Ask HN: Dictionary based password generator source code – useful or useless?
For example, it creates '312Hesitent-Boxes', '646Nifty.Brains!'.
These passwords are sufficient for many websites requirements, but more-over, they are easyier to spell and type.
The issue is, since a Chrome App is basically just a zipped up JavaScript/HTML folder, it's trivial to get the list of words and then generate every possible combination of numbers+punctuation+words - that's still a lot of words, but nothing that couldn't be generated into a table with that much effort.
Question is, does the ability to predict every password easily make such a tool useless? Or are we more common sense based and know that we could use these passwords on sites that lock/restrict accounts when they hit incorrect passwords, have two-factor, IP locks, non-predictable usernames etc...
6 comments
[ 3.2 ms ] story [ 27.9 ms ] threadEven if you only use a relatively small dictionary (of 32,000 words). Just picking two words at random is a billion combinations. Throw in some different punctuation symbols, plus a 3 digit number and that's over a trillion password combinations.
Any password throttling only helps, but you cannot rely on every website using it.
edit: Just a reminder: check your randomness source for security!
This should be your first thought when doing ANYTHING security-related.
Agreed.
Transliterating words to latin characters from a user's foreign language is a great way to add words not usually found in dictionaries. (eg If you speak Greek, French or Japanese, take a couple of books and transliterate them, remove 10% most and less common words, remove any words between 1-3 and 8+ chars and you should be gold.) You can create or find dictionaries like this for different languages and provide them for users to choose/download from.
Open sourcing your app would be a great way to get help and ideas from others.