FF-pwgen - screenshots
computing tab (portrait)
You can enter your own password in the text field at the top and then press "check my password" (this will compute the entropy based on the current app settings).
In the gray field the password will appear (you will see green bars during password generation).
To generate a new password, either do the shake gesture or press the "Generate password" button. Each new run will first clear the clipboard, so if you need a password, be sure that you have inserted it somewhere before generating a new one.
The generation of memorizable passwords can take some time because 2 large dictionaries are used to generate them. You will see the progress as question marks appear, showing how much of the password has already been calculated.
Note: The entropy bar has 3 different colors: red = poor, orange = medium, green = good. You will very seldom see good quality for your password (even for the generated ones). However, you should definitely avoid the red bar.
Here you control the general settings which influence the entropy and therefore the strength of the generated password.
First choose between the weaker memorizable mode (pieces of real words) and the pure random paranoid mode.
You can enable "avoid human error", which removes a bunch of chars that could be mistaken for each other (you need this for transmission over the phone or when the password is written down before it can be entered).
Next you can control the length of the password (more = better). Note that for memorizable passwords this defines the minimum length, as the generation algorithm tends to produce somewhat longer passwords.
With entropy mode you control how strong the password will be:
Use "user" if you want to use your own settings; you can also see the chars the algorithm would use to create the password.
You will see this screen when you choose entropy mode "user" in the settings tab and then tap on the detail button. Please note that some options automatically activate / deactivate other options, because that is the way they work (e.g. if you enable IOS, which means all chars on all 3 different keyboard views of the standard keyboard, special chars and numeric digits will automatically be enabled and cannot be disabled).
Here is a description of each setting:
- letter case
choose letter case
- use digits
allow digits (0-9)
- special chars
allow special chars like *&+-$
allow all chars on IOS keyboard
- all printable
allow all chars without special meaning
The "avoid human error" setting in the settings tab will influence the resulting alphabet.
At the bottom of the screen, you see all chars which can be used to construct the password.
computing tab (landscape)
When you are in the first view (compute tab), this view is shown if you turn your device to landscape mode. The goal of this view is to show the weakness of human generated passwords.
You can enter only a password in portrait mode.
Enter a password in the compute view in portrait mode and then turn your device to landscape mode to bring this view up. The main purpose is to compute the entropy of human generated passwords with a different algorithm, which computes a far lower entropy value for human passwords. The following rules apply:
- first char has value of 4 entropy bits
- 2-8th char has a value of 2 entropy bits each
- 9-20th char has a value of 1.5 entropy bits each
- 21st and each later char has a value of 1 entropy bit each
- if different cases are used (a-z AND A-Z), 6 bits are added to the entropy
- if special chars are used, 5 bits are added to the entropy
- if numerical digits are used, 4 bits are added to the entropy
(This will greatly decrease the calculated entropy; you can check this by flipping the switch at the bottom. If you enable the "password is human generated" switch, the above algorithm is used; if it's disabled, the entropy is calculated based on the current settings.)
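The rules above written out as a small Python function, added here as an example (it is not FF-pwgen's own code). Treating every non-alphanumeric character as "special" is an assumption, and so is the comparison figure: the usual uniform-random estimate over a 94-character printable ASCII alphabet, which is not stated to be the app's formula.

```python
import math
import string


def human_entropy_bits(password: str) -> float:
    """Entropy estimate for a human-chosen password, per the rules listed above."""
    bits = 0.0
    for position in range(1, len(password) + 1):
        if position == 1:
            bits += 4.0      # first char
        elif position <= 8:
            bits += 2.0      # chars 2-8
        elif position <= 20:
            bits += 1.5      # chars 9-20
        else:
            bits += 1.0      # char 21 and later
    # Bonuses. "Different cases" follows the rule text (a-z AND A-Z);
    # counting any non-alphanumeric char as "special" is an assumption.
    has_lower = any(c in string.ascii_lowercase for c in password)
    has_upper = any(c in string.ascii_uppercase for c in password)
    if has_lower and has_upper:
        bits += 6.0
    if any(not c.isalnum() for c in password):
        bits += 5.0
    if any(c in string.digits for c in password):
        bits += 4.0
    return bits


def uniform_random_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols drawn uniformly at random (assumed comparison)."""
    return length * math.log2(alphabet_size) if length else 0.0


if __name__ == "__main__":
    # "Pr0d@dm!n" is the example from this page; the others are constructed samples.
    for pw in ["Pr0d@dm!n", "password", "Summer2019"]:
        human = human_entropy_bits(pw)
        uniform = uniform_random_bits(len(pw), 94)
        print(f"{pw!r}: human rule {human:.1f} bits, uniform-random {uniform:.1f} bits")
```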
Because humans tend to pick complete words with only one letter changed in case and maybe a date (or part of a date) appended, these passwords are easily guessed by dictionary attacks with some basic permutation. Please don't fool yourself: even a password like Pr0d@dm!n should be considered very weak. As soon as it is constructed from "real" words, you should consider it immediately cracked, no matter how fancily you try to hide the different chars with "substitutes".
If a password is human generated and easy to remember, it is normally easy to crack. Yes, there are exceptions to this rule, but again, just don't believe every human can create and then remember strong passwords. Normally there is a high chance of finding the password with either dictionary/permutation attacks or social engineering (e.g. name of kids/spouse with birthday added).