Help and FAQ for a password generator page

This is a description, explanation and FAQ for this page. The page itself may be used either at this site or as a local copy.


Generally, password card is a safe and simple way to keep all your passwords at your wallet or your PC.

Everyone knows that password must be complex enough, to be hard to pick. Simple passwords can be picked by program using a dictionary, in worst case they can be even guessed by people, who knows something about you. Strong randomly generated password is not strong, if it's written at the back of your mouse pad or at the sheet of paper at your wallet. And the worst thing about passwords is that you have to maintain unique passwords for each of the places you visit, as password leaks from weakly secured forum may expose to attacker all of your personal data, including your blogs, e-mail, messengers, whatsoever, even if you chose a strongest password at the world.

You can try to obey these rules, but in a short time you'll finally fail to memorize all of these uber-strong symbol chains and face the same problem - how to maintain multiple different strong passwords without keeping them open-text at some file of your PC or at the sheet of paper? Maybe you'll choose to put them to a document, which is stored at your computer in encrypted form by some special software (protected by master password, or by some key), but the problem is dramatized by the fact, that outside your home you may have no safe access to PC with such software. That really hurts, but the solution is, actually, is simple.

Password card is a symbol matrix, generated locally (it means that nothing is transferred by your computer to network) on the base of master password by simple and effective software. Matrix is not reversible back to password due to some mathematical reasons.

Implementation details (ask wikipedia about words in italic, if they're not familiar):

Basically, this implementation gets a MD5 hash of a password and uses it to seed the 128-bit pseudo-random number generator, which produces a data to fill the password card. As easy as that.

All computations are made at this page itself, ABSOLUTELY NOTHING is transferred to server. That's the reason, why this page lays at open HTTP web site - there's just nothing to expose to malicious persons.

Since MD5 is irreversible (there's no way to compute back the initial sequence, for which the hash is made for) the only way to crack it is to use a brute force, i.e. to pick the password, using a dictionary attack or MD5 hash database. For those who wonders what's that - hash database is, naturally, a database of MD5 hashes for different passwords, known to dictionary. The reason to maintain them is that picking a generated hash from the database is much faster than hash computations for each password at the dictionary. Does it affect you? No, since it's impossible to recalculate the hash based on the matrix, as it's used only to seed the pseudo-random number generator, i.e. to set the starting point in a 128 bit random sequence. Even if the attacker could get the sequence exactly, it would take ethernity to scan the sequence, find where is it from and thus find a seeding value. "Even if" at this case means that we don't get a whole number of the sequence to pick the char, we get only a remainder of division by valid character amount. If leaves no chance to restore the sequence.

So, after all, you may be pretty sure, that your master password is secured enough to make a password card absolutely useless for password decryption means. Your password is absolutely safe, unless you reveal it somehow else.

Practical usage of this card is simple and takes few steps:

For the most practical use, just copy this page to your computer or PDA (iPhone is ok) and use it offline whenever you want.

Finally, just remember the origin site: It's easy to remember, and it always has the most recently updated copy of this password generator.

Changes at 2.0

The most significant change is that now encoded password is no more located at the text line of <input> tag, to stop browsers from caching form data.
Also, radio buttons with character sets are now replaced to checkboxes with partial sets, as a most practical solution.
Character set compilation was fixed to eliminate duplicate characters, if they appear in custom set.
Finally, I've also made some form redesign to make it more compact and moved help page from embedded hidden HTML code to this page.


Q: I've seen such kind of pages before, why do you need one more?
A: Well, the main reason is that if I need some small utility, I just make it myself instead of long search on the net. maybe it doesn't save much of my time, but it usually saves my nerves, as third-party programs usually lack some functionality I need and contain bugs which won't be fixed quickly, since most of them have closed code. If I make it myself, I'm pretty sure it does what I want it to do.
That's the reason, but I also have to mention differences, which I noticed, when I got this question and checked similar pages. I'll outline several main flaws, which I've noticed.

So, when I saw all of these, I've decided that time spent on this generator is definitely not lost. How'd you think?

Q: What if attacker attempts to use a dictionary attack against the generator?
A: To make such attack successful, attacker also has to pick a secondary password for each of the master passwords he tries to pick. Even if attacker got a stolen password hash database from the hacked resource, it would be a very hard task even with weak password pair. If there was no leak from resource, or at least one of the passwords is strong, it's virtually impossible.

Q: Okay, it works for PC and PDA, but it's not convenient for mobile phones, any chance to make it better?
A: I plan to make a Java mobile application which does the same, but in easier manner, with no table and extra stuff, just the encoder. Since I'd like to have it for myself, yes, there is a good chance.

Password generator (version 2.0)