views:

2101

answers:

38

Random Characters? Passphrases? High Ascii?

cat /dev/urandom | strings

+7  A: 

A short python script to generate passwords, originally from the python cookbook.

#!/usr/bin/env python

from random import choice
import getopt
import string
import sys

def GenPasswd():
    chars = string.letters + string.digits
    for i in range(8):
        newpasswd = newpasswd + choice(chars)
    return newpasswd

def GenPasswd2(length=8, chars=string.letters + string.digits):
    return ''.join([choice(chars) for i in range(length)])

class Options(object):
    pass

def main(argv):
    (optionList,args) = getopt.getopt(argv[1:],"r:l:",["repeat=","length="])

    options = Options()
    options.repeat = 1
    options.length = 8
    for (key,value) in optionList:
        if key == "-r" or key == "--repeat":
            options.repeat = int(value)
        elif key == "-l" or key == "--length":
            options.length = int(value)

    for i in xrange(options.repeat):
        print GenPasswd2(options.length)

if __name__ == "__main__":
    sys.exit(main(sys.argv))
Douglas Leeder
+3  A: 

The algorithm in apg is pretty cool. But I mostly use random characters from a list which I've defined myself. It is mostly numbers, upper- and lowercase letters and some punctuation marks. I've eliminated chars which are prone to getting mistaken for another character like '1', 'l', 'I', 'O', '0' etc.

Matthias Kestenholz
removing chars because of that just defeats the visual part of password obfuscation.
px
+1  A: 

I use KeePass to generate complex passwords.

Luke Bennett
+1: I do too ;)
John Gietzen
A: 
<?php
    print md5(rand(0, 99999));
?>
Teifion
It does make your passwords less random though. AFAIK, md5 generates a hexadecimal value, right? So instead of 26 + 10 possible values per character, you have only 16. On 6 characters, that means there are 130 times less possible combinations to brute force ;)
Erik van Brakel
Actually, there are only 100K unique passwords here. That's about the same as a 3 character password! (If this generating algorithm is known)
darron
I do have to admit, I use this a lot myself. However, I use it for temp. passwords which the user has to change on first logon. I also make a second pass over the generated md5 sequence to randomly capitalize some letters.
Erik van Brakel
A: 

On a Mac I use RPG.

px
A: 

In PHP, by generating a random string of characters from the ASCII table. See Generating (pseudo)random alpha-numeric strings

Daniel
+6  A: 

The open source Keepass tool has some excellent capabilities for password generation, including enhanced randomization.

Turnkey
A: 

I start with the initials of a sentence in a foreign language, with some convention for capitalizing some of them. Then, I insert in a particular part of the sentence a combination of numbers and symbols derived from the name of the application or website.

This scheme generates a unique password for each application that I can re-derive each time in my head with no trouble (so no memorization), and there is zero chance of any part of it showing up in a dictionary.

MOE37x3
+3  A: 

I don't like random character passwords. They are difficult to remember.

Generally my passwords fall into tiers based on how important that information is to me.

My most secure passwords tend to use a combination of old BBS random generated passwords that I was too young and dumb to know how to change and memorized. Appending a few of those together with liberal use of the shift key works well. If I don't use those I find pass phrases better. Perhaps a phrase from some book that I enjoy, once again with some mixed case and special symbols put it. Often I'll use more than 1 phrase, or several words from one phrase, concatenated with several from another.

On low priority sites my passwords are are pretty short, generally a combination of a few familiar tokens.

The place I have the biggest problem is work, where we need to change our password every 30 days and can't repeat passwords. I just do like everyone else, come up with a password and append an ever increasing index to the end. Password rules like that are absurd.

Erratic
+2  A: 

I use https://www.grc.com/passwords.htm to generate long password strings for things like WPA keys. You could also use this (via screenscraping) to create salts for authentication password hashing if you have to implement some sort of registration site.

martinatime
A: 

You will have to code extra rules to check that your password is acceptable for the system you are writing it for. Some systems have policies like "two digits and two uppercase letters minimum" and so on. As you generate your password character by character, keep a count of the digits/alpha/uppercase as required, and wrap the password generation in a do..while that will repeat the password generation until (digitCount>1 && alphaCount>4 && upperCount>1), or whatever.

JeeBee
+3  A: 

For web sites I use SuperGenPass, which derives a site-specific password from a master password and the domain name, using a hash function (based on MD5). No need to store that password anywhere (SuperGenPass itself is a bookmarklet, totally client-side), just remember your master password.

Thilo
A: 

Pick a sequence out of

md5 random_file
mloughran
This is terribly insecure. There are only 16 possible characters in your password. With a length of 8 characters, there are only 4 x 10^9 possible passwords in the search space.You probably just use these for temps that users are supposed to change immediately, but what if they never log in?
skiphoppy
+2  A: 

In some circumstances, I use Perl's Crypt::PassGen module, which uses Markov chain analysis on a corpus of words (e.g. /usr/share/dict/words on any reasonably Unix system). This allows it to generate passwords that turn out to be reasonably pronounceable and thus remember.

That said, at $work we are moving to hardware challenge/response token mechanisms.

dland
A: 

Password Monkey, iGoogle widget!

titanae
+1  A: 

I used an unusual method of generating passwords recently. They didn't need to be super strong, and random passwords are just too hard to remember. My application had a huge table of cities in North America. To generate a password, I generated a random number, grabbed a randon city, and added another random number.

boston9934

The lengths of the numbers were random, (as was if they were appended, prepended, or both), so it wasn't too easy to brute force.

Buzz
good for one time passwords.
px
+4  A: 

I use password safe to generate and store all my passwords, that way you don't have to remember super strong passwords (well except the one that unlocks your safe).

Ron Tuffin
+2  A: 

Pick a strong master password how you like, then generate a password for each site with cryptohash(masterpasword+sitename). You will not lose your password for site A if your password for site B gets in the wrong hands (due to an evil admin, wlan sniffing or site compromise for example), yet you will only have to remember a single password.

Elias Yarrkov
There are firefox extensions that do this, like password composer
https://www.pwdhash.com/
px
+3  A: 

I think it largely depends on what you want to use the password for, and how sensitive the data is. If we need to generate a somewhat secure password for a client, we typically use an easy to remember sentence, and use the first letters of each word and add a number. Something like 'top secret password for use on stackoverflow' => 'tspfuos8'.

Most of the time however, I use the 'pwgen' utility on Linux to create a password, you can specify the complexity and length, so it's quite flexible.

Linor
A: 

The Firefox-addon Password Hasher is pretty awesome for generating passwords: Password Hasher

The website also features an online substitute for the addon: Online Password Hasher

A: 

I generate random printable ASCII characters with a Perl program and then tweak the script if there's extra rules to help me generate a more "secure" password. I can keep the password on a post-it note and then destroy it after one or two days; my fingers will have memorized it, and my password will be completely unguessable.

This is for my primary login password, something I use every day, and in fact many times a day as I sit down and unlock my screen. This makes it easy to memorize fast. Obviously passwords for other situations have to use a different mechanism.

skiphoppy
+1  A: 

Well, my technique is to use first letters of the words of my favorite songs. Need an example: Every night in my dreams, I see you, I feel you...

Give me:

enimdisyify

... and a little of insering numbers e.g. i=1, o=0 etc...

en1md1sy1fy

... capitalization? Always give importance to yourself :)

And the final password is...

en1Md1sy1fy

nullDev
+1 for the method. -1 for quoting Céline Dion.
Rodrigo
A: 

I use the Crypt::GeneratePassword module.

Swaroop C H
I take it this is an answer to an oriented programming question!
Mac
A: 

For websites it's a 'secret' word combined with something memorable for the site I'm registering with.

For everything else I use a random generated password.

Piku
+1  A: 

The standard UNIX utility called pwgen. Available in practically any unix distribution.

Agoston Horvath
+1  A: 
Zack Peterson
Nice management tip.
px
+8  A: 

Mac OS X's "Keychain Access" application gives you access to the nice OS X password generator. Hit command-N and click the key icon. You get to choose password style (memorable, numeric, alphanumeric, random, FIPS-181) and choose the length. It also warns you about weak passwords.

aaronsw
A: 

I manually generate pretty hard-to-remember strings of symbols, numbers, and upper and lower case letters that usually look like leetspeak.

Example:

&p0pul4rw3b$ite!

Then I store them as an email draft I can access from anywhere via web mail.

Zack Peterson
A: 

Jeff Atwood has suggested we all switch to pass phrases rather than passwords:

Zack Peterson
A: 

makepasswd generates true random passwords by using the /dev/random feature of Linux, with the emphasis on security over pronounceability. It can also encrypt plaintext passwords given on the command line.

Most notable options are

--crypt-md5     Produce encrypted passwords using the MD5 digest algorithm
--string STRING Use the characters in STRING to generate random passwords

The former could be used to automatically generate /etc/passwd, /etc/cvspasswd, etc. entries. The latter is useful to add punctuation characters into your passwords, (by default generated password contains alphanumeric chars only).

makepasswd was originally part of the mkircconf program used to centrally administer the Linux Internet Support Cooperative IRC network.

Linulin
+1  A: 

passwords:

$ gpg --gen-random 1 20 | gpg --enarmor | sed -n 5p

passphrases:

http://en.wikipedia.org/wiki/Diceware

A: 

If you want to generate passwords that are easier for users to remember, take a look at Markov chains. http://en.wikipedia.org/wiki/Markov_chain

This algorithm can produce nonsense words that can be pronounced, so they also become easier to remember and to relay over the phone. A little Google-fu can get you some code samples in just about any language.

You would need to also obtain a good dictionary to filter out any passwords that come out as actual words.

Of course, these are not going to be high-strength passwords, but are really good when you need some basic access control on something and you don't want to burden your users with hard to remember passwords.

A: 

I usually use password safe to generate random passwords. For passwords I actually want to be able to remember without password safe, I usually take a word, and a number, and interleave the characters

So you take a word.

baseball

and a number

24681357

and you get a password of

b2a4s6e8b1a3l5l7

It looks pretty random, and would probalby be hard to brute force. Also it's quite easy to type most of the time. You just type the word, and then move your cursor back to the second character, and type the number, and between each character press the right cursor key. Not only does this make it easier to type, it also makes it harder for key loggers to record what you are actually typing.

Kibbee
+1  A: 

Mostly, I type dd if=/dev/urandom bs=6 count=1 | mimencode and save the result in a password safe.

Vatine
A: 

This Perl one-liner helps sometimes (rand isn't secure but it often doesn't matter):

$ perl -E"say map { chr(33 + rand(126-33)) } 1..31

An example output:

ET<2:k|D:!z)nBPMv+yitM8x`r.(WwO
J.F. Sebastian
+1  A: 
import random

length = 12
charset = "abcdefghijklmnopqrstuvwxyz0123456789"

password = ""
for i in range(0, length):
    token += random.choice(charset)

print password
Evan Fosmark
`print "".join(map(random.choice, [charset]*length))`
J.F. Sebastian
J.F. don't you think that is a bit too unpythonic?
Evan Fosmark
It is clear and concise. You might be unfamiliar with the `map` function but it is quite common. Try `$ ack --python '\W\s*map\s*\('` in your Python's distribution directory.
J.F. Sebastian
A: 

For fairly important stuff I like to use combinations of letters and numbers, like "xme7UpOK". These can be generated with this one-liner:

perl -le 'print map { (a..z,A..Z,0..9)[rand 62] } 1..8'

For less important stuff I like to have passwords that are easy to type, pronounce and remember, something like "loskubov" or "gobdafol". These can be generated like this:

perl -le '@l=("aeiou", "bdfgjklmnprstv");
          print map {(split "",$l[$_])[rand length $l[$_]]} split "", "10110101"'

where "10110101" is the pattern for vowels and consonants.

Pontus