FAQ: How can I generate good strong passwords?

Q: How can I generate good strong passwords?

A: Password Safe* Originally created by noted cryptographer Bruce Schneier of Counterpane Labs, it's open source and free, and has been subjected to extensive peer review.

  • NOT
Reply to
John Navas

???? Password Safe is for storing passwords, not generating them. (It has been claimed to have a generator as well, but it is certainly not described in any documentation. Also, as soon as attackers know that you are using it, you have given away some information, and it is not as strong as it could be.) The proper answer to this is: dd if=/dev/urandom of=/tmp/p bs=100 count=1; less /tmp/p, and copy down the first 20 printable characters. This is a very, very secure password (as secure as it could be, assuming printable characters). It is also a totally unrememberable password. E.g., on my first try: $,c*:11#MwU!`b8QB-Th. As soon as you place "memorability" into the mix, your password is no longer as secure as it could be.

Reply to
Unruh

It's also for generating them...

...as you apparently know. ;)

Of course it is -- see Password Policy. Source code is also available.

Not true -- security by obscurity is an oxymoron.

UNIX-specific, a hassle, and no more secure than Password Safe.

When a password needs to be remembered, I use and recommend Diceware Words.

Not true -- that just changes the entropy of a given key length, which can be offset with a longer key length.

Reply to
John Navas
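The two generators argued over above (Unruh's "first 20 printable characters from /dev/urandom" and Navas's Diceware words), with the entropy of each worked out, as an added example that is not part of the original posts, Navas's FAQ, or Password Safe. It assumes the 94 printable non-space ASCII characters as the alphabet; the short word list is constructed for the demonstration and stands in for the real Diceware list of 6^5 = 7776 words, against which the passphrase entropy is reported.

```python
import math
import os
import secrets
import string

# The 94 printable, non-whitespace ASCII characters (0x21..0x7E): what
# "printable characters" read from /dev/urandom boils down to once spaces
# and control bytes are thrown away.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
assert len(PRINTABLE) == 94

# Constructed stand-in for the Diceware list (the real one has 6^5 = 7776
# entries indexed by five dice rolls). Only the mechanism is shown with it;
# entropy is reported against the real list size below.
SAMPLE_WORDS = ["rock", "blue", "sky", "screen", "urge", "run", "wall",
                "cleft", "cam", "synod", "lacy", "yr"]
REAL_DICEWARE_SIZE = 6 ** 5


def urandom_password(length=20):
    """The dd/urandom recipe in code: read OS randomness, keep only the
    printable bytes, take the first `length` of them. Discarding the other
    bytes is rejection sampling, so each kept character is uniform over 94."""
    out = []
    while len(out) < length:
        for b in os.urandom(64):
            if 0x21 <= b <= 0x7E:          # printable and not a space
                out.append(chr(b))
                if len(out) == length:
                    break
    return "".join(out)


def diceware_passphrase(n_words=5, words=SAMPLE_WORDS, sep=" "):
    """Pick n_words independently and uniformly from the list using the OS
    CSPRNG, which is the computer equivalent of rolling physical dice."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` independent uniform picks from
    `alphabet_size` choices: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def random_chars_bits(length, alphabet_size=len(PRINTABLE)):
    return entropy_bits(alphabet_size, length)


def diceware_bits(n_words, list_size=REAL_DICEWARE_SIZE):
    return entropy_bits(list_size, n_words)


if __name__ == "__main__":
    print(urandom_password(20), f"{random_chars_bits(20):.1f} bits")
    print(diceware_passphrase(7),
          f"{diceware_bits(7):.1f} bits (against the full 7776-word list)")
    # The thread's own examples, side by side:
    print(f"$,c*:11#MwU!`b8QB-Th : {random_chars_bits(20):.1f} bits")
    print(f"cleftcamsynodlacyyr   : {diceware_bits(5):.1f} bits")
    print(f"$,c*:11               : {random_chars_bits(7):.1f} bits")
```

Both routes draw from the operating system's CSPRNG, so the only thing that differs is the alphabet: about 6.55 bits per random printable character versus about 12.9 bits per Diceware word. Twenty random characters give roughly 131 bits; five Diceware words give roughly 65 bits, seven words roughly 90 bits. The entropy figures assume the words were actually chosen at random; a phrase picked or reordered by hand for memorability no longer earns the full log2(7776) per word.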

The password is the one item that MUST be secure. Its generating mechanism is important. Let's say we know our adversary uses a generator which produces consecutive letters of the alphabet as the password. It makes breaking his password easy. Any generator which does not simply make each letter an independent random variable over all letters gives the attacker information.

A hassle? How is it more of a hassle than downloading password safe, and figuring out how to use it to generate passwords.

Which destroys memorability again.

Reply to
Unruh

Of course.

Not necessarily. The best generator is one that's open and subject to peer review. Otherwise, there may be unknown defects. Security *doesn't* come from keeping the algorithm secret -- it comes from having a good algorithm, and sufficient password entropy (e.g., length). Randomness in the computer sense isn't necessarily a guarantee of security, since most so-called random number generators are actually pseudo-random, based on some sort of predictable algorithm.

Password Safe is dead easy to use, open source and subject to peer review, runs on Windows and other platforms, and does much more than just generate passwords. :)

Use of dice is more random than most computer algorithms.

Again, not necessarily. Something like "rock blue sky screen urge run wall" (diceware words) is both more secure and much easier to remember, especially if you generate a phrase with a memorable acronym.

Reply to
John Navas

Nice link.

Interestingly enough, generating good strong passwords is significantly easier than developing an administrative policy that *enforces* good strong passwords.

I often see various versions of "minimum length 10 characters, with at least two each upper case, lower case, numeric, and special characters, and may not contain any recognizable words". Now, if I as a wannabe cracker know that information, my job just got easier instead of harder. First, I don't have to worry about any passwords less than ten characters. I also don't have to worry about all upper, all lower, all numeric, or all special, and since I know that there are at least two of each I also don't need to check any variant that doesn't have at least two of each included. I can also probably exclude any sequence of letters that appears in a common dictionary.

As a result, such a "secure password policy" can actually serve to greatly reduce the universe of possible passwords, and has the potential to actually lower rather than enhance overall security (unless of course you're in an environment with users that think "password" is a good password, in which case you have to do something).

Reply to
DooDah
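How much a composition rule like the one quoted above actually shrinks the search space can be counted exactly, so here is an added example (not code from the original posts or from any product named in the thread) that does so. It assumes four character classes of 26 upper, 26 lower, 10 digit and 32 special characters, the rule "at least two of each", and passwords of exactly the minimum length, 10; the dictionary-word exclusion is not modelled. The count sums, over every way of splitting the length across the classes, the multinomial coefficient times the number of ways to fill each class's slots, and a brute-force enumerator is included to check the formula on small cases.

```python
import math
from itertools import product
from math import comb


def count_with_min_each(class_sizes, min_each, length):
    """Number of strings of `length` characters, drawn from the union of the
    character classes, containing at least `min_each` characters from every
    class. For each split (k_1..k_m) of the length across the classes:
    multinomial(length; k_1..k_m) * prod(size_i ** k_i)."""
    m = len(class_sizes)
    total = 0
    for ks in product(range(min_each, length + 1), repeat=m):
        if sum(ks) != length:
            continue
        ways = 1
        remaining = length
        for k, size in zip(ks, class_sizes):
            ways *= comb(remaining, k) * size ** k   # choose slots, then fill
            remaining -= k
        total += ways
    return total


def total_strings(class_sizes, length):
    """All strings of that length over the combined alphabet, no rule."""
    return sum(class_sizes) ** length


def policy_cost(class_sizes, min_each, length):
    """Returns (allowed, total, bits_lost): how many strings satisfy the
    composition rule, how many exist without it, and log2(total/allowed),
    the bits an attacker who knows the policy no longer has to search."""
    allowed = count_with_min_each(class_sizes, min_each, length)
    total = total_strings(class_sizes, length)
    if allowed == 0:                  # rule unsatisfiable at this length
        return allowed, total, float("inf")
    return allowed, total, math.log2(total / allowed)


def brute_force_count(alphabets, min_each, length):
    """Reference for small cases: enumerate every string and test the rule."""
    classes = [set(a) for a in alphabets]
    alphabet = "".join(alphabets)
    n = 0
    for s in product(alphabet, repeat=length):
        if all(sum(ch in c for ch in s) >= min_each for c in classes):
            n += 1
    return n


# Assumed sizes for the quoted policy: upper, lower, digit, special.
DOODAH_CLASSES = (26, 26, 10, 32)

if __name__ == "__main__":
    allowed, total, lost = policy_cost(DOODAH_CLASSES, 2, 10)
    print(f"all 10-character strings:      {total:.3e}")
    print(f"satisfying 'two of each':      {allowed:.3e}")
    print(f"fraction kept: {allowed / total:.3f}, bits removed: {lost:.2f}")
```

For the assumed policy the rule removes only a few bits out of the roughly 65 that ten uniformly random printable characters carry, so against randomly generated passwords the composition rule is cheap; the damage the thread is worried about comes from users who satisfy the rule with predictable patterns, which this count does not model.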

I agree. However, as I read the very brief stuff I can find about Password Safe's generator, the user feeds it all kinds of conditions on the passwords (length, lower case only, at least one non-alpha character, etc.). This can result in very insecure passwords being generated (that they are as secure as they could be given the constraints is irrelevant). In addition, the program uses an algorithmic random number generator, as I see it, as well. I.e., it would be far better to give a series of rules for good password generation rather than just point users to a program whose primary purpose is something else, whose password generation capability is hard to find in the documentation, and which has no warnings or description as to what makes a good password in the docs. It also lulls the naive user into a belief that they can hand off their security to a program which they do not understand.

Yes, so why are you advertising it as the only way to get a secure password?

Perhaps.

If you generate the phrase it is not random. That particular phrase I suspect has far less randomness than my phrase, and the urge to misremember by inserting verbs and articles is high.

Reply to
Unruh

It's possible to misuse *any* tool. The primary reason for all the options is that different applications (e.g., websites) have different rules (e.g., allowable characters, length) for acceptable passwords. The program's help advises the use of the longest possible password. What more must they do to satisfy you? ;)

True, but one that has passed rigorous tests for randomness. Also, that's what you've advised -- OK for you, but not for Password Safe? ;) Regardless, the only real alternatives are to use something like a keystroke timer, which is both problematic and a hassle, or an external source of randomness, like my recommendation of diceware words.

I don't think those are valid criticisms, but I do agree that I should provide more information, so I've updated my FAQ. See what you think.

I don't think so -- I think the naive user is well-served by Password Safe.

I'm not doing that -- it's just the one I use and recommend. Regardless, I now recommend Diceware Words as well.

I think it's pretty much a given.

It was in fact generated randomly.

It actually has more information entropy, and that's what counts. See:

and the other links I've added to my FAQ.

Inserting verbs and articles would actually increase strength by increasing length, not decrease it.

Reply to
John Navas

Euh, this is bullshit. Obscuring the target is a good security technique. If the bad guys don't know you're there, how can they come after you?

Yes but...

Sure. but so what?

Imagine (gasp) you don't have unix. Or don't understand what all that magick dd stuff does.

I disagree. Many people can remember pretty long strings of fairly random letters, such as a sequence of names and dates. Mark McIntyre

Reply to
Mark McIntyre
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

"Secrecy, Security, and Obscurity" by Bruce Schneier Founder and CTO Counterpane Internet Security, Inc.

Reply to
John Navas

Not them, you. You say that to have a strong password they should use Password Safe. Period. That is not sufficient.

I have no objection to Password Safe per se. I do have objections to you essentially saying that if the user uses Password Safe then they are OK.

What I interpret "generate the phrase" is that you generate the words, or add words to the words from diceware or whatever so as to get a memorable phrase. If you just use diceware, the stuff you get is not very memorable.

E.g., their example: cleftcamsynodlacyyr. While somewhat more memorable than $,c*:11#MwU!`b8QB-Th, it also has much less "entropy" (about the same as $,c*:11, which is probably easier to remember).

No, I meant that the user, in trying to remember it, would insert articles and verbs, meaning that he would type in the wrong passphrase.

Reply to
Unruh

I'm done with this increasingly pointless argument, giving you the last word. ;)

Reply to
John Navas

I for one wished that you wouldn't keep posting this over and over again, automated or not, if it wasn't posted you wouldn't have this debate *every* time it's posted!

Reply to
David Taylor

Hi All,

Try this free utility - ViPNet [Password Roulette] - it is a free password generator, which makes easy-to-remember passwords! Did you see it? You might not use it but I am sure you will have some fun with generated passwords. It is free.

"... The innovation of this software is simple and genius. The passwords are derived from word phrases easy to remember. Often these phrases have a humorous touch facilitating the process of memorizing. The password list can be generated in 3 languages: English, German and Russian. Additionally ViPNet [Password Roulette] can generate random digital passwords ..."

Reply to
novikov
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

You know it to be safe and secure because ... ?

A basic premise of good security is to take nothing at face value.

Reply to
John Navas

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.