Generating random passwords

Edit: This password utilities library has now been substantially upgraded and open-sourced with an MIT license. You can find a .NET 4.0 version of the library and an example graphical interface in a Google Code Mercurial repository.

This is the fourth installment in a series about creating a C# utilities library that covers the following areas:

  • Specifying password policies that can match most application requirements.
  • Generating cryptographically-secure random passwords that satisfy a specified password policy.
  • Measuring the strength (or more precisely, information entropy) of human-generated and machine-generated passwords.
  • Using random salts and key stretching to make password hashes more secure than the original passwords.
  • Measuring the additional strength added by iterative salted hashes. 
  • Timing the password generation and password hashing processes.


Now that we have a PasswordPolicy class and a Die class, the actual password generation process is very straightforward.

We first need to know the password policy, and then roll a die which has the same number of sides as the number of symbols in the policy's acceptable symbols list. The roll result is used as an index into the symbols list, and the symbol at that position becomes the next character in the password. Repeat for as many characters as the password needs - again, this is defined by the password policy.

Most password policies give a wide choice in the password length. In these cases, the die can be used to pick a random actual length between the minimum and maximum password lengths permitted by the policy.

Because each password is generated at random, it may not satisfy the current password policy. In this case, the password is thrown away and a new one is generated. This continues until a password is found that matches the policy. In the case of a particularly draconian policy, this may take a significant number of attempts. As the current code generates around 20,000 passwords a second, this brute-force approach is not likely to cause a problem.

This method is at the heart of the PasswordGeneration class. It accepts a password policy, starts the timer, chooses the password length at random within the policy limits, then keeps generating passwords until it finds one that satisfies the specified password policy. Then the timer is stopped, the time it took to generate the password and the number of passwords rejected by the policy are both stored, and finally the newly-generated password is returned:

Password generation implementation

The only other interesting method in this class is the one that calculates the password's information entropy. For a password randomly generated by a machine, entropy is a good proxy for the password's strength. Later in this series, we'll look at the class that calculates the entropy of machine-generated and human-generated passwords:

Password generation implementation
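The generation loop and the entropy calculation described above, as an added example in Python rather than the library's own C# (this is not PasswordGenerator.cs). The PasswordPolicy stand-in, its field names and its digit-count rule are assumptions; Python's secrets module plays the part of the Die class, and the entropy helper uses the standard length × log2(symbol count) figure for uniform draws, which the post itself does not spell out.

```python
import math
import secrets
import string
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class PasswordPolicy:
    """Constructed stand-in for the series' PasswordPolicy class (shape is assumed)."""
    symbols: str          # acceptable symbols; the die has len(symbols) sides
    min_length: int
    max_length: int
    min_digits: int = 0   # a compositional rule that can reject a candidate

    def is_satisfied_by(self, password: str) -> bool:
        return (self.min_length <= len(password) <= self.max_length
                and all(c in self.symbols for c in password)
                and sum(c.isdigit() for c in password) >= self.min_digits)

def roll_die(sides: int) -> int:
    # Stands in for the Die class: secrets.randbelow draws from the OS CSPRNG
    # and rejects out-of-range values internally, so there is no modulo bias.
    return secrets.randbelow(sides)

def candidate(policy: PasswordPolicy, length: int) -> str:
    # Each roll indexes the symbol list; the symbol at that index is the next character.
    return "".join(policy.symbols[roll_die(len(policy.symbols))] for _ in range(length))

def generate(policy: PasswordPolicy):
    """Returns (password, number of candidates rejected by the policy, seconds taken)."""
    start = time.perf_counter()
    # Pick the actual length uniformly from [min_length, max_length].
    length = policy.min_length + roll_die(policy.max_length - policy.min_length + 1)
    rejected = 0
    while True:
        password = candidate(policy, length)
        if policy.is_satisfied_by(password):
            return password, rejected, time.perf_counter() - start
        rejected += 1

def entropy_bits(policy: PasswordPolicy, length: int) -> float:
    # Standard figure for `length` independent uniform draws from N symbols: length * log2(N).
    return length * math.log2(len(policy.symbols))

if __name__ == "__main__":
    policy = PasswordPolicy(string.ascii_letters + string.digits, 12, 16, min_digits=2)
    pw, rejected, seconds = generate(policy)
    print(f"{pw}  rejected={rejected}  {seconds * 1e6:.0f} us  {entropy_bits(policy, len(pw)):.1f} bits")
```

A policy that accepts only a tiny fraction of candidates (for example a one-character password that must be a digit) shows the rejection counter climbing, which is the cost the post describes for draconian policies.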

You can view and download PasswordGenerator.cs. The complete library, including this class, will be posted at the end of this series. In the next installment, we'll look at the hash policy class.