This algorithm produces 2*20*6*20*6*10*20*6*20*6*20 or around 82 billion permutations so it is quite feasible to brute force it though quite time consuming.
If all passwords don't have to be exactly the same length (just within a range), it's possible to modify your algorithm slightly, keeping the same principle, by allowing a vowel to be a dipthong and/or allowing a consonant to be a blend, at random. This will throw off the odd-even pattern, while still leaving something more likely to be pronounceable than an entirely random string.
srand( time() ^ ($$ + ($$ << 15)) ); my @v = ( 'a', 'e', 'i', 'o', 'u', 'y'); #, 'ai', 'ou', 'oo', 'ee', 'oi'); my @c = ( 'b', 'c', 'd', 'f', 'g', 'h', 'j', 'k', 'l', 'm', 'n', 'p', 'q', 'r', 's', 't', 'v', 'w', 'x', 'z'); $nc = @c; # Number of consonants excluding blends. # (Some of the blends are not good endings.) @c = (@c, 'bl', 'br', 'tr', 'st', 'dr', 'th', 'ch', 'sh'); my @d = (0..9, '_', '-', '.'); my $length = 10; # This is a minimum. my ($flip, $str) = (0,''); for ( 1 .. ($length - 1) ) { $flip++; if ($flip%2) { if ($flip==$length-1) { $str .= $c[rand($nc)]; } else { $str .= $c[rand(@c)]; } } else { $str .= $v[rand(@v)]; } } my $re; my $digitpos = rand(5)+3; foreach (1..$digitpos) { $re .= "."; } $str =~ s/($re)/$1 . $d[rand(@d)]/e; $str = ucfirst $str; print "$str\n";
Results...
So the question is, how secure are these passwords with that modification? Well, if the person doing the brute-forcing knows exactly how you generate them, or has seen a good number of them, they're not much better, because there's not enough variation. Adding in a bunch of different blends and dipthongs would probably help a bit. What would help more would be using several different algorithms and alternating between them at random -- so that one time you might get one like the above, and another time you might get "ad-hoc(Variable)17" or "e.g.{Sputnik}82" and yet another time you might get "f0rtu1t10us_gr33nh0us3" or "m4rg1n_bl4sph3my". (Update: those patterns are not as hard to brute-force as the one above, but they were intended only as quick examples.)
Any one of those patterns could be brute-forced, but trying to code a general case that takes in all of them could be just about as bad as doing each one of them in turn; with a dozen different such patterns, that could get prohibitive. If you want to be sure that they have to do them in turn (rather than coding a general case of some kind), throw in one pattern that generates fairly lengthy stuff like "running-implicit-tomorrow-wet-Howard" and "chortle-wax-Susan-dromedary-green". That makes for a very nice pessimal case when the algorithm trying to break it also has to deal with the possibilities inherent in the other patterns. Oh, and make sure your wordlist is large and undisclosed. (The wordlist can be disclosed if it is seriously large, e.g., if you scan in the OED.)
Of course, if they can get what they want by compromising only any one password, then you have to make sure each and every one of the patterns has a certain minimum of resistance to brute-forcing. Your exact threshhold will depend on your circumstances.
--jonadab
In reply to Re: Random string generator
by jonadab
in thread Random string generator
by ibanix
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |