Random passwords

User-input based random password generator (hashes 1000 mouse events with SHA). After the password is generated, it can be either directly retyped where needed or selected and copied to clipboard. Not officially certified.

Password generation is more difficult than it may look, because the first "random" word that comes to mind can frequently be guessed by an attacker. If a relatively predictable string is used (year of birth being a classic example, but home town, the account name itself or the single letter 'P' may be no better), an attacker may guess it without any tools. If a dictionary word is used (even with O replaced with 0 or the like), the password may still be recovered using a dictionary attack. Randomly hitting the keyboard with one hand is likely to produce something predictable from the keyboard layout, like "jklkjh". According to the 2003 Stalling research, as many as 24% of users still use place names, common male and female names, asteroid names, machine names or expected words from myths, legends, the Bible, fiction and the like. Such passwords can be guessed relatively easily by trying possible values from a relatively short dictionary.

The best approach is to use completely random passwords, but how to generate them?

Most programming languages provide what is often called a "random number generator". This generator is usually only pseudo-random, generating a predictable sequence of numbers. Even Java's built-in SecureRandom looks a little bit questionable from its description[1]. Various hardware-based random generators may work very well, but they are also quite expensive, may degrade over time and cannot be installed as easily as software.

One of the known ways to collect something random is to collect user input. This method is vulnerable to an attacker generating these events artificially or capturing them in parallel with the generator, but for that the attacker already needs quite deep access to the machine. Operating systems frequently provide some built-in functions to obtain entropy. We will capture the mouse movements in our applet.

While the input stream may be random, it can still be "biased" even when each bit is independent of the others. 0's or 1's may be dominant, or some transient pattern (the mouse moving over adjacent points) may be present. This makes some sequences more probable than others. Such input must be "whitened" before use to obtain data in which 0's and 1's are distributed in a truly random and unpredictable way. There are many ways to "whiten" data in software. The applet code hashes the mouse data with the SHA algorithm (the result then depends on how well SHA is implemented in the standard library). Whitening is described in more detail in [2].

In many cases there are additional requirements for the password: it must have at least six symbols, contain both letters and digits and so on. This can be easily achieved by checking the generated password against the requirements and, if it does not match, simply generating another one.
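
The collect, whiten and check-and-retry steps described above, sketched in Java as an added example (not the applet's own code). It assumes SHA-256 as the SHA variant, a 12-character alphanumeric password, and a seeded `java.util.Random` as a constructed stand-in for the mouse listener, which is not an entropy source.

```java
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Random;

public class MousePasswordDemo {
    static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    static final int EVENTS = 1000; // events per password, as stated on the page
    static final int LENGTH = 12;   // assumed password length

    // Whitening: fold every (x, y, nanosecond timestamp) triple into one digest.
    static byte[] whiten(long[][] events) throws NoSuchAlgorithmException {
        MessageDigest sha = MessageDigest.getInstance("SHA-256"); // assumed SHA variant
        for (long[] e : events) {
            sha.update(ByteBuffer.allocate(3 * Long.BYTES)
                .putLong(e[0]).putLong(e[1]).putLong(e[2]).array());
        }
        return sha.digest();
    }

    // Bytes >= 248 (4 * 62) are skipped so all 62 symbols stay equally likely.
    static String encode(byte[] digest) {
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            int v = b & 0xFF;
            if (v < 248 && sb.length() < LENGTH) sb.append(ALPHABET.charAt(v % 62));
        }
        return sb.length() == LENGTH ? sb.toString() : null; // null: too few usable bytes
    }

    // Requirements named in the text: at least six symbols, letters and digits.
    static boolean meetsPolicy(String p) {
        return p != null && p.length() >= 6
            && p.chars().anyMatch(Character::isLetter) && p.chars().anyMatch(Character::isDigit);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        Random fakeMouse = new Random(42); // constructed stand-in, NOT an entropy source
        String password;
        do { // on a policy miss, collect a fresh batch of events and try again
            long[][] events = new long[EVENTS][];
            for (int i = 0; i < EVENTS; i++)
                events[i] = new long[] { fakeMouse.nextInt(1024), fakeMouse.nextInt(768), System.nanoTime() };
            password = encode(whiten(events));
        } while (!meetsPolicy(password));
        System.out.println(password);
    }
}
```

In a real collector the `events` array would be filled from a mouse-motion listener; everything after that point stays the same.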


  1. SecureRandom explanation at cdigital.com
  2. Wikipedia article on hardware random number generator