FAQ: How can I generate good strong passwords?
on 10.02.2006 21:26:42 by John Navas
Q: How can I generate good strong passwords?
A: Password Safe*
Originally created by noted cryptographer Bruce Schneier of Counterpane Labs,
it's open source and free, and has been subjected to extensive peer review.
* NOT
Re: FAQ: How can I generate good strong passwords?
on 11.02.2006 03:15:48 by unruh
John Navas writes:
>Q: How can I generate good strong passwords?
>A: Password Safe*
>Originally created by noted cryptographer Bruce Schneier of Counterpane Labs,
>it's open source and free, and has been subjected to extensive peer review.
??? As I read it is not for generating passwords. It is for keeping a whole
bunch of passwords safe and accessible for when you need them.
If you want to generate "good strong passwords"
dd if=/dev/urandom bs=128 count=1|uuencode /dev/stdout
and take a string of 20 or more characters from the second line to use as your
password.
Of course you will never remember it. So you will need passwordsafe.
>* NOT
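The recipe in the post above, reproduced in Python as an added example (not code from the thread). It assumes `os.urandom` as the stand-in for reading `/dev/urandom`, and it shows one detail the one-liner hides: the first character of every uuencoded body line is a length marker (`M` for a full 45-byte line), so it is constant and should be skipped when cutting the password. The function names are hypothetical.

```python
import binascii
import math
import os

UU_LINE_BYTES = 45  # uuencode packs at most 45 input bytes into one output line


def uu_body_lines(data: bytes) -> list[str]:
    """Return the uuencoded body lines for data (without the begin/end lines)."""
    lines = []
    for i in range(0, len(data), UU_LINE_BYTES):
        chunk = data[i:i + UU_LINE_BYTES]
        # backtick=True encodes a zero sextet as '`' instead of a space
        encoded = binascii.b2a_uu(chunk, backtick=True)
        lines.append(encoded.decode("ascii").rstrip("\n"))
    return lines


def password_from_urandom(length: int = 20) -> str:
    """Mirror the dd|uuencode recipe, skipping the line's length character."""
    if not 1 <= length <= UU_LINE_BYTES * 4 // 3:
        raise ValueError("length must fit in one full uuencode line (1..60)")
    raw = os.urandom(128)  # assumption: stands in for dd if=/dev/urandom bs=128
    first_body_line = uu_body_lines(raw)[0]  # the "second line" of uuencode output
    # Index 0 is the length marker and carries no randomness.
    return first_body_line[1:1 + length]


def entropy_bits(length: int, alphabet_size: int = 64) -> float:
    """Each uuencode character carries one uniform 6-bit group."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(password_from_urandom(20), f"({entropy_bits(20):.0f} bits)")
```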
Re: FAQ: How can I generate good strong passwords?
on 11.02.2006 10:32:19 by Dale
In article , unruh-spam@physics.ubc.ca says...
> John Navas writes:
>
> >Q: How can I generate good strong passwords?
>
> >A: Password Safe*
> >Originally created by noted cryptographer Bruce Schneier of Counterpane Labs,
> >it's open source and free, and has been subjected to extensive peer review.
>
> ??? As I read it is not for generating passwords. It is for keeping a whole
> bunch of passwords safe and accessible for when you need them.
The current version 2.15 that I have will generate "random" passwords.
I don't know the algorithm, nor the source of "real random" data -- it
generates eight character passwords which are a mix of upper case, lower
case and numbers. Within that set of characters, they look reasonably
random to the eye.
--
R. Dale Shipp
spam_catcher3 (at) _delete_this_comcast (dot) net
Re: FAQ: How can I generate good strong passwords?
on 11.02.2006 14:56:25 by Alun Harford
"Unruh" wrote in message
news:dsjhck$679$1@nntp.itservices.ubc.ca...
> John Navas writes:
>
> >Q: How can I generate good strong passwords?
>
> >A: Password Safe*
> >Originally created by noted cryptographer Bruce Schneier of Counterpane Labs,
> >it's open source and free, and has been subjected to extensive peer review.
>
> ??? As I read it is not for generating passwords. It is for keeping a whole
> bunch of passwords safe and accessible for when you need them.
>
> If you want to generate "good strong passwords"
> dd if=/dev/urandom bs=128 count=1|uuencode /dev/stdout
> and take a string of 20 or more characters from the second line to use as your
> password.
>
> Of course you will never remember it. So you will need passwordsafe.
/dev/urandom isn't "strong" - it is very possible that there is a way of
breaking it.
If you're generating a password, it's better practice to use /dev/random,
which is quite a bit harder to break.
Alun Harford
Re: FAQ: How can I generate good strong passwords?
on 11.02.2006 23:14:17 by unruh
"Alun Harford" writes:
>"Unruh" wrote in message
>news:dsjhck$679$1@nntp.itservices.ubc.ca...
>> John Navas writes:
>>
>> >Q: How can I generate good strong passwords?
>>
>> >A: Password Safe*
>> >Originally created by noted cryptographer Bruce Schneier of Counterpane Labs,
>> >it's open source and free, and has been subjected to extensive peer review.
>>
>> ??? As I read it is not for generating passwords. It is for keeping a whole
>> bunch of passwords safe and accessible for when you need them.
>>
>> If you want to generate "good strong passwords"
>> dd if=/dev/urandom bs=128 count=1|uuencode /dev/stdout
>> and take a string of 20 or more characters from the second line to use as your
>> password.
>>
>> Of course you will never remember it. So you will need passwordsafe.
>/dev/urandom isn't "strong" - it is very possible that there is a way of
>breaking it.
Complete nonsense I am afraid. /dev/urandom is seeded by physical
randomness just as /dev/random is, but that physical randomness is
"stretched out" using a PRNG if there is not enough physical randomness. Ie
it does not block if the physical sources dry up. /dev/random can block,
forever. Ie, /dev/urandom is as good as Tso could make it for a
cryptographically strong random number generator continually seeded by
physical randomness and is certainly far far far stronger than any other
part in the password chain. /dev/random should probably never be used,
precisely because of its blocking.
The man page for urandom was written by someone in a pessimistic mood and
not realising how it would be read by the great unwashed. /dev/urandom
has not been broken AFAIK, and is in no danger of being broken anytime soon.
>If you're generating a password, it's better practice to use /dev/random,
>which is quite a bit harder to break.
>Alun Harford
Re: FAQ: How can I generate good strong passwords?
on 12.02.2006 01:28:10 by Doug Jamal
On 10-Feb-2006, Unruh wrote:
> Q: How can I generate good strong passwords?
I generally create my own passwords. It is not hard to type random numbers,
letters and special characters up to a 63 character length. If it is for
encrypting a wireless network, you really don't need to remember the
password. Simply jot it down on a piece of paper, enter the router's menu,
type in the password then type in the same password in the client's menu and
you're done. Destroy the piece of paper that the password was written on.
Alternatively, you can go to https://www.grc.com/passwords.
--
----------
Just Me, D
Re: FAQ: How can I generate good strong passwords?
on 12.02.2006 13:04:57 by lahippel.at.ieee.org
Unruh wrote:
>... /dev/random can
> block, forever. <...> /dev/random should probably never be used,
> precisely because of its blocking.
In practise it won't block forever. If you only need a password, there is
enough randomness in its pool to not block at all.
You are recommending convenience over security. The Microsoft Way.
-- Lassi
Re: FAQ: How can I generate good strong passwords?
on 12.02.2006 14:32:17 by Volker Birk
Doug Jamal wrote:
> Alternatively, you can go to https://www.grc.com/passwords.
And you should not; you had better not use any password you can see on this
page, because GRC knows them afterwards.
Beside this drawback, the text on this page shows, that Gibson does not
understand what he's writing about at all (as usual); from this page:
| Every one is completely random (maximum entropy) without any pattern, and
| the cryptographically-strong pseudo random number generator we use
| guarantees that no similar strings will ever be produced again.
Pseudo random will never be as secure as true random white noise by design.
And, even worse, if the generator does guarantee that no similar strings
will ever be produced again, then this "random" is not random at all, because
to be random, data produced may not depend in any way on data produced
before. This is the definition of "random".
And to guarantee that never something similar will be produced again,
Gibson even announces to every user that he will store the passwords
he generates for them. So Gibson is just fooling the people who are using
his page, and he even admits the truth of this.
He completes showing us his incompetency by guaranteeing a maximum of
entropy in his passwords. This means that passwords with less than
the possible maximum of entropy never will be produced, and an attacker
only has to check the few possible passwords with the maximum entropy
to crack any system, which is "secured" with Gibson's suggestions,
because the attacker can exclude every password with lesser entropy
without testing it.
http://grcsucks.com
Yours,
VB.
--
> My windows XP is updated for all critical updates including survive pack 2.
Norman Perry in c.s.f
Re: FAQ: How can I generate good strong passwords?
on 12.02.2006 22:32:23 by privacyoffshore
Password Safe is a top quality program for storing your passwords, if
you want to create good random passwords, try our web based password
generator, you can get as diverse as you like with it.
* www.privacyoffshore.net (No Logs Internet Surfing)
* Anonymous Secure Offshore SSH-2 Surfing Tunnels
* Anonymous Mail & News through SSH-2 Tunnels
* Free Resources and Privacy Software
Re: FAQ: How can I generate good strong passwords?
on 13.02.2006 11:57:42 by Soon
John Navas wrote:
> Q: How can I generate good strong passwords?
>
Another way would be to define a "basic" password and then you hash it
using md5.
Re: FAQ: How can I generate good strong passwords?
on 13.02.2006 12:14:11 by lassi.hippelainen
Soon wrote:
> John Navas wrote:
>
>> Q: How can I generate good strong passwords?
>>
>
> Another way would be to define a "basic" password and then you hash it
> using md5.
Not much help. The attacker can also run MD5 before trying a password
guess. The attacker needs a bit more cycles, but otherwise it is as
efficient as any password guessing attack.
-- Lassi
Re: FAQ: How can I generate good strong passwords?
on 13.02.2006 18:30:32 by news
It's simple. Use first-letter passwords -- just take the first character
of each word in a simple sentence, substituting 1s and 0s for Is and Os
where they occur.
For example:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sentence = "I generally create my own passwords."
Password = 1gcm0p
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(Choose a longer sentence if you're not happy with only 6 characters).
Virtually uncrackable, easy to remember, and you don't have to write it
down.
--
Ian
Re: FAQ: How can I generate good strong passwords?
on 14.02.2006 01:42:52 by John Navas
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
In on Sun, 12 Feb 2006 00:28:10
GMT, "Doug Jamal" wrote:
>Alternatively, you can go to https://www.grc.com/passwords.
Really, really bad idea.
--
Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
John Navas
Re: FAQ: How can I generate good strong passwords?
on 14.02.2006 01:43:30 by John Navas
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
In on Mon, 13 Feb 2006 17:30:32 GMT, news
wrote:
>It's simple. Use first-letter passwords -- just take the first character
>of each word in a simple sentence, substituting 1s and 0s for Is and Os
>where they occur.
>
>For example:
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Sentence = "I generally create my own passwords."
>
>Password = 1gcm0p
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>(Choose a longer sentence if you're not happy with only 6 characters).
>
>Virtually uncrackable, ...
Assumption that isn't valid. ANY pattern is risky.
--
Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
John Navas
Re: FAQ: How can I generate good strong passwords?
on 14.02.2006 01:44:40 by John Navas
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
In <1139779942.965217.57600@g44g2000cwa.googlegroups.com> on 12 Feb 2006
13:32:23 -0800, "(admins) privacyoffshore"
wrote:
>Password Safe is a top quality program for storing your passwords, if
>you want to create good random passwords, try our web based password
>generator, you can get as diverse as you like with it.
With all due respect, Password Safe is a better bet for password generation
because of the expertise behind it and peer review.
--
Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
John Navas
Re: FAQ: How can I generate good strong passwords?
on 14.02.2006 22:56:34 by Doug Jamal
On 13-Feb-2006, John Navas wrote:
> >Alternatively, you can go to https://www.grc.com/passwords.
>
> Really, really bad idea.
Feel free to back up your statement.
--
----------
Just Me, D
Re: FAQ: How can I generate good strong passwords?
on 15.02.2006 03:31:08 by John Navas
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
In on Tue, 14 Feb 2006 21:56:34
GMT, "Doug Jamal" wrote:
>On 13-Feb-2006, John Navas wrote:
>
>> >Alternatively, you can go to https://www.grc.com/passwords.
>>
>> Really, really bad idea.
>
>Feel free to back up your statement.
I have, many times, as Google can quickly reveal, and I'm not alone:
http://www.theregister.co.uk/2006/01/21/wmf_fud_from_grc/
--
Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
John Navas
Re: FAQ: How can I generate good strong passwords?
on 15.02.2006 04:11:53 by John Hyde
on 2/14/2006 6:31 PM John Navas said the following:
> [POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
>
> In on Tue, 14 Feb 2006 21:56:34
> GMT, "Doug Jamal" wrote:
>
>
>>On 13-Feb-2006, John Navas wrote:
>>
>>
>>>>Alternatively, you can go to https://www.grc.com/passwords.
>>>
>>>Really, really bad idea.
>>
>>Feel free to back up your statement.
>
>
> I have, many times, as Google can quickly reveal, and I'm not alone:
> http://www.theregister.co.uk/2006/01/21/wmf_fud_from_grc/
>
Ummm, that article is about Gibson and the WMF exploit. Not about
Gibson's password generator. I agree I would not use it for the reasons
elsewhere in the thread, but the article is not that reason.
JH
Re: FAQ: How can I generate good strong passwords?
on 15.02.2006 08:13:14 by John Navas
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
In <11v56rt9j93j927@corp.supernews.com> on Tue, 14 Feb 2006 19:11:53 -0800,
John Hyde wrote:
>on 2/14/2006 6:31 PM John Navas said the following:
>>
>> In on Tue, 14 Feb 2006 21:56:34
>> GMT, "Doug Jamal" wrote:
>>
>>>On 13-Feb-2006, John Navas wrote:
>>>
>>>>>Alternatively, you can go to https://www.grc.com/passwords.
>>>>
>>>>Really, really bad idea.
>>>
>>>Feel free to back up your statement.
>>
>> I have, many times, as Google can quickly reveal, and I'm not alone:
>> http://www.theregister.co.uk/2006/01/21/wmf_fud_from_grc/
>
>Ummm, that article is about Gibson and the WMF exploit. Not about
>Gibson's password generator. I agree I would not use it for the reasons
>elsewhere in the thread, but the article is not that reason.
I didn't say it was. It just shows that Gibson isn't to be trusted in the
area of security.
--
Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
John Navas
Re: FAQ: How can I generate good strong passwords?
on 17.02.2006 23:40:04 by Volker Birk
news wrote:
> It's simple. Use first-letter passwords -- just take the first character
> of each word in a simple sentence, substituting 1s and 0s for Is and Os
> where they occur.
> For example:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Sentence = "I generally create my own passwords."
> Password = 1gcm0p
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> (Choose a longer sentence if you're not happy with only 6 characters).
Thank you very much for making cracking your passwords much easier.
> Virtually uncrackable, easy to remember, and you don't have to write it
> down.
The opposite is true. You just offered much information about your
passwords, which helps to avoid a brute force or at least gives a
very good heuristics:
- you aren't using 'i's and 'o's in it, but 1 and 0 only
- you're telling much about the probability of the letters in your
password and about the probability of their ordering, because these
are the first letters of English sentences, and it's easy to create
statistics about English sentences in this view
- you only are using a small character subset
- you're using very short passwords (only 6 characters you seem to find
OK already)
So with this information, cracking your passwords will be much easier
compared to really strong passwords, which are long enough, out of the
complete character set, and are totally random.
Yours,
VB.
--
> My windows XP is updated for all critical updates including survive pack 2.
Norman Perry in c.s.f
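The statistical argument in the reply above can be put into numbers. This added example (not code from the thread) applies the first-letter scheme to a handful of constructed sample sentences, measures the zero-order Shannon entropy of the resulting characters, and compares a 6-character password against a uniform draw from the scheme's 26 symbols and from the 94 printable ASCII characters. The sentences and function names are assumptions made for illustration, and a sample this small gives only a rough estimate.

```python
import math
from collections import Counter

# Constructed sample sentences standing in for a real English corpus.
SAMPLE_SENTENCES = [
    "I generally create my own passwords.",
    "The quick brown fox jumps over the lazy dog.",
    "It is not hard to type random numbers and letters.",
    "You will need a safe place to keep all of them.",
    "She said that the old router was in the other room.",
    "We took a train to the coast and then walked home.",
    "This is the way that most people talk and write.",
    "He asked if there was any tea left in the pot.",
]


def first_letter_password(sentence: str) -> str:
    """First letter of each word, lower-cased, with i->1 and o->0 as in the post."""
    swaps = {"i": "1", "o": "0"}
    initials = (word.lstrip("\"'(")[:1].lower() for word in sentence.split())
    return "".join(swaps.get(ch, ch) for ch in initials if ch.isalnum())


def shannon_bits_per_char(symbols: str) -> float:
    """Zero-order Shannon entropy of the observed symbol distribution."""
    counts = Counter(symbols)
    total = sum(counts.values())
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def compare(length: int = 6) -> dict:
    """Estimated bits for a first-letter password versus uniform random choices."""
    pooled = "".join(first_letter_password(s) for s in SAMPLE_SENTENCES)
    return {
        "first_letter_bits": shannon_bits_per_char(pooled) * length,
        "uniform_26_symbol_bits": math.log2(26) * length,  # best case for the scheme
        "random_printable_bits": math.log2(94) * length,   # 94 printable ASCII symbols
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name}: {bits:.1f}")
```

The estimate ignores word-order correlations, so the real figure for sentence-derived passwords is lower still.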
Re: FAQ: How can I generate good strong passwords?
on 17.02.2006 23:41:52 by Volker Birk
Doug Jamal wrote:
> On 13-Feb-2006, John Navas wrote:
> > >Alternatively, you can go to https://www.grc.com/passwords.
> > Really, really bad idea.
> Feel free to back up your statement.
Beside http://grcsucks.com please read:
<43ef38e1@news.uni-ulm.de>
Yours,
VB.
--
> My windows XP is updated for all critical updates including survive pack 2.
Norman Perry in c.s.f