A note about "friendly" passwords

Often in a web application, the time will come where you opt to generate temporary passwords for users. One common approach to this is to use a helper that combines a small about of random data (such as 4 random numbers) with a word randomly selected from a pared down dictionary list.

Please don’t do this. There are at least two reasons:

  • Using a word list radically reduces password entropy
  • Eventually a password will unintentionally perplex, or worse, offend someone

If the day comes and the system generates the password “cigar1984” for somebody trying to quit smoking, that could be awkward.

Now, I’m no crypto expert, but I’m going to assume that the ruby SecureRandom library will do a better job than me at outputting random strings. So it’s of use here. For example:

require "securerandom"

# outputs something like "Ht25IeNqIBUp"
SecureRandom.urlsafe_base64.gsub(/[^a-z0-9]+/i, '')[0,12]

This strips non-alphanumeric characters such as ‘_’ and ‘-’ out. This is useful because people are less used to typing them, and also, certain mouseclick-to-copy behaviors will split on those characters depending on the environment.

It’s worth noting that certain characters often will confuse users if they are manually entering a password as viewed from the screen. Fonts can make characters including the following difficult to distinguish

  • 0 (zero)
  • 1 (the number one)
  • I (the uppercase i)
  • O (the uppercase OH)
  • l (lowercase L)

You can String#tr these out for substitutions, or strip them alltogether. This will slightly reduce entropy, but by keeping a longer password you compensate somewhat.

—Jan 26, 2013