3.value; i++)

{

temp = lowerNibble [i] | upperNibble [100 - 1 - i];

temp = temp + offset - i;

temp = temp & 0x7F;

if (temp < 0x21) temp = temp | 0x21;

if (temp < 48) temp = temp | 0x30;

if ((temp >  57) && (temp < 65)) temp = temp - 7;

if ((temp > 90) && (temp < 97)) temp = temp - 0x10;

if (temp > 122) temp = temp - 0x10;


if (i % 2 == 0) {

if ((temp > 64) && (temp < 91)) temp = temp + 32;

else if ((temp > 96) && (temp < 123)) temp = temp - 32;

}

password = password + String.fromCharCode(temp);

}

form.input4.value = password;


}

// End -->

</script>

</head>



<center>

<h1>Password Generation Java Script</h1>

</center>

<br><br><br>



<center>

<form>

<table border = 1 cellpadding = 0>

<tr><td><b>secret phrase:</b></td><td><input type="text" name="input1" size=45><br></td></tr>

<tr><td><b>host name:</b></td><td><input type="text" name="input2" size=45 ><br></td></tr>

<tr><td><b>password length:</b></td><td><input type="number" name="input3" size=45 value="16" ><br></td></tr

<tr><td><b>password:</b></td><td><input type="text" name="input4" size=45 ><br></td></tr

<tr><td></td></tr>

</table>

<br></b><input type = "button" value="Generate Password"

onClick = "generate(this.form)">                <input type = "button" value="Clear Form"

onClick = "cleartheform(this.form)">

</form>

</body>

</html>

<!-- genpass_javascript.html ends here -->

This page was last modified on 10-11-26

Send comments and suggestions
to ndav1@cox.net

secret phrase:
host name:
password length:
password: