views:

696

answers:

8

Hi.

I was wondering how can I generate a strong and secure password in C#.

I googled a little bit and saw this formula in Wikipedia, where L is the length of the password and N is the number of possible symbols:

[image: the formula from Wikipedia, H = L log2 N]

...but I'm only 13 years old, I have no idea how to implement it in a programming language (I don't even understand it lol).

Also, I've found this question, but for some reason the method Membership.GeneratePassword just returns a random number with 1 digit, which is absolutely not a password. All the other solutions were very slow (>= 0.5 secs).

If you can help me implement this formula (I don't know where to start), suggest another solution, or tell me why GeneratePassword isn't working, I'd be very grateful...

Thanks.

+1  A: 

Why not just fill an array with some characters and pick a number of them at random. You can divide them into groups to be sure that letters, numbers and special characters are all included.

You will also have to pick a proper length and how many of each group of characters to include, and that's it. I don't think you need any sophisticated formulas.

anthares
I don't think it's secure enough against brute force attacks, etc...
TTT
Nothing is... But if you limit logins to, say, 5 per hour, you reduce the risk of a brute force attack.
Pino
What could be harder than picking random chars ?
anthares
@anthares I agree, Alon whats this for?
Pino
Nope, I'm not going to limit my logins per hour, it is very irritating to the user. Instead, I'm going to put a CAPTCHA after 3 tries.
TTT
Well that works too and deals with the brute force problem.
anthares
@Alon that method will work in the same way. So brute force attacks have been restricted.
Pino
@Alon, after reading all of these I am curious why you need something so overkill? In my applications, which deal with a ton of personal customer information, I just use the password generator I posted below with varying length. It's nice to see you're interested in securing your application, but you have to keep ease of use in mind as well. Ultimately if someone wants to hack you, they'll manage to do it somehow no matter how strong a password you have.
Alex
A: 

For systems that don't allow user-generated passwords it's very easy, actually: any password is as secure as it is long. Not counting, of course, people who tack post-its to monitors, etc.

You probably want to maximize the set of characters from which the password is generated. But restricting the generated passwords greatly reduces the search space and therefore makes the password less secure. Again, this only holds if the user can't choose their own password.

If you deal with both generated and user-created passwords, then all bets are off, obviously. You then probably want to generate the passwords in a way that it uses as many characters from different classes as possible, resembling a strong user-chosen password. Ideally it should conform to the same constraints that the user-created password has to pass as well (if any).

Joey
+12  A: 
Will
Please note the editor doesn't play friendly with some of the characters in the password.
Will
As I said, this is a great method but it just returns a single digit on my computer, and on many other computers.
TTT
@alon you're doing it wrong. Trust me. This method works and is bulletproof on any .NET installation on any computer.
Will
+2  A: 

How about Guid.NewGuid().ToString();?

dkackman
Sorry, this will return 00000000-0000-0000-0000-000000000000 all the time. But this will work: Guid.NewGuid().ToString()
Steven
@Steven - Edited according to suggestion
Nifle
er... yeah... that's what I meant.... o.O
dkackman
Urm, although it's random, that limits your password to the chars 0-9 and a-f. You have seriously reduced the possible number of passwords, so you had better force your users to change the system-generated password at next logon.
alphadogg
+4  A: 

To address your question about that formula:

The formula is saying that a password of length L drawn from an alphabet of N symbols is equivalent to a password of length H drawn from an alphabet of two symbols. So if you have, say, 64 symbols (say abc...xyzABC...XYZ01...89_!) and the password is 10 characters long, then that gives you equivalent security to a password 10 log2 64 = 60 characters long drawn from the alphabet "ab".

A "log" is the inverse operation of exponentiation. Two to the sixth power gives you sixty-four, therefore the "log two" of sixty-four gives you six.

Eric Lippert
+1  A: 

I'd use Guid myself :), and make the user edit the password after login

Swoosh
A: 

I don't know if this will help you, but this is what I use when I want to generate a random password which is also strong. It's quick and simple to implement/understand and isn't as much of an overkill as the one through the membership provider above...

    // requires: using System;
    private string Token(byte Length) {
        char[] Chars = new char[] {
            'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
            'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
            '0', '1', '2', '3', '4', '5', '6', '7', '8', '9'
        };
        string String = string.Empty;
        // Caveat: System.Random is seeded from the clock and is not a cryptographic RNG,
        // so its output is predictable; for real passwords use
        // System.Security.Cryptography.RandomNumberGenerator instead.
        Random Random = new Random();

        for (byte a = 0; a < Length; a++) {
            // Random.Next(min, max) excludes max, so the upper bound must be Chars.Length (62);
            // the original Next(0, 61) silently never produced the last character, '9'.
            String += Chars[Random.Next(0, Chars.Length)];
        }

        return (String);
    }
Alex
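The following is an added example and is not code from any of the answers above. It combines the points made on this page: anthares' idea of guaranteeing at least one character from each class, Eric Lippert's formula H = L log2 N for sizing the password, and a fix for the weakness in Alex's generator, which draws from System.Random (a clock-seeded, predictable PRNG) rather than a cryptographic RNG. It assumes a symbol set of my own choosing ("!#$%&*+-=?@_"), the hypothetical class name SecurePassword, and a target of 80 bits of entropy; all of these are assumptions, not anything the page specifies.

```csharp
// Added example (not from any answer on this page): CSPRNG-backed password
// generation with unbiased character selection, sized from H = L * log2(N).
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public static class SecurePassword   // hypothetical name, chosen for this example
{
    // Character classes; Generate() guarantees at least one from each.
    private const string Lower   = "abcdefghijklmnopqrstuvwxyz";
    private const string Upper   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    private const string Digits  = "0123456789";
    private const string Symbols = "!#$%&*+-=?@_";   // assumption: a conservative symbol set

    private static readonly string All = Lower + Upper + Digits + Symbols;   // N = 74 symbols

    // Entropy in bits of a password of length L drawn uniformly from an alphabet of N symbols.
    public static double EntropyBits(int length, int alphabetSize)
        => length * Math.Log(alphabetSize, 2);

    // Smallest length L such that L * log2(N) reaches targetBits.
    public static int LengthForBits(double targetBits, int alphabetSize)
        => (int)Math.Ceiling(targetBits / Math.Log(alphabetSize, 2));

    // Uniform index in [0, max) via rejection sampling. Taking `randomByte % max`
    // directly would favour the low indices whenever max does not divide 2^32.
    private static int NextIndex(RandomNumberGenerator rng, int max)
    {
        // Largest multiple of max that fits below uint.MaxValue; draws at or above it are rejected.
        uint limit = uint.MaxValue - (uint.MaxValue % (uint)max);
        var buf = new byte[4];
        while (true)
        {
            rng.GetBytes(buf);
            uint r = BitConverter.ToUInt32(buf, 0);
            if (r < limit) return (int)(r % (uint)max);
        }
    }

    public static string Generate(int length)
    {
        if (length < 4)
            throw new ArgumentOutOfRangeException(nameof(length), "need room for one character of each class");

        using (var rng = RandomNumberGenerator.Create())
        {
            var chars = new List<char>(length);

            // One character from each class first, so every class is always represented...
            foreach (var cls in new[] { Lower, Upper, Digits, Symbols })
                chars.Add(cls[NextIndex(rng, cls.Length)]);

            // ...then fill the remaining positions from the full alphabet.
            while (chars.Count < length)
                chars.Add(All[NextIndex(rng, All.Length)]);

            // Fisher-Yates shuffle with the same CSPRNG, so the class-guaranteed
            // characters do not always sit in the first four positions.
            for (int i = chars.Count - 1; i > 0; i--)
            {
                int j = NextIndex(rng, i + 1);
                (chars[i], chars[j]) = (chars[j], chars[i]);
            }

            return new string(chars.ToArray());
        }
    }

    public static void Main()
    {
        int n = All.Length;
        int len = LengthForBits(80, n);   // assumption: 80 bits is the target for this example
        Console.WriteLine($"N = {n} symbols, L = {len} characters, about {EntropyBits(len, n):F1} bits");
        Console.WriteLine(Generate(len));
    }
}
```

Two caveats worth keeping in mind. First, as Joey's answer notes, forcing one character from each class restricts the search space slightly, so the real entropy is a little under the L log2 N figure the Main() method prints; if that matters, compute the length for a few bits more than the target. Second, RandomNumberGenerator.Create() exists in both .NET Framework 4.x and .NET Core, so the same code works on either, unlike the ASP.NET-specific Membership.GeneratePassword discussed in the question.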