Bitcoin Forum
December 02, 2016, 08:27:46 PM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Secure Password Generation  (Read 1880 times)
a63ntsm1th
Member
**
Offline Offline

Activity: 94


View Profile
July 24, 2011, 02:37:07 AM
 #1

While setting up some bitcoin security measures and opening up some trading accounts i was having trouble thinking up passwords.  After googling for a few minutes I realized that there is no way you can trust a piece of software or a website to generate a password for you.

I was then reminded of diceware, the most secure password generation program in existence. (hint its not a computer program)

http://world.std.com/~reinhold/diceware.html

I have used this before to generate passphrases that are totally immune to any subconcious thought patterns I may have.

This is like superspy type level of security stuff (I like to pretend I'm Jason Bourne) so its kinda fun too!

edit: I realize this is a bit dated (not unlike myself) so any improved methods would be appreciated!

just my .02 btc
1480710466
Hero Member
*
Offline Offline

Posts: 1480710466

View Profile Personal Message (Offline)

Ignore
1480710466
Reply with quote  #2

1480710466
Report to moderator
1480710466
Hero Member
*
Offline Offline

Posts: 1480710466

View Profile Personal Message (Offline)

Ignore
1480710466
Reply with quote  #2

1480710466
Report to moderator
1480710466
Hero Member
*
Offline Offline

Posts: 1480710466

View Profile Personal Message (Offline)

Ignore
1480710466
Reply with quote  #2

1480710466
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480710466
Hero Member
*
Offline Offline

Posts: 1480710466

View Profile Personal Message (Offline)

Ignore
1480710466
Reply with quote  #2

1480710466
Report to moderator
1480710466
Hero Member
*
Offline Offline

Posts: 1480710466

View Profile Personal Message (Offline)

Ignore
1480710466
Reply with quote  #2

1480710466
Report to moderator
1480710466
Hero Member
*
Offline Offline

Posts: 1480710466

View Profile Personal Message (Offline)

Ignore
1480710466
Reply with quote  #2

1480710466
Report to moderator
error
Hero Member
*****
Offline Offline

Activity: 574



View Profile
July 24, 2011, 02:44:20 AM
 #2

I usually generate passwords with something like:

Code:
dd bs=32 count=1 if=/dev/random | base64

This isn't for everyone, of course, but it's going to be quite a while before anyone breaks one of those. Grin

15UFyv6kfWgq83Pp3yhXPr8rknv9m6581W
Smalleyster
Member
**
Offline Offline

Activity: 70


I yam what I yam. - Popeye


View Profile WWW
July 24, 2011, 02:45:48 AM
 #3

I use this one

http://www.pctools.com/guides/password/

Why is yours so super special?
(comment was directed to OP)

Feel like investing in a Miner?:
http://bitcointalk.org/index.php?topic=30044.msg377773#msg377773
A soup to nuts newbee system for a secure, portable USB wallet (free instructions):
NoobHowTo: http://bitcointalk.org/index.php?topic=27088.msg341387#msg341387
Phinnaeus Gage
Legendary
*
Offline Offline

Activity: 1302


Bitcoin: An Idea Worth Spending


View Profile
July 24, 2011, 02:52:04 AM
 #4

How about colored diced and a color-coded periodic table?



Bitcoin: Where Liberty Blossoms
a63ntsm1th
Member
**
Offline Offline

Activity: 94


View Profile
July 24, 2011, 02:56:12 AM
 #5

I use this one

http://www.pctools.com/guides/password/

Why is yours so super special?
(comment was directed to OP)

Its not particularily special beyond the fact that it totally disconnects you from computer technology in the generation of the passphrase which is kinda cool to me Tongue

The other ideas here are interesting as well!

just my .02 btc
Smalleyster
Member
**
Offline Offline

Activity: 70


I yam what I yam. - Popeye


View Profile WWW
July 24, 2011, 02:57:48 AM
 #6

How about colored diced and a color-coded periodic table?



Bitcoin: Where Liberty Blossoms

OOOOOHHHHH Pretty colors! Oops musta been a flasback. (felt like '69 8^)

Feel like investing in a Miner?:
http://bitcointalk.org/index.php?topic=30044.msg377773#msg377773
A soup to nuts newbee system for a secure, portable USB wallet (free instructions):
NoobHowTo: http://bitcointalk.org/index.php?topic=27088.msg341387#msg341387
Smalleyster
Member
**
Offline Offline

Activity: 70


I yam what I yam. - Popeye


View Profile WWW
July 24, 2011, 03:01:25 AM
 #7

I use this one

http://www.pctools.com/guides/password/

Why is yours so super special?
(comment was directed to OP)

Its not particularily special beyond the fact that it totally disconnects you from computer technology in the generation of the passphrase which is kinda cool to me Tongue

The other ideas here are interesting as well!

I looked at that page and then the colors...made me put down my drink and hold the armrests.

You guys work too hard. 8^)

Feel like investing in a Miner?:
http://bitcointalk.org/index.php?topic=30044.msg377773#msg377773
A soup to nuts newbee system for a secure, portable USB wallet (free instructions):
NoobHowTo: http://bitcointalk.org/index.php?topic=27088.msg341387#msg341387
Vod
Legendary
*
Offline Offline

Activity: 1848


Licking my boob since 1970


View Profile WWW
July 24, 2011, 03:02:10 AM
 #8

While setting up some bitcoin security measures and opening up some trading accounts i was having trouble thinking up passwords.  After googling for a few minutes I realized that there is no way you can trust a piece of software or a website to generate a password for you.

http://www.lastpass.com

I'm into creating universes, smiting people, writing holy books and listening to prayers.
If you want your prayers answered, you must donate to 1CDyx8AUTiYXS1ThcBU3vy4SJWQq6pdFMH
Phinnaeus Gage
Legendary
*
Offline Offline

Activity: 1302


Bitcoin: An Idea Worth Spending


View Profile
July 24, 2011, 03:07:44 AM
 #9

I use this one

http://www.pctools.com/guides/password/

Why is yours so super special?
(comment was directed to OP)

Its not particularily special beyond the fact that it totally disconnects you from computer technology in the generation of the passphrase which is kinda cool to me Tongue

The other ideas here are interesting as well!

I looked at that page and then the colors...made me put down my drink and hold the armrests.

You guys work too hard. 8^)

Here's something that'll calm you down.



Bitcoin: Where Liberty Blossoms
nux
Newbie
*
Offline Offline

Activity: 24


View Profile
July 24, 2011, 04:20:23 AM
 #10

I use a tool called pwqgen:

nux@stone:~$ pwqgen random=81
Under8Aroma-levy7boyish3Tutor
brass5cork!Trim=Warmth=Cycle
Rudder+colon$Dense2radio$Guilty
Tariff2Maybe7Bark7ribbon2wipe
Warp9noun_Dove-Tweed*Gang

You can even get somewhat readable/memorizeable passwords if you want

nux@stone:~$ pwqgen
Nicely+French&Viola

phillipsjk
Legendary
*
Offline Offline

Activity: 1008

Let the chips fall where they may.


View Profile WWW
July 24, 2011, 05:31:26 PM
 #11

My favorite online password generation site is GRC's Ultra High Security Password Generator. Of course, you would have to trust them not to record every passphrase ever generated.

I also like converting a web-page that changes from time to time to text; then taking the MD5 hash. However, given that I am using public information, I have this nagging feeling that the entropy may no longer "count" as being over 128 bit. I have the feeling everything that has ever been published probably adds up to less than 64 bits of entropy. I have a local file that changes from time-to-time. If it has enough entropy built up, I will use that instead. Example: MD5 hash of the msn frontpage converted to text: 01ac3a67614d6a37ac1fc3731d4fd8d1.

Edit: entropy pool of the file that changes over time: 0; since I overwrote it with the text version of MSN.com and published the hash. New msn.com hash at the time of this writing: 2c822728666881b433ba27caccbc3c6d.

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
ctoon6
Sr. Member
****
Offline Offline

Activity: 350



View Profile
July 24, 2011, 06:04:45 PM
 #12

solutions:
hardware RNG
take pictures of lava lamps, traffic or other stuff and hash it out.
Geiger counter, radiation is truly random.
microphone next to a fan

nafai
Member
**
Offline Offline

Activity: 112



View Profile
July 24, 2011, 06:52:22 PM
 #13

Most password managers have a built-in password generator.  You are using a password manager aren't you?  No?  Then I assume you either use the same password at more than one website/service, or your passwords are too simple.  I have yet to find someone who uses a unique, strong password for their email, facebook, twitter, all their forum accounts (like this one), online banking, paypal, dropbox, domain registrar, dns service, hosting account, amazon, newegg, cell phone provider, credit card accounts, computer administrator account, daily deals sites like groupon, car insurance, student loans, financial analysis like mint, turbotax, gaming accounts like world of warcraft or rift or runescape or w/e, bookmarking/networking sites like delicious, ebay, flickr, github, not to mention their bitcoin wallet, mtgox/tradehill, namecoin wallet, pool accounts like slush/deepbit/btcguild, etc etc ad nauseum...   WITHOUT using a password manager.  Never happened to my knowledge.  Human memory is limited, no way that most of us can remember 50+ unique, strong passwords.

And I'm sorry, but if your password for gmail is hfeu91hr_gmail and for facebook its hfeu91hr_facebook and for newegg its hfeu91hr_newegg, or some other pattern that is easily discerned, those passwords may be unique but they are not strong, because if someone hacks one account and sees your password it's not too hard to guess the password for your other accounts.  No, using "_fb" and "_ne" doesn't help, a smart person can still figure out your scheme.  No, using 3 different "strong" password prefixes instead of 1 doesn't help, then not all of your accounts are vulnerable only 1/3 of them are, but it's still overlapping passwords, i.e. not "strong and unique", just cuz you add a suffix or prefix doesn't make it truly unique.

I recommend KeePass by the way.  All of my passwords are 20-character alphanumeric w/punctuation (pseudo-randomly generated of course, no RNG is truly random) and completely unique.  When the mtgox database was leaked, I was absolutely certain that all I had to be concerned about was getting my mtgox account back and changing its password, none of my other 100+ accounts were in any way vulnerable because every password I use is both strong AND completely unique.

And I don't have to remember them, or even type them in, because like most password managers my keepass lets me hit a hotkey (ctrl-alt-A actually) and it types my login info for me on any of my 100+ accounts.

1HQiS9PLHPcoQMgN8ZdcGwhoMHWh2Hp37p
error
Hero Member
*****
Offline Offline

Activity: 574



View Profile
July 24, 2011, 07:52:58 PM
 #14

Most password managers have a built-in password generator.  You are using a password manager aren't you?  No?  Then I assume you either use the same password at more than one website/service, or your passwords are too simple.  I have yet to find someone who uses a unique, strong password for their email, facebook, twitter, all their forum accounts (like this one), online banking, paypal, dropbox, domain registrar, dns service, hosting account, amazon, newegg, cell phone provider, credit card accounts, computer administrator account, daily deals sites like groupon, car insurance, student loans, financial analysis like mint, turbotax, gaming accounts like world of warcraft or rift or runescape or w/e, bookmarking/networking sites like delicious, ebay, flickr, github, not to mention their bitcoin wallet, mtgox/tradehill, namecoin wallet, pool accounts like slush/deepbit/btcguild, etc etc ad nauseum...   WITHOUT using a password manager.  Never happened to my knowledge.  Human memory is limited, no way that most of us can remember 50+ unique, strong passwords.

And I'm sorry, but if your password for gmail is hfeu91hr_gmail and for facebook its hfeu91hr_facebook and for newegg its hfeu91hr_newegg, or some other pattern that is easily discerned, those passwords may be unique but they are not strong, because if someone hacks one account and sees your password it's not too hard to guess the password for your other accounts.  No, using "_fb" and "_ne" doesn't help, a smart person can still figure out your scheme.  No, using 3 different "strong" password prefixes instead of 1 doesn't help, then not all of your accounts are vulnerable only 1/3 of them are, but it's still overlapping passwords, i.e. not "strong and unique", just cuz you add a suffix or prefix doesn't make it truly unique.

I recommend KeePass by the way.  All of my passwords are 20-character alphanumeric w/punctuation (pseudo-randomly generated of course, no RNG is truly random) and completely unique.  When the mtgox database was leaked, I was absolutely certain that all I had to be concerned about was getting my mtgox account back and changing its password, none of my other 100+ accounts were in any way vulnerable because every password I use is both strong AND completely unique.

And I don't have to remember them, or even type them in, because like most password managers my keepass lets me hit a hotkey (ctrl-alt-A actually) and it types my login info for me on any of my 100+ accounts.

Hi!!!

Chrome + KWallet.

15UFyv6kfWgq83Pp3yhXPr8rknv9m6581W
grantbdev
Sr. Member
****
Offline Offline

Activity: 292



View Profile
July 24, 2011, 08:23:11 PM
 #15

Yeah, Keepass is my choice because it's FOSS and cross platform. You can tell the program how long you want the password, what you want it to include, etc., and it will generate the password among your other stored passwords in an encrypted safe that stays on your computer.

Don't use BIPS!
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!