2023-11-08

Password Generator

This page generates 12-character "pronounceable" passwords in your browser using JavaScript. (I increased from 8 to 12 because of recent advances in password cracking.) Pick one and transform it by inserting capitalization, digits, and punctuation.

...

To add this function to your own web page, first copy "gpw.js", and then view the source of this web page to see how to invoke it.

Once gpw.js is loaded, it generates passwords locally on your device, without accessing the Internet.

The source of randomness for this generator is the JavaScript function Math.random(). Note that Math.random() is not specified as a cryptographically secure generator; modern browsers provide crypto.getRandomValues() for that purpose. Feel free to view source and copy and modify the code as necessary for your needs. Please

History

This password generator is modeled after Morrie Gasser's original generator described in

except that Morrie's used a second-order approximation to English (digraph frequencies) and this generator uses a third-order approximation (trigram frequencies: each letter is chosen based on the two letters before it). A descendant of Gasser's generator was added to the Multics operating system by Project Guardian in the mid 1970s, and I believe Digital's VMS added a similar feature in the 80s. FIPS 181 (Automated Password Generator) describes a similar digraph-based generator, derived from Gasser's.

[FIPS 181 has been withdrawn without a replacement. Weaknesses in Gasser-like password generators were found in the 1990s; see "A New Attack on Random Pronounceable Password Generators" (1994) by Ravi Ganesan and Chris Davies.]

The first digraph-based password generator I know of was written by Daniel J. Edwards about 1965 for MIT's CTSS timesharing system. Over the years I have implemented versions of this code in Multics PL/I, Tandem TAL, C/C++, Java, and JavaScript.

The JavaScript code has also been packaged as an iPhone web app. Visit the page using Safari on your iPhone, click the "box with an arrow" at the bottom of the screen, and click "add to home screen." A GPW icon will appear on your phone: clicking it will generate ten passwords and display a button to generate more. This web application will cache on your phone and can be used even without network connectivity.

(21 Jan 2013) James Pearson used my JavaScript function to generate multi-word passphrases. An online demo is at https://changedmy.name/pronounceable-password-generator/ Source is on Github: https://github.com/xiongchiamiov/pronounceable-password-generator

(25 Jan 2016) I get mail occasionally from people who point out that some passwords are short. This can happen if the input dictionary contains some digraphs that only appear at the end of a word, such as "fy" and "qs". The algorithm gets "trapped." You could generate your own dictionary with extra words to prevent this, if you think it is a problem.

General

The best way to use generated passwords is to modify them in ways known only to you. Make some letters capital, or insert punctuation and numbers, so that the password draws on a larger alphabet than the 26 lowercase letters. You could also generate two passwords and combine them.

If you wish to secure extremely valuable assets, consider using better sources of randomness, longer passwords, or stronger methods than passwords. See RFC 4086, "Randomness Requirements for Security", D. Eastlake 3rd, J. Schiller, S. Crocker, June 2005.

Reusing passwords is very risky. Generate fresh ones for each need and store a list in an encrypted file. (Static or reusable passwords are obsolete. If you have a choice of authentication methods, look for a stronger method than passwords.)