NOT SECURE!

This service must NOT be used over an unsecured connection!

Please flip to the secure version of this site by clicking here.


NOTICE!

As this is an unfunded hobby-project, I am unable to buy a dedicated SSL certificate to host the service. This means that when you click on the secure link above, your browser will probably warn you (at least the first time) that the certificate being offered is untrusted and/or not specifically named for this site.

What's the danger?

Since I always advocate checking the validity of any security claims, it's a little embarrassing that this should happen here. However, I'm not asking you to divulge your actual name, or any other personal information, and I never record ANY of the details you enter. The only reason I insist on bumping you into a secure mode is so that the details and passwords are encrypted in transit, to make them resistant to "sniffing".

Secure Sockets Layer (SSL) certificates provide two services: authentication and encryption. In this particular case, no authentication is provided - the SSL doesn't guarantee that I am who I say I am. But the encryption is still very much in place and provides solid protection.

If I ever find the funds to buy a dedicated SSL certificate, this warning will disappear. While this may give a higher comfort-level, it won't actually make anything more secure.



What does this thing do?

It takes your input values, uses them to create a secure hash (with SHA512, in case you were wondering), then uses that to generate a rubbish-looking password.
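One way a generator of this kind could work, as an added example (not this site's own code, which the page does not show). Only SHA-512 and the 65-character set size come from the page; the input names `master` and `site`, the three symbols chosen for the alphabet, and the counter-based block scheme are assumptions.

```python
import hashlib

# Assumed alphabet: 26 lower + 26 upper + 10 digits + 3 symbols = 65 characters.
# The page gives the size of the set (65) but not its members.
ALPHABET = (
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "!#%"
)
# Bytes at or above this limit are discarded so that every character is
# equally likely (a plain `byte % 65` would favour the first 61 characters).
LIMIT = (256 // len(ALPHABET)) * len(ALPHABET)  # 195


def _encode_fields(*fields: str) -> bytes:
    """Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently."""
    out = b""
    for field in fields:
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def derive_password(master: str, site: str, length: int = 10) -> str:
    """Deterministically derive a site password from a master secret and a site name."""
    if length < 1:
        raise ValueError("length must be positive")
    seed = _encode_fields(master, site)
    chars, counter = [], 0

    while len(chars) < length:
        # Hash a counter with the seed; later blocks are only needed if one digest runs out.
        block = hashlib.sha512(counter.to_bytes(4, "big") + seed).digest()
        for byte in block:
            if byte < LIMIT:
                chars.append(ALPHABET[byte % len(ALPHABET)])
                if len(chars) == length:
                    break
        counter += 1
    return "".join(chars)


def keyspace(length: int) -> int:
    """Number of possible passwords of the given length over this alphabet."""
    return len(ALPHABET) ** length
```

Because the output is a pure function of the inputs, nothing has to be stored, but anyone who learns the master secret can regenerate every site password derived from it.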

And why would I care?

Random-looking passwords are good. Predictable passwords are not. If you, for example, use a five-character password composed of lower-case letters only, that represents 26^5 or 11,881,376 possible combinations. Assuming a serious computer could try a thousand a second, it would take 11,881 seconds or about three hours and twenty minutes to iterate through all of them. That's not a lot of time! And on average you'll hit the solution in half that time. Of course, depending on what the password is being used for, and in fact in most cases, you simply cannot try a thousand times every second. But we're looking at worst-case and best-protection here.

Taking that same situation, but using a 5-character password generated on this site, there would be 65^5, or 1,160,290,625 permutations, meaning that the same serious computer attempting the same crack-attacks would take 1,160,290 seconds or 322 hours. That's one hundred times stronger. In fact, it's probably a lot stronger as you may well have used a predictable (or slightly mangled) word as your password, which makes it susceptible to a dictionary attack. Switching to a character-set which uses upper-case and lower-case letters along with numbers and symbols adds an enormous amount of strength, and makes passwords immune to dictionary attacks.

Longer Is Stronger

Taking the above example even further, let's just add one more character to it. This doesn't make the password slightly stronger as you might think, it makes it SIXTY-FIVE times stronger. Yes, the number of permutations is now up to 65^6, or 75,418,890,625 which would now take that nasty cracking monster nearly two and a half years to chew through. Even the brute-force crackers would probably give up at this point and move on to an easier target. Let's get extreme here and take it up to ten characters. Now you have 65^10 or 1,346,274,334,462,890,625 permutations taking over 42 million years to test. You're now at the level of password complexity that would require a botnet of a hundred thousand monster cracker computers 213 years of full-time work, on average, to break. I think by now you've probably got the point.

Why can't I just use the same password everywhere?

If the key to your car is stolen, you might lose your car. If that same key is used to access your house, safe, motorcycle, gym locker, safety-deposit box, office, postbox, garage and garden shed, you could lose just about everything you own. Think about it.

Now think about this: that key gets copied by the mechanic who services your car. Somebody that you just hand it over to, somebody who needs it. There's no avoiding giving him the key. So why give him the key to your entire life? Just give him the car key! It's exactly the same with passwords. NEVER use the same password in more than one place: there is always a chance that somebody peeks at it, and tries it (along with the same email address you registered with) on various other common sites. Before you know it, your online accounts have been hijacked. Just don't do it! Rather, use utilities like this to generate unique strong passwords for each site or service. You retain the keys that can unlock the passwords; they see only what they need. Nobody ever gets your password for another site.

What do you do with my information?

I use it to generate a password for you. That's all. The details you entered are not retained or recorded. Full source code is available for inspection by interested parties, at the author's discretion.

Why is this page so butt-ugly?

There are no fancies here. No adverts or banners, but most importantly NO SCRIPTING AT ALL. This page is designed to be used as intended on as many browsers as possible. Adding fancy features both compromises that and gives more surface-area for security attacks. I have been asked to add a "copy to clipboard" button, but doing so would require scripting (and quite a lot of it to support the amazing variety of browsers out there) and I absolutely refuse to allow scripting here! If that is a feature you must have (and I can understand the attraction), then please use my desktop application or browser add-on instead (see the Passwords page). Mobile versions will be made available as soon as I get around to them. This online version is here to help you out when you're not at your main computer.

How can I get in touch with the author?

I'd love to hear from you. You can reach me via my online home at http://blog.pembi.net, where you can leave a comment on any post or page. Or you could just go straight to the Passwords page.