Password generator

About the forum and SS64 (errata, changes, feedback, suggestions.)
Post Reply
Posts: 1
Joined: 2024-Apr-18, 4:53 pm

Password generator

Post by abis »

Hello Simon, first of all to appreciate your passion and work!
I also have a suggestion for the password generation project, which I can say is very useful, only that nowadays, most of those who offer services, the password also requires a special character.
I also recommended in an email the generation of the password in the form of groups, delimited by the character "-" and then the password would include this requirement.
For example: a1B2c-3D4e5-F6g7H

All the best!
User avatar
Simon Sheppard
Posts: 194
Joined: 2021-Jul-10, 7:46 pm

Re: Password generator

Post by Simon Sheppard »

I'm sure it wouldn't be too hard to save the page and add a couple of Mid$ functions to the JavaScript to do that.

There are however some reasons to avoid having fixed place-holders in a password. Firstly, should one of your passwords ever be involved in a data breach, then those dashes could act as a signature of how/where the password was generated. i.e. they would know that password has been made using the SS64 generator. Attackers could then try to run a rainbow table attack against the SS64 password generator to try and find out your master password.

Without any identifying dashes they would have no way of knowing how/where the password was generated.

A second reason is that a perfect password should not be identifiable as a password, if an attacker obtains an encrypted database from some website and is trying to decrypt all the passwords, then having the decrypted password look just as random as an encrypted one makes it far harder to identify.

e.g. if you were trying to decrypt an encrypted and hashed database and saw the following results, which ones look most like a valid password?


I know that Microsoft use dashes in their product keys, and I'm guessing that is partly to identify them as Microsoft keys. Everyone already knows that Microsoft keys are generated by Microsoft so it's not quite the same situation.

Another problem is that for every website which insists on adding a 'special' character to every password, there will be another that forbids them.

So I think it's better to just add them manually only when needed. If you do that in a consistent way then it is not a big deal: try a login with the generated password, if it fails, add the special character to the end and you should get in.
Post Reply