Password Generator

This page generates 12-character "pronounceable" passwords in your browser using JavaScript. (I increased from 8 to 12 because of recent advances in password cracking.) Pick one and transform it by inserting capitalization, digits, and punctuation.

...

To add this function to your own web page, first copy "gpw.js", and then view the source of this web page to see how to invoke it.

The source of randomness for this generator is the JavaScript function Math.random(). Feel free to view source and copy and modify the code as necessary for your needs. Please

History

This password generator is modeled after Morrie Gasser's original generator described in

except that Morrie's used a second-order approximation to English and this generator uses a third-order approximation. A descendant of Gasser's generator was added to the Multics operating system by Project Guardian in the mid 1970s, and I believe Digital's VMS added a similar feature in the 80s. FIPS Standard 181 describes a similar digraph-based generator, derived from Gasser's.

The first digraph-based password generator I know of was written by Daniel J. Edwards about 1965 for MIT's CTSS timesharing system. Over the years I have implemented versions in Multics PL/I, Tandem TAL, C/C++, Java, and JavaScript.

The JavaScript code has also been packaged as an iPhone web app. Visit the page using Safari on your iPhone, click the "box with an arrow" at the bottom of the screen, and click "add to home screen." A GPW icon will appear on your phone: clicking it will generate ten passwords and display a button to generate more. This web application will cache on your phone and can be used even without network connectivity.

(21 Jan 2013) James Pearson used my JavaScript function to generate multi-word passphrases. An online demo is at http://changedmy.name/pronounceable-password-generator/. Source is on GitHub: https://github.com/xiongchiamiov/pronounceable-password-generator

General

The best way to use generated passwords is to modify them in ways known only to you. Make some letters capital, or insert punctuation and numbers, in order to use a larger alphabet. You could also generate two passwords and combine them.

If you wish to secure extremely valuable assets, consider using better sources of randomness, longer passwords, or stronger methods than passwords. See RFC 4086, Randomness Requirements for Security, D. Eastlake, 3rd, J. Schiller, S. Crocker. June 2005.
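As an added example (not the gpw.js code from this page), here is a third-order (trigram) generator that draws its randomness from crypto.getRandomValues() rather than Math.random(), which is not designed to be unpredictable. The word list CORPUS and every function name are constructed for illustration; a usable table would be built from a large dictionary.

```javascript
// Added example, not gpw.js. CORPUS is a constructed sample word list.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const CORPUS = ('alternate banana container eastern entertain eternal general generation ' +
  'intention interest internet lantern maintain material mineral mountain national ' +
  'operation pattern rational relation retainer sentiment station terminal western').split(' ');

// Uniform integer in [0, n) by rejection sampling, so there is no modulo bias.
function randomBelow(n) {
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) throw new RangeError('bad n');
  const limit = Math.floor(2 ** 32 / n) * n;
  const buf = new Uint32Array(1);
  do { webcrypto.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Map each digram to the letters observed after it, with occurrence counts.
function buildTrigrams(words) {
  const counts = new Map();
  for (const w of words) {
    for (let i = 0; i + 2 < w.length; i++) {
      const ctx = w.slice(i, i + 2);
      const next = counts.get(ctx) ?? counts.set(ctx, new Map()).get(ctx);
      next.set(w[i + 2], (next.get(w[i + 2]) || 0) + 1);
    }
  }
  return counts;
}

// Pick a key of a Map<key, weight> with probability proportional to its weight.
const sum = (weights) => [...weights.values()].reduce((a, b) => a + b, 0);
function weightedPick(weights) {
  let r = randomBelow(sum(weights));
  for (const [key, w] of weights) {
    if (r < w) return key;
    r -= w;
  }
}

function pronounceable(length = 12, counts = buildTrigrams(CORPUS)) {
  if (!Number.isInteger(length) || length < 2) throw new RangeError('bad length');
  // Each starting digram is weighted by how many trigrams begin with it.
  const starts = new Map([...counts].map(([ctx, next]) => [ctx, sum(next)]));
  for (;;) { // restart when the walk reaches a digram with no known successor
    let out = weightedPick(starts);
    while (out.length < length && counts.has(out.slice(-2))) {
      out += weightedPick(counts.get(out.slice(-2)));
    }
    if (out.length === length) return out;
  }
}
```

The structure of the output comes entirely from the table, so the strength of a generated password is bounded by the number of distinct walks the table allows, not by the 26-letter alphabet.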

Reusing passwords is very risky. Generate fresh ones for each need and store a list in an encrypted file. (Static or reusable passwords are obsolete. If you have a choice of authentication methods, look for a stronger method than passwords.)