FAQ: How can I generate good strong passwords?

am 04.04.2006 20:47:39 von John Navas

Q: How can I generate good strong passwords?

A: Password Safe*
Originally created by noted cryptographer Bruce Schneier of Counterpane Labs,
it's open source and free, and has been subjected to extensive peer review.


* NOT

Re: FAQ: How can I generate good strong passwords?

am 04.04.2006 23:51:26 von unruh

John Navas writes:

>Q: How can I generate good strong passwords?

>A: Password Safe*
>Originally created by noted cryptographer Bruce Schneier of Counterpane Labs,
>it's open source and free, and has been subjected to extensive peer review.

???? Password Safe is for storing passwords, not generating them.
(It has been claimed to have a generator as well, but it is certainly not
described in any documentation. Also, as soon as attackers know that you
are using it, you have given some information, and it is not as strong as it
could be.)
The proper answer to this is
dd if=/dev/urandom of=/tmp/p bs=100 count=1
less /tmp/p
And copy down the first 20 printable characters.
This is a very very secure password (as secure as it could be assuming
printable characters). It is also a totally unrememberable
password.
E.g., on my first try, $,c*:11#MwU!`b8QB-Th
As soon as you place "memorability" into the mix, your password is no longer
as secure as it could be.

>* NOT

Re: FAQ: How can I generate good strong passwords?

am 05.04.2006 00:23:09 von John Navas

[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In on 4 Apr 2006 21:51:26 GMT, Unruh
wrote:

>John Navas writes:
>
>>Q: How can I generate good strong passwords?
>
>>A: Password Safe*
>>Originally created by noted cryptographer Bruce Schneier of Counterpane Labs,
>>it's open source and free, and has been subjected to extensive peer review.
>
>???? Password safe is for storing passwords, not generating them.

It's also for generating them...

>(It has been claimed to have a generator as well,

....as you apparently know. ;)

>but it is certainly not
>described in any documentation.

Of course it is -- see Password Policy. Source code is also available.

>Also, as soon as attackers know that you
>are using it, you have given some information, and it is not as strong as it
>could be.)

Not true -- security by obscurity is an oxymoron.

>The proper answer to this is
>dd if=/dev/urandom of=/tmp/p bs=100 count=1
>less /tmp/p
>And copy down the first 20 printable characters.
>This is a very very secure password (as secure as it could be assuming
>printable characters).

UNIX-specific, a hassle, and no more secure than Password Safe.

>It is also a totally unrememberable
>password.

When a password needs to be remembered, I use and recommend Diceware Words.


>E.g., on my first try, $,c*:11#MwU!`b8QB-Th
>As soon as you place "memorability" into the mix, your password is no longer
>as secure as it could be.

Not true -- that just changes the entropy of a given key length, which can be
offset with a longer key length.

--
Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
John Navas

Re: FAQ: How can I generate good strong passwords?

am 05.04.2006 00:46:00 von unruh

John Navas writes:

>[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

>In on 4 Apr 2006 21:51:26 GMT, Unruh
> wrote:

>>John Navas writes:
>>
>>>Q: How can I generate good strong passwords?
>>
>>>A: Password Safe*
>>>Originally created by noted cryptographer Bruce Schneier of Counterpane Labs,
>>>it's open source and free, and has been subjected to extensive peer review.
>>
>>???? Password safe is for storing passwords, not generating them.

>It's also for generating them...

>>(It has been claimed to have a generator as well,

>...as you apparently know. ;)

>>but it is certainly not
>>described in any documentation.

>Of course it is -- see Password Policy. Source code is also available.

>>Also, as soon as attackers know that you
>>are using it, you have given some information, and it is not as strong as it
>>could be.)

>Not true -- security by obscurity is an oxymoron.

The password is the one item that MUST be secure. Its generating mechanism
is important. Let's say we know our adversary uses a generator which
produces consecutive letters of the alphabet as the password. It makes
breaking his password easy. Any generator which does not simply make each
letter an independent random variable over all letters gives the attacker
information.

>>The proper answer to this is
>>dd if=/dev/urandom of=/tmp/p bs=100 count=1
>>less /tmp/p
>>And copy down the first 20 printable characters.
>>This is a very very secure password (as secure as it could be assuming
>>printable characters).

>UNIX-specific, a hassle, and no more secure than Password Safe.

A hassle? How is it more of a hassle than downloading password safe, and
figuring out how to use it to generate passwords.



>>It is also a totally unrememberable
>>password.

>When a password needs to be remembered, I use and recommend Diceware Words.
>

>>E.g., on my first try, $,c*:11#MwU!`b8QB-Th
>>As soon as you place "memorability" into the mix, your password is no longer
>>as secure as it could be.

>Not true -- that just changes the entropy of a given key length, which can be
>offset with a longer key length.

Which destroys memorability again.

Re: FAQ: How can I generate good strong passwords?

am 05.04.2006 02:01:39 von John Navas

[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In on 4 Apr 2006 22:46:00 GMT, Unruh
wrote:

>John Navas writes:

>>Not true -- security by obscurity is an oxymoron.
>
>The password is the one item that MUST be secure.

Of course.

>Its generating mechanism
>is important. Let's say we know our adversary uses a generator which
>produces consecutive letters of the alphabet as the password. It makes
>breaking his password easy. Any generator which does not simply make each
>letter an independent random variable over all letters gives the attacker
>information.

Not necessarily. The best generator is one that's open and subject to peer
review. Otherwise, there may be unknown defects. Security *doesn't* come
from keeping the algorithm secret -- it comes from having a good algorithm,
and sufficient password entropy (e.g., length). Randomness in the computer
sense isn't necessarily a guarantee of security, since most so-called random
number generators are actually pseudo-random, based on some sort of
predictable algorithm.

>>>The proper answer to this is
>>>dd if=/dev/urandom of=/tmp/p bs=100 count=1
>>>less /tmp/p
>>>And copy down the first 20 printable characters.
>>>This is a very very secure password (as secure as it could be assuming
>>>printable characters).
>
>>UNIX-specific, a hassle, and no more secure than Password Safe.
>
>A hassle? How is it more of a hassle than downloading password safe, and
>figuring out how to use it to generate passwords.

Password Safe is dead easy to use, open source and subject to peer review,
runs on Windows and other platforms, and does much more than just generate
passwords. :)

>>>It is also a totally unrememberable
>>>password.
>
>>When a password needs to be remembered, I use and recommend Diceware Words.
>>

Use of dice is more random than most computer algorithms.

>>>E.g., on my first try, $,c*:11#MwU!`b8QB-Th
>>>As soon as you place "memorability" into the mix, your password is no longer
>>>as secure as it could be.
>
>>Not true -- that just changes the entropy of a given key length, which can be
>>offset with a longer key length.
>
>Which destroys memorability again.

Again, not necessarily. Something like "rock blue sky screen urge run wall"
(diceware words) is both more secure and much easier to remember, especially
if you generate a phrase with a memorable acronym.

--
Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
John Navas

Re: FAQ: How can I generate good strong passwords?

am 05.04.2006 17:46:00 von unruh

John Navas writes:

>[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

>In on 4 Apr 2006 22:46:00 GMT, Unruh
> wrote:

>>John Navas writes:

>>>Not true -- security by obscurity is an oxymoron.
>>
>>The password is the one item that MUST be secure.

>Of course.

>>Its generating mechanism
>>is important. Let's say we know our adversary uses a generator which
>>produces consecutive letters of the alphabet as the password. It makes
>>breaking his password easy. Any generator which does not simply make each
>>letter an independent random variable over all letters gives the attacker
>>information.

>Not necessarily. The best generator is one that's open and subject to peer
>review. Otherwise, there may be unknown defects. Security *doesn't* come
>from keeping the algorithm secret -- it comes from having a good algorithm,
>and sufficient password entropy (e.g., length). Randomness in the computer
>sense isn't necessarily a guarantee of security, since most so-called random
>number generators are actually pseudo-random, based on some sort of
>predictable algorithm.

I agree. However, as I read the very brief stuff I can find about Password
Safe's generator, the user feeds it all kinds of conditions on the
passwords (length, lower case only, at least one non-alpha character, etc.).
This can result in very insecure passwords being generated (that they are
as secure as they could be given the constraints is irrelevant). In
addition the program uses an algorithmic random number generator as I see
it as well. I.e., it would be far better to give a series of rules for
good password generation rather than just point users to a program whose
primary purpose is something else, and whose password generation capability
is hard to find in the documentation, and has no warnings or description as
to what makes a good password in the docs. It also lulls the naive user
into a belief that they can hand off their security to a program which they
do not understand.

>>>>The proper answer to this is
>>>>dd if=/dev/urandom of=/tmp/p bs=100 count=1
>>>>less /tmp/p
>>>>And copy down the first 20 printable characters.
>>>>This is a very very secure password (as secure as it could be assuming
>>>>printable characters).
>>
>>>UNIX-specific, a hassle, and no more secure than Password Safe.
>>
>>A hassle? How is it more of a hassle than downloading password safe, and
>>figuring out how to use it to generate passwords.

>Password Safe is dead easy to use, open source and subject to peer review,
>runs on Windows and other platforms, and does much more than just generate
>passwords. :)

Yes, so why are you advertising it as the only way to get a secure
password?



>>>>It is also a totally unrememberable
>>>>password.
>>
>>>When a password needs to be remembered, I use and recommend Diceware Words.
>>>

>Use of dice is more random than most computer algorithms.

Perhaps.


>>>>E.g., on my first try, $,c*:11#MwU!`b8QB-Th
>>>>As soon as you place "memorability" into the mix, your password is no longer
>>>>as secure as it could be.
>>
>>>Not true -- that just changes the entropy of a given key length, which can be
>>>offset with a longer key length.
>>
>>Which destroys memorability again.

>Again, not necessarily. Something like "rock blue sky screen urge run wall"
>(diceware words) is both more secure and much easier to remember, especially
>if you generate a phrase with a memorable acronym.

If you generate the phrase it is not random. That particular phrase I
suspect has far less randomness than my phrase, and the urge to misremember
by inserting verbs and articles is high.

>--
>Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
>John Navas

Re: FAQ: How can I generate good strong passwords?

am 05.04.2006 18:51:48 von John Navas

[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In on 5 Apr 2006 15:46:00 GMT, Unruh
wrote:

>John Navas writes:

>>Not necessarily. The best generator is one that's open and subject to peer
>>review. Otherwise, there may be unknown defects. Security *doesn't* come
>>from keeping the algorithm secret -- it comes from having a good algorithm,
>>and sufficient password entropy (e.g., length). Randomness in the computer
>>sense isn't necessarily a guarantee of security, since most so-called random
>>number generators are actually pseudo-random, based on some sort of
>>predictable algorithm.
>
>I agree. However, as I read the very brief stuff I can find about Password
>Safe's generator, the user feeds it all kinds of conditions on the
>passwords (length, lower case only, at least one non-alpha character, etc.).
>This can result in very insecure passwords being generated (that they are
>as secure as they could be given the constraints is irrelevant).

It's possible to misuse *any* tool. The primary reason for all the options is
that different applications (e.g., websites) have different rules (e.g.,
allowable characters, length) for acceptable passwords. The program's help
advises the use of the longest possible password. What more must they do to
satisfy you? ;)

>In
>addition the program uses an algorithmic random number generator as I see
>it as well.

True, but one that has passed rigorous tests for randomness. Also, that's
what you've advised -- OK for you, but not for Password Safe? ;) Regardless,
the only real alternatives are to use something like a keystroke timer, which
is both problematic and a hassle, or an external source of randomness, like my
recommendation of diceware words.

>I.e., it would be far better to give a series of rules for
>good password generation rather than just point users to a program whose
>primary purpose is something else, and whose password generation capability
>is hard to find in the documentation, and has no warnings or description as
>to what makes a good password in the docs.

I don't think those are valid criticisms, but I do agree that I should provide
more information, so I've updated my FAQ. See what you think.

>It also lulls the naive user
>into a belief that they can hand off their security to a program which they
>do not understand.

I don't think so -- I think the naive user is well-served by Password Safe.

>>Password Safe is dead easy to use, open source and subject to peer review,
>>runs on Windows and other platforms, and does much more than just generate
>>passwords. :)
>
>Yes, so why are you advertising it as the only way to get a secure
>password?

I'm not doing that -- it's just the one I use and recommend. Regardless,
I now recommend Diceware Words as well.

>>Use of dice is more random than most computer algorithms.
>
>Perhaps.

I think it's pretty much a given.

>>>>>E.g., on my first try, $,c*:11#MwU!`b8QB-Th
>>>>>As soon as you place "memorability" into the mix, your password is no longer
>>>>>as secure as it could be.
>>>
>>>>Not true -- that just changes the entropy of a given key length, which can be
>>>>offset with a longer key length.
>>>
>>>Which destroys memorability again.
>
>>Again, not necessarily. Something like "rock blue sky screen urge run wall"
>>(diceware words) is both more secure and much easier to remember, especially
>>if you generate a phrase with a memorable acronym.
>
>If you generate the phrase it is not random.

It was in fact generated randomly.

>That particular phrase I
>suspect has far less randomness than my phrase,

It actually has more information entropy, and that's what counts. See:


and the other links I've added to my FAQ.

>and the urge to misremember
>by inserting verbs and articles is high.

Inserting verbs and articles would actually increase strength by increasing
length, not decrease it.

--
Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
John Navas

Re: FAQ: How can I generate good strong passwords?

am 05.04.2006 23:50:00 von Mark McIntyre

On 4 Apr 2006 22:46:00 GMT, in alt.internet.wireless , Unruh
wrote:

>John Navas writes:
>
>
>>Not true -- security by obscurity is an oxymoron.

Euh, this is bullshit. Obscuring the target is a good security
technique. If the bad guys don't know you're there, how can they come
after you?

>The password is the one item that MUST be secure.

Yes but...

>Its generating mechanism is important.

Sure. but so what?

>>UNIX-specific, a hassle, and no more secure than Password Safe.
>
>A hassle? How is it more of a hassle than downloading password safe, and
>figuring out how to use it to generate passwords.

Imagine (gasp) you don't have unix. Or don't understand what all that
magick dd stuff does.

>>>E.g., on my first try, $,c*:11#MwU!`b8QB-Th
>>>As soon as you place "memorability" into the mix, your password is no longer
>>>as secure as it could be.
>
>>Not true -- that just changes the entropy of a given key length, which can be
>>offset with a longer key length.
>
>Which destroys memorability again.

I disagree. Many people can remember pretty long strings of fairly
random letters, such as a sequence of names and dates.
Mark McIntyre
--

Re: FAQ: How can I generate good strong passwords?

am 05.04.2006 23:58:41 von John Navas

[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In on Wed, 05 Apr 2006 22:50:00
+0100, Mark McIntyre wrote:

>On 4 Apr 2006 22:46:00 GMT, in alt.internet.wireless , Unruh
> wrote:
>
>>John Navas writes:
>>
>>>Not true -- security by obscurity is an oxymoron.
>
>Euh, this is bullshit. Obscuring the target is a good security
>technique. If the bad guys don't know you're there, how can they come
>after you?


"Secrecy, Security, and Obscurity"
by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.

--
Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
John Navas

Re: FAQ: How can I generate good strong passwords?

am 06.04.2006 01:04:57 von unruh

John Navas writes:

>[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

>In on 5 Apr 2006 15:46:00 GMT, Unruh
> wrote:

>>John Navas writes:

>>>Not necessarily. The best generator is one that's open and subject to peer
>>>review. Otherwise, there may be unknown defects. Security *doesn't* come
>>>from keeping the algorithm secret -- it comes from having a good algorithm,
>>>and sufficient password entropy (e.g., length). Randomness in the computer
>>>sense isn't necessarily a guarantee of security, since most so-called random
>>>number generators are actually pseudo-random, based on some sort of
>>>predictable algorithm.
>>
>>I agree. However, as I read the very brief stuff I can find about Password
>>Safe's generator, the user feeds it all kinds of conditions on the
>>passwords (length, lower case only, at least one non-alpha character, etc.).
>>This can result in very insecure passwords being generated (that they are
>>as secure as they could be given the constraints is irrelevant).

>It's possible to misuse *any* tool. The primary reason for all the options is
>that different applications (e.g., websites) have different rules (e.g.,
>allowable characters, length) for acceptable passwords. The program's help
>advises the use of the longest possible password. What more must they do to
>satisfy you? ;)

Not them, you. You say that to have a strong password they should use
Password Safe. Period. That is not sufficient.


>>In
>>addition the program uses an algorithmic random number generator as I see
>>it as well.

>True, but one that has passed rigorous tests for randomness. Also, that's
>what you've advised -- OK for you, but not for Password Safe? ;) Regardless,
>the only real alternatives are to use something like a keystroke timer, which
>is both problematic and a hassle, or an external source of randomness, like my
>recommendation of diceware words.

I have no objection to password safe per se. I do have objections to you
essentially saying that if the user uses password safe then they are OK.


>>I.e., it would be far better to give a series of rules for
>>good password generation rather than just point users to a program whose
>>primary purpose is something else, and whose password generation capability
>>is hard to find in the documentation, and has no warnings or description as
>>to what makes a good password in the docs.

>I don't think those are valid criticisms, but I do agree that I should provide
>more information, so I've updated my FAQ. See what you think.

>>It also lulls the naive user
>>into a belief that they can hand off their security to a program which they
>>do not understand.

>I don't think so -- I think the naive user is well-served by Password Safe.

>>>Password Safe is dead easy to use, open source and subject to peer review,
>>>runs on Windows and other platforms, and does much more than just generate
>>>passwords. :)
>>
>>Yes, so why are you advertising it as the only way to get a secure
>>password?

>I'm not doing that -- it's just the one I use and recommend. Regardless,
>I now recommend Diceware Words as well.

>>>Use of dice is more random than most computer algorithms.
>>
>>Perhaps.

>I think it's pretty much a given.

>>>>>>E.g., on my first try, $,c*:11#MwU!`b8QB-Th
>>>>>>As soon as you place "memorability" into the mix, your password is no longer
>>>>>>as secure as it could be.
>>>>
>>>>>Not true -- that just changes the entropy of a given key length, which can be
>>>>>offset with a longer key length.
>>>>
>>>>Which destroys memorability again.
>>
>>>Again, not necessarily. Something like "rock blue sky screen urge run wall"
>>>(diceware words) is both more secure and much easier to remember, especially
>>>if you generate a phrase with a memorable acronym.
>>
>>If you generate the phrase it is not random.

>It was in fact generated randomly.

What I interpret "generate the phrase" is that you generate the words, or
add words to the words from diceware or whatever so as to get a memorable
phrase. If you just use diceware, the stuff you get is not very memorable.

E.g., their example:
cleftcamsynodlacyyr
While somewhat more memorable than $,c*:11#MwU!`b8QB-Th
it also has much less "entropy" (about the same as $,c*:11, which is
probably easier to remember).

>>That particular phrase I
>>suspect has far less randomness than my phrase,

>It actually has more information entropy, and that's what counts. See:
>
>
>and the other links I've added to my FAQ.

>>and the urge to misremember
>>by inserting verbs and articles is high.

>Inserting verbs and articles would actually increase strength by increasing
>length, not decrease it.

No, I meant that the user would in trying to remember it, insert articles
and verbs while trying to remember it, meaning that he would type in the
wrong passphrase.
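The entropy arithmetic traded back and forth in this thread (the /dev/urandom printable-character recipe, Navas's point that lower per-symbol entropy can be offset with a longer key, and unruh's comparison of cleftcamsynodlacyyr with $,c*:11), worked through as an added example that is not code from any poster, from Password Safe or from Diceware. It assumes the 94 printable ASCII characters excluding space, a 7776-word list of the size Diceware uses, and a constructed seven-word stand-in list.

```python
"""Bits of entropy for the two password styles discussed in this thread, plus
generators for each. Added example; not code from any poster, from Password
Safe or from Diceware. Assumptions: 94 printable ASCII characters (space
excluded), and a 7776-word list as Diceware uses (five dice, 6**5 entries)."""
import math
import secrets
import string

# The characters `less` would show from /dev/urandom output, minus space.
PRINTABLE = string.digits + string.ascii_letters + string.punctuation  # 94
DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words, one per five-dice roll

# Constructed stand-in for a real word list; only its contents/size matter here.
TOY_WORDLIST = ["rock", "blue", "sky", "screen", "urge", "run", "wall"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `alphabet_size` symbols.
    This is the quantity Navas calls 'the entropy of a given key length'."""
    return length * math.log2(alphabet_size)


def length_to_match(bits: float, alphabet_size: int) -> int:
    """Smallest number of symbols from `alphabet_size` that reaches `bits` of
    entropy: how much longer a key must be to offset a smaller alphabet."""
    return math.ceil(bits / math.log2(alphabet_size))


def random_printable_password(length: int) -> str:
    """The dd/less recipe in code: draw bytes from the OS CSPRNG and keep only
    those that land in PRINTABLE. Each byte is uniform and out-of-set bytes are
    simply discarded (rejection sampling), so every kept character is uniform
    over the 94-character set with no modulo bias."""
    allowed = PRINTABLE.encode("ascii")
    out = bytearray()
    while len(out) < length:
        for b in secrets.token_bytes(64):
            if b in allowed:
                out.append(b)
                if len(out) == length:
                    break
    return out.decode("ascii")


def diceware_index(rolls) -> int:
    """Map five dice rolls (each 1..6) to a word-list index 0..7775, the way
    Diceware reads a roll of 1-1-1-1-1 as the first entry."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls of 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def diceware_passphrase(wordlist, n_words: int) -> str:
    """Pick `n_words` uniformly from `wordlist` with the OS CSPRNG instead of
    physical dice; entropy is n_words * log2(len(wordlist))."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def thread_comparison() -> dict:
    """Entropy of the concrete examples the posters traded, plus the length
    each style needs to match the other."""
    chars, words = len(PRINTABLE), DICEWARE_LIST_SIZE
    return {
        "20 printable chars ($,c*:11#MwU!`b8QB-Th)": entropy_bits(chars, 20),
        "7 diceware words (rock blue sky ...)": entropy_bits(words, 7),
        "5 diceware words (cleftcamsynodlacyyr)": entropy_bits(words, 5),
        "7 printable chars ($,c*:11)": entropy_bits(chars, 7),
        "diceware words to match 20 printable chars": length_to_match(entropy_bits(chars, 20), words),
        "printable chars to match 7 diceware words": length_to_match(entropy_bits(words, 7), chars),
    }


if __name__ == "__main__":
    for label, value in thread_comparison().items():
        print(f"{label}: {value:.1f}" if isinstance(value, float) else f"{label}: {value}")
    print(random_printable_password(20))
    print(diceware_passphrase(TOY_WORDLIST, 7))
```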

Re: FAQ: How can I generate good strong passwords?

am 06.04.2006 01:50:33 von John Navas

[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In on 5 Apr 2006 23:04:57 GMT, Unruh
wrote:

>[SNIP]

I'm done with this increasingly pointless argument, giving you the last word.
;)

--
Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
John Navas

Re: FAQ: How can I generate good strong passwords?

am 06.04.2006 06:39:48 von Volker Birk

Mark McIntyre wrote:
> >>Not true -- security by obscurity is an oxymoron.
> Euh, this is bullshit. Obscuring the target is a good security
> technique. If the bad guys don't know you're there, how can they come
> after you?

If only this worked - I never saw it working. Do you know Kerckhoffs'
principle?

> I disagree. Many people can remember pretty long strings of fairly
> random letters, such as a sequence of names and dates.

Maybe. And most people cannot.

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: FAQ: How can I generate good strong passwords?

am 06.04.2006 15:05:38 von David Taylor

> I'm done with this increasingly pointless argument, giving you the last word.

I for one wish that you wouldn't keep posting this over and over
again, automated or not; if it weren't posted, you wouldn't have this
debate *every* time it's posted!

Re: FAQ: How can I generate good strong passwords?

am 12.04.2006 11:27:37 von novikov

Hi All,

Try this free utility - ViPNet [Password Roulette] - it is a free
password generator, which makes easy-to-remember passwords! Did you see
it?
You might not use it but I am sure you will have some fun with
generated passwords. It is free.
http://www.infotecs.biz/Soft/pass.htm


"... The innovation of this software is simple and genius. The
passwords are derived from word phrases easy to remember. Often these
phrases have a humorous touch facilitating the process of memorizing.
The password list can be generated in 3 languages: English, German and
Russian. Additionally ViPNet [Password Roulette] can generate random
digital passwords ..."

Re: FAQ: How can I generate good strong passwords?

am 12.04.2006 22:27:14 von John Navas

[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In <1144834057.662037.297670@j33g2000cwa.googlegroups.com> on 12 Apr 2006
02:27:37 -0700, "novikov@infotecs.ru" wrote:

>Hi All,
>
>Try this free utility - ViPNet [Password Roulette] - it is a free
>password generator, which makes easy-to-remember passwords! Did you see
>it?
>You might not use it but I am sure you will have some fun with
>generated passwords. It is free.
>http://www.infotecs.biz/Soft/pass.htm
>
>"... The innovation of this software is simple and genius. The
>passwords are derived from word phrases easy to remember. Often these
>phrases have a humorous touch facilitating the process of memorizing.
>The password list can be generated in 3 languages: English, German and
>Russian. Additionally ViPNet [Password Roulette] can generate random
>digital passwords ..."

You know it to be safe and secure because ... ?

A basic premise of good security is to take nothing at face value.

--
Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
John Navas