Bytekit: Generating Passwords
In my recent post introducing bytekit, I described a tiny PWA designed to help me and other developers. Here I am going to introduce a new feature: generating passwords and secrets.
It may sound odd to use an online tool for something as sensitive as a password. The good news is that https://bytekit.app/password-generator has the properties needed to make it trustworthy:
- It runs entirely inside the browser.
- It does not send data anywhere; this can be verified in the browser's developer tools (network tab).
- It is Free Software (https://codeberg.org/vyskocilm/bytekit), so the source code can be inspected.
- Anyone can deploy the static binary or the container quay.io/vyskocilm/bytekit themselves.
How to generate a secure password
In the not-so-good days of enterprise systems, a few rules were made mandatory:
- Passwords must have a minimum length.
- Passwords must contain D digits and S special characters.
- One must change one's password every M months.
- The system remembers all previous passwords, so it rejects new passwords that are too similar to an old one. This is very secure, indeed.
The xkcd comic on password strength made them obsolete.
In fact the sane rules are:
- Passwords must be stored in a password manager; among other benefits, this prevents phishing attempts.
- Passwords must be randomly generated (i.e. no admin, 12345, password or football).
- Passwords must not be reused.
- The password manager is typically protected by a master password, and this is where xkcd comes into play.
- Use https://haveibeenpwned.com/ and https://haveibeenpwned.com/Passwords to check whether your email address or a password has already appeared in a known breach.
Algorithms
So, to keep traditional enterprise systems happy as well as readers of xkcd, and to enjoy a bit of coding, https://bytekit.app/password-generator generates four types of passwords at once.
- random is a password made of uppercase letters, lowercase letters, digits and symbols. Password rules are respected.
- vowel-consonant-vowel is a simplified version of A Random Word Generator For Pronounceable Passwords (National Technical Information Service, NTIS AD-A-017676), which aimed to generate memorable passwords and is now deprecated. The simplified algorithm tries to produce readable passwords; in reality they are not readable once a password is long enough. Rules are respected by placing digits and special characters at random positions in the generated string.
- koremutake generates passwords based on the algorithm from shorl and apg-go and its predefined syllables. Bytekit randomly switches between all lowercase, all uppercase or first letter uppercase for each syllable. Rules are respected by placing digits and special characters at random positions in the generated string.
- xkcd is the recommended algorithm for passwords intended to be memorized. CorrectHorseBatteryStaple from xkcd: Password Strength is an example of a great and safe password. Except not this one, because it has been breached 150 times already (the lower case variant more than 4000 times) and today it is very likely part of a dictionary. Rules related to digits and specials are ignored in this case.
When in doubt, use the random option, or xkcd if special characters and digits do not matter.
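To make the rule handling concrete, here is an added example in Go (assumed to be bytekit's language, judging by the TestParse naming; the code is mine, not bytekit's). It generates the random variant with guaranteed digit and special counts drawn from crypto/rand, and it sprinkles digits and specials into an already generated pronounceable string at random positions, which is how the post describes the vowel-consonant-vowel and koremutake variants meeting the rules. The special-character set and the sample base word are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Character classes; the special set is an assumption made for this example.
const (
	lowerSet   = "abcdefghijklmnopqrstuvwxyz"
	upperSet   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digitSet   = "0123456789"
	specialSet = "!#$%&*+-=?@^_~"
)

// randIndex returns a uniform integer in [0, n) from the OS CSPRNG. A failing
// crypto/rand is unrecoverable for a secret generator, so panic rather than fall
// back to anything weaker; math/rand would be a bug here.
func randIndex(n int) int {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err)
	}
	return int(v.Int64())
}

// pick draws one character from set, uniformly.
func pick(set string) byte { return set[randIndex(len(set))] }

// shuffle is a Fisher-Yates shuffle driven by crypto/rand, so the guaranteed
// digits and specials do not end up at predictable positions.
func shuffle(b []byte) {
	for i := len(b) - 1; i > 0; i-- {
		j := randIndex(i + 1)
		b[i], b[j] = b[j], b[i]
	}
}

// RandomPassword builds the "random" variant: the required digits and specials
// are drawn first, the rest from all four classes, then everything is shuffled.
func RandomPassword(length, minDigits, minSpecials int) (string, error) {
	if minDigits+minSpecials > length {
		return "", errors.New("rules require more characters than the password length")
	}
	all := lowerSet + upperSet + digitSet + specialSet
	out := make([]byte, 0, length)
	for len(out) < length {
		set := all
		switch {
		case len(out) < minDigits:
			set = digitSet
		case len(out) < minDigits+minSpecials:
			set = specialSet
		}
		out = append(out, pick(set))
	}
	shuffle(out)
	return string(out), nil
}

// Sprinkle is the approach the post describes for the pronounceable variants:
// insert the required digits and specials at random positions of an already
// generated word. The letters keep their order; the result is longer than base
// by minDigits+minSpecials characters.
func Sprinkle(base string, minDigits, minSpecials int) string {
	out := []byte(base)
	insert := func(c byte) {
		pos := randIndex(len(out) + 1)
		out = append(out[:pos], append([]byte{c}, out[pos:]...)...)
	}
	for i := 0; i < minDigits; i++ {
		insert(pick(digitSet))
	}
	for i := 0; i < minSpecials; i++ {
		insert(pick(specialSet))
	}
	return string(out)
}

// CountClasses is the check a site (or a test) applies to a candidate password.
func CountClasses(pw string) (nDigits, nSpecials int) {
	for _, r := range pw {
		switch {
		case strings.ContainsRune(digitSet, r):
			nDigits++
		case strings.ContainsRune(specialSet, r):
			nSpecials++
		}
	}
	return nDigits, nSpecials
}

func main() {
	pw, err := RandomPassword(16, 2, 2)
	if err != nil {
		panic(err)
	}
	// "korEMUtaKE" is a constructed base word, not real koremutake output.
	fmt.Println(pw, Sprinkle("korEMUtaKE", 2, 1))
}
```

Two points worth noticing: every random choice goes through crypto/rand, including the shuffle and the insert positions, and Sprinkle grows the string, so a site's maximum length has to be checked after sprinkling, not before.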
Password Rules
Many sites require passwords to follow specific rules. To avoid implementing many HTML controls, I use a simple algorithm that tries to identify rules written in plain English and apply them. The best results come when each rule is on its own line, like in the placeholder text.
It works by searching for numbers, or well-known number words like zero, and then looking for a keyword within a window of three words. "Password must have three digits" yields the number 3 and the keyword digits, so the minimal number of digits is set to 3.
The parseRules function and its TestParse test can shed more light for anyone interested.
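The following is an added Go example of such a parser, written for this article; it is not bytekit's parseRules, and the keyword list, number words and rule names are my own assumptions. It follows the description above (find a number, then look for a keyword within the next three words) and goes one step beyond it: a number preceded by "max", "maximum", "most" or "exceed" is treated as an upper bound and ignored, so "At most 64 characters" does not become a minimum length.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"unicode"
)

// Rules maps a requirement ("length", "digits", "specials", "upper") to its
// minimum; a missing key means the text stated no such requirement.
type Rules map[string]int

// numberWords covers the spelled-out numbers a rule is likely to use.
var numberWords = map[string]int{
	"zero": 0, "one": 1, "two": 2, "three": 3, "four": 4, "five": 5, "six": 6,
	"seven": 7, "eight": 8, "nine": 9, "ten": 10, "twelve": 12, "sixteen": 16,
}

// keywords pairs a word prefix ("digit" also matches "digits") with the rule it
// sets. The first keyword found in the window wins, so "2 special characters"
// means two specials, not a length of 2: "special" is checked before "char".
var keywords = [][2]string{
	{"digit", "digits"}, {"number", "digits"}, {"special", "specials"},
	{"symbol", "specials"}, {"upper", "upper"}, {"capital", "upper"},
	{"char", "length"}, {"length", "length"}, {"long", "length"},
}

// maxWords just before a number mark an upper bound ("at most 64 characters"),
// which a minimum-rules parser must not turn into a minimum length.
var maxWords = map[string]bool{"max": true, "maximum": true, "most": true, "exceed": true}

const window = 3 // words inspected after a number (and before it, for maxWords)

// tokenize lower-cases a line and splits it into words, dropping punctuation.
func tokenize(line string) []string {
	return strings.FieldsFunc(strings.ToLower(line), func(r rune) bool {
		return !unicode.IsLetter(r) && !unicode.IsDigit(r)
	})
}

// asNumber accepts "12" as well as "twelve".
func asNumber(tok string) (int, bool) {
	if n, err := strconv.Atoi(tok); err == nil && n >= 0 {
		return n, true
	}
	n, ok := numberWords[tok]
	return n, ok
}

func keywordFor(w string) (string, bool) {
	for _, k := range keywords {
		if strings.HasPrefix(w, k[0]) {
			return k[1], true
		}
	}
	return "", false
}

func isMaximum(toks []string, i int) bool {
	for j := i - 1; j >= 0 && j >= i-window; j-- {
		if maxWords[toks[j]] {
			return true
		}
	}
	return false
}

// ParseRules scans each line for a number, then looks at the next `window`
// words for a keyword; the first keyword found sets the matching minimum.
func ParseRules(text string) Rules {
	rules := Rules{}
	for _, line := range strings.Split(text, "\n") {
		toks := tokenize(line)
		for i, tok := range toks {
			n, ok := asNumber(tok)
			if !ok || isMaximum(toks, i) {
				continue
			}
			end := i + 1 + window
			if end > len(toks) {
				end = len(toks)
			}
			for _, w := range toks[i+1 : end] {
				if _, isNum := asNumber(w); isNum {
					break // a second number starts a new rule
				}
				if rule, found := keywordFor(w); found {
					rules[rule] = n
					break
				}
			}
		}
	}
	return rules
}

func main() {
	// Constructed sample of the kind of text a sign-up form shows; not from any real site.
	text := "Password must be at least 12 characters long\nMust contain three digits\n" +
		"At least 2 special characters\nAt least one uppercase letter\nAt most 64 characters"
	fmt.Println(ParseRules(text)) // map[digits:3 length:12 specials:2 upper:1]
}
```

The window only looks forward, so a rule phrased with the number last ("Digits: 3") is missed; scanning the three words before the number as a fallback is the obvious extension. Ranges such as "8 to 16 characters" are also read naively (the last number wins), which is why the parsed result is worth showing to the user before a password is generated.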