FAQ: How can I generate good strong passwords?

Q: How can I generate good strong passwords?

A: Password Safe. Originally created by noted cryptographer Bruce Schneier of Counterpane Labs, it's open source and free, and has been subjected to extensive peer review.

John Navas

There are any number of good solutions, search for your own. John appears to have a vested interest in this one. It doesn't take a "noted cryptographer" to create a good strong password, and peer review doesn't mean much if you get passwords that you can't remember.

fwiw, _this_ solution only works for Windows. There are non-Windows solutions based on passwordsafe, but even the godlike Bruce Schneier couldn't tell you whether they're any good.

Derek Broughton

Password generators suck. You'll never be able to remember all those funny combinations. I use a personal solution I learned from my wife when I need a strong password, which is not better than any other, but it's also not worse than those passwd 'o' magic:

- Step 1: get the first phrase you think of about the subject and get all the first letters
- Step 2: use caps for all special terms (mostly substantives)
- Step 3: change some letters for numbers (1 for I, 4 for 'for', 3 for E, etc.)

Example: you'll set up a firewall's root passwd... one possible phrase is: "lets lock this box to disable hackers from coming", you'll end up with "lltbtdhfc". The words related are: lock, box, hackers, so you have now "lLtBtdHfc". Now, change some lower caps for numbers: "1LtB2dHfc".

Pretty good, huh? ;) And the best thing is that it is something much easier to remember because it's a phrase that you made up yourself! ;)

hope that helps...

--rengolin

rengolin

I agree with rengolin. This is the best method for remembering your password. You can add:

- step 4: add special characters such as , _ ) ... like this your password will be stronger.

ps: don't forget to change it regularly.

sandrine

SecuGroup

The question is what is the distribution of the first letters of sentences? I strongly suspect it is not random. Certainly in the dictionary far, far more words start with s than u. I.e., this is not a random selection. Now it makes it memorable, which is also important (see next comment).

That can actually make it weaker: the human propensity for forgetting new things means you will have to write it down (danger of local attacks) and not notice when attacks have been made (you make far too many mistakes to notice when someone else has tried your account).

Unruh
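
The first-letter distribution raised above can be measured. The following is an added example, not part of any post in this thread: it applies steps 1 and 2 of the method to the thread's example phrase and estimates the bits per character of word-initial letters, compared with a uniformly random lowercase string. The sample text and the function names are assumptions made for the example.

```python
import math
from collections import Counter

# Constructed sample text (an assumption for this example, not data from the thread).
# A real estimate needs a much larger corpus; a small sample understates the entropy.
SAMPLE = (
    "lets lock this box to disable hackers from coming "
    "the firewall should drop traffic that is not expected "
    "she said that the server was slow since the start of the shift "
    "always store secrets somewhere safe and test the backups too"
)


def initials(phrase, special=()):
    """Steps 1-2 from the thread: first letter of each word, upper-cased for 'special' words."""
    words = phrase.lower().split()
    return "".join(w[0].upper() if w in special else w[0] for w in words)


def shannon_bits_per_char(text):
    """Empirical Shannon entropy, in bits per symbol, of the characters in text."""
    counts = Counter(text)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def compare(sample=SAMPLE, length=9):
    """Return (estimated bits for a first-letter string, bits for a uniform a-z string)."""
    per_char = shannon_bits_per_char(initials(sample))
    # Treating characters as independent gives an upper bound for the phrase-derived case.
    return per_char * length, math.log2(26) * length


if __name__ == "__main__":
    phrase = "lets lock this box to disable hackers from coming"
    print(initials(phrase))                              # step 1
    print(initials(phrase, {"lock", "box", "hackers"}))  # step 2
    derived, uniform = compare()
    print(f"first letters: {derived:.1f} bits, uniform a-z: {uniform:.1f} bits")
```
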

Theoretically the more random your password is the better, but let's face it, it's much better to remember a strong password than not to remember an absurdly-strong password.

And when I say strong I mean against brute-force, because for strong algorithms like AES this is (yet) the only way of breaking. So, as most brute-force algorithms are based on dictionary words and hacker talk, the probability of breaking a non-dictionary sequence of characters is minimal, either with true-random (yet impossible) or not-so-random (like first letters).

Of course I agree with you that if it were pseudo-random letters (as password generators) would be far more random than first letters but would probably increase the break time from a thousand years to a million years... ;)

Agreed, to a certain point. If you only change a few letters, you would still have a strong password and would remember it (at least for some tries until you get in).

We did some tests with those kinds of passwords. I provided the brute-force the first password and, changing only three letters on the second one, it ran for days and couldn't find the second one, just as it did with the first password when it didn't know it. We used several brute-force programs available on the internet.

It certainly isn't the best approach (which would be quantum security) but it's a good one and I can say I trust my firewall's password on it... ;)

regards,

--rengolin

rengolin
