Bitcoin Forum
Author Topic: Secure Password Generation  (Read 2580 times)
a63ntsm1th (OP), #1, July 24, 2011, 02:37:07 AM

While setting up some bitcoin security measures and opening up some trading accounts I was having trouble thinking up passwords. After googling for a few minutes I realized that there is no way you can trust a piece of software or a website to generate a password for you.

I was then reminded of diceware, the most secure password generation program in existence. (hint: it's not a computer program)

http://world.std.com/~reinhold/diceware.html

I have used this before to generate passphrases that are totally immune to any subconscious thought patterns I may have.

This is like superspy type level of security stuff (I like to pretend I'm Jason Bourne) so it's kinda fun too!

edit: I realize this is a bit dated (not unlike myself) so any improved methods would be appreciated!

just my .02 btc
error, #2, July 24, 2011, 02:44:20 AM

I usually generate passwords with something like:

Code:
dd bs=32 count=1 if=/dev/random | base64

This isn't for everyone, of course, but it's going to be quite a while before anyone breaks one of those. :D

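The two generation methods proposed so far, Diceware in post #1 and `dd if=/dev/random | base64` in post #2, side by side. This is an added example, not code from the thread or from the Diceware site. Python's `secrets` module stands in for the physical dice and for `/dev/random`; `SAMPLE_LIST` is a constructed fragment in the Diceware file format, and `synthetic_wordlist()` builds a placeholder list of the right size so the code runs without the real 7776-word file from the linked page.

```python
"""Diceware passphrases next to raw-random base64 passwords.

Added example, not code from the thread. `secrets` stands in for the dice of
post #1 and the /dev/random of post #2. SAMPLE_LIST is a constructed fragment
in the Diceware file format; synthetic_wordlist() is a same-size placeholder
for the real 7776-entry list (swap the real file in for actual use).
"""
import base64
import math
import secrets

DICE = 5                  # Diceware rolls five d6 per word
LIST_SIZE = 6 ** DICE     # 7776 words, one per possible roll

SAMPLE_LIST = """\
# constructed fragment: five dice digits, whitespace, the word
11111\ta
11112\ta&p
11113\ta's
11114\taa
11115\taaa
"""


def roll_key() -> str:
    """Five fair dice, e.g. '31642'. secrets.randbelow is unbiased (rejection sampling)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE))


def key_to_index(key: str) -> int:
    """'11111' -> 0 ... '66666' -> 7775: the key is a base-6 number with digits 1..6."""
    if len(key) != DICE or any(c not in "123456" for c in key):
        raise ValueError(f"not a {DICE}-dice key: {key!r}")
    idx = 0
    for c in key:
        idx = idx * 6 + int(c) - 1
    return idx


def index_to_key(idx: int) -> str:
    """Inverse of key_to_index; used to build the synthetic list."""
    digits = []
    for _ in range(DICE):
        idx, d = divmod(idx, 6)
        digits.append(str(d + 1))
    return "".join(reversed(digits))


def parse_wordlist(text: str) -> dict:
    """Parse 'NNNNN word' lines into {key: word}; comments and blanks are skipped."""
    words = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, word = line.split(None, 1)
        key_to_index(key)  # raises on a malformed key
        words[key] = word
    return words


def synthetic_wordlist() -> dict:
    """Placeholder entries w0..w7775 so every roll resolves without the real file."""
    return {index_to_key(i): f"w{i}" for i in range(LIST_SIZE)}


def diceware(words: dict, n_words: int) -> list:
    """Roll five dice per word and look each roll up, exactly as done on paper."""
    if len(words) != LIST_SIZE:
        raise ValueError(f"need a complete list of {LIST_SIZE} words, got {len(words)}")
    return [words[roll_key()] for _ in range(n_words)]


def entropy_bits(choices: int, count: int) -> float:
    """Entropy of `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)


def random_base64(nbytes: int = 32) -> str:
    """What `dd if=/dev/random bs=32 count=1 | base64` from post #2 produces."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


def base64_entropy_bits(nbytes: int, kept_chars: int) -> int:
    """Bits left if the base64 string is cut to fit a site's length limit:
    at most 6 bits per base64 character, and never more than the 8*nbytes drawn."""
    return min(6 * kept_chars, 8 * nbytes)


if __name__ == "__main__":
    words = synthetic_wordlist()
    words.update(parse_wordlist(SAMPLE_LIST))  # real entries override placeholders
    print(" ".join(diceware(words, 6)), f"~{entropy_bits(LIST_SIZE, 6):.1f} bits")
    print(random_base64(), f"{entropy_bits(2, 8 * 32):.0f} bits;",
          f"first 20 chars keep {base64_entropy_bits(32, 20)} bits")
```

Six Diceware words give about 77.5 bits; 32 bytes of `/dev/random` give 256 bits in a 44-character string, but a site that caps passwords at 20 characters silently cuts that to about 120 bits, which is the check worth running before pasting a truncated string somewhere.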
Smalleyster, #3, July 24, 2011, 02:45:48 AM

I use this one

http://www.pctools.com/guides/password/

Why is yours so super special?
(comment was directed to OP)

Phinnaeus Gage, #4, July 24, 2011, 02:52:04 AM

How about colored dice and a color-coded periodic table?

a63ntsm1th (OP), #5, July 24, 2011, 02:56:12 AM

> Quote from: Smalleyster on July 24, 2011, 02:45:48 AM
> I use this one
>
> http://www.pctools.com/guides/password/
>
> Why is yours so super special?
> (comment was directed to OP)

It's not particularly special beyond the fact that it totally disconnects you from computer technology in the generation of the passphrase, which is kinda cool to me :P

The other ideas here are interesting as well!

just my .02 btc
Smalleyster, #6, July 24, 2011, 02:57:48 AM

> Quote from: Phinnaeus Gage on July 24, 2011, 02:52:04 AM
> How about colored dice and a color-coded periodic table?

OOOOOHHHHH Pretty colors! Oops, musta been a flashback. (felt like '69 8^)

Smalleyster, #7, July 24, 2011, 03:01:25 AM

> Quote from: a63ntsm1th on July 24, 2011, 02:56:12 AM
>> Quote from: Smalleyster on July 24, 2011, 02:45:48 AM
>> I use this one
>>
>> http://www.pctools.com/guides/password/
>>
>> Why is yours so super special?
>> (comment was directed to OP)
>
> It's not particularly special beyond the fact that it totally disconnects you from computer technology in the generation of the passphrase, which is kinda cool to me :P
>
> The other ideas here are interesting as well!

I looked at that page and then the colors...made me put down my drink and hold the armrests.

You guys work too hard. 8^)

Vod, #8, July 24, 2011, 03:02:10 AM

> Quote from: a63ntsm1th on July 24, 2011, 02:37:07 AM
> While setting up some bitcoin security measures and opening up some trading accounts I was having trouble thinking up passwords. After googling for a few minutes I realized that there is no way you can trust a piece of software or a website to generate a password for you.

http://www.lastpass.com

Phinnaeus Gage, #9, July 24, 2011, 03:07:44 AM

> Quote from: Smalleyster on July 24, 2011, 03:01:25 AM
>> Quote from: a63ntsm1th on July 24, 2011, 02:56:12 AM
>>> Quote from: Smalleyster on July 24, 2011, 02:45:48 AM
>>> I use this one
>>>
>>> http://www.pctools.com/guides/password/
>>>
>>> Why is yours so super special?
>>> (comment was directed to OP)
>>
>> It's not particularly special beyond the fact that it totally disconnects you from computer technology in the generation of the passphrase, which is kinda cool to me :P
>>
>> The other ideas here are interesting as well!
>
> I looked at that page and then the colors...made me put down my drink and hold the armrests.
>
> You guys work too hard. 8^)

Here's something that'll calm you down.



nux, #10, July 24, 2011, 04:20:23 AM

I use a tool called pwqgen:

nux@stone:~$ pwqgen random=81
Under8Aroma-levy7boyish3Tutor
brass5cork!Trim=Warmth=Cycle
Rudder+colon$Dense2radio$Guilty
Tariff2Maybe7Bark7ribbon2wipe
Warp9noun_Dove-Tweed*Gang

You can even get somewhat readable/memorizable passwords if you want

nux@stone:~$ pwqgen
Nicely+French&Viola

phillipsjk, #11, July 24, 2011, 05:31:26 PM

My favorite online password generation site is GRC's Ultra High Security Password Generator. Of course, you would have to trust them not to record every passphrase ever generated.

I also like converting a web-page that changes from time to time to text; then taking the MD5 hash. However, given that I am using public information, I have this nagging feeling that the entropy may no longer "count" as being over 128 bit. I have the feeling everything that has ever been published probably adds up to less than 64 bits of entropy. I have a local file that changes from time-to-time. If it has enough entropy built up, I will use that instead. Example: MD5 hash of the msn frontpage converted to text: 01ac3a67614d6a37ac1fc3731d4fd8d1.

Edit: entropy pool of the file that changes over time: 0; since I overwrote it with the text version of MSN.com and published the hash. New msn.com hash at the time of this writing: 2c822728666881b433ba27caccbc3c6d.

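The scheme in post #11 (MD5 of a public web page as a password) illustrated as an added example; this is not the poster's code and the page text is a constructed stand-in. The point it makes concrete: a 128-bit digest has only as much entropy as its input, and an input anyone can fetch has none. The 16-bit private "tweak" is an assumption added for the demo, to show that even a small secret mixed in leaves a published hash open to an enumeration of 2^16 candidates.

```python
"""Hashing public data does not make a secret: the entropy is the input's,
not the digest's.

Added example, not code from the thread. PUBLIC_PAGE_TEXT is a constructed
stand-in for "the msn front page converted to text"; the 16-bit tweak is an
assumed private addition, not something the post describes.
"""
import hashlib
import secrets

PUBLIC_PAGE_TEXT = (
    "MSN | Outlook, Office, Skype, Bing, Breaking News ... constructed sample "
    "of a front page converted to text\n"
)
TWEAK_BITS = 16


def page_password(page_text: str, tweak: int = 0) -> str:
    """The scheme from the post: MD5 hex of the page text, plus a small tweak.

    tweak=0 is the plain scheme; any other value models a private counter or
    date the user might mix in to make the result "theirs"."""
    data = page_text.encode() + tweak.to_bytes(TWEAK_BITS // 8, "big")
    return hashlib.md5(data).hexdigest()


def attacker_recovers(target_hex: str, page_text: str, tweak_bits: int = TWEAK_BITS):
    """Anyone with the same page text enumerates every tweak and compares.

    Returns (tweak, attempts) or (None, attempts). The work is 2**tweak_bits
    MD5 calls, not 2**128: the digest width never enters into it."""
    attempts = 0
    for tweak in range(2 ** tweak_bits):
        attempts += 1
        if page_password(page_text, tweak) == target_hex:
            return tweak, attempts
    return None, attempts


def independent_secret() -> str:
    """Contrast: 16 bytes from the OS CSPRNG give the same 32 hex characters,
    but 128 bits of entropy that no public page reveals."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    secret_tweak = 0x2A17
    published = page_password(PUBLIC_PAGE_TEXT, secret_tweak)  # as in the post
    tweak, attempts = attacker_recovers(published, PUBLIC_PAGE_TEXT)
    print(published, "recovered tweak" if tweak == secret_tweak else "miss",
          f"after {attempts} MD5 calls")
    print("independent secret:", independent_secret())
```

The post's own edit already reaches the right conclusion (entropy of the file: 0 once its hash was published); the code shows that publishing the hash was not even necessary, because the input was public from the start.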
ctoon6, #12, July 24, 2011, 06:04:45 PM

solutions:
hardware RNG
take pictures of lava lamps, traffic or other stuff and hash it out.
Geiger counter, radiation is truly random.
microphone next to a fan
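
The physical sources listed above (camera frames, a microphone by a fan, a Geiger counter) all need the same step before they are usable: an honest estimate of how much entropy the raw samples hold, then conditioning with a hash. This added example, not code from the thread, does both on constructed buffers (a stuck sensor, a periodic ramp, and OS CSPRNG output standing in for a real hardware RNG). The histogram entropy estimate is only an upper bound, since it is blind to serial correlation, so a compressibility check is added and the hash is refused unless both pass with margin.

```python
"""Conditioning raw physical noise into key material without overestimating it.

Added example, not code from the thread. Sample buffers are constructed; the
OS CSPRNG stands in for a hardware RNG. The Shannon histogram estimate is an
upper bound, so a zlib compressibility check backs it up and a 4x margin is
demanded before SHA-256 is applied.
"""
import hashlib
import math
import secrets
import zlib
from collections import Counter


def shannon_bits_per_byte(samples: bytes) -> float:
    """Empirical entropy of the byte histogram; 8.0 is the maximum."""
    n = len(samples)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(samples).values())


def compression_ratio(samples: bytes) -> float:
    """zlib output size over input size; structured data drops well below 1."""
    if not samples:
        return 0.0
    return len(zlib.compress(samples, 9)) / len(samples)


def estimated_entropy_bits(samples: bytes) -> float:
    """Crude total: per-byte histogram entropy times length (an upper bound)."""
    return shannon_bits_per_byte(samples) * len(samples)


def condition(samples: bytes, needed_bits: int = 256, margin: float = 4.0) -> bytes:
    """Hash raw samples into a 32-byte seed, or refuse.

    SHA-256 does not create entropy, it only concentrates what the input has,
    so the input must carry `margin` times the needed bits by the histogram
    estimate and must not compress (ratio >= 0.9)."""
    est = estimated_entropy_bits(samples)
    if est < margin * needed_bits:
        raise ValueError(f"estimate ~{est:.0f} bits < {margin * needed_bits:.0f} required")
    ratio = compression_ratio(samples)
    if ratio < 0.9:
        raise ValueError(f"samples compress to {ratio:.2f} of size: structured, not noise")
    return hashlib.sha256(samples).digest()


# Constructed sample buffers.
STUCK_SENSOR = b"\x80" * 4096               # microphone with nothing happening
PERIODIC_RAMP = bytes(range(256)) * 16      # perfect histogram, zero surprise
HW_RNG_STANDIN = secrets.token_bytes(4096)  # OS CSPRNG standing in for a TRNG


if __name__ == "__main__":
    for name, buf in (("stuck", STUCK_SENSOR), ("ramp", PERIODIC_RAMP), ("trng", HW_RNG_STANDIN)):
        try:
            print(name, "ok", condition(buf).hex()[:16],
                  f"({shannon_bits_per_byte(buf):.2f} bits/byte, ratio {compression_ratio(buf):.2f})")
        except ValueError as e:
            print(name, "rejected:", e)
```

The ramp is the instructive case: its histogram is perfectly flat (8.0 bits/byte), so a tool that only counts byte frequencies would happily hash it, while the compressibility check rejects it outright. Real sensor data sits between the two extremes, which is why the margin is there.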

nafai, #13, July 24, 2011, 06:52:22 PM

Most password managers have a built-in password generator.  You are using a password manager aren't you?  No?  Then I assume you either use the same password at more than one website/service, or your passwords are too simple.  I have yet to find someone who uses a unique, strong password for their email, facebook, twitter, all their forum accounts (like this one), online banking, paypal, dropbox, domain registrar, dns service, hosting account, amazon, newegg, cell phone provider, credit card accounts, computer administrator account, daily deals sites like groupon, car insurance, student loans, financial analysis like mint, turbotax, gaming accounts like world of warcraft or rift or runescape or w/e, bookmarking/networking sites like delicious, ebay, flickr, github, not to mention their bitcoin wallet, mtgox/tradehill, namecoin wallet, pool accounts like slush/deepbit/btcguild, etc., etc., ad nauseam...   WITHOUT using a password manager.  Never happened to my knowledge.  Human memory is limited, no way that most of us can remember 50+ unique, strong passwords.

And I'm sorry, but if your password for gmail is hfeu91hr_gmail and for facebook it's hfeu91hr_facebook and for newegg it's hfeu91hr_newegg, or some other pattern that is easily discerned, those passwords may be unique but they are not strong, because if someone hacks one account and sees your password it's not too hard to guess the password for your other accounts.  No, using "_fb" and "_ne" doesn't help, a smart person can still figure out your scheme.  No, using 3 different "strong" password prefixes instead of 1 doesn't help, then not all of your accounts are vulnerable only 1/3 of them are, but it's still overlapping passwords, i.e. not "strong and unique", just cuz you add a suffix or prefix doesn't make it truly unique.

I recommend KeePass by the way.  All of my passwords are 20-character alphanumeric w/punctuation (pseudo-randomly generated of course, no RNG is truly random) and completely unique.  When the mtgox database was leaked, I was absolutely certain that all I had to be concerned about was getting my mtgox account back and changing its password, none of my other 100+ accounts were in any way vulnerable because every password I use is both strong AND completely unique.

And I don't have to remember them, or even type them in, because like most password managers my keepass lets me hit a hotkey (ctrl-alt-A actually) and it types my login info for me on any of my 100+ accounts.

error, #14, July 24, 2011, 07:52:58 PM

> Quote from: nafai on July 24, 2011, 06:52:22 PM
> Most password managers have a built-in password generator.  You are using a password manager aren't you? [...]

Hi!!!

Chrome + KWallet.

grantbdev, #15, July 24, 2011, 08:23:11 PM

Yeah, Keepass is my choice because it's FOSS and cross platform. You can tell the program how long you want the password, what you want it to include, etc., and it will generate the password among your other stored passwords in an encrypted safe that stays on your computer.
