Passwords, don't you just love them? No? We're told that we need to have 'strong' passwords, and we must have a different one for every occasion. Oh, and never write them down! How on earth are we meant to remember all those nasty numbers, letters (upper and lower case) and those pesky 'special' characters?
OK, well here's a password generator which will give you strong passwords, but try remembering them! One thing this generator does is to show you the number of permutations the selected character set or sets give you for your chosen password length. This number is a direct measure of the strength of the password - the bigger the better. The results are very revealing.
Let's set the password length to 8 characters, and we'll use upper and lower case characters, numbers and special characters (the standard 'strong' password requirement). If we do NOT have to use at least one of each type, the number of permutations is 1.370114370683136x10^15. Now, if we require at least one of each type of character, the number of permutations GOES DOWN to 5.0859343988172814. So, requiring one of each type of character REDUCES the strength of the password!
Now the second point. Again, let's look at upper and lower case characters, numbers and special characters, and explore what happens to the number of permutations (rounded to 2 decimal places) when we vary the length of the password. Starting with 8 characters and going up by 8 each time, here are the results:
| Number of characters | Number of permutations |
Now let's try keeping the password length fixed at 16 characters and varying the included character sets. Note that we are using 16 characters in our special character set. Using a password length of 16 characters, and rounding the number of permutations to two places of decimals:
| Character sets | Number of permutations |
| ABC or abc or (123 and *!#) | |
| (ABC or abc) and 123 | |
| (ABC or abc) and *!# | |
| (ABC and abc) or [(ABC or abc) and 123 and *!#] | |
| ABC and abc and 123 | |
| ABC and abc and *!# | |
| ABC and abc and 123 and *!# | |
So, comparing these two tables, the length of the password is clearly more important in determining its strength than the included character sets. All this messing about with special characters does very little to enhance security. What DOES make a big difference is to increase the length of the password. "But," I hear you ask, "it's difficult enough to remember an 8-character password. How do we remember a 32-character one?"
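To make the two comparisons above reproducible, here is an added Python example (not code from the page's generator) that computes the permutation counts from the set sizes the page uses: 26 upper, 26 lower, 10 digits and a 16-character special set. `permutations()` is the plain "any character from the union" count, and `permutations_required()` is the "at least one of each set" count, worked out by inclusion-exclusion (start from all strings, subtract those missing one set, add back those missing two, and so on). The `bits()` helper converts a count to entropy bits, which is the usual way to compare such large numbers; the names are my own.

```python
from itertools import combinations
from math import log2

# Character-set sizes as used on this page: 26 upper, 26 lower, 10 digits,
# and a 16-character special set (the page's own choice of special characters).
SET_SIZES = {"ABC": 26, "abc": 26, "123": 10, "*!#": 16}
ALL_SETS = ("ABC", "abc", "123", "*!#")


def permutations(length, sets=ALL_SETS):
    """Passwords of `length` drawn from the union of `sets`, with no
    requirement that any particular set is actually used."""
    return sum(SET_SIZES[s] for s in sets) ** length


def permutations_required(length, sets=ALL_SETS):
    """Passwords of `length` that use at least one character from EVERY set
    in `sets`, counted by inclusion-exclusion: all strings over the union,
    minus those missing one set, plus those missing two sets, and so on."""
    total = 0
    for k in range(len(sets) + 1):
        for omitted in combinations(sets, k):
            size = sum(SET_SIZES[s] for s in sets if s not in omitted)
            total += (-1) ** k * size ** length
    return total


def bits(count):
    """Entropy in bits, the usual way to compare these very large counts."""
    return log2(count)


def length_table(lengths=(8, 16, 24, 32), sets=ALL_SETS):
    """Rows of (length, permutations): the page's length-versus-strength table."""
    return [(n, permutations(n, sets)) for n in lengths]


def charset_table(length=16):
    """Rows of (description, set size, permutations) for the page's second
    table; each description is one row of that table, grouped by set size."""
    rows = [
        ("ABC or abc or (123 and *!#)", ("ABC",)),
        ("(ABC or abc) and 123", ("ABC", "123")),
        ("(ABC or abc) and *!#", ("ABC", "*!#")),
        ("(ABC and abc) or [(ABC or abc) and 123 and *!#]", ("ABC", "abc")),
        ("ABC and abc and 123", ("ABC", "abc", "123")),
        ("ABC and abc and *!#", ("ABC", "abc", "*!#")),
        ("ABC and abc and 123 and *!#", ALL_SETS),
    ]
    return [(desc, sum(SET_SIZES[s] for s in sets), permutations(length, sets))
            for desc, sets in rows]


if __name__ == "__main__":
    print(f"8 chars, all sets, no requirement: {permutations(8)}")
    print(f"8 chars, all sets, one of each   : {permutations_required(8)}")
    for n, p in length_table():
        print(f"{n:3d} characters: {p:.2e}  ({bits(p):.1f} bits)")
    for desc, size, p in charset_table():
        print(f"{desc:50s} set size {size:2d}: {p:.2e}  ({bits(p):.1f} bits)")
```

Running it reproduces the 1.370114370683136x10^15 figure for 8 characters over all four sets, and shows that adding 8 characters multiplies the count by 78^8 every time, whereas swapping in a richer character set at a fixed length only changes the base of the power.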
The simple answer is unusual but memorable phrases. For example: "Five baboons have arrived and it is only Thursday". This phrase has 49 upper and lower case characters, giving 1.21x10^84 permutations - that's strong! Here are a few more examples along with the numbers of permutations for their length and character sets:
| Phrase | Number of permutations |
| Granny ate 27 bananas | 4.37x10^37 |
| Teach a person to fish | 5.65x10^37 |
| Green Hills Satanic Mills | 7.94x10^42 |
| My first house was number 124 | 9.34x10^51 |
| Email - this is my special padlock | 2.02x10^62 |
Note: the astute mathematicians amongst you will have noticed that the number of permutations quoted for each phrase is slightly lower than the correct figure, because the space character is not included as a separate character in the calculations. This means that the passwords are, in fact, stronger than the quoted values.
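The following is an added Python example (my own code, not the page's generator) that reproduces the phrase figures above and the note's caveat. `phrase_strength()` counts every character of the phrase towards its length, including spaces, but builds the alphabet only from the sets the phrase actually uses, with the space left out, which is exactly how the quoted numbers were reached; passing `count_space=True` adds the space as a one-character set and gives the slightly larger "correct" figure. `scientific()` is a small formatter that prints counts the way the page does. The set sizes are the page's (26, 26, 10 and 16); the function names are mine.

```python
from math import log10

# Set sizes as used on this page; the space is not part of any of them.
SIZE = {"upper": 26, "lower": 26, "digit": 10, "special": 16}


def character_sets(phrase):
    """Which of the page's four sets a phrase draws on (spaces ignored)."""
    sets = set()
    for ch in phrase:
        if ch == " ":
            continue            # the page does not count the space as a set member
        elif ch.isupper():
            sets.add("upper")
        elif ch.islower():
            sets.add("lower")
        elif ch.isdigit():
            sets.add("digit")
        else:
            sets.add("special")
    return sets


def phrase_strength(phrase, count_space=False):
    """Return (length, alphabet size, permutations) for a phrase.

    The length counts every character, spaces included; the alphabet is the
    sum of the sets actually used. With count_space=True the space becomes a
    1-character set, which is the 'correct figure' the page's note refers to."""
    alphabet = sum(SIZE[s] for s in character_sets(phrase))
    if count_space and " " in phrase:
        alphabet += 1
    return len(phrase), alphabet, alphabet ** len(phrase)


def scientific(count, places=2):
    """Format a large integer the way the page does, e.g. '1.21x10^84'."""
    exponent = int(log10(count))
    mantissa = count / 10 ** exponent
    if round(mantissa, places) >= 10:       # 9.996 -> 10.00 rolls over
        mantissa, exponent = mantissa / 10, exponent + 1
    return f"{mantissa:.{places}f}x10^{exponent}"


if __name__ == "__main__":
    for phrase in ["Five baboons have arrived and it is only Thursday",
                   "Granny ate 27 bananas",
                   "Email - this is my special padlock"]:
        n, size, count = phrase_strength(phrase)
        _, _, with_space = phrase_strength(phrase, count_space=True)
        print(f"{phrase!r}: {n} chars over {size} -> {scientific(count)}"
              f" (counting the space: {scientific(with_space)})")
```

The formatter is only cosmetic; the point of the example is that every figure in the table follows from a set size raised to the phrase length, and that counting the space can only raise it.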
So, my contention is that it's better to have a long simple password than a short complex one, and the long simple ones can be highly memorable. So, you can either make them up yourself, or use a generator to append random words, either with or without special characters as delimiters, and with optional character substitution:
Here is a password generator that will give you strong complex passwords of any length between 8 and 100 characters. There's also a random word generator for more memorable passwords, either with or without delimiters. You can create passwords of up to five concatenated words. Note that we have used British English spelling, so for those of you who spell "customiSe" "customiZe" or "colour" "color" etc., simply make the appropriate substitutions. We have a database of over 20,000 words which are selected at random. A very small number of the combinations may be offensive to some people. If so, just rapidly regenerate the passwords.
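As an added example of the word-based approach just described (my own code, not the page's generator, which is not shown here), this Python snippet picks random words from a list with `secrets` (a cryptographically strong source, unlike `random`), joins them with an optional delimiter, and optionally applies a simple character substitution. The word list is a constructed handful of words standing in for the page's database of over 20,000; `passphrase_bits()` gives the strength of the result if an attacker knows the word list and the word count, which is the honest lower bound for this style of password and is driven by the size of the word list rather than by the character count. Names and the substitution table are my assumptions.

```python
import secrets
from math import log2

# Constructed mini word list for the example; the page's generator draws on a
# database of over 20,000 words, and that size is what gives real strength.
WORDS = ["baboon", "thursday", "granny", "banana", "padlock", "satanic",
         "hills", "fish", "person", "teach", "green", "email", "house", "number"]

# Optional substitution table standing in for the page's "character substitution".
SUBSTITUTIONS = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def passphrase(words=WORDS, n_words=5, delimiter="-", substitute=False, capitalise=False):
    """Join n_words words chosen at random (with replacement) from `words`."""
    if not 1 <= n_words <= 5:
        raise ValueError("the page's generator concatenates up to five words")
    chosen = [secrets.choice(words) for _ in range(n_words)]
    if capitalise:
        chosen = [w.capitalize() for w in chosen]
    phrase = delimiter.join(chosen)
    return phrase.translate(SUBSTITUTIONS) if substitute else phrase


def passphrase_bits(wordlist_size, n_words):
    """Entropy in bits against an attacker who knows the word list and the
    number of words: each word is one choice out of wordlist_size."""
    return n_words * log2(wordlist_size)


if __name__ == "__main__":
    print(passphrase(n_words=4))
    print(passphrase(n_words=4, delimiter=" ", capitalise=True))
    print(passphrase(n_words=3, delimiter="!", substitute=True))
    print(f"5 words from {len(WORDS)}: {passphrase_bits(len(WORDS), 5):.1f} bits")
    print(f"5 words from 20000: {passphrase_bits(20000, 5):.1f} bits")
```

Note the contrast with the character-count figures earlier on the page: a five-word passphrase drawn from 20,000 words is about 71 bits against a word-list attacker, however long the resulting string is, so the character-level permutation count is an upper bound and the word-list count is the floor.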
You can optionally generate a one-way hash of the password using PHP's password_hash() with the PASSWORD_DEFAULT constant. Have fun.