PWGen for Windows
-----------------

Copyright (c) 2002-04 by Christian Thoeing

Version 1.40
- French translation of the program is available, thanks to Marc Croteau (by the way, I modified the structure of language.txt ...)
- now PWGen uses the ANSI X9.17 CSPRNG (based on AES) to generate passwords, instead of directly accessing the random pool -- this should be more secure (besides, PGP does it ...)
- entropy gathering has been extended: PWGen intercepts all incoming Windows messages and adds the potentially "random" events (i.e. keystrokes and mouse clicks) to the pool; this means that the application _always_ collects entropy, whenever you type or click
- the information about the "security" of the current password (Step III) is flexible now, depending on the entropy bits in the random pool; hence it follows that, if you request the "next password" (Ctrl+N), the "security" information will be updated and display the current number of true random bits in the pool; note that creating the next password will "consume" password_size bits from the random pool
- a nice little feature can be accessed by F12: it shows a message box informing you of the number of true random bits in the pool
- if possible, PWGen calls the Pentium RDTSC instruction which returns a very high-resolution counter and results in excellent entropy values
- I have set the default value for "EntropySrcBIPB" (-> config.ini) to 0.5 (formerly 0.25) and the default value for "SysEntBitsOfInfo" to 34 (formerly 32); I'm sure this is perfectly OK, since the counters called by PWGen provide very good entropy
- new setting (-> config.ini) "RandSeedPath" (i.e. path to the randseed file containing the "seed" for the random pool); as this file contains sensitive data (although it is definitely _not_ possible to recover any information concerning passwords from it), you are now given the possibility to "hide" it, e.g. on a floppy disk or somewhere on your hard disk; you can specify a mere path or a concrete file name
- new functions:
  - "Phonetic" (i.e. pronounceable [using phoneme rules]) passwords can be created in the "Get Password List" menu (Ctrl+F5)
  - strong clipboard encryption (AES in CFB mode): Misc./Clipboard Encryption/Encrypt or Decrypt; can be used to encipher small(!) text files, for example password "safes" stored in text format; hotkeys: Shift+Ctrl+C, Shift+Ctrl+D
  - "Permutation/Lottery" (F9): creates a random permutation that can be used as lottery numbers etc.
- removed "Add to File" (popup menu of the password field in Step III), added "Format as Entry": formats the password as an "entry" (i.e. of a password safe) and copies it to the clipboard (hotkey: Ctrl+E)
- you can change the "security level" of the program in the configuration dialog (F3) and choose between "Low (speed has priority)", "Normal" (i.e. the default settings) and "High (paranoia)"
- I made the confirmation message box shown when quitting the program a "security" message box, i.e. it can be disabled (-> config.ini)
- lots of the changes, modifications, bug fixes etc. only affect the source code of PWGen and don't change the behaviour of the program
- have I already mentioned the minor changes & fixes? :-)

Version 1.35
- "breaking news": PWGen features multilingual support now; all messages of PWGen can be easily translated into another language (see language.txt and config.ini)
- removed function "Password List" ("Misc." menu); now password lists can be easily created by calling the specific "Get Password List..." functions
- the program's settings can be modified via Windows dialog; press F3 to try this new feature (keep in mind that you have to restart the application in order to make changes effective!)
- fixed bug in ClearControlTextBuf() (-> Main.cpp)
- a lot of slight changes to meet the programmer's perfectionism ;-)

Version 1.32
- new function "Add to File" accessible in the context menu of the password field (Step III); it adds the password and other relevant information as an "entry" to the file. If you encrypt this "list", it can serve you as a real password safe!
- minor changes

Version 1.31
- new feature "Password List" available in the "Misc." menu: it delivers a list containing 100 48-bit passwords coded as Base64 (length: 8 characters); you can use these "quick & dirty" passwords for services that DON'T REQUIRE HIGH SECURITY!
- some slight cosmetic changes

Version 1.30
- entropy collecting procedure now adapted to PGP; it should be more secure than the old version and even more secure than PGP, since PWGen provides more flexibility; see "EntropySrcBIPB" in config.ini for more details
- added new function "Get Randomness" (in the "Misc." menu): it yields randomness coded as Decimal, Hexadecimal, Base64 or Words
- "Create Random File" can now be called from the "Misc." menu
- improved entropy technique: the content of the random pool is saved as a file ("__randseed.bin"); this data is no security risk; however, you can disable this process by changing the configuration
- extended possibilities of showing random strings during the entropy collecting procedure (see config.ini for more details)
- new function "Restart" ("Misc." menu)
- new option "PrefPasswSize" (see config.ini)
- extended system entropy
- fixed minor bug in the Base64 module
- minor fixes/changes

Version 1.20
- new password generation technique: PWGen now uses a PGP-like random pool ensuring highest information density
- changed restrictions in Step II: the process can easily be cancelled by clicking on "Next" (note that this may affect the password security!)
- changed configuration (see config.ini)
- some general changes (program menus, source code etc.)

Version 1.15
- added new coding type: passwords can now be displayed as passphrases; PWGen makes use of the Diceware 8k word list containing 8192 (2^13) words; visit http://www.diceware.com for more information about Diceware
- you can use your own word list (see configuration file for more details)
- you can create files consisting of purely random data (use the context menu of the password field)
- new function: "Next password" (Step III): calculates a new password out of the current one, very easy and fast, whereby nothing of the entropy gets lost (like a pseudo-random number generator)
- new option in Step II: passwords can be created without collecting any additional entropy (then only system entropy is used)
- the program shouldn't leave _any_ memory traces now
- password length limited to 2048 bits (seemed more logical to me)
- PWGen is now available as a package with a setup program (PWGen-XXX-Setup.exe, where XXX is the version number)
- not to forget the notorious "slight" (more or less) changes ...

Version 1.11
- added language support for German (translated HTML file); if you want to translate the documentation into another language, please contact me!

Version 1.10
- a whole bunch of new features have been added ...
- the program works with CryptPak 4.06 now (you can download the latest CryptPak version from http://come.to/hahn)
- changed appearance and work mode of "Step II": PWGen is now capable of displaying a random string that you can copy in order to get better entropy data
- the text the user enters into the field is not shown any longer
- the program now checks if the user simply presses the same key all the time ("OK" or "BAD" is displayed after every keystroke)
- changed bit generation of the keyboard delay entropy source: PWGen now mixes two random events derived from the time between keystrokes:
    entropyBit = (delay AND 1) XOR (delay > lastDelay)
- changed timer: the program uses a high performance counter now
- changed gathering of system entropy: it is now more secure/random, and the resulting sequence is 12 bytes (instead of 10 bytes) long
- PWGen can be run in the system tray now (very useful!)
- added a configuration file (config.ini) where the user can manually change several settings, for example whether the program shall create files containing the collected entropy (for test purposes) and so on; see the file config.ini for more details
- default password size is now set to 72 bits
- changed the program icon: it is now a dice that represents the randomness of the passwords and, hence, the cryptographical strength of the program; moreover it's simpler in regard to its graphic and more beautiful :-)
- added SHA-1 self-test
- changed directory structure of the source code
- added MD5 checksums for the Zip files (click on the PWGen release notes to get them)
- a lot of cosmetic/minor changes and slight code improvements

Version 1.01
- fixed a bug in the password information fields ("Length", "Security"): the password security is NOT proportional to its length!
- replaced message box signal (occurs when you have finished typing) by a pure acoustic signal
- changed the directory structure of the source: CryptPak must be copied in a separate directory ("..\CryptPak") now
- some cosmetic changes in the source files

Version 1.00
- first public release
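
The keyboard delay bit generation from the Version 1.10 notes, entropyBit = (delay AND 1) XOR (delay > lastDelay), as an added example that is not PWGen's own source code. The function names, the tick values and the handling of the first delay are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical helper (not PWGen source): one raw bit per keystroke delay,
// entropyBit = (delay AND 1) XOR (delay > lastDelay).
unsigned entropyBit(std::uint64_t delay, std::uint64_t lastDelay) {
    return static_cast<unsigned>(delay & 1u) ^ (delay > lastDelay ? 1u : 0u);
}

// Convert keystroke timestamps (counter ticks) into raw bits.
// Assumption: the first delay only primes lastDelay and yields no bit.
std::vector<unsigned> bitsFromTimestamps(const std::vector<std::uint64_t>& ticks) {
    std::vector<unsigned> bits;
    if (ticks.size() < 3) return bits;  // two delays are needed for one bit
    std::uint64_t lastDelay = ticks[1] - ticks[0];
    for (std::size_t i = 2; i < ticks.size(); ++i) {
        const std::uint64_t delay = ticks[i] - ticks[i - 1];
        bits.push_back(entropyBit(delay, lastDelay));
        lastDelay = delay;
    }
    return bits;
}

// Pack bits MSB-first; bits that do not fill a whole byte are dropped.
std::vector<std::uint8_t> packBits(const std::vector<unsigned>& bits) {
    std::vector<std::uint8_t> out(bits.size() / 8, 0);
    for (std::size_t i = 0; i < out.size() * 8; ++i)
        out[i / 8] = static_cast<std::uint8_t>((out[i / 8] << 1) | (bits[i] & 1u));
    return out;
}

int main() {
    // Constructed tick values, not measurements.
    const std::vector<std::uint64_t> typed = {1000, 1457, 1830, 2412, 2899,
                                              3105, 3990, 4321, 4700, 5213};
    // A coarse timer reporting identical delays: every derived bit is 0.
    const std::vector<std::uint64_t> coarse = {0, 500, 1000, 1500, 2000};
    for (std::uint8_t b : packBits(bitsFromTimestamps(typed))) std::printf("%02x\n", b);
    for (unsigned b : bitsFromTimestamps(coarse)) std::printf("%u", b);
    std::printf("\n");
    return 0;
}
```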