生成随机密码
Posted
技术标签:
【中文标题】生成随机密码【英文标题】:Generating Random Passwords 【发布时间】:2010-09-08 11:21:02 【问题描述】:当我们网站上的用户丢失密码并前往“丢失密码”页面时,我们需要给他一个新的临时密码。我真的不介意这是多么随机,或者如果它符合所有“需要”的强密码规则,我想要做的就是给他们一个密码,他们以后可以更改。
该应用程序是用 C# 编写的 Web 应用程序。所以我正在考虑变得刻薄,并采用简单的方法来使用 Guid 的一部分。即
Guid.NewGuid().ToString("d").Substring(1,8)
建议?想法?
【问题讨论】:
这里有一些好的解决方案,但有一点建议:不要生成包含以下任何字符的密码:Oo0Ili(你明白为什么):) 【参考方案1】:这要大很多,但我认为它看起来更全面一点: http://www.obviex.com/Samples/Password.aspx
///////////////////////////////////////////////////////////////////////////////
// SAMPLE: Generates random password, which complies with the strong password
// rules and does not contain ambiguous characters.
//
// To run this sample, create a new Visual C# project using the Console
// Application template and replace the contents of the Class1.cs file with
// the code below.
//
// THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
// EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
// WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
//
// Copyright (C) 2004 Obviex(TM). All rights reserved.
//
using System;
using System.Security.Cryptography;
/// <summary>
/// This class can generate random passwords, which do not include ambiguous
/// characters, such as I, l, and 1. The generated password will be made of
/// 7-bit ASCII symbols. Every four characters will include one lower case
/// character, one upper case character, one number, and one special symbol
/// (such as '%') in a random order. The password will always start with an
/// alpha-numeric character; it will not start with a special symbol (we do
/// this because some back-end systems do not like certain special
/// characters in the first position).
/// </summary>
public class RandomPassword
// Define default min and max password lengths.
private static int DEFAULT_MIN_PASSWORD_LENGTH = 8;
private static int DEFAULT_MAX_PASSWORD_LENGTH = 10;
// Define supported password characters divided into groups.
// You can add (or remove) characters to (from) these groups.
private static string PASSWORD_CHARS_LCASE = "abcdefgijkmnopqrstwxyz";
private static string PASSWORD_CHARS_UCASE = "ABCDEFGHJKLMNPQRSTWXYZ";
private static string PASSWORD_CHARS_NUMERIC= "23456789";
private static string PASSWORD_CHARS_SPECIAL= "*$-+?_&=!%/";
/// <summary>
/// Generates a random password.
/// </summary>
/// <returns>
/// Randomly generated password.
/// </returns>
/// <remarks>
/// The length of the generated password will be determined at
/// random. It will be no shorter than the minimum default and
/// no longer than maximum default.
/// </remarks>
public static string Generate()
return Generate(DEFAULT_MIN_PASSWORD_LENGTH,
DEFAULT_MAX_PASSWORD_LENGTH);
/// <summary>
/// Generates a random password of the exact length.
/// </summary>
/// <param name="length">
/// Exact password length.
/// </param>
/// <returns>
/// Randomly generated password.
/// </returns>
public static string Generate(int length)
return Generate(length, length);
/// <summary>
/// Generates a random password.
/// </summary>
/// <param name="minLength">
/// Minimum password length.
/// </param>
/// <param name="maxLength">
/// Maximum password length.
/// </param>
/// <returns>
/// Randomly generated password.
/// </returns>
/// <remarks>
/// The length of the generated password will be determined at
/// random and it will fall with the range determined by the
/// function parameters.
/// </remarks>
public static string Generate(int minLength,
int maxLength)
// Make sure that input parameters are valid.
if (minLength <= 0 || maxLength <= 0 || minLength > maxLength)
return null;
// Create a local array containing supported password characters
// grouped by types. You can remove character groups from this
// array, but doing so will weaken the password strength.
char[][] charGroups = new char[][]
PASSWORD_CHARS_LCASE.ToCharArray(),
PASSWORD_CHARS_UCASE.ToCharArray(),
PASSWORD_CHARS_NUMERIC.ToCharArray(),
PASSWORD_CHARS_SPECIAL.ToCharArray()
;
// Use this array to track the number of unused characters in each
// character group.
int[] charsLeftInGroup = new int[charGroups.Length];
// Initially, all characters in each group are not used.
for (int i=0; i<charsLeftInGroup.Length; i++)
charsLeftInGroup[i] = charGroups[i].Length;
// Use this array to track (iterate through) unused character groups.
int[] leftGroupsOrder = new int[charGroups.Length];
// Initially, all character groups are not used.
for (int i=0; i<leftGroupsOrder.Length; i++)
leftGroupsOrder[i] = i;
// Because we cannot use the default randomizer, which is based on the
// current time (it will produce the same "random" number within a
// second), we will use a random number generator to seed the
// randomizer.
// Use a 4-byte array to fill it with random bytes and convert it then
// to an integer value.
byte[] randomBytes = new byte[4];
// Generate 4 random bytes.
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
rng.GetBytes(randomBytes);
// Convert 4 bytes into a 32-bit integer value.
int seed = BitConverter.ToInt32(randomBytes, 0);
// Now, this is real randomization.
Random random = new Random(seed);
// This array will hold password characters.
char[] password = null;
// Allocate appropriate memory for the password.
if (minLength < maxLength)
password = new char[random.Next(minLength, maxLength+1)];
else
password = new char[minLength];
// Index of the next character to be added to password.
int nextCharIdx;
// Index of the next character group to be processed.
int nextGroupIdx;
// Index which will be used to track not processed character groups.
int nextLeftGroupsOrderIdx;
// Index of the last non-processed character in a group.
int lastCharIdx;
// Index of the last non-processed group.
int lastLeftGroupsOrderIdx = leftGroupsOrder.Length - 1;
// Generate password characters one at a time.
for (int i=0; i<password.Length; i++)
// If only one character group remained unprocessed, process it;
// otherwise, pick a random character group from the unprocessed
// group list. To allow a special character to appear in the
// first position, increment the second parameter of the Next
// function call by one, i.e. lastLeftGroupsOrderIdx + 1.
if (lastLeftGroupsOrderIdx == 0)
nextLeftGroupsOrderIdx = 0;
else
nextLeftGroupsOrderIdx = random.Next(0,
lastLeftGroupsOrderIdx);
// Get the actual index of the character group, from which we will
// pick the next character.
nextGroupIdx = leftGroupsOrder[nextLeftGroupsOrderIdx];
// Get the index of the last unprocessed characters in this group.
lastCharIdx = charsLeftInGroup[nextGroupIdx] - 1;
// If only one unprocessed character is left, pick it; otherwise,
// get a random character from the unused character list.
if (lastCharIdx == 0)
nextCharIdx = 0;
else
nextCharIdx = random.Next(0, lastCharIdx+1);
// Add this character to the password.
password[i] = charGroups[nextGroupIdx][nextCharIdx];
// If we processed the last character in this group, start over.
if (lastCharIdx == 0)
charsLeftInGroup[nextGroupIdx] =
charGroups[nextGroupIdx].Length;
// There are more unprocessed characters left.
else
// Swap processed character with the last unprocessed character
// so that we don't pick it until we process all characters in
// this group.
if (lastCharIdx != nextCharIdx)
char temp = charGroups[nextGroupIdx][lastCharIdx];
charGroups[nextGroupIdx][lastCharIdx] =
charGroups[nextGroupIdx][nextCharIdx];
charGroups[nextGroupIdx][nextCharIdx] = temp;
// Decrement the number of unprocessed characters in
// this group.
charsLeftInGroup[nextGroupIdx]--;
// If we processed the last group, start all over.
if (lastLeftGroupsOrderIdx == 0)
lastLeftGroupsOrderIdx = leftGroupsOrder.Length - 1;
// There are more unprocessed groups left.
else
// Swap processed group with the last unprocessed group
// so that we don't pick it until we process all groups.
if (lastLeftGroupsOrderIdx != nextLeftGroupsOrderIdx)
int temp = leftGroupsOrder[lastLeftGroupsOrderIdx];
leftGroupsOrder[lastLeftGroupsOrderIdx] =
leftGroupsOrder[nextLeftGroupsOrderIdx];
leftGroupsOrder[nextLeftGroupsOrderIdx] = temp;
// Decrement the number of unprocessed groups.
lastLeftGroupsOrderIdx--;
// Convert password characters into a string and return the result.
return new string(password);
/// <summary>
/// Illustrates the use of the RandomPassword class.
/// </summary>
public class RandomPasswordTest
/// <summary>
/// The main entry point for the application.
/// </summary>
[STAThread]
static void Main(string[] args)
// Print 100 randomly generated passwords (8-to-10 char long).
for (int i=0; i<100; i++)
Console.WriteLine(RandomPassword.Generate(8, 10));
//
// END OF FILE
///////////////////////////////////////////////////////////////////////////////
【讨论】:
原来框架支持这个。所以我宁愿接受这个答案! 仅生成 2^31 个不同的密码,即使输出大小很长,也有点偏低。可能足以抵御在线攻击,但对于离线攻击来说肯定很小。 => 我不会推荐这个。 这仍然是一个很好的答案,因为“内置”支持确实是会员资格,如果您决定不使用 ASP.NET 会员资格怎么办?它仍然有效,因为依赖项是 System.Web.dll,但有点尴尬,因为该方法不是自包含的。 @GEOCHET:感谢您发布此替代方案。【参考方案2】:public string CreatePassword(int length)
const string valid = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
StringBuilder res = new StringBuilder();
Random rnd = new Random();
while (0 < length--)
res.Append(valid[rnd.Next(valid.Length)]);
return res.ToString();
这样做的好处是可以从可用字符列表中为生成的密码进行选择(例如,仅数字、仅大写或仅小写等)
【讨论】:
Random
不是加密安全的; System.Security.Cryptography.RNGCryptoServiceProvider
是更好的选择。
这将在每次调用该方法时生成相同的密码,因为每次都会实例化 Random 类。这可以通过将 Random 移出此方法并重用实例来确保安全。
不,不会。除非两个人决定在同一时间更改密码。
引用问题:不要关心“如果它符合所有“需要”的强密码规则”...感谢您否决这个答案
只是因为你测试它的方式:docs.microsoft.com/en-us/dotnet/api/…【参考方案3】:
对于这种密码,我倾向于使用可能生成更容易“使用”密码的系统。简短,通常由可发音的片段和一些数字组成,并且没有字符间的歧义(是 0 还是 O?A 1 还是 I?)。类似的东西
string[] words = 'bur', 'ler', 'meh', 'ree' ;
string word = "";
Random rnd = new Random();
for (i = 0; i < 3; i++)
word += words[rnd.Next(words.length)]
int numbCount = rnd.Next(4);
for (i = 0; i < numbCount; i++)
word += (2 + rnd.Next(7)).ToString();
return word;
(直接在浏览器中输入,因此仅用作指南。另外,添加更多单词)。
【讨论】:
【参考方案4】:我喜欢研究生成密码,就像生成软件密钥一样。您应该从遵循良好实践的字符数组中进行选择。使用 @Radu094 answered 并修改它以遵循良好实践。不要将每个字母都放在字符数组中。有些字母在电话里很难说或听懂。
您还应该考虑对生成的密码使用校验和,以确保它是由您生成的。实现此目的的一个好方法是使用LUHN algorithm。
【讨论】:
【参考方案5】:总是有System.Web.Security.Membership.GeneratePassword(int length, int numberOfNonAlphanumericCharacters
)。
【讨论】:
不知道Framework有这样的方法!惊人的!将为此换出我当前的代码! 我花了将近一天时间完善自己的 pw gen 代码后发现了它。想象一下我的感受;) AFAIK 此方法不会生成符合域密码策略的密码,因此它不适合所有用途。 此解决方案的主要问题是您无法控制字符集,因此您无法消除在实践中非常重要的视觉模糊字符 (0oOl1i!|)。ASP.NET Core
的任何东西?【参考方案6】:
我不喜欢 Membership.GeneratePassword() 创建的密码,因为它们太难看而且有太多特殊字符。
此代码生成一个 10 位不太难看的密码。
string password = Guid.NewGuid().ToString("N").ToLower()
.Replace("1", "").Replace("o", "").Replace("0","")
.Substring(0,10);
当然,我可以使用正则表达式来进行所有替换,但这在 IMO 上更具可读性和可维护性。
【讨论】:
不应将 GUID 用作加密 PRNG 如果你要使用这个方法,你可以使用 .ToString("N") 并且你不必替换“-”。也不需要替换“l”,因为它不是十六进制数字。 完全明白你为什么这样做。我只需要一个短暂的(不到一天)密码,每个用户不必太独特。抽出 1 和 0 是消除混乱的好方法。我也只是将我的转换为大写,然后将长度减少到 6。就像“N”的建议一样。谢谢!【参考方案7】:我创建了这个方法,类似于会员提供程序中的可用方法。如果您不想在某些应用程序中添加 Web 引用,这将非常有用。
效果很好。
public static string GeneratePassword(int Length, int NonAlphaNumericChars)
string allowedChars = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNOPQRSTUVWXYZ0123456789";
string allowedNonAlphaNum = "!@#$%^&*()_-+=[];:<>|./?";
Random rd = new Random();
if (NonAlphaNumericChars > Length || Length <= 0 || NonAlphaNumericChars < 0)
throw new ArgumentOutOfRangeException();
char[] pass = new char[Length];
int[] pos = new int[Length];
int i = 0, j = 0, temp = 0;
bool flag = false;
//Random the position values of the pos array for the string Pass
while (i < Length - 1)
j = 0;
flag = false;
temp = rd.Next(0, Length);
for (j = 0; j < Length; j++)
if (temp == pos[j])
flag = true;
j = Length;
if (!flag)
pos[i] = temp;
i++;
//Random the AlphaNumericChars
for (i = 0; i < Length - NonAlphaNumericChars; i++)
pass[i] = allowedChars[rd.Next(0, allowedChars.Length)];
//Random the NonAlphaNumericChars
for (i = Length - NonAlphaNumericChars; i < Length; i++)
pass[i] = allowedNonAlphaNum[rd.Next(0, allowedNonAlphaNum.Length)];
//Set the sorted array values by the pos array for the rigth posistion
char[] sorted = new char[Length];
for (i = 0; i < Length; i++)
sorted[i] = pass[pos[i]];
string Pass = new String(sorted);
return Pass;
【讨论】:
不要将System.Random
用于密码等安全关键信息。使用RNGCryptoServiceProvider
【参考方案8】:
我知道这是一个旧线程,但我有可能是一个相当简单的解决方案供某人使用。易于实施、易于理解且易于验证。
考虑以下要求:
我需要生成一个随机密码,其中至少有 2 个小写字母、2 个大写字母和 2 个数字。密码长度也必须至少为 8 个字符。
以下正则表达式可以验证这种情况:
^(?=\b\w*[a-z].*[a-z]\w*\b)(?=\b\w*[A-Z].*[A-Z]\w*\b)(?=\b\w*[0-9].*[0-9]\w*\b)[a-zA-Z0-9]8,$
这超出了这个问题的范围 - 但正则表达式基于 lookahead/lookbehind 和 lookaround。
以下代码将创建符合此要求的随机字符集:
public static string GeneratePassword(int lowercase, int uppercase, int numerics)
string lowers = "abcdefghijklmnopqrstuvwxyz";
string uppers = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
string number = "0123456789";
Random random = new Random();
string generated = "!";
for (int i = 1; i <= lowercase; i++)
generated = generated.Insert(
random.Next(generated.Length),
lowers[random.Next(lowers.Length - 1)].ToString()
);
for (int i = 1; i <= uppercase; i++)
generated = generated.Insert(
random.Next(generated.Length),
uppers[random.Next(uppers.Length - 1)].ToString()
);
for (int i = 1; i <= numerics; i++)
generated = generated.Insert(
random.Next(generated.Length),
number[random.Next(number.Length - 1)].ToString()
);
return generated.Replace("!", string.Empty);
要满足上述要求,只需调用以下代码:
String randomPassword = GeneratePassword(3, 3, 3);
代码以无效字符 ("!"
) 开头 - 因此字符串具有可以注入新字符的长度。
然后它从 1 循环到所需的 # 个小写字符,并在每次迭代中,从小写列表中抓取一个随机项,并将其注入字符串中的随机位置。
然后对大写字母和数字重复循环。
这将为您返回长度 = lowercase + uppercase + numerics
的字符串,其中您想要的计数的小写、大写和数字字符已按随机顺序放置。
【讨论】:
不要将System.Random
用于密码等安全关键信息。使用RNGCryptoServiceProvider
lowers[random.Next(lowers.Length - 1)].ToString()
此代码永远不会生成“z”。 random.Next 产生的整数小于所提供的数字,所以你不应该从长度中减去额外的一个。【参考方案9】:
插入一个计时器:timer1、2 个按钮:button1、button2、1 个文本框:textBox1 和一个组合框:comboBox1。确保您声明:
int count = 0;
源代码:
private void button1_Click(object sender, EventArgs e)
// This clears the textBox, resets the count, and starts the timer
count = 0;
textBox1.Clear();
timer1.Start();
private void timer1_Tick(object sender, EventArgs e)
// This generates the password, and types it in the textBox
count += 1;
string possible = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
string psw = "";
Random rnd = new Random ;
psw += possible[rnd.Next(possible.Length)];
textBox1.Text += psw;
if (count == (comboBox1.SelectedIndex + 1))
timer1.Stop();
private void Form1_Load(object sender, EventArgs e)
// This adds password lengths to the comboBox to choose from.
comboBox1.Items.Add("1");
comboBox1.Items.Add("2");
comboBox1.Items.Add("3");
comboBox1.Items.Add("4");
comboBox1.Items.Add("5");
comboBox1.Items.Add("6");
comboBox1.Items.Add("7");
comboBox1.Items.Add("8");
comboBox1.Items.Add("9");
comboBox1.Items.Add("10");
comboBox1.Items.Add("11");
comboBox1.Items.Add("12");
private void button2_click(object sender, EventArgs e)
// This encrypts the password
tochar = textBox1.Text;
textBox1.Clear();
char[] carray = tochar.ToCharArray();
for (int i = 0; i < carray.Length; i++)
int num = Convert.ToInt32(carray[i]) + 10;
string cvrt = Convert.ToChar(num).ToString();
textBox1.Text += cvrt;
【讨论】:
不要使用System.Random
来保证安全。【参考方案10】:
我的代码的主要目标是:
-
字符串的分布几乎是均匀的(不关心微小的偏差,只要它们很小)
它为每个参数集输出超过几十亿个字符串。如果您的 PRNG 只生成 20 亿(31 位熵)不同的值,那么生成 8 个字符串(约 47 位熵)是没有意义的。
它很安全,因为我希望人们将它用于密码或其他安全令牌。
第一个属性是通过以字母大小为模的 64 位值来实现的。对于小字母(例如问题中的 62 个字符),这会导致可忽略的偏差。第二个和第三个属性是通过使用RNGCryptoServiceProvider
而不是System.Random
来实现的。
using System;
using System.Security.Cryptography;
public static string GetRandomAlphanumericString(int length)
const string alphanumericCharacters =
"ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
"abcdefghijklmnopqrstuvwxyz" +
"0123456789";
return GetRandomString(length, alphanumericCharacters);
public static string GetRandomString(int length, IEnumerable<char> characterSet)
if (length < 0)
throw new ArgumentException("length must not be negative", "length");
if (length > int.MaxValue / 8) // 250 million chars ought to be enough for anybody
throw new ArgumentException("length is too big", "length");
if (characterSet == null)
throw new ArgumentNullException("characterSet");
var characterArray = characterSet.Distinct().ToArray();
if (characterArray.Length == 0)
throw new ArgumentException("characterSet must not be empty", "characterSet");
var bytes = new byte[length * 8];
new RNGCryptoServiceProvider().GetBytes(bytes);
var result = new char[length];
for (int i = 0; i < length; i++)
ulong value = BitConverter.ToUInt64(bytes, i * 8);
result[i] = characterArray[value % (uint)characterArray.Length];
return new string(result);
(这是我对How can I generate random 8 character, alphanumeric strings in C#? 的回复的副本)
【讨论】:
如果 UInt64.MaxValue 不能被 characterArray.Length 整除,那么随机选择的字符将不会均匀分布(尽管这将是一个非常小的影响)。 @JeffWalkerCodeRanger 这就是为什么我说可忽略的偏见,而不是没有偏见。即使有 PB 的输出,您也只有不到 1% 的差异可以将其与完美无偏的字符串生成器区分开来。完全无偏的额外复杂性显然不值得在这里获得相当理论上的随机性。 对于使用 .NET Core 的用户,请替换为“new RNGCryptoServiceProvider().GetBytes(bytes);”使用“System.Security.Cryptography.RandomNumberGenerator.Create().GetBytes(bytes);”【参考方案11】:这很短,对我很有用。
public static string GenerateRandomCode(int length)
Random rdm = new Random();
StringBuilder sb = new StringBuilder();
for(int i = 0; i < length; i++)
sb.Append(Convert.ToChar(rdm.Next(101,132)));
return sb.ToString();
【讨论】:
它可能“工作”,但它肯定不安全。密码需要安全。 我认为随机密码是临时密码。不明白为什么它们必须是安全的,即使它们是安全的,您也可以在范围内添加数字和特殊字符。 如果您使用可预测的 PRNG 生成数字和特殊字符,则不会提高安全性。如果您知道密码是何时生成的,则可以将其范围缩小到几个候选者。【参考方案12】:我创建了使用 RNGCryptoServiceProvider 的this class,它很灵活。示例:
var generator = new PasswordGenerator(minimumLengthPassword: 8,
maximumLengthPassword: 15,
minimumUpperCaseChars: 2,
minimumNumericChars: 3,
minimumSpecialChars: 2);
string password = generator.Generate();
【讨论】:
那太好了,那个类的许可证是什么?可以用吗? 随心所欲地使用它!【参考方案13】:public string GenerateToken(int length)
using (RNGCryptoServiceProvider cryptRNG = new RNGCryptoServiceProvider())
byte[] tokenBuffer = new byte[length];
cryptRNG.GetBytes(tokenBuffer);
return Convert.ToBase64String(tokenBuffer);
(你也可以让这个方法所在的类实现 IDisposable,持有对 RNGCryptoServiceProvider
的引用,并正确处理它,以避免重复实例化它。)
注意到,由于这返回一个 base-64 字符串,输出长度始终是 4 的倍数,额外的空格使用 =
作为填充字符。 length
参数指定字节缓冲区的长度,而不是输出字符串(因此可能不是该参数的最佳名称,现在我考虑一下)。这控制密码将有多少字节的entropy。但是,由于 base-64 使用 4 字符块来编码每 3 个字节的输入,如果您要求的长度不是 3 的倍数,将会有一些额外的“空格”,它会使用 =
填补多余的。
如果您出于某种原因不喜欢使用 base-64 字符串,您可以将 Convert.ToBase64String()
调用替换为转换为常规字符串或任何 Encoding
方法;例如。 Encoding.UTF8.GetString(tokenBuffer)
- 只需确保您选择的字符集可以代表来自 RNG 的全部值范围,并且生成的字符与您发送或存储的任何地方都兼容。例如,使用 Unicode 往往会给出很多汉字。使用 base-64 可以保证广泛兼容的字符集,只要您使用合适的散列算法,此类字符串的特性就不会降低其安全性。
【讨论】:
我认为你的意思是把 tokenBuffer 放在你有 linkBuf 的地方。 当我使用这段代码并传入长度为 10 时,返回的字符串总是 16 个字符长,最后 2 个字符总是“==”。我使用不正确吗?长度是用十六进制指定的吗? 指定的长度是随机的字节数(或“熵”,因为它在技术上是已知的)。但是,返回值是 base-64 编码的,这意味着由于 base-64 编码的工作原理,输出长度始终是 4 的倍数。有时,这比编码所有字符所需的字符多,所以它使用= 填充其余字符。 RNGCryptoServiceProvider 是一个 IDisposable,所以我会使用 using 模式来实现它(即 using (var cryptRNG = new RNGCryptoServiceProvider()) ... ) @kloarubeek 一个有效的观点,一个很好的建议。我已将其添加到我的代码示例中。【参考方案14】:在我的网站上我使用这种方法:
//Symb array
private const string _SymbolsAll = "~`!@#$%^&*()_+=-\\|[]'\";:/?.>,<";
//Random symb
public string GetSymbol(int Length)
Random Rand = new Random(DateTime.Now.Millisecond);
StringBuilder result = new StringBuilder();
for (int i = 0; i < Length; i++)
result.Append(_SymbolsAll[Rand.Next(0, _SymbolsAll.Length)]);
return result.ToString();
为您的数组列表编辑字符串_SymbolsAll
。
【讨论】:
如编辑说明中所述。如果您链接到您的网站而不是代码参考,那么您纯粹是在做广告,这会使其成为垃圾邮件,因此请从您的答案中删除该链接。【参考方案15】:我一直对 KeePass 内置的密码生成器非常满意。由于 KeePass 是一个 .Net 程序并且是开源的,所以我决定深入研究一下代码。我最终只是引用了标准应用程序安装中提供的副本 KeePass.exe 作为我项目中的参考并编写了下面的代码。借助 KeePass,您可以看到它的灵活性。您可以指定长度、包含/不包含哪些字符等...
using KeePassLib.Cryptography.PasswordGenerator;
using KeePassLib.Security;
public static string GeneratePassword(int passwordLength, bool lowerCase, bool upperCase, bool digits,
bool punctuation, bool brackets, bool specialAscii, bool excludeLookAlike)
var ps = new ProtectedString();
var profile = new PwProfile();
profile.CharSet = new PwCharSet();
profile.CharSet.Clear();
if (lowerCase)
profile.CharSet.AddCharSet('l');
if(upperCase)
profile.CharSet.AddCharSet('u');
if(digits)
profile.CharSet.AddCharSet('d');
if (punctuation)
profile.CharSet.AddCharSet('p');
if (brackets)
profile.CharSet.AddCharSet('b');
if (specialAscii)
profile.CharSet.AddCharSet('s');
profile.ExcludeLookAlike = excludeLookAlike;
profile.Length = (uint)passwordLength;
profile.NoRepeatingCharacters = true;
KeePassLib.Cryptography.PasswordGenerator.PwGenerator.Generate(out ps, profile, null, _pool);
return ps.ReadString();
【讨论】:
【参考方案16】:这是我快速整理的内容。
public string GeneratePassword(int len)
string res = "";
Random rnd = new Random();
while (res.Length < len) res += (new Func<Random, string>((r) =>
char c = (char)((r.Next(123) * DateTime.Now.Millisecond % 123));
return (Char.IsLetterOrDigit(c)) ? c.ToString() : "";
))(rnd);
return res;
【讨论】:
【参考方案17】:public string Sifre_Uret(int boy, int noalfa)
// 01.03.2016
// Genel amaçlı şifre üretme fonksiyonu
//Fonskiyon 128 den büyük olmasına izin vermiyor.
if (boy > 128 ) boy = 128;
if (noalfa > 128) noalfa = 128;
if (noalfa > boy) noalfa = boy;
string passch = System.Web.Security.Membership.GeneratePassword(boy, noalfa);
//URL encoding ve Url Pass + json sorunu yaratabilecekler pass ediliyor.
//Microsoft Garanti etmiyor. Alfa Sayısallar Olabiliyorimiş . !@#$%^&*()_-+=[];:<>|./?.
//https://msdn.microsoft.com/tr-tr/library/system.web.security.membership.generatepassword(v=vs.110).aspx
//URL ve Json ajax lar için filtreleme
passch = passch.Replace(":", "z");
passch = passch.Replace(";", "W");
passch = passch.Replace("'", "t");
passch = passch.Replace("\"", "r");
passch = passch.Replace("/", "+");
passch = passch.Replace("\\", "e");
passch = passch.Replace("?", "9");
passch = passch.Replace("&", "8");
passch = passch.Replace("#", "D");
passch = passch.Replace("%", "u");
passch = passch.Replace("=", "4");
passch = passch.Replace("~", "1");
passch = passch.Replace("[", "2");
passch = passch.Replace("]", "3");
passch = passch.Replace("", "g");
passch = passch.Replace("", "J");
//passch = passch.Replace("(", "6");
//passch = passch.Replace(")", "0");
//passch = passch.Replace("|", "p");
//passch = passch.Replace("@", "4");
//passch = passch.Replace("!", "u");
//passch = passch.Replace("$", "Z");
//passch = passch.Replace("*", "5");
//passch = passch.Replace("_", "a");
passch = passch.Replace(",", "V");
passch = passch.Replace(".", "N");
passch = passch.Replace("+", "w");
passch = passch.Replace("-", "7");
return passch;
【讨论】:
你能解释一下你的代码是做什么的,为什么? From review 只有代码的答案没有解释可能会被删除。【参考方案18】:在接受的答案中添加了一些补充代码。它仅使用 Random 改进了答案,并允许一些密码选项。我也喜欢 KeePass 答案中的一些选项,但不想在我的解决方案中包含可执行文件。
private string RandomPassword(int length, bool includeCharacters, bool includeNumbers, bool includeUppercase, bool includeNonAlphaNumericCharacters, bool includeLookAlikes)
if (length < 8 || length > 128) throw new ArgumentOutOfRangeException("length");
if (!includeCharacters && !includeNumbers && !includeNonAlphaNumericCharacters) throw new ArgumentException("RandomPassword-Key arguments all false, no values would be returned");
string pw = "";
do
pw += System.Web.Security.Membership.GeneratePassword(128, 25);
pw = RemoveCharacters(pw, includeCharacters, includeNumbers, includeUppercase, includeNonAlphaNumericCharacters, includeLookAlikes);
while (pw.Length < length);
return pw.Substring(0, length);
private string RemoveCharacters(string passwordString, bool includeCharacters, bool includeNumbers, bool includeUppercase, bool includeNonAlphaNumericCharacters, bool includeLookAlikes)
if (!includeCharacters)
var remove = new string[] "a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z" ;
foreach (string r in remove)
passwordString = passwordString.Replace(r, string.Empty);
passwordString = passwordString.Replace(r.ToUpper(), string.Empty);
if (!includeNumbers)
var remove = new string[] "0", "1", "2", "3", "4", "5", "6", "7", "8", "9" ;
foreach (string r in remove)
passwordString = passwordString.Replace(r, string.Empty);
if (!includeUppercase)
passwordString = passwordString.ToLower();
if (!includeNonAlphaNumericCharacters)
var remove = new string[] "!", "@", "#", "$", "%", "^", "&", "*", "(", ")", "-", "_", "+", "=", "", "", "[", "]", "|", "\\", ":", ";", "<", ">", "/", "?", "." ;
foreach (string r in remove)
passwordString = passwordString.Replace(r, string.Empty);
if (!includeLookAlikes)
var remove = new string[] "(", ")", "0", "O", "o", "1", "i", "I", "l", "|", "!", ":", ";" ;
foreach (string r in remove)
passwordString = passwordString.Replace(r, string.Empty);
return passwordString;
这是我搜索生成随机密码时的第一个链接,以下内容超出了当前问题的范围,但可能需要考虑。
基于以下假设:System.Web.Security.Membership.GeneratePassword
在密码学上是安全的,至少 20% 的字符是非字母数字的。
不确定在这种情况下删除字符和附加字符串是否被认为是好的做法并提供足够的熵。
可能需要考虑以某种方式使用SecureString 实现内存中的安全密码存储。
【讨论】:
仅供参考,您不需要包含 KeyPass 可执行文件,因为它是开源的(源代码可供下载 here)【参考方案19】:validChars 可以是任何构造,但我决定根据删除控制字符的 ascii 代码范围进行选择。在本例中,它是一个 12 个字符的字符串。
string validChars = String.Join("", Enumerable.Range(33, (126 - 33)).Where(i => !(new int[] 34, 38, 39, 44, 60, 62, 96 ).Contains(i)).Select(i => return (char)i; ));
string.Join("", Enumerable.Range(1, 12).Select(i => return validChars[(new Random(Guid.NewGuid().GetHashCode())).Next(0, validChars.Length - 1)]; ))
【讨论】:
【参考方案20】: Generate random password of specified length with
- Special characters
- Number
- Lowecase
- Uppercase
public static string CreatePassword(int length = 12)
const string lower = "abcdefghijklmnopqrstuvwxyz";
const string upper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
const string number = "1234567890";
const string special = "!@#$%^&*";
var middle = length / 2;
StringBuilder res = new StringBuilder();
Random rnd = new Random();
while (0 < length--)
if (middle == length)
res.Append(number[rnd.Next(number.Length)]);
else if (middle - 1 == length)
res.Append(special[rnd.Next(special.Length)]);
else
if (length % 2 == 0)
res.Append(lower[rnd.Next(lower.Length)]);
else
res.Append(upper[rnd.Next(upper.Length)]);
return res.ToString();
【讨论】:
不鼓励仅使用代码回答,因为它们没有为未来的读者提供太多信息,请对您所写的内容提供一些解释 一遍又一遍地创建相同的密码。需要将Random
的实例设为静态
请注意,如果连续多次调用此答案将生成相同的密码!!!如果您希望使用该功能一次将密码分配给多个记录,则必须在调用之间添加熵。不过还是有用的......【参考方案21】:
public static string GeneratePassword(int passLength)
var chars = "abcdefghijklmnopqrstuvwxyz@#$&ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
var random = new Random();
var result = new string(
Enumerable.Repeat(chars, passLength)
.Select(s => s[random.Next(s.Length)])
.ToArray());
return result;
【讨论】:
请解释一下你的答案 这个功能非常好用,只需稍作改动。 1. 如果您同时进行多个调用,则会增加熵。这意味着在调用之间调用 Sleep() 或其他一些导致熵的函数。 2.增加源字符的数量和随机性。我使用 keypass 创建了一系列 500 个字符的密码,不包括一堆我不想处理的类似和其他可转义字符,并使用了生成的 2000 个字符串。仅仅 100 毫秒的熵之后的随机性已经相当不错了。【参考方案22】:我将在锅中添加另一个不明智的答案。
我有一个用例,我需要随机密码进行机机通信,因此我对人类可读性没有任何要求。我的项目中也无权访问Membership.GeneratePassword
,也不想添加依赖项。
我相当肯定 Membership.GeneratePassword
正在做类似的事情,但在这里您可以调整要从中提取的字符池。
public static class PasswordGenerator
private readonly static Random _rand = new Random();
public static string Generate(int length = 24)
const string lower = "abcdefghijklmnopqrstuvwxyz";
const string upper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
const string number = "1234567890";
const string special = "!@#$%^&*_-=+";
// Get cryptographically random sequence of bytes
var bytes = new byte[length];
new RNGCryptoServiceProvider().GetBytes(bytes);
// Build up a string using random bytes and character classes
var res = new StringBuilder();
foreach(byte b in bytes)
// Randomly select a character class for each byte
switch (_rand.Next(4))
// In each case use mod to project byte b to the correct range
case 0:
res.Append(lower[b % lower.Count()]);
break;
case 1:
res.Append(upper[b % upper.Count()]);
break;
case 2:
res.Append(number[b % number.Count()]);
break;
case 3:
res.Append(special[b % special.Count()]);
break;
return res.ToString();
还有一些示例输出:
PasswordGenerator.Generate(12)
"pzY=64@-ChS$"
"BG0OsyLbYnI_"
"l9#5^2&adj_i"
"#++Ws9d$%O%X"
"IWhdIN-#&O^s"
为了抢占对使用 Random
的投诉:随机性的主要来源仍然是加密 RNG。即使您可以确定性地预先确定来自Random
的序列(比如说它只产生1
),您仍然不会知道将选择的下一个字符(尽管会限制范围可能性)。
一个简单的扩展是为不同的字符集添加权重,这可以像增加最大值和添加失败案例以增加权重一样简单。
switch (_rand.Next(6))
// Prefer letters 2:1
case 0:
case 1:
res.Append(lower[b % lower.Count()]);
break;
case 2:
case 3:
res.Append(upper[b % upper.Count()]);
break;
case 4:
res.Append(number[b % number.Count()]);
break;
case 5:
res.Append(special[b % special.Count()]);
break;
为了更人性化的随机密码生成器,我曾经使用the EFF dice-word list实现了一个提示系统。
【讨论】:
【参考方案23】:我使用此代码生成由字母、数字和非字母数字字符组成的余额组成的密码。
public static string GeneratePassword(int Length, int NonAlphaNumericChars)
string allowedChars = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNOPQRSTUVWXYZ0123456789";
string allowedNonAlphaNum = "!@#$%^&*()_-+=[];:<>|./?";
string pass = "";
Random rd = new Random(DateTime.Now.Millisecond);
for (int i = 0; i < Length; i++)
if (rd.Next(1) > 0 && NonAlphaNumericChars > 0)
pass += allowedNonAlphaNum[rd.Next(allowedNonAlphaNum.Length)];
NonAlphaNumericChars--;
else
pass += allowedChars[rd.Next(allowedChars.Length)];
return pass;
【讨论】:
不要使用这个答案。它使用常规的“随机”类,而不是加密的 secure 类。【参考方案24】:这个包允许您生成一个随机密码,同时流畅地指示它应该包含哪些字符(如果需要):
https://github.com/prjseal/PasswordGenerator/
例子:
var pwd = new Password().IncludeLowercase().IncludeUppercase().IncludeSpecial();
var password = pwd.Next();
【讨论】:
【参考方案25】:如果您想利用 System.Web.Security.Membership.GeneratePassword 使用的加密安全随机数生成,但又想将字符集限制为字母数字字符,您可以使用正则表达式过滤结果:
static string GeneratePassword(int characterCount)
string password = String.Empty;
while(password.Length < characterCount)
password += Regex.Replace(System.Web.Security.Membership.GeneratePassword(128, 0), "[^a-zA-Z0-9]", string.Empty);
return password.Substring(0, characterCount);
【讨论】:
【参考方案26】:检查此代码... 我添加了 .remove(length) 以改善 anaximander 的响应
public string GeneratePassword(int length)
using(RNGCryptoServiceProvider cryptRNG = new RNGCryptoServiceProvider();)
byte[] tokenBuffer = new byte[length];
cryptRNG.GetBytes(tokenBuffer);
return Convert.ToBase64String(tokenBuffer).Remove(length);
【讨论】:
由于RNGCryptoServiceProvider
实现了IDisposable
,因此您应该将其包装在 using() 块中。【参考方案27】:
如何在 C# 中生成随机密码。 输出:(https://prnt.sc/11fac8v) 运行:https://onlinegdb.com/HJe5OHBLu
using System;
using System.Linq;
public class Program
private static Random random = new Random();
public static void Main()
Console.WriteLine("Random password with length of 8 character.");
Console.WriteLine("===========================================");
Console.WriteLine("Capital latters : 2");
Console.WriteLine("Number latters : 2");
Console.WriteLine("Special latters : 2");
Console.WriteLine("Small latters : 2");
Console.WriteLine("===========================================");
Console.Write("The Random Password : ");
Console.WriteLine(RandomStringCap(2) + RandomStringNum(2) + RandomStringSpe(2) + RandomStringSml(2));
Console.WriteLine("===========================================");
public static string RandomStringCap(int length)
const string chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
return new string(Enumerable.Repeat(chars, length)
.Select(s => s[random.Next(s.Length)]).ToArray());
public static string RandomStringNum(int length)
const string chars = "0123456789";
return new string(Enumerable.Repeat(chars, length)
.Select(s => s[random.Next(s.Length)]).ToArray());
public static string RandomStringSml(int length)
const string chars = "abcdefghijklmnopqrstuvwxyz";
return new string(Enumerable.Repeat(chars, length)
.Select(s => s[random.Next(s.Length)]).ToArray());
public static string RandomStringSpe(int length)
const string chars = "!@#$%^&*_-=+";
return new string(Enumerable.Repeat(chars, length)
.Select(s => s[random.Next(s.Length)]).ToArray());
【讨论】:
虽然这段代码 sn-p 可以解决问题,including an explanation 确实有助于提高您的帖子质量。请记住,您是在为将来的读者回答问题,而这些人可能不知道您提出代码建议的原因。 @Gerhard 我弄错了,谢谢你的建议。【参考方案28】:/// <summary>
/// Provides static methods to generate random passwords.
/// </summary>
public static class PasswordGenerator
/// <summary>
/// Generates a random password of the specified length.
/// </summary>
/// <param name="length">The length of the password to generate</param>
/// <returns>The generated password</returns>
/// <exception cref="ArgumentOutOfRangeException"></exception>
public static string Generate(int length)
return Generate(length, PasswordCharacters.All, null);
/// <summary>
/// Generates a random password based on the provided criteria.
/// </summary>
/// <param name="length">The length of the password to generate</param>
/// <param name="allowedCharacters">Set of allowed characters in the generated password</param>
/// <returns>The generated password</returns>
/// <exception cref="ArgumentOutOfRangeException"></exception>
public static string Generate(int length, PasswordCharacters allowedCharacters)
return Generate(length, allowedCharacters, null);
/// <summary>
/// Generates a random password based on the provided criteria.
/// </summary>
/// <param name="length">The length of the password to generate</param>
/// <param name="allowedCharacters">Set of allowed characters in the generated password</param>
/// <param name="excludeCharacters">Set of disallowed characters in the generated password</param>
/// <returns>The generated password</returns>
/// <exception cref="ArgumentOutOfRangeException"></exception>
public static string Generate(int length, PasswordCharacters allowedCharacters,
IEnumerable<char> excludeCharacters)
char[] password = InternalGenerate(length, allowedCharacters, excludeCharacters, () => new char[length],
(pw, ch, index) => pw[index] = ch);
return new string(password);
/// <summary>
/// Generates a random password of the specified length and returns it as a <see cref="SecureString" />
/// </summary>
/// <param name="length">The length of the password to generate</param>
/// <returns>The generated password as a <see cref="SecureString" /></returns>
/// <exception cref="ArgumentOutOfRangeException"></exception>
public static SecureString GenerateSecure(int length)
return GenerateSecure(length, PasswordCharacters.All, null);
/// <summary>
/// Generates a random password based on the provided criteria and returns it as a <see cref="SecureString" />
/// </summary>
/// <param name="length">The length of the password to generate</param>
/// <param name="allowedCharacters">Set of allowed characters in the generated password</param>
/// <returns>The generated password as a <see cref="SecureString" /></returns>
/// <exception cref="ArgumentOutOfRangeException"></exception>
public static SecureString GenerateSecure(int length, PasswordCharacters allowedCharacters)
return GenerateSecure(length, allowedCharacters, null);
/// <summary>
/// Generates a random password based on the provided criteria and returns it as a <see cref="SecureString" />
/// </summary>
/// <param name="length">The length of the password to generate</param>
/// <param name="allowedCharacters">Set of allowed characters in the generated password</param>
/// <param name="excludeCharacters">Set of disallowed characters in the generated password</param>
/// <returns>The generated password as a <see cref="SecureString" /></returns>
/// <exception cref="ArgumentOutOfRangeException"></exception>
public static SecureString GenerateSecure(int length, PasswordCharacters allowedCharacters,
IEnumerable<char> excludeCharacters)
SecureString password = InternalGenerate(length, allowedCharacters, excludeCharacters,
() => new SecureString(),
(pw, ch, index) => pw.AppendChar(ch));
password.MakeReadOnly();
return password;
/// <summary>
/// Common method to generate the password for strings and <see cref="SecureString"/>s
/// </summary>
/// <typeparam name="T">The type of the password to return</typeparam>
/// <param name="length">The length of the password to generate</param>
/// <param name="allowedCharacters">Set of allowed characters in the generated password</param>
/// <param name="excludeCharacters">Set of disallowed characters in the generated password</param>
/// <param name="initialValue">Function to generate the initial password to return</param>
/// <param name="appender">Function to append a character to the password</param>
/// <returns>The generated password</returns>
private static T InternalGenerate<T>(int length, PasswordCharacters allowedCharacters,
IEnumerable<char> excludeCharacters, Func<T> initialValue, Action<T, char, int> appender)
if (length <= 0)
throw new ArgumentOutOfRangeException("length", "Password length must be greater than zero");
// Create a byte array the same length as the expected password and populate it with
// random bytes
var randomBytes = new byte[length];
var randomNumberGenerator = new RNGCryptoServiceProvider();
randomNumberGenerator.GetBytes(randomBytes);
// Create a string of all the characters allowed in the password
string allowedCharactersString = GenerateAllowedCharactersString(allowedCharacters, excludeCharacters);
int allowedCharactersCount = allowedCharactersString.Length;
// Create the password
T password = initialValue();
for (int i = 0; i < length; i++)
appender(password, allowedCharactersString[randomBytes[i] % allowedCharactersCount], i);
return password;
/// <summary>
/// Generates a string of allowed characters after excluding the disallowed characters.
/// </summary>
/// <param name="characters">Set of allowed characters</param>
/// <param name="excludeCharacters">Set of disallowed characters</param>
/// <returns>String of allowed characters, excluding disallowed characters</returns>
private static string GenerateAllowedCharactersString(PasswordCharacters characters,
IEnumerable<char> excludeCharacters)
var allowedCharactersString = new StringBuilder();
foreach (KeyValuePair<PasswordCharacters, string> type in AllowedPasswordCharacters)
if ((characters & type.Key) != type.Key)
continue;
if (excludeCharacters == null)
allowedCharactersString.Append(type.Value);
else
allowedCharactersString.Append(type.Value.Where(c => !excludeCharacters.Contains(c)).ToArray());
return allowedCharactersString.ToString();
/// <summary>
/// Mapping of the <see cref="PasswordCharacters" /> enum to the characters they allow.
/// </summary>
private static readonly Dictionary<PasswordCharacters, string> AllowedPasswordCharacters =
new Dictionary<PasswordCharacters, string>(5)
PasswordCharacters.LowercaseLetters, "abcdefghijklmnopqrstuvwxyz" ,
PasswordCharacters.UppercaseLetters, "ABCDEFGHIJKLMNOPQRSTUVWXYZ" ,
PasswordCharacters.Numbers, "0123456789" ,
PasswordCharacters.Punctuations, @"~`!@#$%^&*()_-+=[]|\:;""'<,>.?/" ,
PasswordCharacters.Space, " "
;
/// <summary>
/// Enum representing the various sets of allowed characters for password generation.
/// </summary>
[Flags]
public enum PasswordCharacters
LowercaseLetters = 0x01,
UppercaseLetters = 0x02,
Numbers = 0x04,
Punctuations = 0x08,
Space = 0x10,
AllLetters = LowercaseLetters | UppercaseLetters,
AlphaNumeric = AllLetters | Numbers,
All = AllLetters | Numbers | Punctuations | Space
【讨论】:
正如目前所写,您的答案尚不清楚。请edit 添加其他详细信息,以帮助其他人了解这如何解决所提出的问题。你可以找到更多关于如何写好答案的信息in the help center。以上是关于生成随机密码的主要内容,如果未能解决你的问题,请参考以下文章