Talk:Random password generator

Older thread
What's the real main article for this page? Examples is a redirect page.

Also, these code fragments are very poor. They seed the random number generator based on the time of day, so if I know the server's time of day when the account was created, I know the password! -- Mikeblas 01:07, 3 February 2006 (UTC)


 * I rewrote the article using the code fragments as examples of what not to do. No offense intended to the original submitter; these are all too common mistakes and that is why i think this article is needed. --agr 23:00, 19 February 2006 (UTC)

In Section "Naive Approach"
The paragraph about the problems with the C standard library random number generator is irrelevant. For generation of an ASCII password, as long as the possible range of outputs is larger than the number of acceptable ASCII characters - from decimal 33 to decimal 126 - the absolute size of the output is unimportant. The random number will be modded by 94 anyway. The small number of possible outputs of the C standard library rand function is indeed important - but only when the full range of numbers is used, such as in a cryptographic hash. It need not be mentioned here, and is in fact misleading and confusing when it is. What is significant is the potential size of the seed - since the generator is deterministic up to seed choice, an attacker who knew the algorithm for generating the password from a given random number could simply test the results of all possible seed values, if the maximum seed size is small. -- GFett (talk) 18:43, 7 September 2008 (UTC)

Even if this section were to stay, the introduction seems very biased to me. And it seems very ambiguous: what is a "naive programmer"? Who decides who is one and who isn't? Could "unexperienced" substitute for "naive" here? To become philosophical: What is naive? Who decides...? etc. You catch my drift. --MIB4u (talk) 03:39, 6 October 2008 (UTC)


 * I tried to clarify what naive means here. I'd be interested in opinions on whether the code examples should stay.--agr (talk) 18:04, 16 October 2008 (UTC)
 * I think these code examples are good. Also, I think in this context a "naive programmer" would be a programmer who uses code that has similar issues that are displayed in the examples.Smittycity42 (talk) 22:32, 27 March 2011 (UTC)


 * I like the code of what not to do. I would also like additional examples of what should be done.  The word "naive" describes to me a normal first try without knowledge.  Some call that "hacking".  I think hacking should be encouraged.  Hacking anything is a good start as you will make mistakes. I find I learn much from my mistakes.

Thank you to all this article's authors. BTW is there a case for changing this article's title to Random Password Generator Software or Programming? - Cheers, John S Woler (talk) 15:15, 27 March 2013 (UTC)


 * Is this "naive approach" section needed at all? Why would we want to describe a solution that is obviously invalid? I'd just delete this section and leave a short paragraph about caveats of the implementation with no code samples. If we post bad code samples, it's guaranteed someone will eventually take and use them... Pawel Krawczyk (talk) 09:23, 14 April 2015 (UTC)

Password generator programs and Web sites
The subject of password generation and web sites was briefly touched upon. But it fails to mention some sites attempt to track users, or inventory the usage, allow the webpages to be cached, or use unsecure forms of scripting or third party tools...

Also, it seems that websites which only offer a secure connection and no login are rare. The following site is secure, non-tracking, etc, and gives pseudo-random passwords freely. Should it's URL be included in the "External links" section? https://www.grc.com/passwords.htm —Preceding unsigned comment added by 64.231.103.110 (talk) 17:05, 10 September 2009 (UTC)


 * I think the link should be listed, not only is it a good place to get a strong password, they even explain how those particular passwords are generated.Smittycity42 (talk) 22:27, 27 March 2011 (UTC)

If I wanted to phish passwords, I'd simply set up a password generator site, store all generated passwords, and after some collecting ... try them at the Top 100 sites like Amazon, eBay, etc. Seriously: Generate your passwords yourself! Most passwords are not cracked, because they are too short, but because they are shared among sites, or easily collected like I described. — Preceding unsigned comment added by 79.197.66.117 (talk) 12:38, 12 May 2013 (UTC)

Non-alphanumerical!
Hey what is Non-alphanumerical in passwords§♦javascript:insertTags('%E2%99%A6',,) —Preceding unsigned comment added by 76.0.43.217 (talk) 22:50, 3 March 2010 (UTC)

Python code snippit
I noticed that the python code snippet that samples the OS entropy pool will never use the same character twice. I'm pretty sure this is bad as this reduces the search space for a brute force attack. By my calculation the search space is reduced from $$62^{10} $$ to $$62! / (62 - 10)!$$ or $$8.4\times10^{17}$$ to $$3.9\times10^{17}$$. Not all that bad, but if you use this to make a large password (say 62 chars long which is the largest you can do with this snippet without breaking as there are only 62 unique chars available) then the difference starts to matter as it is ≈$$10^{111}$$(allows duplicates) to ≈$$10^{85}$$. I'll gladly contribute a new snippet as soon as a finish it.Smittycity42 (talk) 10:44, 23 March 2011 (UTC)

As Promised:

import random, string myrg = random.SystemRandom length = 100 alphabet = string.letters + string.digits pw = str.join(myrg.choice(alphabet) for _ in xrange(length)) print pw
 * 1) !/usr/bin/python

If there are no objections in a few days I will go ahead and edit the page.Smittycity42 (talk) 22:04, 27 March 2011 (UTC)

What is the meaning of "sufficiently difficult to guess?"
"'In fact there is no need at all for a password to have been produced by a perfectly random process: it just needs to be sufficiently difficult to guess.' [Comment preserved for discussion.]"

a) Not true for all situations, and therefore it seems likely to mislead many readers. Who can say what constitutes "sufficiently difficult to guess," in which applications, and for how long, given the increasing sophistication of cracking tools? The truth of the argument is dependent on one's understanding and/or definition of "sufficiency." Humans are notoriously poor at estimating what others can't guess, and this includes many tools to simulate randomness. If one can determine the means of generation, one can reverse engineer it. I'm in favor of clarifying, amending or deleting that remark. (It's practical truth is outweighed by the number of possible false interpretations.)

b) There are numerous articles in wikipedia on "pseudorandom number generation" (I count four articles on the topic).  Is there an argument for renaming this article "Pseudorandom password generation"? (i.e., is "computational true randomness" possible?) This article dangerously conflates mechanical (true) random generation with pseudo-random computational processes, often in the same paragraph. Some elucidatation seems useful, perhaps by adding a subheading or changing the name?  Question certainty (talk) 23:22, 23 February 2014 (UTC)


 * I tend to agree that the comment is out of place and should be removed. It looks like original research, since it needs to be qualified to make any real sense.
 * I disagree with a renaming using the word "Pseudorandom", since the article does cover the use of true randomness, albeit poorly. The "Random" in the title is similarly unsuitable, which I imagine is what you noticed.  I would also suggest "generation" in place of "generator". What about "Secure password generation"? —Quondum 23:47, 23 February 2014 (UTC)

srand(rand);
What does this do? rand creates a random number and the next random number follows on from this srand(rand); creates another random number, then sets the start the be the value it was going to start from anyway so srand(rand) is equivalent to rand [citation needed] 87.102.44.18 (talk) 14:35, 11 January 2016 (UTC)