Introduction
The source code contains a class that generates cryptographically random, strong passwords. The demo project is a console application that uses the compiled generator class to generate passwords.
By "cryptographically random password" I mean that the generator uses the RNGCryptoServiceProvider class. By "strong password" I mean that the generated password satisfies the "Passwords must meet complexity requirements" setting of the Windows password policy, namely that it contains characters from three of the four categories.
Using the Code
The code contains the class PasswordGenerator inside the namespace Petr.Felzmann. The class PasswordGenerator contains one public method, Generate(int passwordLength). So the simplest way to generate a password is...
PasswordGenerator pswd = new PasswordGenerator();
string password = pswd.Generate(6);
... which generates a random password consisting of 6 characters. If you want to generate a random password with a random length, use the overloaded Generate(int minPasswordLength, int maxPasswordLength) version. The length of the password will then be a random number between minPasswordLength and maxPasswordLength.
The class PasswordGenerator also has an overloaded constructor. The public PasswordGenerator(XmlDocument categories) version is useful when you want to redefine the default character categories. For more details, see the Flexibility section at the bottom of this article.
Implementation
The implementation idea in brief:
- Generate random bytes with RNGCryptoServiceProvider.
- Project these random bytes to the character sets.
- Check whether the number of the mandatory categories is satisfied.
- If the password contains fewer categories than the mandatory number, the missing ones are required.
- Then generate the additional random characters that are needed.
- Finally, replace characters of the sufficiently numerous categories in the password to reach the requested number of mandatory categories.
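The steps above as a compact sketch, added here as an example; it is not the article's PasswordGenerator source, and every name in it (PasswordSketch, Next, CategoryOf) is hypothetical. It assumes the categories do not share characters, and it uses rejection sampling so that projecting random bytes onto a character set introduces no modulo bias.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

static class PasswordSketch   // hypothetical name, not the article's class
{
    static readonly RNGCryptoServiceProvider Rng = new RNGCryptoServiceProvider();

    // Uniform index in [0, n): random values at or above the largest
    // multiple of n are discarded, so "v % n" is not skewed to low indexes.
    static int Next(int n)
    {
        var b = new byte[4];
        uint limit = uint.MaxValue - (uint.MaxValue % (uint)n);
        uint v;
        do { Rng.GetBytes(b); v = BitConverter.ToUInt32(b, 0); } while (v >= limit);
        return (int)(v % (uint)n);
    }

    // Index of the category that contains c (categories assumed disjoint).
    static int CategoryOf(char c, string[] cats)
    {
        return Array.FindIndex(cats, s => s.IndexOf(c) >= 0);
    }

    public static string Generate(int length, string[] cats, int mandatory)
    {
        if (mandatory > cats.Length || length < mandatory)
            throw new ArgumentException("mandatory must fit both categories and length");
        string all = string.Concat(cats);
        var pwd = new char[length];
        for (int i = 0; i < length; i++) pwd[i] = all[Next(all.Length)];
        while (true)
        {
            var counts = new int[cats.Length];
            foreach (char c in pwd) counts[CategoryOf(c, cats)]++;
            if (counts.Count(k => k > 0) >= mandatory) return new string(pwd);
            // Pick a missing category and a position whose category occurs
            // more than once, so the replacement never removes a category.
            int[] missing = Enumerable.Range(0, cats.Length).Where(k => counts[k] == 0).ToArray();
            int[] spare = Enumerable.Range(0, length)
                .Where(i => counts[CategoryOf(pwd[i], cats)] > 1).ToArray();
            string cat = cats[missing[Next(missing.Length)]];
            pwd[spare[Next(spare.Length)]] = cat[Next(cat.Length)];
        }
    }

    static void Main()
    {
        // Sample input: three character categories, all of them mandatory.
        string[] cats = { "abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "0123456789" };
        Console.WriteLine(Generate(6, cats, 3));
    }
}
```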
Flexibility
You can define your own character categories with your own characters. This is done through the XML document passed to the PasswordGenerator constructor. The default implementation uses the following XML document, which is included in the assembly as an embedded resource and satisfies the "Passwords must meet complexity requirements" setting discussed above:
<CharSetCategories xmlns="urn:petr-felzmann:schemas:password-generator" mandatory="3">
<Category>abcdefghijklmnopqrstuvwxyz</Category>
<Category>ABCDEFGHIJKLMNOPQRSTUVWXYZ</Category>
<Category>0123456789</Category>
<Category>()`~!@$%^*-+=|\{}[]:;"'>
The mandatory attribute specifies how many categories will occur in the resulting password. Note that the three special characters < & # are excluded so that the generated password can be used inside a Web environment protected against Cross-Site Scripting.
The source code and the assembly (as an embedded resource) contain the XML Schema that describes these XML documents.
An example of this flexibility: if you want to generate the text for a CAPTCHA, you can use this XML...
<CharSetCategories xmlns="urn:petr-felzmann:schemas:password-generator" mandatory="2">
<Category>ABCDEFGHIJKLMNOPQRSTUVWXYZ</Category>
<Category>0123456789</Category>
</CharSetCategories>
... and this code:
XmlDocument dom = new XmlDocument();
dom.Load(@"C:\MyCAPTCHA.xml");
PasswordGenerator pswd = new PasswordGenerator(dom);
string password = pswd.Generate(4);
History
- 27th August, 2006: Initial post