• ### Question

• how will I make a username and password generator in my system?

The system will generate a random username and password for a user. However the system will use some personal information entered by the user to generate a username and a password.

thank you so much...
Monday, September 1, 2008 1:22 PM

• Hi Rogem

Ok
I personally don't like the idea of your professor but I guess you have no choice.

The trick then is to a) find a suitable algorithm and then b) code that algorithm.
There are numerous (many, many) possible algorithms.

So some ideas:
The username generated should be fairly simple and memorable.
The password needs to be somewhat more obscure and complicated.
Both, should, ideally be unique.

We are now bordering on the realms of cryptography.

Ok
The basic task is to take some text and generate some new text based on that text.

Ok - one way is by straight-forward translation of characters.

Take the alphabet:

abcdefghijklmnopqrstuvwxyz

Rotate it by five letters say:

efghijklmnopqrstuvwxyzabcd

so now we have:

a  b  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z
e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z  a  b  c  d

So, replacing each letter in this sentence by the translated letter we get:

ws, vitpegmrk iegl pixxiv mr xlmw wirxirgi fc xli xverwpexih pixxiv ai kix

assuming I haven't screwed up any there.

Same with numbers (but we will rotate by 2 to save just reversing the numbers):

0 1 2 3 4 5

2 3 4 5 0 1

So now assuming you have gotten the user's first name and surname and age, we could concatenate (join) those words:

i.e.

Joe Bloggs 23 to give joebloggs23

rotate by 5 to give

The user name could be made up by taking the initial, full surname and age, say:

i.e. jbloggs23

--------------------------------

We could do a lot more - like XORing each character with another character (a very commonly used technique - but XOR is actually bad since it is SO easy to crack).

ok how do we code something like this?

we could do something like:

```vbnet
Public Class Form1
    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        Dim vForename As String, vSurname As String, vage As String
        Dim vusername As String, vpassword As String, c As String
        Dim i As Integer

        'Generate user name: initial + surname + age
        vForename = TextBox1.Text
        vSurname = TextBox2.Text
        vage = TextBox3.Text
        If vForename.Length = 0 Then Exit Sub 'Substring(0, 1) fails on an empty forename
        vusername = vForename.Substring(0, 1) & vSurname & vage
        Label1.Text = vusername

        'Generate password: shift every character of forename + surname + age
        vpassword = vForename & vSurname & vage
        For i = 0 To Len(vpassword) - 1
            c = vpassword.Substring(i, 1)
            Mid(vpassword, i + 1, 1) = Chr(Asc(c) + 3) 'Say
        Next
        Label2.Text = vpassword
    End Sub
End Class
```

I still would say that generating a user name and password from personal details is a really bad idea.
Allan
• Edited by Tuesday, September 2, 2008 2:48 AM spelling
• Marked as answer by Friday, September 5, 2008 5:02 AM
Monday, September 1, 2008 4:20 PM

### All replies

• rogem said:

how will I make a username and password generator in my system?

The system will generate a random username and password for a user. However the system will use some personal information entered by the user to generate a username and a password.

thank you so much...

Hi Rogem
Generating a random username and password from personal info is not random - it's the result of whatever algorithm you use. This is not really a good idea for a number of reasons.
1) The computer will have to inform the user what the username and password is when it's generated. And, presumably keep a copy somewhere.
2) A programmer can usually figure out an algorithm pretty easily.
3) Usernames and passwords are only marginally safe - brute force approaches will eventually get by them.
4) The user would have to give the computer personal info BEFORE getting a username and password etc.

I could offer more reasons why what you want to do is a bad approach.
Firstly, let the user select his/her own username and password - like Windows lets you set your own.
Secondly, do NOT store them as 'clear text' - but rather, store them in encrypted form somehow.
Thirdly, do not allow blank usernames and/or passwords - users will use blanks if you let them.
Fourthly, ideally, usernames and passwords need to be changed periodically - say once a month - or when the user decides to change them.

Only take (and show) any personal info after the user has logged on securely.
Hope that helps.
Allan
• Edited by Monday, September 1, 2008 1:49 PM spelling
Monday, September 1, 2008 1:48 PM
• thank you for that...

my professor requires me to do that thing that I have told you..before he told me that I have already done the asking of username and password from the user but he insists that the password and username should be system generated..

what should I do in order for me to do this?

I'm confused with this...

Monday, September 1, 2008 2:46 PM
• Without knowing the other parameters, look at the Random class. Append a random number to whatever stipulations you have and use that as a user name and create a random number as the password.

Stephen J Whiteley
Monday, September 1, 2008 3:51 PM
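
An added example, not part of the thread: one way to meet the "system generated" requirement without deriving the password from personal details. It draws from `RandomNumberGenerator` (the OS CSPRNG) rather than `System.Random`, whose output is predictable; the module and function names, the character set and the four-digit username suffix are assumptions made for illustration.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Text

Module CredentialGenerator
    ' Character set for generated passwords (constructed for this example;
    ' look-alike characters such as 0/O and 1/l/I are left out).
    Private Const Alphabet As String = _
        "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-=?@"

    ' Returns a uniformly distributed index in [0, count) from the OS CSPRNG.
    ' Rejection sampling avoids the bias of a plain "value Mod count".
    Private Function NextIndex(rng As RandomNumberGenerator, count As Integer) As Integer
        Dim buf(3) As Byte
        Dim limit As UInteger = UInteger.MaxValue - (UInteger.MaxValue Mod CUInt(count))
        Dim value As UInteger
        Do
            rng.GetBytes(buf)
            value = BitConverter.ToUInt32(buf, 0)
        Loop While value >= limit
        Return CInt(value Mod CUInt(count))
    End Function

    ' The password carries no personal information at all.
    Function GeneratePassword(length As Integer) As String
        Dim sb As New StringBuilder(length)
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            For i As Integer = 1 To length
                sb.Append(Alphabet(NextIndex(rng, Alphabet.Length)))
            Next
        End Using
        Return sb.ToString()
    End Function

    ' The username stays memorable (initial + surname, as in the thread),
    ' but the suffix is random instead of the user's age.
    Function GenerateUsername(forename As String, surname As String) As String
        If String.IsNullOrEmpty(forename) Then Throw New ArgumentException("forename required")
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            Dim suffix As Integer = NextIndex(rng, 10000)
            Return (forename.Substring(0, 1) & surname).ToLowerInvariant() & suffix.ToString("D4")
        End Using
    End Function

    Sub Main()
        Console.WriteLine(GenerateUsername("Joe", "Bloggs")) ' sample name from the thread
        Console.WriteLine(GeneratePassword(16))
    End Sub
End Module
```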
• try this ;)

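```vbnet
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim password As String = InputBox("please enter password")
    Dim CompGenPasswd As String = ""
    Dim i As Integer

    'Need at least two characters, otherwise Mid below is given a negative length
    If Len(password) < 2 Then Exit Sub

    'Drop the last two characters
    password = Mid(password, 1, Len(password) - 2)
    'Append each prefix of what is left: "", 1 char, 2 chars, ...
    For i = 0 To Len(password)
        CompGenPasswd &= Mid(password, 1, i)
    Next
    MsgBox(CompGenPasswd)
End Sub
```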
Tuesday, September 2, 2008 1:39 AM
•  i'll try this code...

thank you so much for helping me...

i would just ask questions if I have some...

i'm really thankful for this..

Tuesday, September 2, 2008 1:05 PM
• NP - yw
Cryptography is a science and an art of its own and like I said you're just about touching it.
Good luck with your project anyways.
Allan
Tuesday, September 2, 2008 10:26 PM
• thank you so much..

I still have to work a lot on my project since my professor demands a high quality project..

I hope you will still help me in the days to come..

thanks again...

God Bless...
Wednesday, September 3, 2008 1:22 PM
• rogem said:

thank you so much..

I still have to work a lot on my project since my professor demands a high quality project..

I hope you will still help me in the days to come..

thanks again...

God Bless...

High quality project?

With all due respect, a program that demands the user name and password to be system generated is not 'high quality'.

Stephen J Whiteley
Wednesday, September 3, 2008 3:30 PM
• Hi Rogem
Stephen is absolutely right in what he says there. I still find it incredible that a 'professor' should ask you to do this.
Forget about coding a second and just think it through a second ok?
Do you have a brother? Or a sister?
If yes, you will know their personal details as well as they do.
So let's say your brother decides to use your 'high quality' sw.
It would take you (or anyone who knows him well) what - two seconds maybe - to get past the log on.
Ok for some personal sw at home that might not be earth-shatteringly serious.
But scale it up a second.
Imagine if a security agency, say the NSA of USA or MI6 of the UK were to protect some national secrets using your program. Would it be secure?
My god it could lead to wwIII in seconds.
So would the NSA or MI6 consider it 'high quality'?

Would it be secure? Now multiply that by the sheer volume of the number of Windows sold - security would be a total joke. If I were a student of your professor I would personally tell him GFY if he asked me to do a program that gives system generated usernames and passwords.

What you do of course is up to you. But please don't bandy words like 'high quality' about the sw when describing it - unless you're planning on entering the world of false marketing.
You might think we're being a tad rude or unkind to you here - far from it, we are trying to be helpful to you and that means being honest about what you are doing.
Ok enough said I think.
Allan

• Edited by Wednesday, September 3, 2008 6:30 PM spelling
Wednesday, September 3, 2008 6:24 PM

I also think that it would be hard for me to secure the system if I will use a system generated username and password.. but what shall I do if my professor demands for that?.. will I refuse to him or what?

I really can't think on what should I do.. I'm not that professional enough to the field so I'm not that familiar of what should I do or not especially that I'm a student of the ones that asking me for that who is my professor..

please help me on how should I deal with this..I really can't think how to handle such situation...
Thursday, September 4, 2008 1:31 PM
• Hi Rogem
Sorry if me and Stephen put you in a bit of a quandary.
Do what your professor says - it's probably safer that way.
But on a personal level - you now know that his way isn't really the way to do it.
I mentioned cryptography.

Some simple points.

1. Passwords are only really a safe defence against the innocent anyway - and brute force methods can always get by them.
By brute force methods, I mean it's possible to write a program that goes through all possible combinations of characters until it finds the right password.

You can delay this by using really strong passwords - i.e. ones that draw from the full character set and includes letters, numbers and punctuation symbols - e.g. %\$4A6678l&xy&^^5qwert@n etc.

But unfortunately, such passwords are [deliberately] difficult to memorise - and it's ALWAYS a bad idea to write them down and store them somewhere.

Secondly, you should only allow users, say, 3 attempts during a session. If they get it wrong three times - strike and they're out!!!

Thirdly, any data you do store should be encrypted - just in case a cracker tries to bypass your program and just examines the data files directly.

So now, we can talk a bit about data files.

Before we even start encrypting data we can make things harder for a cracker.

You can remove any spaces and punctuation for a start - rely on a person's brain to help encrypt/decrypt things.

I'll repeat the sentence to show what I mean.

Youcanremoveanyspacesandpunctuationforastartrelyonapersonsbraintohelpencryptdecryptthings.

Next, remove all vowels.

Ycnrmvnyspcsndpncttnfrstrtrlynprsnsbrnthlpncryptdcryptthngs.

That is now our 'plain text' - i.e. what we will start to encrypt - and when decrypted is what you get back!

Cracker programs, more often than not, look for word breaks and punctuation. By removing them and all vowels we foiled most of them already.

Another common cracker attack is to look for frequencies of words and letters.

This is language dependent. For example, the letter e is the most commonly used letter in English.

I would take out obvious letters like 's' and common words like 'and', 'an', 'to' as well.

So now our 'plain text' sentence is:

Ycnrmvnypcndpncttnfrtrtrlynprnbrnthlpncryptdcryptthng.

Now our 'plain text' is hardly plain anymore lol.

So even if a cracker program broke the encryption - the 'plain' text isn't going to be of much use!

In fact, most cracker programs would probably give up!

Now we can start on sophisticated encryption - and then you should be able to safely store data - it might not quite fool the NSA or MI6  for very long but we can make life awfully difficult for them and virtually impossible for the average cracker!

The best forms of encryption use two keys - words if you like - that give the info necessary to decrypt a file. One key is public - and can be published anywhere ( a specific word in a bestseller book for example) and the other is a private key - known only to authorised people. You need both keys to decrypt the file - and the keys should be based on LONG prime numbers in some way (prime numbers are used because they cannot be factorised into simpler numbers).
By long I mean at least 128 bits - but preferably higher. It's been made illegal to use 256-bit or higher prime number based keys in the UK because the intelligence services cannot break the encryption then. They are treated as being 'munitions' lol

I would circumvent that by using two public keys - and two private keys - both 128 bit based, say,  - i.e. four keys in all lol

That, and the rule(s) I've given for making the 'plain text' itself hard to read gives reasonably secure protection.

We can make things harder still by adjusting our text to be frequency neutral - i.e. by ensuring that the frequency of each letter is of the same order of magnitude.

That's a reasonable intro to simple cryptography, I think.

Allan
• Edited by Thursday, September 4, 2008 3:22 PM spelling
Thursday, September 4, 2008 3:11 PM
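
An added example, not part of the thread, covering two points from Allan's posts: keeping passwords out of clear text and the three-attempt limit. It stores a salted PBKDF2 hash (one-way, via `Rfc2898DeriveBytes`) rather than a reversible encryption, which is a substitution made here; the module and function names, the iteration count and the `salt:hash` storage format are assumptions, and the `HashAlgorithmName` constructor overload needs .NET Framework 4.7.2 or later, or .NET Core 2.0 or later.

```vbnet
Imports System
Imports System.Security.Cryptography

Module PasswordStore
    Private Const Iterations As Integer = 100000 ' assumed work factor
    Private Const MaxAttempts As Integer = 3     ' "three strikes" from the post

    ' Returns "salt:hash" in Base64; this string is stored, never the password.
    Function HashPassword(password As String) As String
        If String.IsNullOrEmpty(password) Then Throw New ArgumentException("blank password")
        Dim salt(15) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(salt)
        End Using
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256)
            Return Convert.ToBase64String(salt) & ":" & Convert.ToBase64String(kdf.GetBytes(32))
        End Using
    End Function

    ' Re-derives the hash from the stored salt and compares without early exit.
    Function VerifyPassword(password As String, stored As String) As Boolean
        Dim parts() As String = stored.Split(":"c)
        If parts.Length <> 2 OrElse String.IsNullOrEmpty(password) Then Return False
        Dim salt() As Byte = Convert.FromBase64String(parts(0))
        Dim expected() As Byte = Convert.FromBase64String(parts(1))
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256)
            Dim actual() As Byte = kdf.GetBytes(expected.Length)
            Dim diff As Integer = 0
            For i As Integer = 0 To expected.Length - 1
                diff = diff Or (actual(i) Xor expected(i))
            Next
            Return diff = 0
        End Using
    End Function

    ' Checks guesses in order and refuses further tries after MaxAttempts failures.
    Function TryLogin(stored As String, guesses() As String) As Boolean
        Dim failures As Integer = 0
        For Each guess As String In guesses
            If failures >= MaxAttempts Then Return False
            If VerifyPassword(guess, stored) Then Return True
            failures += 1
        Next
        Return False
    End Function

    Sub Main()
        Dim stored As String = HashPassword("constructed-sample-password")
        Console.WriteLine(TryLogin(stored, New String() {"a", "b", "c", "constructed-sample-password"}))
    End Sub
End Module
```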
• rogem said:

I also think that it would be hard for me to secure the system if I will use a system generated username and password.. but what shall I do if my professor demands for that?.. will I refuse to him or what?

I really can't think on what should I do.. I'm not that professional enough to the field so I'm not that familiar of what should I do or not especially that I'm a student of the ones that asking me for that who is my professor..

please help me on how should I deal with this..I really can't think how to handle such situation...

1. Do what your professor tells you to do.
2. Considering this is just an exercise/homework/thesis/whatever, it isn't really a big problem.
3. Sometimes, things made up in class to look like 'real world' applications (to make them less abstract) aren't really useful in the real world.

Stephen J Whiteley
Thursday, September 4, 2008 3:31 PM