Passwords

tl;dr: Click here

So I spend a lot of time at work generating passwords. Temporary user account passwords, passwords for new servers, routers, switches, VPN encryption secrets, passwords for system accounts to connect some application to the LDAP server. It used to be that I ran Linux on my desktop, and a local copy of pwgen did a fantastic job of generating some sequence of random characters that was reasonably memorable (because humans suck at generating random passwords!).

Unfortunately, I now work somewhere where I run OS X on my desktop, and I’ve never bothered to track down some copy of pwgen that’s been compiled for that platform. And I want to use passphrases more, and I always forget the pwgen options anyway. So, the other morning it annoyed me sufficiently that I spent a couple of hours writing a Sensible Password Generator: a fast password generator for people who do this a lot – aka sysadmins.

Why is this different to the bazillion other password generators out there?

  • It’s fast. There are no options, nothing to click, no ads. You load the 16kB page over HTTPS, and you get a wide selection of passwords in different formats: select the one you want and you’re done.
  • It looks reasonably pretty. Um, it’s a list of passwords on a page.
  • Download the code and verify it, and run it locally if you don’t trust me. It’s just a couple of short .php scripts and some word lists.
  • Released under the GPL, so feel free to make changes.
  • User passwords are derived from the pwgen algorithm [PDF] via the excellent pwgen-php library, so they’re reasonably pronounceable. Machine passwords are entirely random, again via pwgen-php. Passphrases are selected at random using one of several word lists of varying complexity, so you can choose (or mix-and-match) depending on your security requirements.
  • Password/passphrase generation uses PHP’s mt_rand() function.
  • See the README for instructions on generating your own word lists.
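The two generation methods described above (random words drawn from a word list, and fully random characters for machine accounts) are simple enough to show in a few lines. The following is an added example, written for this page in Python rather than the generator’s own PHP, and is not the tool’s code: it draws from a small constructed word list, and it uses Python’s `secrets` module as the random source instead of PHP’s mt_rand(), since mt_rand() is a Mersenne Twister that is not designed for generating secrets. It also reports the entropy of each result, which is how the trade-off between a simple list and a complex one can be compared.

```python
import math
import secrets
import string

# Constructed sample word list standing in for the tool's own lists (which are
# much larger); the real lists are not reproduced here.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "nectar",
    "orchid", "pepper",
]

# Alphabet for "machine" passwords: letters, digits and ASCII punctuation (94 symbols).
MACHINE_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def unique_words(words):
    """Normalise and deduplicate a word list. Repeated entries would make some
    words more likely than others and overstate the entropy estimate."""
    return sorted(set(w.strip().lower() for w in words if w.strip()))


def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` independent uniform picks from `alphabet_size` symbols."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two symbols and one pick")
    return length * math.log2(alphabet_size)


def passphrase(words, count=4, sep="-"):
    """Pick `count` words uniformly at random using a CSPRNG (secrets.choice)."""
    pool = unique_words(words)
    if len(pool) < 2:
        raise ValueError("word list too small")
    return sep.join(secrets.choice(pool) for _ in range(count))


def machine_password(length=20, alphabet=MACHINE_ALPHABET):
    """Fully random password over a large alphabet, for accounts humans rarely type."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def describe(words, count=4):
    """Return (passphrase, entropy bits) so the strength can be shown next to the value."""
    pool = unique_words(words)
    return passphrase(pool, count), entropy_bits(len(pool), count)


if __name__ == "__main__":
    p, bits = describe(SAMPLE_WORDS, 4)
    n = len(unique_words(SAMPLE_WORDS))
    print(f"passphrase: {p}  (~{bits:.1f} bits from a {n}-word list)")
    m = machine_password(20)
    print(f"machine:    {m}  (~{entropy_bits(len(MACHINE_ALPHABET), 20):.1f} bits)")
```

With the 16-word constructed list, four words give only 16 bits; a list of a few thousand words is what makes a four-word passphrase comparable to a long random machine password, which is why the size of the word list matters more than the number of words drawn.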

You get:

  • End-user passwords: link to the password generator from end-user documentation or password advice – it’s simple enough people can’t go wrong. Passwords are of the strength recommended by the Australian DSD [PDF pp194] for use by end-users to protect information classified up to Secret – they balance security against sufficiently-simple-people-won’t-write-them-down.
  • Temporary passwords: simple passwords for temporary use as a shared secret, the kind you might read out over the phone to a user. Better than “changeme” or “password1”.
  • Machine passwords: complex, random passwords for use on machine accounts, VPN secrets, etc., where they will rarely be seen by humans.
  • Passphrases, simple to complex: If passphrases are your thing (and they should be!) we have passphrases.

Um, I think that just about sums up the feature-set. It’s a password generator! It makes passwords!

:)
