FF-pwgen: secure passwords

Default settings

The default settings use high entropy with paranoid mode and a length of 10 characters (entropy: 66 bits).

Let's check what this means for a cracker:
2^66 = 73786976294838206464 possibilities
With a current high-end graphics card that can compute 200 million hashes per second, this would take 11,000 years of computing time if all hashes must be computed. If you add one more character (driving the entropy towards 72 bits), it would take 748,000 years.

Settings of FF-pwgen

You will notice that only a few options can be modified in the settings. This is intended: if you start the app without changing anything, there should be no way to generate a weak password. The minimum password length is 8 characters, and all other defaults will lead you to a strong password. Even if you choose the weakest setting (paranoid passwords, length of 8, avoid human error), this will result in a password with an entropy of 48 bits (not good, but still better than most human-chosen passwords).

If you are looking for a convenient way to create weak passwords, this app may not be for you, sorry.

What does avoid human error do?

If you enable this, some characters are removed from the list used to create a password. These characters are either known to be confused with other characters (e.g. 0 with O, or I with l or |) or are of the same type (brackets). The goal was to generate a password that can be given to someone else (e.g. over the phone) and still has a chance of being entered correctly.

Of course this greatly reduces the entropy of your password; you can counter this by increasing the password length.

What is the difference between memorizable / paranoid?

What options of FF-pwgen make passwords weaker?

All settings that decrease the size of the alphabet (the set of allowed characters used to construct the password) decrease the overall entropy. If you disallow numerical digits, you get lower entropy because the number of characters the generator can choose from shrinks.

If you enable avoid human error, you will see a large drop in entropy because most special characters are gone and even some normal letters (e.g. O, l, I) are removed. Note that "avoid human error" is enforced when you use "memorizable passwords"; this may lead to passwords that are not so memorizable, but you can regenerate until you get one you like.
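The entropy arithmetic behind the cracking-time figures above and the alphabet shrinking described for "avoid human error", as an added Python example that is not FF-pwgen's own code. The character classes and the list of ambiguous characters are assumptions built from the page's description (0/O, I/l/|, brackets), so the resulting bit counts differ from the app's own numbers.

```python
import math
import secrets
import string

# Assumed character classes (FF-pwgen's real lists are not given on the
# page): printable ASCII without the space character, 94 chars in total.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "special": string.punctuation,
}
# Characters "avoid human error" is described as dropping: look-alikes
# (0/O, I/l/|) and bracket pairs. Assumed list, not the app's own.
AMBIGUOUS = set("0OIl|()[]{}<>")


def build_alphabet(avoid_human_error=False, **enabled):
    """Concatenate the enabled classes; each class defaults to enabled."""
    chars = "".join(v for k, v in CLASSES.items() if enabled.get(k, True))
    if avoid_human_error:
        chars = "".join(c for c in chars if c not in AMBIGUOUS)
    return chars


def entropy_bits(alphabet_size, length):
    """Entropy of `length` characters drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, hashes_per_second):
    """Worst case: years needed to try every candidate at the given rate."""
    return 2 ** bits / hashes_per_second / (365.25 * 24 * 3600)


def generate(alphabet, length):
    """Draw from the OS CSPRNG; random.choice is not suitable for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    rate = 200e6  # the page's 200 million hashes per second
    for avoid, length in ((False, 10), (False, 11), (True, 8)):
        alpha = build_alphabet(avoid_human_error=avoid)
        bits = entropy_bits(len(alpha), length)
        print(f"avoid_human_error={avoid} len={length} alphabet={len(alpha)} "
              f"entropy={bits:.1f} bits -> {years_to_exhaust(bits, rate):,.0f} years")
    print(generate(build_alphabet(avoid_human_error=True), 12))
```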

How can I see which characters are currently valid for password creation, given my selections?

A short description of what the current entropy mode allows is directly below the entropy mode selection button (settings tab).

However, this does not show you how "avoid human error" affects your password creation alphabet. If you want to check the current alphabet, enable the options you want and then select the user entropy selector on the settings page. It shows the options that are currently active and the result (which characters are allowed to construct the password).

This list is the basis for all further options; e.g. if you pick big letters (A-Z) and then choose "memorizable", you get a hard to memorize password because all lowercase letters are skipped.

