Random Password Generator


Daniel Kelly

Jan 29, 2025, 9:26:14 AM
to pwm-general
Hi Jason
We are planning on using your project for a number of schools. All looks good so far, however the Random Passwords generator doesn't seem to take into account the Seed List as far as I can see. The passwords generated all seem to be very complicated.

[Attachment: Random.png]

The lists I am using are: https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/pwm/wordlist-giant.zip (although I have tried all sorts of lists, and also switching some settings on and off and restoring defaults)

The lists seem to be applied if I look at the logs.

[Attachment: seeds.png]

Any help would be gratefully received. Thanks in advance

Kind regards
Dan K

Jason Rivard

Jan 30, 2025, 7:02:03 PM
to pwm-general
The random password generator is complex. First, keep in mind that the password must conform to the user's password policy. Use the admin -> user debug screen to see the effective password policy for the user. No matter the seedlist, the password must conform to that policy.

Second, the seedlist as a concept is a bad idea left over from an earlier era. I don't recommend its use. The idea is that you would use an actual language dictionary wordlist (not a password wordlist like you're using). The seedlist would have a word like 'horse' in it, and the generator would mutate it slightly to make a memorable password, but one that was slightly modified so it wouldn't be in the wordlist.

If you look at the contents of the wordlist you're using (the wordlist-giant.zip), the vast majority of the words in it are going to be seemingly random gibberish, because they come from password cracks, not from an English or other language dictionary.

The idea of using known values or slightly mutated known values for a password is a really bad idea from a contemporary security perspective, and thus having completely random values not sourced from a seedlist is a much, much better approach. The seedlist feature is only there for legacy reasons and should be considered deprecated, and it is in fact removed from the yet-unreleased post-v2 codebase. I'll make it a point to update the help in v2.x to make it clear this is a deprecated feature.

Note: If you watch the TRACE level log messages you can get a bit more perspective on how the random generator is working.

Daniel Kelly

Feb 3, 2025, 7:54:05 AM
to pwm-general
Hi Jason

Thanks for the explanation about the password generator and seedlists. I get why the shift towards fully random passwords makes sense from a security standpoint.

That said, in a school environment, we have to balance security with usability, especially for younger students. If their passwords are too complex or random, it leads to constant login issues and a lot of time spent on resets. So we need a way to generate simpler but still secure passwords that work within our policy.

I’ve tried different configurations, including changing wordlists and seedlists, but no matter what I do, the generator doesn’t seem to produce usable results. It either fails to generate passwords or gives ones that don’t fit our needs.

Would it be possible to introduce a regex-based function so we can define password structures that meet both security and usability needs? That way, we’d have more control over how passwords are generated without relying on deprecated features.

Also, we’re trying to move away from storing student passwords in spreadsheets for security reasons, so having a built-in solution that works reliably would be really helpful.

Would love to hear your feedback on that idea, do you have any suggestions on how we can make this work?

Thanks in advance
Dan

Jason Rivard

Feb 5, 2025, 9:50:22 PM
to pwm-general
Hi Dan, I've thought some about your problem but I haven't come up with any interesting answers.

You may be best off generating passwords with some other tool and using the helpdesk to set them. I guess you could also write your own JavaScript generator and add it to the password change screen, but that would require some development work on your part.

Daniel Kelly

Feb 6, 2025, 4:40:05 AM
to pwm-general
Thanks Jason
Yep, I think we may just have to educate teaching staff to set complex (enough) passwords for the students and be done with it.

Thanks for your consideration and thanks for a really great project you provide

Kind regards
Dan K