OK, this is really a big list of statements and assumptions. Read here to find out more of the details behind how passwords are generated.
See here for details. Or click across the different options across the top of the page to try different styles out.
None.
Previously, limits were imposed to prevent excessive usage. However, these limits were rarely reached, my server and bandwidth have never been overloaded, and the implementation was subtly broken.
Before I list the precautions and ways you can double check everything is above board, let me be very honest: no matter what I say here, you will need to trust me.
That is, despite every box I tick, and every precaution I take, there's no way you can be 100% sure either I, my hosting provider or the NSA aren't secretly recording each password you generate. To be 100% sure, grab a copy of the source code and generate passwords in your own controlled environment.
OK, with that out of the way, here's the list:
There are browser-only (Javascript) password generators available. See below for details.
As of January 2015, I host it myself! The web site is hosted on a Debian based Linux server (which is actually an old laptop). A hardware random number generator is installed.
From a security point of view, I'm much more confident about who has access to my server. So it's even less likely someone will be snooping on any passwords generated.
For the 12 months prior to January 2015, it was hosted by WinHost. They provided a more than adequate service, but I realised I could save a few dollars by hosting it myself. And I figured, if I work in IT deploying other people's web sites, I should be able to host one myself!
For January 2015 to March 2019, it was hosted on my do-everything Windows server (which was originally my home theater PC).
The generated passwords and passphrases are entirely random. So, without any pattern to work with, any attacker would need to try every combination in turn. Which means the longer the password you can memorise, the harder it is for the bad guys to guess.
To give some concrete numbers to work with, here's a worked example:
A 5 word passphrase has 1,463,822,570,892,924,289,024 total combinations (and is rated as Strong).
An attacker could invest about $10k (in Australia) to attempt up to 270 billion unique passwords per second using Hashcat (based on figures from 2022).
At that rate, it would take about 2 months to try every combination.
Add one more word to make a 6 word passphrase (rated as Fantastic) and it would take over 3000 years!
With a 4 word passphrase (rated as Adequate) it would take just 10 minutes.
Most attackers will give up after a week or two of trying. So the 5 word passphrase is pretty good, 6 words nice and secure, and 4 words wouldn't survive long at all.
This is all based on the assumption you don't change the generated password.
Yes. You can see all the internals of the site at GitHub.
Make Me a Password generates passwords on my server, and then sends them to you via a HTTPS connection. (See above for details about the security of the site). If you don't trust me (or my server, or my ISP) there are a number of password generators which run entirely in your browser (in Javascript) - use your favourite search engine to find them.
Steven Zeck has made a Javascript version of Readable Passphrase Generator.
Mir Rodriguez has made a Spanish Javascript version of Readable Passphrase Generator.
Yes.
The passphrase dictionary is a plain text file with one word per line.
The readable passphrase dictionary is an XML file which marks words according to their English parts of speech.
The PIN blacklist is a plain text file with one PIN per line. It was derived from work by Data Genetics.
No. Sorry, I don't speak any other languages.
Mir Rodriguez has made a Spanish Javascript version of Readable Passphrase Generator.
Maybe. For best results, please don't.
OK, you can pretty safely add to the password without any problem. Adding does not decrease the number of combinations (and may even increase them, although password crackers are very good at guessing common additions).
I commonly add a number and a symbol to a passphrase to meet my employer's password quality requirements, but leave the rest of the passphrase exactly as is.
On the other hand, all bets are off if you change a word or character within a password to, say, something you like better.
Or changing the letter o to a number 0. Or capitalising a letter.
Quite simply, I don't know how your change will affect the total combinations. Some change you think looks totally random may actually be a common modification known by crackers and add very little to the password. It's always best to rely on randomness and length rather than funky modifications.
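Added here as an example (not code from the site): the arithmetic behind the worked example above, and behind the advice to add to a passphrase rather than change it. It assumes the page's 5 word count is exactly 17104 to the power 5 (so a 17,104 word list), a 32 symbol set for appended symbols, and that a cracker already has a substitution such as o to 0 as a rule.

```python
# Added example (not the site's own code): brute-force arithmetic for a
# random passphrase, using the figures quoted on this page.
# Assumption: the page's 5-word figure, 1,463,822,570,892,924,289,024, is
# exactly 17104**5, so the word list is taken to hold 17,104 entries.
DICTIONARY_WORDS = 17104                 # inferred from the page's 5-word count
GUESSES_PER_SECOND = 270 * 10**9         # Hashcat rig figure quoted on the page
DIGITS, SYMBOLS = 10, 32                 # 32 printable ASCII symbols (assumed set)

def passphrase_combinations(words: int, dictionary: int = DICTIONARY_WORDS) -> int:
    """Words drawn uniformly with replacement: dictionary ** words."""
    return dictionary ** words

def with_random_suffix(combos: int, digits: int = 1, symbols: int = 1) -> int:
    """Appending random characters multiplies the search space."""
    return combos * DIGITS**digits * SYMBOLS**symbols

def with_known_substitution(combos: int, rules: int = 1) -> int:
    """A substitution applied consistently and already in the cracker's rule
    set (e.g. o -> 0) adds one candidate per phrase per rule: the work grows
    by a factor of (rules + 1), not by a new power of the dictionary."""
    return combos * (rules + 1)

def seconds_to_exhaust(combos: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case: every combination tried at `rate` guesses per second."""
    return combos / rate

def describe(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

if __name__ == "__main__":
    for n in (4, 5, 6):
        c = passphrase_combinations(n)
        print(f"{n} words: {c:,} combinations, {describe(seconds_to_exhaust(c))}")
    base = passphrase_combinations(5)
    print("append digit+symbol:", describe(seconds_to_exhaust(with_random_suffix(base))))
    print("o->0 known to cracker:", describe(seconds_to_exhaust(with_known_substitution(base))))
```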
The readable passphrases have considerably more complex structure than any other style. As any student of languages knows all too well, natural language is, well, complicated. Even slight differences in phrase structure, for example an imperative verb rather than present tense, can dramatically change the number of combinations. And the different phrase length options each imply different phrase templates.
As with other styles, I want to capture the quality of generated phrases, but a single number simply doesn't work with the complexity of the templates used. So, rather than showing the maximum or minimum combinations, the range represents both.
The minimum represents the smallest number of combinations possible (assuming the worst case for everything). Maximum is the largest number of combinations (assume best case). And the average, which is used as the headline, is a middle ground of the two. The average is a good "working estimate" for comparing with other styles, but be aware you can occasionally get much easier or harder to guess phrases.
There are some graphs of different phrase strengths to give you an idea of different complexities and strengths. And the same page lists all the phrase templates which correspond to each length.
The readable passphrases have considerably more complex structure than any other style. Rather than a simple number of words to control the phrase length, the readable passphrase is based on templates (eg: noun verb adjective noun). Longer phrases use more complex templates. And most templates contain at least one optional word (eg: the adjective in the previous example is optional in most templates).
There are some graphs of different phrase strengths to give you an idea of different complexities and strengths. And the same page lists all the phrase templates which correspond to each length.
Mutators are a fancy way of changing your passphrase after it is created. Primarily, they are a way to add some upper case letters and numbers to your passphrase to meet complexity requirements (eg: must have an upper case and a number). But you can also use them to make a passphrase without spaces easier to read (by making all the first letters upper case).
Only 4 options are available on the web interface. But, if you use the API directly, you can control precisely where the numbers and upper case letters are added. And exactly how many are added.
PINs and Patterns are fundamentally insecure when used as normal passwords. There are simply too few combinations in a 4 digit PIN or 3x3 grid to stop someone trying every combination. They rely on the fact that you can only enter them a few times before your phone is locked or your ATM card is shredded.
To take into account the limited number of times you can enter a PIN or pattern before something horrible happens, the quality ratings are lowered.
Important: PINs and patterns are not usable as normal passwords. Never use a short PIN / pattern as a computer login or website password.
There are some very commonly used PINs, such as 1234 or 1111. Because such PINs could quite easily be guessed, the most common are blacklisted and will never be generated.
You can download the list of blacklisted PINs. It was derived from work by Data Genetics.
The blacklist applies to PINs from 4 to 10 digits long.
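Added here as an example (not the site's own code): generating a PIN against a blacklist kept as a plain text file with one PIN per line, restricted to 4 to 10 digits as described above. The blacklist contents are constructed for the demo and are not the real list derived from Data Genetics.

```python
# Added example (not the site's own code): PIN generation with a blacklist
# in the page's format (plain text, one PIN per line).
import secrets

# Constructed sample blacklist, NOT the real Data Genetics derived list.
CONSTRUCTED_BLACKLIST = """\
1234
1111
0000
1212
123456
"""

def load_blacklist(text: str) -> set[str]:
    """One PIN per line; blank lines and surrounding whitespace are ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def generate_pin(length: int, blacklist: set[str]) -> str:
    """Uniformly random PIN of `length` digits (4 to 10) that is never on the
    blacklist.  Rejection sampling keeps every remaining PIN equally likely."""
    if not 4 <= length <= 10:
        raise ValueError("PIN length must be between 4 and 10 digits")
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(length))
        if pin not in blacklist:
            return pin

def remaining_space(length: int, blacklist: set[str]) -> int:
    """How many PINs of this length can still be generated."""
    banned = sum(1 for pin in blacklist if len(pin) == length)
    return 10 ** length - banned

if __name__ == "__main__":
    bl = load_blacklist(CONSTRUCTED_BLACKLIST)
    print(generate_pin(4, bl), "of", remaining_space(4, bl), "possible 4 digit PINs")
```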
No. Never use the passwords or passphrases used as examples.
Passwords are supposed to be kept secret. And the example passwords are anything but secret.
For security professionals, programmers and other people interested in the technical implementation of the site, there are more details available on the technical FAQ.
Password managers are computer programs which securely store your passwords. They make it easy to generate and remember a unique password for every website you visit.
They are the electronic equivalent of a notepad to write all your passwords down on. Along with a combination safe to store them in. And a set of dice to make new passwords. And a link to your browsers and other programs to type them easily.
A password manager means you'll only need to remember a handful of passwords, but every website you use can have a strong and unique password. Essential for best security on the Internet.
There are several different password managers available. As always, there are pluses and minuses for each of them and you should do your research before choosing one. But using any of them is a million times better than simply using the same password on every website.
If you're really looking for a recommendation, I use KeePass. Although I'd recommend 1Password for anyone non-technical.
So your banking account can't be accessed because some random website you registered on 5 years ago got hacked.
Websites get hacked on a daily basis from small mum-and-pop stores to high profile sites like LinkedIn or Adobe. If you use the same password for your internet banking as LinkedIn, there's a very high chance the bad hackers know your password and could easily access your bank accounts.
There are websites which list compromised or hacked sites. Others let you check if your email or password has been disclosed. And still others are dedicated to analysing, cracking and publishing the leaked passwords. The most highly prized lists are leaked passwords traded privately between hackers; you'll never know if your passwords are on those lists.
The take home message is: using the same password on multiple sites is risky. Like unsafe sex risky: if you use the same password on enough sites, eventually you'll get bitten.
Unicode passwords are generated based on code points (each being a single character or letter). Each code point is categorised. Only code points from a limited number of categories (listed in the technical details) are used.
Most East Asian characters are categorised as OtherLetter. Checking the Include Asian Characters option adds that one category to the allowed list.
Unfortunately, there are a lot of East Asian Characters. Around 49 thousand of them (they are the red and light red in this picture). And they tend to swamp all other characters out.
So including them means at least three quarters of your password will appear as East Asian characters. Although it will significantly increase the number of combinations for your passwords.
In the end, it's a personal choice to make. But, because I can't read East Asian characters and they have no meaning to me, I prefer to exclude them.
Summary: only use the Basic Multilingual Plane, as you get little benefit when using all of Unicode but my server has to work 1000 times harder.
To understand why that is the case, there's some history and technical details about Unicode. And then some maths.
The Basic Multilingual Plane (or BMP) is a part of the Unicode standard which allows a little under 65 thousand different code points or characters. It was all that was considered when Unicode was originally designed. Unfortunately, people realised there are more than 65k different characters in all the different languages in the world. So, as is the usual case with computers and technology, some smart people designed a clever (but ugly) way to allow more characters. The original 65k (which was originally everything) was renamed to the Basic Multilingual Plane (plane zero), as it contained letters and characters for most major languages. And an additional 16 new "planes" were added (numbered 1 through to 16), each with 65k characters, to allow for a grand total of 1,114,112 (65k times 17 planes). Of that, Unicode in early 2014 (version 6.3) has allocated 110,187 different code points or characters - a little under 10%.
But, in terms of generating passwords, including the entire Unicode code point space is not very useful. Most of Unicode outside the BMP is actually unallocated (only about 10% of the total space is allocated, whereas the BMP is 85% allocated for public use). So, my algorithm to generate passwords has to do more work to locate useful code points (ie: my server has to look much harder). But, because there are only about 60% more characters to choose from, all that work does not translate into better passwords. A doubling of characters would be nice, but we barely get half way there.
If the entire Unicode code point space was allocated, then this problem would largely go away. My server wouldn't need to look so hard, and we'd have 10 times the number of characters which would make for even more insanely hard to guess passwords!
So, to repeat the summary: it's not really worth allowing more than the BMP when generating Unicode passwords. Just leave that check box unticked.
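Added here as an example (not the site's own code): a code-point password generator that filters by Unicode general category, showing why including OtherLetter swamps the output and why sampling all 17 planes costs many more draws than staying in the BMP. The allow-list of categories is an assumption standing in for the list in the technical details, the draw counts are for this simple rejection sampler rather than the site's algorithm, and the counts come from the running Python's Unicode database rather than the version 6.3 figures quoted above.

```python
# Added example (not the site's own code): category-filtered code point
# sampling, to measure the effects this page describes.
# Assumption: BASE_CATEGORIES stands in for the site's real category list.
import secrets
import unicodedata

BMP_END = 0x10000          # plane zero: code points below 65,536
UNICODE_END = 0x110000     # all 17 planes: 1,114,112 code points
BASE_CATEGORIES = frozenset({"Lu", "Ll", "Lt", "Nd", "Sm", "Sc"})  # assumed
OTHER_LETTER = "Lo"        # what the Include Asian Characters option adds

def allowed_code_points(categories, limit=BMP_END):
    """Every assigned code point below `limit` whose category is allowed."""
    return [cp for cp in range(limit)
            if unicodedata.category(chr(cp)) in categories]

def hit_rate(categories, limit):
    """Fraction of the range that is usable.  A random draw succeeds with
    this probability, so expected draws per character is 1 / hit_rate."""
    return len(allowed_code_points(categories, limit)) / limit

def generate(length, categories, limit=BMP_END):
    """Rejection-sample random code points until `length` usable ones are
    found.  Returns the password and the number of draws it cost."""
    chars, draws = [], 0
    while len(chars) < length:
        cp = secrets.randbelow(limit)
        draws += 1
        if unicodedata.category(chr(cp)) in categories:
            chars.append(chr(cp))
    return "".join(chars), draws

def other_letter_share(limit=BMP_END):
    """Share of the allowed set that OtherLetter takes once it is included,
    i.e. roughly the share of output characters that will be East Asian."""
    base = len(allowed_code_points(BASE_CATEGORIES, limit))
    lo = len(allowed_code_points({OTHER_LETTER}, limit))
    return lo / (base + lo)

if __name__ == "__main__":
    print(f"OtherLetter share of BMP output: {other_letter_share():.0%}")
    print(f"draws per char, BMP:  {1 / hit_rate(BASE_CATEGORIES, BMP_END):.1f}")
    print(f"draws per char, full: {1 / hit_rate(BASE_CATEGORIES, UNICODE_END):.1f}")
    pw, draws = generate(12, BASE_CATEGORIES)
    print(f"{pw!r} needed {draws} draws")
```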
Yes. The site uses a web browser feature called Local Storage to store settings for each style of password, and the home page.
As long as you visit the site in the same web browser, your settings will be remembered. Different web browsers like Chrome or Firefox or Internet Explorer on the same computer won't remember your settings.
There is no Save button, however. Any time you change a setting, your web browser just remembers.
In early 2018, I decided to migrate the site away from makemeapassword.org to makemeapassword.ligos.net.
Mostly, this was to save me a few dollars on domain registration (and the Australian Dollar isn't doing too well, so what's US$25 comes out to closer to AU$50 after conversions and fees).
Please update any bookmarks, references or scripts to makemeapassword.ligos.net. Any scripts which directly reference the API endpoint will receive no notification; they will simply stop working in December 2018.
The time line is as follows:
makemeapassword.org will stop working.