1.0.0 • Published 7 years ago

yapg.js v1.0.0

Weekly downloads
2
License
MIT
Repository
github
Last release
7 years ago

Yet another password generator

Based on this Computerphile video.

But why though?

Passwords. We all love them and we all hate them. They're not the best security practice in this day and age but due to the way the Internet took shape, we're stuck with them. And ultimately, the company with the best security systems in place cannot save themselves from Kevin who still has 123456 as his account password. Luckily he doesn't have moderating privileges, or does he?

Passwords are meant to do one thing: keep your stuff safe. Yet the security of a password always depends on the person who chooses it. Passwords are a trade-off between what humans like you and me find easy to remember and the hard reality of character combinations that actually keep your account safe. Because let's be honest, we would all love to have password as our password, but unfortunately only %Xg9'Tz<")@Y;v;J can keep you truly safe.

Or can it?

It is possible to keep a password memorable while also having it provide excellent security. This application is meant to produce passwords to serve exactly that purpose. To explain how and why it works, we have to understand how passwords get cracked. Let me introduce you to the two main ways of guessing passwords.

Brute-force attack

This is what you as a normal (or experienced, I don't discriminate) user would consider the classic approach to cracking passwords: testing every single combination there is.

Now this seems horribly inefficient, but by guessing the types of characters used (numerals, lowercase, uppercase, special) and limiting the assumed length of the password, an attacker can save a lot of computation when cracking a password. Additionally, computational power has been on an exponential rise ever since the dawn of technology. Operations per second are still rising, so more passwords can be guessed and tried every second.

And yes, that means that your supposedly super strong eight-character mess of a password may not be safe by today's standards.

Dictionary-based attack

Here's the lesser known but not any less dangerous approach to cracking passwords: using a dictionary. Word lists are publicly available online, so why not use them?

If you thought you improved your security by adding another arbitrary word to the name of your dog, then unfortunately I have to disappoint you. Swapped the letter E for the number 3 so you can still remember it? Common permutations aren't secure either; they were accounted for long before you even thought of upgrading your security. And before you mention it: yes, adding numbers at the start or the end of your password isn't going to make it harder to crack either.

Meeting in the middle

There is a compromise to be made though. Let's reconsider what you want from a password. You want it to be easy to remember but also hard to crack. Seems illogical, doesn't it?

This application aims at providing one solution to this conundrum. I'm not saying it is the solution but it's still an attempt at resolving this conflict. And I just had a few hours to spare to program something, okay?

How it works

Let's take a set amount of words from a list of known words and concatenate them. Now sprinkle some special characters into it at random and we're already done. Seems too easy to be true? Let me explain.

From the preceding sections, we know a few things to avoid when creating passwords:

  • using any amount of plain words
  • using a limited amount of arbitrary characters
  • using common permutations and insertions, like leetspeak etc.

No program can predict character insertions that are genuinely random, whether the randomness lies in the position within the password or in the character itself. Since the words this method starts from are broken up, dictionary attacks become useless, and since the final password is an unknown mix of randomness and order, plain brute force won't work either. A hybrid of both attacks might eventually yield a solution, but given how expensive cracking such a password is for a computer, it might not be cracked until the inevitable heat death of the universe.

Humans get bonus points too. A perfectly ordinary combination of words needs only a few random characters to become nearly impossible to crack. So what you, as a user, end up having to do is remember the words the password is based on (easy) and the few special characters inserted for you (not as easy, but manageable).

From my personal experience, it takes just a few attempts at typing out a password like that until I've memorized it. This was my main motivation to write a program that creates passwords like these for me. It's become an indispensable method for creating passwords for me and I decided to share it with the world.

Installation

Browser

Follow these instructions if you want to use yapg on your website.

<!-- Load the file from source. -->
<script src="/lib/umd/yapg.min.js"></script>

<!-- Then access the password generator class like this. -->
<script>
  const { PasswordGenerator } = yapg;
</script>

Command line interface

Follow these instructions if you want to use yapg from the command line.

# Globally install the yapg package using npm.
npm i yapg -g

# Access the generator and its help page using the provided command.
yapg

Node.JS

Follow these instructions if you want to use yapg in your Node.JS application.

# Locally install the yapg package using npm.
npm i yapg

Then import the password generator class as follows.

// Using CommonJS imports.
const { PasswordGenerator } = require("yapg");

// Using ES6 imports.
import { PasswordGenerator } from "yapg";

Usage

From the command line

Use yapg -h to view all command options.

Options

-i, --input <file>
File of comma-separated words to use for password generation.

-o, --output <file>
File to store the generated passwords in.

-c, --chunkSize <chunk size>
Number of characters that make up a chunk. (default: 4)

-n, --count <password count>
Number of passwords to generate. (default: 1)

-p, --chunkPercentage <percentage>
Percentage of chunks that should be altered at a minimum. (default: 0.5)

-w, --wordCount <word count>
Number of words that make up a password. (default: 3)

-h, --help
Displays all options.

In your application

Once you have access to the PasswordGenerator class, you can call the following methods.

Constructor

new PasswordGenerator(dictionary: string[]) => PasswordGenerator
Creates a new password generator with default parameters.

Methods

setChunkSize(newChunkSize: number)
Sets the chunk size for this generator.

setChunkPercentage(newChunkPercentage: number)
Sets the chunk percentage for this generator.

setWordCount(newWordCount: number)
Sets the word count for this generator.

generate() => GeneratedPassword
Generates a new password with the given parameters.

GeneratedPassword is an interface with two properties.

  • words: string[]
    Words the password is based on.
  • result: string
    Generated password.

Static methods

default() => PasswordGenerator
Creates a new password generator using a sample set of commonly used English words.

Word lists

The application comes pre-packaged with word lists that can be used as dictionaries to feed the password generation algorithm. By default, the generator will use a list of the 1,000 most common English words provided by EF.

All provided lists are filtered so that only words between four and ten characters are included. This drops words that are too short to make a useful password and too long to be remembered. If you want passwords with words longer or shorter than that, you'll have to create word lists yourself.

Furthermore, the list directory houses a few more word lists based on unique words from short stories in the public domain. Their sole purpose is to provide a bit of variety to password generation. Pull requests to include more lists are more than welcome.

File                    Source
corpus-delicti.txt      The Corpus Delicti, by Melville Davisson Post
man-and-the-snake.txt   The Man and the Snake, by Ambrose Bierce
oblong-box.txt          The Oblong Box, by Edgar Allan Poe

License

MIT.

Special thanks

Gigs for being my constant source of love and motivation. Coffee for being there when times get rough.
