PasswordGen
By Sarah Dean
Last updated: 6th April 2005
Description
PasswordGen is a password generation program to create secure passwords
based on password length, or password strength.
Screenshots of PasswordGen are available.
Please email any bug reports, feature requests, comments, etc. to me
at sdean12@softhome.net.
The latest version (as of 6th April 2005) is v2.51.
The latest version is always available at: http://www.SDean12.org/PasswordGen.htm
Download
Download latest stable PasswordGen (v2.51) executables
and source. (Note: The Delphi Components
package is required in order to compile the source code.)
Hashes and PGP signatures of the PasswordGen software, as downloaded,
are available here
A beta version of the development version of PasswordGen (v2.75) can
also be downloaded. Note: This link may not
work. If it doesn't, and you can download the stable version, a beta version
of the next version has not yet been released. The beta version is unsupported,
but please feel free to email me
if you have any comments on it.
Notes
- Please, do read the documentation in this file before emailing
  me! I know it's not much, and only really covers the basics, but...
- Pretty much everything in PasswordGen works as it seems, so I won't go
  into too much detail as to how everything works. Besides, who reads manuals
  anyway? ;) Anything you're not too sure of, just make an educated guess;
  you'll probably be right!
- PasswordGen does not write anything to the Windows registry (for those
  that are interested), and stores all its settings in "PasswordGen.INI".
- The RNG used to generate passwords is user selectable between either:
  - Mouse movement - The user moves the mouse, the LSB of the mouse position
    within the sensitive area is polled periodically, and samples are only
    taken if the mouse has moved. See the Delphi
    Components for further information.
  - The Microsoft CryptoAPI
- This software is limited to generating passwords with a maximum of ((1024-1)*8)
  = 8184 bits entropy. This is due to a limitation of the HugeInt library.
  Having said that, it's pretty unlikely that many people will be able to
  remember such a long password anyway, so...!
- When generating passwords, PasswordGen obtains random data and then converts
  it into base "n" (where "n" is the number of characters in the user selected
  set of password characters). This base "n" representation of the random
  data is then mapped onto the user's password character set, and displayed.
- When generating passwords, the number of random bits that the system requires
  will be the number of bits required to generate the password, rounded up
  to the nearest multiple of 8. This is why you may be asked to generate
  (for example) 128 bits of random data using the mouse movement RNG, when
  you only asked for a 121 bit password.
- After generating each password, the password generated is checked against
  the user specified constraints (e.g. must not start with a space, must
  have at least one character from each set of standard characters, etc).
  If the password fails this check, it is discarded and a new password generated
  in its place.
- Because of the way in which generated passwords are checked against user
  constraints, the length of time required to generate a password may vary,
  depending on the random data used.
- Speech synthesis (to read out passwords generated) would
  be fairly straightforward to add, but it is unlikely this will ever happen
  as such functionality doesn't appear to be particularly useful. If you
  really want this added, email me; if I get enough requests, I'll consider
  adding it.
- Legal stuff:
  - I retain all rights to this software.
  - You are free to distribute this software, although no charge may be
    made of any kind for doing so (that includes any fees for copying and/or
    the distribution media).
  - If you distribute this software, this file must be included with it, intact
    and unmodified.
  - Any software derived from any part of PasswordGen and/or its source code
    is to be released as freeware with full source code.
  - Blah, blah, blah ... you use this software at your own risk ... blah, blah
    ... author takes no responsibility ... blah, blah ... (i.e. the usual disclaimers,
    etc.)
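The generation steps described in the notes above (random bits rounded up to a multiple of 8, conversion to base "n", mapping onto the character set, discarding candidates that fail a constraint), as an added Python example; it is not PasswordGen's Delphi source. The function names, the sample character sets and the redraw of values that fall outside the password space (done here to avoid bias) are assumptions of this example.

```python
import secrets
import string

def bits_to_request(password_bits):
    """Round the required bit count up to the nearest multiple of 8."""
    return -(-password_bits // 8) * 8

def to_digits(value, base, length):
    """Fixed-length base-`base` digits of `value`, most significant first."""
    digits = []
    for _ in range(length):
        value, rem = divmod(value, base)
        digits.append(rem)
    return digits[::-1]

def generate(length, charset, constraints=(), rng=secrets.token_bytes):
    """Return (password, attempts); failing candidates are discarded."""
    n = len(charset)
    space = n ** length                     # number of possible passwords
    need = (space - 1).bit_length()         # bits needed to index them
    nbytes = bits_to_request(need) // 8     # the RNG delivers whole bytes
    attempts = 0
    while True:
        attempts += 1
        value = int.from_bytes(rng(nbytes), "big") & ((1 << need) - 1)
        if value >= space:                  # assumption: redraw, do not wrap
            continue
        pw = "".join(charset[d] for d in to_digits(value, n, length))
        if all(check(pw) for check in constraints):
            return pw, attempts

# Constraints modelled on the two examples given in the notes (hypothetical names).
SETS = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
no_leading_space = lambda pw: not pw.startswith(" ")
one_from_each_set = lambda pw: all(any(c in s for c in pw) for s in SETS)

if __name__ == "__main__":
    charset = "".join(SETS) + " "           # constructed sample character set
    print(bits_to_request(121))             # the 121 bit case from the notes
    print(generate(16, charset, (no_leading_space, one_from_each_set)))
```

The attempt count returned alongside the password is the reason generation time varies: it depends only on how many candidates the random data happened to produce before one passed.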
TODO List
- Sort out my PGP installation so that I can specify a PGP signature that
  can be used to check the authenticity of the packages.
- The source code could do with a little tidying up...
- Support for creating Diceware passwords. (See the Diceware
  FAQ for further information)
- Add an option such that PasswordGen doesn't save its settings to a "PasswordGen.ini"
  file; and prompt the user to overwrite any such file which may exist if
  they don't want to save their settings.
- etc, etc...
Known Bugs
Bugs with v2.51:
Credits
Thanks go to:
Appendix A: Version History
- v2.51 (6th April 2005)
- v2.50 (2nd May 2004)
  - It is strongly recommended that anyone using a previous version
    of PasswordGen upgrade to this latest version immediately.
    I recently discovered a major flaw in the "HugeInt" maths
    library PasswordGen was previously using. PasswordGen now uses a completely
    new library, which has been completely written from scratch, for all such
    calculations. "HugeInt" has now been completely removed,
    and no longer forms any part of PasswordGen.
    Explanation: The "HugeInt" library (see the Unofficial Delphi Developers
    FAQ (http://www.gnomehome.demon.nl/uddf/), maintained by The Graphical
    Gnome (uddf@gnomehome.demon.nl), where I originally obtained the HugeInt
    library) does NOT operate as it is supposed to. For example, the number
    E2C4A6886A4C2E0F (hex), divided by 11 (hex) should give: Quotient:
    D56DC9E9CD74E00 (hex), and Remainder: F (hex). "HugeInt" returned:
    Quotient: D56DC9E9CD74E (hex) and Remainder: F (hex) - a significant
    difference.
    This had the effect of converting purely random data into an incorrect
    ASCII representation.
    Putting it another way, previous versions of PasswordGen should NOT
    be relied upon to generate secure passwords.
    Looking on the bright side, a side effect of this change is that PasswordGen
    now generates passwords much, much faster...
- v2.00 (10th March 2004)
  - First public release
  - RNG changed to give the user two different options:
    - Mouse RNG - random data is generated by the user mouse movement
    - OS RNG (Microsoft CryptoAPI) - random data is generated by the Microsoft
      CryptoAPI
- v1.00 (15th June 2003) - Initial release
  - Release restricted to a few people only.
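The division example from the v2.50 entry above, checked in Python as an added example (this is not PasswordGen or HugeInt code). It shows that the identity n = q*d + r catches the faulty result, and that carrying the faulty quotient into the rest of a base 0x11 conversion yields a shorter digit string that no longer encodes the random input. Only the four hex figures come from the page; the function names and the least-significant-first digit order are assumptions.

```python
# Figures quoted in the v2.50 notes above (hex).
N, D = 0xE2C4A6886A4C2E0F, 0x11
EXPECTED = (0xD56DC9E9CD74E00, 0xF)   # correct (quotient, remainder)
HUGEINT = (0xD56DC9E9CD74E, 0xF)      # what the page says HugeInt returned

def long_divide(data, divisor):
    """Schoolbook division of a big-endian byte string by a small divisor."""
    quotient, rem = bytearray(), 0
    for byte in data:
        rem = (rem << 8) | byte
        quotient.append(rem // divisor)   # always < 256 because rem < divisor
        rem %= divisor
    return int.from_bytes(quotient, "big"), rem

def division_holds(n, d, q, r):
    """Identity every correct division satisfies: n == q*d + r, 0 <= r < d."""
    return 0 <= r < d and q * d + r == n

def digits_from(first_step, base):
    """Base-`base` digits, least significant first, given the first (q, r)."""
    q, r = first_step
    digits = [r]
    while q:
        q, r = divmod(q, base)
        digits.append(r)
    return digits

def value_of(digits, base):
    """Rebuild the integer that a least-significant-first digit list encodes."""
    return sum(d * base ** i for i, d in enumerate(digits))

if __name__ == "__main__":
    print(long_divide(N.to_bytes(8, "big"), D) == EXPECTED)
    print(division_holds(N, D, *EXPECTED), division_holds(N, D, *HUGEINT))
    good, bad = digits_from(EXPECTED, D), digits_from(HUGEINT, D)
    print(len(good), len(bad), value_of(bad, D) == N)
```

Running `division_holds` over a batch of random operands is a cheap self-test for any big-number library that sits between an RNG and its output encoding.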
Appendix B: PGP Public Key
To send PGP encrypted email to me, please feel free to use the following
PGP public key block:
Email me at: sdean12@softhome.net