PerlMonks  
This algorithm produces 2*20*6*20*6*10*20*6*20*6*20, or around 82 billion, permutations, so it is quite feasible to brute-force it, though quite time-consuming.

If all passwords don't have to be exactly the same length (just within a range), it's possible to modify your algorithm slightly, keeping the same principle, by allowing a vowel to be a diphthong and/or allowing a consonant to be a blend, at random. This will throw off the odd-even pattern, while still leaving something more likely to be pronounceable than an entirely random string.

    use strict;
    use warnings;

    srand( time() ^ ($$ + ($$ << 15)) );

    my @v = ( 'a', 'e', 'i', 'o', 'u', 'y'); #, 'ai', 'ou', 'oo', 'ee', 'oi');
    my @c = ( 'b', 'c', 'd', 'f', 'g', 'h', 'j', 'k', 'l', 'm',
              'n', 'p', 'q', 'r', 's', 't', 'v', 'w', 'x', 'z');
    my $nc = @c;    # Number of consonants excluding blends.
                    # (Some of the blends are not good endings.)
    @c = (@c, 'bl', 'br', 'tr', 'st', 'dr', 'th', 'ch', 'sh');
    my @d = (0..9, '_', '-', '.');

    my $length = 10;    # This is a minimum.
    my ($flip, $str) = (0, '');

    # Alternate consonant / vowel units; the final unit is always a
    # single consonant, never a blend.
    for ( 1 .. ($length - 1) ) {
        $flip++;
        if ($flip % 2) {
            if ($flip == $length - 1) {
                $str .= $c[rand($nc)];
            }
            else {
                $str .= $c[rand(@c)];
            }
        }
        else {
            $str .= $v[rand(@v)];
        }
    }

    # Insert one digit or symbol after the 3rd to 7th letter.
    my $re = '';
    my $digitpos = rand(5) + 3;
    foreach (1 .. $digitpos) { $re .= "."; }
    $str =~ s/($re)/$1 . $d[rand(@d)]/e;

    $str = ucfirst $str;
    print "$str\n";

Results...

  • Vedos5titem
  • Rif7yfadrom
  • Cajy1dugec
  • Kunory7trir
  • Zih4ychusyv
  • Meb9rishystil
  • Brucuce4chyv
  • Nob0achuchew
  • Buq6ehiqor
  • Lybru-bexuk

So the question is, how secure are these passwords with that modification? Well, if the person doing the brute-forcing knows exactly how you generate them, or has seen a good number of them, they're not much better, because there's not enough variation. Adding in a bunch of different blends and diphthongs would probably help a bit. What would help more would be using several different algorithms and alternating between them at random -- so that one time you might get one like the above, and another time you might get "ad-hoc(Variable)17" or "e.g.{Sputnik}82" and yet another time you might get "f0rtu1t10us_gr33nh0us3" or "m4rg1n_bl4sph3my". (Update: those patterns are not as hard to brute-force as the one above, but they were intended only as quick examples.)

Any one of those patterns could be brute-forced, but trying to code a general case that takes in all of them could be just about as bad as doing each one of them in turn; with a dozen different such patterns, that could get prohibitive. If you want to be sure that they have to do them in turn (rather than coding a general case of some kind), throw in one pattern that generates fairly lengthy stuff like "running-implicit-tomorrow-wet-Howard" and "chortle-wax-Susan-dromedary-green". That makes for a very nice pessimal case when the algorithm trying to break it also has to deal with the possibilities inherent in the other patterns. Oh, and make sure your wordlist is large and undisclosed. (The wordlist can be disclosed if it is seriously large, e.g., if you scan in the OED.)

Of course, if they can get what they want by compromising only any one password, then you have to make sure each and every one of the patterns has a certain minimum of resistance to brute-forcing. Your exact threshold will depend on your circumstances.

 --jonadab


In reply to Re: Random string generator by jonadab
in thread Random string generator by ibanix
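The arithmetic behind the post's "82 billion permutations" estimate, and the same arithmetic applied to the modified generator, as an added example (Python rather than Perl, not code from the thread or from jonadab). A generator is modelled as a list of independent choices ("slots"); the ORIGINAL_SLOTS list is copied from the post's own 2*20*6*20*6*10*20*6*20*6*20, while MODIFIED_SLOTS is my reading of the posted code and is an assumption (20 consonants + 8 blends = 28 for the first four consonant units, 20 for the last, 6 vowels, 13 digit/symbol characters at one of 5 positions). The miniature alphabets used by the enumeration check are constructed, and the 1M guesses/s rate is an illustrative figure.

```python
"""Keyspace arithmetic for slot-based password generators (added example)."""
import itertools
import math

# Slot sizes exactly as stated in the post: 2*20*6*20*6*10*20*6*20*6*20.
ORIGINAL_SLOTS = [2, 20, 6, 20, 6, 10, 20, 6, 20, 6, 20]

# Slot sizes derived from the posted modification (my reading; an assumption):
# nine letter units c v c v c v c v c. The first four consonant units draw
# from 20 consonants + 8 blends = 28, the last from the 20 plain consonants,
# vowels from 6; then one of 13 digit/symbol characters is inserted after
# 3..7 letters (5 positions). ucfirst is deterministic and adds nothing.
MODIFIED_SLOTS = [28, 6, 28, 6, 28, 6, 28, 6, 20, 13, 5]


def keyspace(slots):
    """Distinct outputs of a generator whose choices are independent and whose
    choice sequences never collide. That holds here: consonant units and vowels
    come from disjoint alphabets, and the inserted symbol is neither."""
    return math.prod(slots)


def bits(space):
    """Entropy in bits, assuming every output is equally likely."""
    return math.log2(space)


def mixture_keyspace(spaces):
    """A generator that picks one of several patterns at random, against an
    attacker who knows every pattern: the space to search is the SUM of the
    per-pattern spaces (outputs assumed disjoint), not their product."""
    return sum(spaces)


def hours_to_exhaust(space, guesses_per_second):
    """Worst case for an attacker who must enumerate the whole space."""
    return space / guesses_per_second / 3600


def enumerate_modified(vowels, consonants, blends, symbols, positions):
    """Brute-force every output of the modified generator for tiny alphabets,
    so the slot arithmetic can be checked exactly against a real enumeration."""
    cons_any = consonants + blends
    units = [cons_any, vowels] * 4 + [consonants]      # c v c v c v c v c
    outputs = set()
    for combo in itertools.product(*units):
        letters = "".join(combo)
        for pos in positions:
            for sym in symbols:
                s = letters[:pos] + sym + letters[pos:]
                outputs.add(s[0].upper() + s[1:])     # ucfirst
    return outputs


def arithmetic_matches_enumeration():
    """Constructed miniature alphabets: 2 vowels, 2 consonants, 2 blends,
    2 symbols, 2 insertion positions. True if no two choice sequences collide."""
    outputs = enumerate_modified(["a", "e"], ["b", "t"], ["bl", "st"],
                                 ["1", "_"], [3, 4])
    return len(outputs) == keyspace([4, 2, 4, 2, 4, 2, 4, 2, 2, 2, 2])


if __name__ == "__main__":
    for name, slots in (("original", ORIGINAL_SLOTS), ("modified", MODIFIED_SLOTS)):
        n = keyspace(slots)
        print(f"{name}: {n:,} outputs, {bits(n):.1f} bits, "
              f"{hours_to_exhaust(n, 1e6):.1f} h at 1M guesses/s")
    both = mixture_keyspace([keyspace(ORIGINAL_SLOTS), keyspace(MODIFIED_SLOTS)])
    print(f"mixture of both patterns: {bits(both):.1f} bits")
    print("enumeration check:", arithmetic_matches_enumeration())
```

The useful number for a defender is the bit count: the posted generator sits near 36 bits and the blend/symbol variant near 40 bits, and mixing several known patterns only adds roughly log2(number of patterns) on top of the largest one, which is why the post's suggestion of a long multi-word pattern matters more than the number of short patterns.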
