Home > Java > Password generation

Password generation

This summer, I wrote some useful java classes for generating random passwords.

Creating random password can be useful in situations such as the following:

  • A user forgot his password for our application. Our application sends an email with a new temporary password.
  • We want to verify, if a mobile phone number submitted by user is correct. Our application sends an SMS with the new temporary password.
  • A user of our application creates a new account for his colleague or family member. Our application creates a temporary password for that account.
  • For our own purposes. We want to create a good password for our personal usage.

Creating a random password is not so easy as might by thought. There are two commons errors with this:

  1. The password generated is an inelegant word, for example: “1something2″. We doesn’t want to send such a password to our potential clients.
  2. The password generated contains problematic characters, for example: “1″ and “l” or “O” and “0″. There is a problem, when the user rewrites the password from one device to another, e.g.: from a mobile phone to a web application running on a laptop.

That’s why in my application I create password in the form: 2 letters followed by 1 digit followed by 2 letters followed by 1 digit and so on. For example: ab2cd3ef4. Of course, the randomly – generated password contains only safe characters.

I decided to publish this classes to the open source community. You can use my library in your application on LGPL terms. Here is an example of usage:

// create a new one time password for sending via sms or email
// (4 chars - about 1e5 unique combination)
String password = new PasswordGenerator().generate();
// create a new strong password
// (8 chars - about 1e10 combination)
String strongPassword = new StrongPasswordGenerator().generate()

Using this library is simply for maven2 fans. If you are not already a fan of maven2, I advise you to become one. In your maven2 application in pom.xml file add a dependency:

<dependency>
  <groupId>eu.jakubiak</groupId>
  <artifactId>jakubiak-generators</artifactId>
  <version>1.0-SNAPSHOT</version>
</dependency>

You have to download and build the source by typing:

svn checkout http://jakubiak-generators.googlecode.com/svn/trunk/ jakubiak-generators-read-only
cd jakubiak-generators-read-only/jakubiak-generators/
mvn clean install

You should see the success message. Now the installation is completed and you can use this library.

By the way, I also wrote classes for creating a random MD5 number and for creating a random key. MD5 is obvious. The random MD5 numbers are commonly used in web applications, for example as a session cookie. In such a scenario a KeyGenerator class is an improved replacement for the random MD5. The KeyGenerator class create a huge random number bigger than the MD5. (“Bigger” in this case means a potentially larger number is possible). This number is encoded using 62 safe for URLs chars: a-z, A-Z, 0-9. Thanks to that its string representation is shorter and more safe than a hexadecimal encoded MD5.

// create a statistically unique key
// (22 chars safely for URLS - about 2e39 unique combination)
String key = new KeyGenerator().generate();
// create a random MD5 and encode it hexadecimal
// (32chars - 2^128 combination)
String md5 = new Md5HexGenerator().generate();

You can also write your own generator, by implementing IGenerator interface.

Categories: Java Tags: , ,
  1. No comments yet.
  1. No trackbacks yet.