Password generator


Password generator

Post by abis »

Hello Simon, first of all I want to say that I appreciate your passion and work!
I also have a suggestion for the password generation project, which I can say is very useful, only that nowadays most of those who offer services also require the password to contain a special character.
In an email I also recommended generating the password in the form of groups delimited by the character "-", so that the password would then meet this requirement.
For example: a1B2c-3D4e5-F6g7H

All the best!

Re: Password generator

Post by Simon Sheppard »

I'm sure it wouldn't be too hard to save the page and add a couple of Mid$ functions to the JavaScript to do that.

There are, however, some reasons to avoid having fixed place-holders in a password. Firstly, should one of your passwords ever be involved in a data breach, then those dashes could act as a signature of how/where the password was generated, i.e. they would know that the password had been made using the SS64 generator. Attackers could then try to run a rainbow table attack against the SS64 password generator to try and find out your master password.

Without any identifying dashes they would have no way of knowing how/where the password was generated.

A second reason is that a perfect password should not be identifiable as a password. If an attacker obtains an encrypted database from some website and is trying to decrypt all the passwords, then having the decrypted password look just as random as an encrypted one makes it far harder to identify.

e.g. if you were trying to decrypt an encrypted and hashed database and saw the following results, which ones look most like a valid password?

GcMoHyfeOeEzgg1
RocawNM8IPGhurm
Limpbizkit1995
zTNacHsGFVrIuKw
a1B2c-3D4e5-F6g7H
aOPeD2UUtEIRjua

I know that Microsoft use dashes in their product keys, and I'm guessing that is partly to identify them as Microsoft keys. Everyone already knows that Microsoft keys are generated by Microsoft so it's not quite the same situation.

Another problem is that for every website which insists on adding a 'special' character to every password, there will be another that forbids them.

So I think it's better to just add them manually only when needed. If you do that in a consistent way then it is not a big deal: try a login with the generated password, if it fails, add the special character to the end and you should get in.