blog.jj5.net (2003 to 2005)

Generated Passwords

Mon Dec 8 12:38:00 UTC+1100 2003

I'm one of those guys that has a 13 character alpha-numeric, mixed case password. I often let applications generate passwords for me, and being a software developer I often write software that generates passwords for users.

It is not uncommon to see an 8-character password generated and distributed via unsecured e-mail, where the password allows only one login and the user has to change it at first use, within 24 hours of the password being issued or something, to mitigate the risk of someone else finding and using the password.

One thing that I have found to be a problem with automatic password generation is that some ASCII characters are easily confused with others. This can depend on the font, but there are some classics, like I and 1 and l. I wrote a function that determines if any automatically generated character is suitable for use in a password. The goal was to limit the characters that might appear in the password and be confused with another character. I think this was a good idea, and should save the help desk a few calls, therefore saving my clients and users time, money and frustration - all for some very simple code.

    /// <summary>
    /// Checks that a generated password character isn't a character that 
    /// might be confused with another character.
    /// </summary>
    /// <param name="c">Character to test.</param>
    /// <returns>
    /// True if the character shouldn't be easily confused with another,
    /// otherwise false.
    /// </returns>
    private static bool IsValidPasswordChar(char c) {
      switch (c) {
        case '1' :
        case '0' :
        case 'l' :
        case 'I' :
        case 'o' :
        case 'O' :
        case 'T' :
        case 'Q' :
          return false;
        default :
          return true;
      }
    }

John.
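
The following is an added example, not code from the original post: a generator that draws only from the characters `IsValidPasswordChar` accepts, using the operating system's CSPRNG, and reports how much entropy the filtering costs. The class and method names are hypothetical, and it assumes .NET Core 3.0 or later for `RandomNumberGenerator.GetInt32` and `Math.Log2`.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

public static class PasswordGenerator
{
    // Same exclusion list as IsValidPasswordChar in the post.
    private const string Confusable = "10lIoOTQ";

    // Alphanumeric, mixed case, minus the excluded characters: 62 - 8 = 54.
    private static readonly char[] Alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
            .Where(c => Confusable.IndexOf(c) < 0)
            .ToArray();

    public static string Generate(int length)
    {
        if (length <= 0) throw new ArgumentOutOfRangeException(nameof(length));
        var result = new char[length];
        for (int i = 0; i < length; i++)
        {
            // GetInt32 draws from the OS CSPRNG and is uniform over
            // [0, Alphabet.Length), so there is no modulo bias.
            // System.Random is predictable and must not be used here.
            result[i] = Alphabet[RandomNumberGenerator.GetInt32(Alphabet.Length)];
        }
        return new string(result);
    }

    // Entropy in bits of a uniformly random password of the given length.
    public static double EntropyBits(int alphabetSize, int length) =>
        length * Math.Log2(alphabetSize);

    public static void Main()
    {
        Console.WriteLine(Generate(13));
        Console.WriteLine($"alphabet size: {Alphabet.Length}");
        Console.WriteLine($"13 chars, full set (62): {EntropyBits(62, 13):F1} bits");
        Console.WriteLine($"13 chars, filtered (54): {EntropyBits(54, 13):F1} bits");
        Console.WriteLine($" 8 chars, filtered (54): {EntropyBits(54, 8):F1} bits");
    }
}
```

Building the alphabet once and indexing into it avoids generating and discarding rejected characters, and the entropy figures show that dropping eight characters costs far less than shortening the password.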


Copyright © 2003-2005 John Elliot