FAQ: How can I generate good strong passwords?

Q: How can I generate good strong passwords?

A: Password Safe* Originally created by noted cryptographer Bruce Schneier of Counterpane Labs, it's open source and free, and has been subjected to extensive peer review.

Reply to
John Navas

Why is this a typical "security question non-answer"? The answer is a great way (I suppose) to store your passwords, but has nothing whatsoever to do with generating them in the first place.

Personally I roll a set of hex dice. 8*)

Reply to
William P. N. Smith

I think you'll find it IS relevant. Passwordsafe can generate passwords for you.

Say you are registering for a website. You create a new entry in Passwordsafe and click the 'Generate' button. Hey presto, a new password (also, you can generate passwords again and again before you select the best one).

There are options to configure how the password is generated too:

- Set password default length
- Use lowercase
- Use uppercase
- Use digits
- Use symbols
- Use only easy-to-read chars (i.e. no 0 and O)

I use Passwordsafe and it's great. I know I have secure passwords, plus I don't have to resort to passwords that could be cracked easily.

Harry

Reply to
Harry
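The generator options listed in the post above, together with the "hex dice" mentioned earlier in the thread, are easy to reproduce so you can see what each option does to the keyspace. The following is an added example written for this page; it is not Password Safe's code, and the exact set of "hard to read" characters that tool drops is not stated on the page, so the AMBIGUOUS list here is an assumption. It uses Python's secrets module (a CSPRNG) rather than random.random(), which is the point raised later in the thread about JavaScript's random number generator.

```python
import math
import secrets
import string

# Characters that are easy to confuse in print or on screen. The post mentions
# "0 and O" as the kind of pair the option removes; the exact set Password Safe
# excludes is not on the page, so this list is an assumption.
AMBIGUOUS = frozenset("0O1lI|5S8B2Z")
SYMBOLS = string.punctuation


def character_pools(lowercase=True, uppercase=True, digits=True,
                    symbols=True, easy_to_read=False):
    """Return the enabled character classes, mirroring the options in the post."""
    pools = []
    if lowercase:
        pools.append(string.ascii_lowercase)
    if uppercase:
        pools.append(string.ascii_uppercase)
    if digits:
        pools.append(string.digits)
    if symbols:
        pools.append(SYMBOLS)
    if easy_to_read:
        pools = ["".join(c for c in pool if c not in AMBIGUOUS) for pool in pools]
    if not pools:
        raise ValueError("enable at least one character class")
    return pools


def generate_password(length=16, **options):
    """Draw a password with the secrets module (CSPRNG), not random.random().

    Each enabled class must appear at least once, which is what a user expects
    from such an option; rejection sampling keeps every qualifying password
    equally likely instead of biasing fixed positions.
    """
    pools = character_pools(**options)
    if length < len(pools):
        raise ValueError("length too short to contain every enabled class")
    alphabet = "".join(pools)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in pool for c in candidate) for pool in pools):
            return candidate


def password_entropy_bits(length, **options):
    """Upper bound on entropy: length * log2(alphabet size).

    The must-contain-each-class rule rejects a few candidates, which lowers
    the true figure slightly; for length >= 12 the difference is a fraction
    of a bit.
    """
    alphabet = "".join(character_pools(**options))
    return length * math.log2(len(alphabet))


def roll_hex_dice(n_digits):
    """Software stand-in for the hex dice mentioned earlier in the thread:
    each 'roll' is one uniformly random hex digit, 4 bits apiece."""
    return "".join(secrets.choice("0123456789ABCDEF") for _ in range(n_digits))


if __name__ == "__main__":
    print(generate_password(16))
    print(generate_password(12, symbols=False, easy_to_read=True))
    print(round(password_entropy_bits(16), 1), "bits for 16 chars, all classes")
    print(roll_hex_dice(64), "<- a full 256-bit WPA key")
```

Turning off symbols or enabling easy-to-read characters shrinks the alphabet, so the same length buys fewer bits; password_entropy_bits makes that trade-off visible before you pick a length.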

And the next time you want to access a website from an internet cafe you will do what?

mike

Reply to
Mike Preston

Type it in! ;-)

I knew a lad who could remember about 20 M$ OEM and other codes!

I still don't know my own mobile number and I've had it 10 years! ;-(

Joking aside couldn't you store the prog / safe on yer pen drive .. then you could (probably?) use it in the Inet cafe?

All the best ..

T i m

Reply to
T i m

Use your USB drive. Better to have a secure password than see all your accounts get hacked and stolen!

Reply to
Harry

For a WPA-PSK passphrase ?

David Webb Security team leader CCSS Middlesex University

Reply to
david20

He did say 'hex dice', so presumably these are marked 0-F, so I suppose you could use ABBACABABBACAB as a passphrase ;-)

All the best ..

54 69 6D ;-)
Reply to
T i m

*Never ever* use passwords on a public computer!
Reply to
John Navas

Why not (assuming you could get them)? The only downside is that you would have to enter even more hex digits than letters -- for a secure WPA key, at least 24, ideally 32.

Reply to
John Navas

Precisely.

David Webb Security team leader CCSS Middlesex University

Reply to
david20

My apologies, BTW, for not realizing that this password store also generates passwords. I'm still a bit reluctant to let a program (even an open-source one) generate passwords for me, and in the end it still comes down to the security of the password to the vault.


The WinDoze widget wants 8-63 ascii or 64 hex, FWIW. Anyone actually done this?

Reply to
William P. N. Smith

Assuming that the attack against the key is a "try random values until you get it" attack.

If it's a "try common words in the English language" attack, many letter-based passphrases will be broken before a relatively short hex-based passphrase will.

[Assuming you aren't unlucky enough to get "FEEDDEADBEEFC0FFEE" as your random hex string]

I'm waiting for the time that someone comes out with a passphrase cracker that demonstrates the lack of entropy in the English language.

Alun. ~~~~

Reply to
Alun Jones
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

Only if the letter-based passphrases are short -- see

for thorough background. The recommendation for letter-based passphrases is that they be over 20 characters.

Reply to
John Navas

But then we come full circle. Passphrases not in the dictionary take a really long time to break, even if they are only 8 characters long. Made-up words, deleborateily miespeeelehd werdes, acronyms, and conglomerations are pretty secure, though not as secure as random letter combinations, which in turn are not as secure as truly random hex keys.

Reply to
William P. N. Smith

Easy enough to miss the "generation" portion, it isn't an obvious "feature", just part of the product.

I have also been using a javascript that I saved to my PC.

is no access to the web.

I put in a couple of alpha characters at random here and there to make up my own key that was not generated by the web form.

I have been using an encrypted zip of plaintext hints on a flash drive. Sometimes I forget what the hint was supposed to mean, though, so that's kind of annoying. ;-)

I'd like to convert to the safe. I haven't explored how to import an ASCII list, but I see there's a unix command line tool to the same database, so I suppose I'll get there, even if it's copy-paste.

Reply to
dold

Based only on simple iteration of the Javascript random number generator, so digit sequencing is predictable, and no better than the real randomness of the generator in any event.

Standard ZIP encryption can often be cracked with a known plaintext attack.

This can even work when the start of the encrypted ZIP file is simply guessed; e.g., "Password ...". As a result, I don't recommend it.

Password Safe* (open source freeware originally created by noted cryptographer Bruce Schneier of Counterpane Labs) can import a plain text file with user-specified field separators.

Reply to
John Navas
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

Another false sense of security: There's no way to know in advance and thus avoid what is or is not in the dictionary, so what you propose is thus just a guess. Worse, since the attack can be mounted offline, a brute force attack might well succeed. There's no good reason to take any unnecessary risk, since a good passphrase is so easy to generate.

The drawback to those approaches is that the resulting keys are hard to remember and to use, which tends to encourage the kind of sloppiness that can compromise any system, no matter how robust. Better to use something secure that is still relatively easy to remember. Hence the recommendation to use word-based passphrases of more than 20 characters; e.g., "floor hiking dirt ocean", which is much easier to memorize than a "random" string yet still very robust.

Reply to
John Navas
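The arguments above (hex vs. letters, "8-63 ASCII or 64 hex", 24 vs. 32 hex digits, dictionary words vs. made-up words vs. multi-word passphrases) can be put on one footing by computing what a WPA-PSK network actually keys on and how many bits each kind of input carries. The following is an added example for this page, not code from any poster or from Password Safe. The PSK derivation follows IEEE 802.11i (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt, 32-byte output); the word-list sizes, the 1,000 mangling rules and the 1e6 guesses-per-second attacker in compare_candidates are assumptions chosen for illustration.

```python
import hashlib
import math

HEX_DIGITS = set("0123456789abcdefABCDEF")


def wpa_psk(key_input: str, ssid: str) -> bytes:
    """Return the 256-bit pre-shared key a WPA/WPA2-PSK network actually uses.

    IEEE 802.11i accepts two forms of input, which is why the Windows dialog
    in the thread asks for "8-63 ASCII or 64 hex":
      * 64 hex digits are the key itself (256 bits, the most the PSK can hold);
      * an 8..63 character ASCII passphrase is stretched with
        PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt, into the same 32 bytes.
    A captured 4-way handshake lets an attacker run this function offline
    against guesses, so the key's strength is the entropy of the input.
    """
    if len(key_input) == 64 and all(c in HEX_DIGITS for c in key_input):
        return bytes.fromhex(key_input)
    if not 8 <= len(key_input) <= 63:
        raise ValueError("need 8..63 ASCII characters or exactly 64 hex digits")
    return hashlib.pbkdf2_hmac("sha1", key_input.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` symbols each drawn uniformly from `choices` symbols."""
    return length * math.log2(choices)


def expected_years_to_break(bits: float, guesses_per_second: float) -> float:
    """Expected offline search time: on average half the space is tried."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 86400)


def compare_candidates(guesses_per_second: float = 1e6) -> dict:
    """Entropy and break time for the kinds of keys argued over in the thread.

    Assumptions: a 7,776-word list (Diceware size) and a 100,000-word
    English list; 1,000 mangling rules for a deliberately misspelt word;
    1e6 PBKDF2 guesses/s is an illustrative attacker, not a measurement.
    """
    candidates = {
        "24 random hex digits":                    entropy_bits(16, 24),
        "32 random hex digits":                    entropy_bits(16, 32),
        "64 random hex digits (raw PSK)":          entropy_bits(16, 64),
        "8 random lowercase letters":              entropy_bits(26, 8),
        "8 random printable ASCII":                entropy_bits(95, 8),
        "4 random words, 7776-word list":          entropy_bits(7776, 4),
        "4 random words, 100000-word list":        entropy_bits(100_000, 4),
        "1 English word + 1000 mangling variants": entropy_bits(100_000 * 1000, 1),
    }
    return {name: (round(b, 1), expected_years_to_break(b, guesses_per_second))
            for name, b in candidates.items()}


if __name__ == "__main__":
    print(wpa_psk("password", "IEEE").hex())  # IEEE 802.11i Annex H test vector
    for name, (bits, years) in compare_candidates().items():
        print(f"{name:42s} {bits:6.1f} bits  ~{years:.3g} years")
```

Two things the table makes concrete: a passphrase only counts as "random words" if the words were actually drawn at random from a list, and a single mangled word is bounded by the number of mangling rules a cracker tries, not by how unusual the spelling looks. Four random words from even a small list beat eight random lowercase letters, and 24 hex digits beat both.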

on 10/13/2005 6:05 AM snipped-for-privacy@alpha2.mdx.ac.uk said the following:

Hmmm, I missed the beginning of the thread, but why not make a hard key to remember? After all, your laptop or whatever will remember it for you. You need to change it periodically, but it's not like it's every time you log in. Or am I missing something about the attack modality?

JH

Reply to
John Hyde

The primary issue is that it's harder to enter all the keys when they are hard to remember, which also discourages changing them periodically. So why not just use easy to remember and enter passphrases?

The problem with storing passwords on computers is that such passwords, unless given robust protection, are only as secure as the computers themselves, and Windows itself isn't terribly secure. Thus Windows shouldn't always be storing network passwords automatically -- it should at least be a user option.

(In one case I know of, a "guest" at a party helped himself to confidential information on a computer in a bedroom.)

Reply to
John Navas

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.