Need a little direction on how to … classily… generate a complex password.
Since different sites have different requirements (some allow special characters, some don’t. Some want digits, some don’t) I have created a little program that will generate really complex passwords.
Now I want to give the user the ability to choose what he / she / it (have to be p.c., don’tcha know) wants in their passwords, which I have done with checkboxes.
It isn’t as graceful as I know it can be, so I am wondering if anyone can suggest a nice way to do this.
Create arrays of the various types (numbers, symbols, upper letters, lower letters, both upper and lower letters), then using Crypto.GenerateRandomBytes to select the right number of elements from each into its own array, then shuffle the array.
And rely on the user to make whatever substitutions are necessary. For example, if you include “^” in your symbols, but the user’s use case doesn’t allow it, they are capable of substituting some symbol that they can use.
I am kind of doing that; instead of using the Crypto.GenerateRandombytes, I’m using
System.Random.InRange, where the generation of a random Character is based on that.
As well, I try to look for previously used characters to try and keep from generating something like
az1Gb22 (where 22 is two separate generations of something Random(ish)). The textArea I have allows the user to copy what has been generated to remove something they can’t or don’t want.
GenerateRandomBytes is considered cryptographically secure whereas System.Random is not.
If it is known that you are preventing duplicate characters, you are actually cutting down the number of possibilities that a brute-force attacker would have to try. Let the randomness do its thing.
I looked at the language reference for Crypto, as well as going to their website, and looked at the documentation there.
I don’t think this is something I need. I am generating random passwords for someone who, lets say wants a password for their website username / password. Which is why I just want to generate gibberish.
I have a password storage program that encrypts in AES-256, where they can be stored, but just to generate something why would I use crypto, and all that entails.
System .Random gives you pseudo-random numbers. That is, it uses a table to return a series of a values that appear to be random, but given the same seed, are repeatable. Someone seeing your algorithm, and using various starting seeds, would be able to reproduce the passwords your app is generating.
If the point is security, using System.Random is not the way to do it.
However, you can combine the two to produce a secure password. Use System.Random to generate X character, then use Crypto.GenerateRandomBytes to change the seed. Produce X more characters, then change the seed again. Repeat.
That is pretty much what I am doing. The only real difference is that when the user says "hey I want to have, for example, only uppercase and digits, they select the appropriate checkboxes, and only those are generated.
I didn’t think I was doing it the best way possible, which is why I asked the question.