GenRndStr() Random 3-30char generator


13 replies to this topic

#1 0x150--ISO

0x150--ISO
  • Members
  • 657 posts

Posted 19 March 2012 - 10:59 AM

My 1st attempt at non repeating character strings
containing upper/lower case and digits.

I created this for personal use,
but feel free to use it if you like.

MsgBox % GenRndStr( 10 )
Return

GenRndStr( Length ) {
  If ( Length < 3 || Length > 30 ) {
    MsgBox, 0x30,, More than 3 less than 30 Characters!
    Return "Error"
  }
  RndStr := ""
  While ( StrLen( RndStr ) < Length ) {
    RndArr%a_index% := Rand()
    RndStr .= inStr( RndStr, RndArr%a_index% ) ? : ( RndArr%a_index%, Rand() )
  }
  Return RndStr
}

Rand() {
  Random, cTyp, 1, 3
  Random cNm, % ( cTyp=1 ? 48 : cTyp=2 ? 65 : 97 ), % ( cTyp=1 ? 57 : cTyp=2 ? 90 : 122 )
  Return % Chr( cNm )
}

Please let me know if you think it's 'strong' enough
and if you see any optimization points.
I purposely left behind some old var arrays
so I know where to clean up.

AHK_L has much better arrays for this so I'm considering adapting it.
I would also like to convert it for PHP.
Ty and nJoy

#2 Frankie

Frankie
  • Members
  • 2930 posts

Posted 19 March 2012 - 02:03 PM

What if you create an array/string of possible characters and pick a random number between 1 and the length; then remove it from the list and repeat for the desired length?

I'm not sure how performance would be, though.

#3 sinkfaze

sinkfaze
  • Moderators
  • 6087 posts

Posted 19 March 2012 - 02:48 PM

If you're looking for a strictly non-repeating sequence, you may as well create a variable in advance with all the letters and numbers and Sort it until you get the right mix:

MsgBox %	GenRndStr( 10 ) 
Return 

GenRndStr( Length ) {
; must return a string with at least one lowercase letter, one uppercase letter and one number

	static	chars :=	"a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z"
		 . ",A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z"
		 . ",0,1,2,3,4,5,6,7,8,9"
	If	Length not between 3 and 30
	{ 
		MsgBox, 0x30, , Length must be more than 3 and less than 30 characters!
		Return	False
	}
	While	!(str~="\d") || !(str~="[a-z]") || !(str~="[A-Z]")
	{
		Sort, chars, Random D`,
		str :=	SubStr(chars,1,Length * 2)	; must accommodate the commas
	}
	Return	RegExReplace(str,",")	; removes the commas
}


#4 infogulch

infogulch
  • Moderators
  • 717 posts

Posted 19 March 2012 - 04:45 PM

The random number generator isn't really secure enough for passwords

Do NOT use for CRYPTOGRAPHY


Use something like random_number(), it's a cryptographically secure random number generator based on Microsoft's Crypto API.

#5 0x150--ISO

0x150--ISO
  • Members
  • 657 posts

Posted 19 March 2012 - 09:54 PM

I really appreciate all the suggestions.
@Frankie I will still try that, must use 'real' arrays regardless of performance, ty.

@sinkfaze, this is what I was after, ty so much!
~= shorthand for REM :D. 2 questions:
How is the loop being evaluated using RegExMatch :?:
How does the Sort guarantee no repeats :?:

@infogulch ty for the link to your function.
Now I can study Crypt. and how AHK communicates with it.

2 All tytytyty!!

#6 sinkfaze

sinkfaze
  • Moderators
  • 6087 posts

Posted 19 March 2012 - 11:00 PM

How is the loop being evaluated using RegExMatch :?:


It's checking the contents of the local variable str; if it doesn't have a digit, a lowercase letter and an uppercase letter, it sorts the contents of the static variable chars (which contains all alphanumeric characters) and saves the first length * 2 characters to str. Then it's back to the beginning of the while-loop to evaluate the conditions again.

How does the Sort guarantee no repeats :?:


Sort doesn't have anything to do with it, it only mixes up the contents of the static variable chars, which has only one instance of each alphanumeric character.

#7 iso_nli

iso_nli
  • Guests

Posted 20 March 2012 - 01:21 AM

one instance of each alphanumeric character.

got ya ;)!
Y,w,N,G,1,o,V,z,v,T,W,t,M,Q,H,6,l,I,P,Z,
agn a much better approach.

#8 sumon

sumon
  • Moderators
  • 1307 posts

Posted 20 March 2012 - 06:26 AM

For it to work as a PassGen it should be able to somehow make sure complexity follows an optionally defined pattern. In other words, another argument where you specify if it may or must contain an uppercase letter, number or maybe even special character.

#9 Uberi As Guest

Uberi As Guest
  • Guests

Posted 23 March 2012 - 12:54 PM

The random number generator isn't really secure enough for passwords

Do NOT use for CRYPTOGRAPHY


Use something like random_number(), it's a cryptographically secure random number generator based on Microsoft's Crypto API.


Actually the rest of the page says this:

Do NOT use for CRYPTOGRAPHY without securely hashing several returned values together, otherwise the generator state can be learned after reading 624 consecutive values.

...

The above has already been done for AutoHotkey, but if you use the Random command in a publicly distributed application, consider sending an e-mail to the above people to thank them.


I interpreted the hashing as making the PRNG secure enough for cryptography, although I would still avoid cryptography with it if possible - the OS libraries are more than sufficient and are less likely to have bugs.

#10 Guests

  • Guests

Posted 23 March 2012 - 06:31 PM

Using a secure hash of several concatenated random numbers will prevent crackers from determining the PRNG's state while (theoretically) having exactly the same entropy as the PRNG.

#11 0x150--ISO

0x150--ISO
  • Members
  • 657 posts

Posted 27 March 2012 - 01:35 AM

Sorry for my ignorance here but wouldn't concatenating several short strings reintroduce the issue of possible duplicated characters per final string?

#12 infogulch

infogulch
  • Moderators
  • 717 posts

Posted 27 March 2012 - 02:17 AM

I guess I didn't notice this before, but I would avoid strictly non-repeating sequences, as it reduces the possible passwords from chars**length to P(chars, length) (where chars is the number of possible characters, e.g. case sensitive letters and numbers would be 26 * 2 + 10 = 62 chars)

E.g. for a password length of 8 characters using only letters and numbers:
62 ** 8 = 218340105584896 ~ 220 trillion (truly random)
P(62, 8) = 136325893334400 ~ 140 trillion (no repeating characters)

You see even in this case allowing repeating sequences (as long as it's truly random) would give almost 2x the possible passwords and make it equivalently more difficult to guess.

#13 0x150--ISO

0x150--ISO
  • Members
  • 657 posts

Posted 27 March 2012 - 03:30 AM

..almost 2x the possible passwords and make it equivalently more difficult to guess.

Interesting.
I was under the impression most use a sequential+brute/dictionary combinations over 'guessing' :?:
( albeit 140trillion+ combinations would still take a long time).

#14 infogulch

infogulch
  • Moderators
  • 717 posts

Posted 27 March 2012 - 03:51 AM

By 'guessing' I was referring to brute-forcing, since that's essentially what it is (just automated).

What you're making here is randomly generated so dictionary attacks are essentially worthless (except on the extremely insignificant possibility that it randomly generates a dictionary word).

My point was comparing a truly randomly generated password to one where there are no repeating characters.
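
An added example, not code from any poster in this thread and written in Python rather than AutoHotkey: it draws each character from the operating system's CSPRNG with repeats allowed, optionally enforces the digit/lowercase/uppercase rule from post #3, and reproduces the keyspace figures from post #12. The function names are illustrative.

```python
import math
import secrets
import string

# The thread's alphabet: 26 lowercase + 26 uppercase + 10 digits = 62 symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
ALPHABET = "".join(CLASSES)


def gen_password(length, require_classes=True):
    """Pick each character independently from the OS CSPRNG; repeats allowed."""
    if not 3 <= length <= 30:  # same bounds as the thread's GenRndStr()
        raise ValueError("length must be between 3 and 30")
    while True:
        # secrets.choice() is backed by the OS CSPRNG, not a Mersenne Twister.
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling: redraw the whole string instead of forcing a
        # digit or capital into a fixed slot, so every accepted password
        # remains equally likely.
        if not require_classes or all(
            any(c in cls for c in pw) for cls in CLASSES
        ):
            return pw


def keyspace(n_chars, length, allow_repeats):
    """Count possible strings: n**k with repeats, P(n, k) without."""
    if allow_repeats:
        return n_chars ** length
    return math.perm(n_chars, length)


def compare(n_chars=62, length=8):
    """Return (with_repeats, without_repeats, ratio, bits_lost)."""
    full = keyspace(n_chars, length, True)
    norep = keyspace(n_chars, length, False)
    ratio = full / norep
    return full, norep, ratio, math.log2(ratio)


if __name__ == "__main__":
    print(gen_password(10))
    for k in (8, 16, 30):
        full, norep, ratio, bits = compare(62, k)
        print(f"length {k:2}: {full} vs {norep} "
              f"(ratio {ratio:.2f}, {bits:.2f} bits lost without repeats)")
```

The cost of forbidding repeats grows with the requested length, because each extra character is drawn from an ever smaller remaining pool.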