CY 2550 - Foundations of Cybersecurity
Project 3: Password Generator
Description and DeliverablesOne big reason why people choose weak passwords that are easily cracked is because they have been taught that only confusing passwords are secure. People either reject this advice and leave themselves vulnerable, or adopt password creation heuristics that are not resilient to cracking in practice (e.g., English word plus one capital letter, one random number, and one random symbol).
In this project, you will gain hands on experience creating secure, memorable passwords that are resistant to cracking. To accomplish this, you will write a program that generates secure, memorable passwords using the XKCD method.
To receive full credit for this project, you will turn in the following:
- A program that you will write called project3/xkcdpwgen that can generate secure, memorable passwords using the XKCD method.
Program SpecificationYour program may be written in any language that is available on the Khoury College Linux machines (this includes C, C++, Python 2 and 3, Java, Racket, Ruby, Perl, Go, Rust, and possibly others). Regardless of which language you choose, your program must exactly obey the following command line syntax:
$ ./xkcdpwgen -h usage: xkcdpwgen [-h] [-w WORDS] [-c CAPS] [-n NUMBERS] [-s SYMBOLS] Generate a secure, memorable password using the XKCD method optional arguments: -h, --help show this help message and exit -w WORDS, --words WORDS include WORDS words in the password (default=4) -c CAPS, --caps CAPS capitalize the first letter of CAPS random words (default=0) -n NUMBERS, --numbers NUMBERS insert NUMBERS random numbers in the password (default=0) -s SYMBOLS, --symbols SYMBOLS insert SYMBOLS random symbols in the password (default=0)Note that your program does not need to print this exact help text. However:
- Your program must support all five of these command line arguments. Note that each argument is optional, i.e., the user may or may not supply it on the command line. Additionally, these arguments may be presented in any order on the command line.
- Your program must be named xkcdpwgen.
Usage of xkcdpwgen
By default, if you run xkcdpwgen with no arguments, it should produce a password composed of four random English words, all characters in lowercase, without numbers or symbols, like this:
$ ./xkcdpwgen guacamoleexamgallopedcrediting $ ./xkcdpwgen flockdolliescitizenrysource $ ./xkcdpwgen autumnsbooboomultipliesbandwagonsYou are free to use any English wordlist that you wish as part of this project. Some reasonable wordlists are available here, here, and here. Make sure to turn in a copy of your wordlist with your project! You may assume that your program will be invoked from the same directory that contains your wordlist, and you will need to hard-code the filename of your wordlist in your program.
The "-w" and "--words" arguments allow the user to override the number of words in the generated password. For example:
./xkcdpwgen -w 2 studiesexaminer $ ./xkcdpwgen -w 2 luridlypiersThe "-c" and "--caps" arguments capitalize the first letters of random words from the password. For example:
./xkcdpwgen -c 2 GrenadehostelriesBirdcagedirectives $ ./xkcdpwgen -c 2 warehousedfootbathJiffyGazeboThe "-n" and "--numbers" arguments add random numerical characters into the password, either at the beginning, end, or in-between words. The "-s" and "--symbols" arguments do the same thing but for symbol characters (~!@#$%^&*.:;). For example:
$ ./xkcdpwgen -n 2 -s 2 @$3genteelpredatorcrickets9frustrates $ ./xkcdpwgen -n 2 -s 4 ^saltiness77checkersvulgarly$saturn^; $ ./xkcdpwgen -n 2 -s 4 ~pushes%barre^5pricksgosh$9 $ ./xkcdpwgen -n 2 -s 4 putrefying$~7polycyclic.enneads1unamended!
You may add additional functionality to your program if you wish, but these arguments must be available and behave exactly as specified in this project description. You may handle errors however you see fit. For example the following invocation has an error; you may choose to display an error message, or generate a "best-effort" password.
$ ./xkcdpwgen -c 10
Packaging Your SubmissionBecause you are allowed to program in whatever language you wish, we require that all students submit a Makefile. If you choose to use a compiled language, you must turn in your source code, and the Makefile must compile your program. For example, if you write your program in C/C++, the final product of the Makefile should be a program called xkcdpwgen.
If you choose to program in a compiled language that does not produce executable binaries (e.g., the Java compiler produces .class files), then you must include a shell script with your submission named xkcdpwgen that can (1) invoke your program and (2) forward any given command line arguments to your program. You must also include a Makefile that transforms your source code into compiled files (e.g. .java files into .class files).
If you choose to use a language that does not need compilation (e.g., Python, Perl), you may leave your Makefile blank. We encourage students that choose to program in scripting languages to adopt shebang syntax and submit an executable script named xkcdpwgen.
Submitting Your Project
The exact files that you submit for this assignment will vary depending on the programming language you choose. At a minimum, you will probably submit:
- A Makefile, which may be empty
- The source code for your password generation program
- A wordlist file that is used by your password generation program
- Create a directory ~/cy2550/project3 in the folder corresponding to your git repository.
- Copy your Makefile, wordlist, and other pieces of source code and scripts to the ~/cy2550/project3 folder.
- Add these files to your repository, commit them, and push the committed files to Github.
- Submit your repository to Gradescope.
GradingThis project is worth 10% of your final grade, broken down as follows (out of 100):
- 20 points - turning in a password generation program that successfully compiles (if necessary) and runs on the command line, regardless of correctness
- 40 points - turning in a password generation program that has the correct default behavior, e.g. generates four word long random passwords
- 10 points each - correct support for the words, caps, numbers, and symbols arguments
- How hard is the xkcdpwgen program to write? My reference implementation is 46 lines of Python, so not too bad.
- If you've never written a command line driven program before, the first step is figuring out how to read command line arguments in your language of choice. All languages have this capability, although it's not always named the same thing. In C/C++, the command line is available as the argc and argv variables passed to main(). In Python, the sys module holds in the command line arguments in the sys.argv variable. Take the time to look at some examples of command line parsing in your language of choice.
- If you're not sure you've implemented the command line of your program correctly, have one of your friends test it out. Alternatively, post some example command lines to Piazza; we'll be happy to tell you if the formatting or behavior is incorrect.
- If you're using a compiled language, triple check that your code compiles and that your Makefile is free of errors before you submit. Make sure to test your compile on a Khoury College machine.
- Always test your program on the Khoury Linux machines before submitting it!