Random Password Generator as a tool for Network Administrators

In many organizations' security procedures, the recommended practice for password management is as follows:

This advice about using complex passwords can be enforced by add-ins to the login process. Management may be reluctant or unable to implement these because:

In these cases it may be preferable to rely on a centralised random password generator under the control of the network administrator.

It must be said that the use of a generator in this way is not the author's recommended best practice. However because there is a demand for such a tool, the author has made one available.

Security features

  1. The generator uses a complex algorithm which produces a seven-character password made up of letters and digits. That is at most 62^7 (about 3.5 × 10^12) distinct passwords, and fewer if letter case is not significant.
  2. The password sequence uses the username and a version number as part of its generation key. If a new password needs to be issued for a user, the administrator's request increments the version number.
  3. Although usernames and version numbers are kept on file, the passwords themselves are not; the program recalculates a password whenever the administrator wishes to view it.
  4. The password is visible on screen only whilst the mouse button is held down over the appropriate field.
  5. It is assumed that access rights to the Random Password Generator program will be strictly limited and that no copies will be retained on diskettes, etc.

The program is not intended for high-security (e.g. military) environments. Deducing the generator algorithm purely from a small sample of username/password combinations would require a highly skilled intruder, but the algorithm is not the weak point.

The most likely way for security to be compromised is for the executable program to be obtained. With it, the perpetrator could disassemble the code to learn the algorithm, although this would be unnecessary: since the program recalculates any password from the username and version number, the program itself is enough to regenerate every user's password.

The commercial version's defence against this is that the system administrator chooses a seed for the random number generator. A would-be cracker who knows the algorithm still does not know the seed, so the executable alone only narrows the possibilities to the range of a 32-bit number, i.e. 2^32 (about 4.3 × 10^9) candidate seeds. That figure should be kept in perspective: given the algorithm and a single known username/password pair, every candidate seed can be tested offline with no further contact with the system, and a search of that size is within reach of an ordinary computer. The seed therefore raises the cost of an attack rather than preventing one, which is in keeping with the caveat above about high-security environments.
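As an added illustration of the scheme in the Security features list above and of the seed defence described in this paragraph, the following Python is not the page's program and does not use its (unpublished) algorithm: it substitutes HMAC-SHA256 keyed with the administrator's seed over the username and version number, maps the digest to seven letters and digits, and then shows what an attacker who holds the algorithm and one known username/password pair can do against a 32-bit seed. The username `jsmith`, the seed value `0x2A1F` and the reduced search bound of 2^16 are all chosen for the example.

```python
import hashlib
import hmac
import string
from typing import Optional, Tuple

# Constructed stand-in for the page's unspecified "complex algorithm":
# HMAC-SHA256 keyed with the administrator's seed, over "username:version",
# with the digest mapped to seven letters and digits. The real tool's
# algorithm is not published on the page; only the seed size (32 bits) is.
ALPHABET = string.ascii_letters + string.digits  # 62 symbols
PASSWORD_LENGTH = 7
SEED_BITS = 32


def derive_password(seed: int, username: str, version: int) -> str:
    """Recompute the password for (username, version) from the seed.

    Nothing is stored per user except the version number; the password is
    regenerated on demand, which is the property the page describes.
    """
    if not 0 <= seed < 2 ** SEED_BITS:
        raise ValueError("seed must be an unsigned 32-bit value")
    key = seed.to_bytes(SEED_BITS // 8, "big")
    message = f"{username}:{version}".encode()
    digest = hmac.new(key, message, hashlib.sha256).digest()
    # Byte mod 62 is slightly biased towards the first 8 symbols of ALPHABET;
    # that is irrelevant to the point being made (the seed is the only secret).
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:PASSWORD_LENGTH])


def reissue(seed: int, username: str, version: int) -> Tuple[int, str]:
    """The administrator's "new password" request: bump the version, recompute.

    Returns the new version number (to be kept on file) and the new password
    (which is not stored anywhere).
    """
    new_version = version + 1
    return new_version, derive_password(seed, username, new_version)


def recover_seed(username: str, version: int, password: str,
                 max_seed: int = 2 ** SEED_BITS) -> Optional[int]:
    """Offline search for the seed from one known username/password pair.

    An attacker holding the executable knows derive_password exactly, so the
    seed is the only unknown. Tries seeds 0 .. max_seed-1 and returns the
    first one that reproduces the password, or None. Every user's current
    and future passwords follow from the recovered seed.
    """
    for candidate in range(max_seed):
        if derive_password(candidate, username, version) == password:
            return candidate
    return None


if __name__ == "__main__":
    # Demo values: a small seed so the bounded search below finishes quickly.
    seed = 0x2A1F
    username = "jsmith"
    version, password = 1, derive_password(seed, username, 1)
    print(f"{username} v{version}: {password}")
    version, password2 = reissue(seed, username, version)
    print(f"{username} v{version}: {password2}")
    # The attacker's step, bounded to 2**16 seeds here; the full 2**32 space
    # is 65,536 times more work and still entirely feasible offline.
    found = recover_seed(username, 1, password, max_seed=2 ** 16)
    print(f"seed recovered from one known pair: {found:#x}")
```

Run stand-alone, it prints the two versioned passwords for the demo user and the seed recovered from the first of them. The search is bounded to 2^16 seeds so it completes in well under a second; the full 32-bit space is 65,536 times larger, which is a matter of hours for single-core Python and minutes or less with a compiled tool or several cores. Swapping in a stronger PRF changes nothing, because the 32-bit seed is the whole secret; only a much larger seed (128 bits or more, generated randomly rather than chosen by hand) would put the search out of reach.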

Further security implications, and options for high security applications, are set out in the Password Generator Security Discussion Paper.

Details of download programs
