I was wondering how safe it is to use password generation tools, be they online ones like duckduckgo (just type “password 14 strong” in the search field to generate a 14-character long “strong” password) or terminal based ones like pwgen.
The reason why I wonder is because these programs certainly use some algorithm to generate the password, and perhaps this limits the number of possible outcomes, probably making it easier for an attacking program to crack.
Most of these password generators use a random number generator. That often consists of two parts: a pseudo-random number generator which is algorithmic, and a source of real world randomness (usually called entropy), perhaps derived from timings of events that are seen.
There is probably enough entropy introduced to allay your concerns over the randomness. There is an additional concern, namely that the site could be secretly recording your password and IP address in a database, though in most cases this is unlikely.
The opensuse repos contain “pwgen” and probably other password generators. If you use that, you won’t have to worry about the practices of a web site.
On 2013-04-07 23:26, adhishm wrote:
> The reason why I wonder is because these programs certainly use some
> algorithm to generate the password, and perhaps this limits the number
> of possible outcomes, probably making it easier for an attacking program
> to crack.
Hum. Maybe humans are more predictable than machines in this respect.
–
Cheers / Saludos,
Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)
On Sun, 07 Apr 2013 21:46:03 +0000, nrickert wrote:
> The opensuse repos contain “pwgen” and probably other password
> generators.
> If you use that, you won’t have to worry about the practices of a web
> site.
I second that. pwgen is OSS (so you can review its code and make sure
it’s not sending data anywhere or storing it somewhere). I usually use
it to generate pronounceable passwords, 25 or 30 at a time, and then I
pick one out of the list that I can remember (or one that’s close enough
to something I can remember, and I tweak it).
Choose a long sentence and take First letters of each word in the sentence and Capitalize some of the letters and add a number here and there and a $
This is a sample passcode from the above sentence. This way you can remember it easily.
i then pick an unbroken stream of as many characters as i need from
one (or two, or all three) of the strings…
that way even if someone has the ability to save those three strings
AND my (non-static) IP, they still have a near endless number of
permutations to try before unlocking anything…
and, then i put the new password on a post-it note and attach it to
my monitor. (not!)
–
dd
openSUSE®, the “German Engineered Automobile” of operating systems!
Thanks all for your input. I don’t think I’m paranoid to the point of wearing tinfoil hats, but I think I will settle for pwgen over online resources.
> I second that. pwgen is OSS (so you can review its code and make sure
> it’s not sending data anywhere or storing it somewhere). I usually use
> it to generate pronounceable passwords, 25 or 30 at a time, and then I
> pick one out of the list that I can remember (or one that’s close enough
> to something I can remember, and I tweak it).
> Jim
The passwords from pwgen are pronounceable and thus easy to remember, and it does not seem to be sending any data anywhere.
The passwords generated also look quite strong, and with the -y option there is at least one special character in it. I wish there was some way of specifying password length. Also, the program works well on the command line, so I could pipe its output to my own programs for a variety of purposes.
> Choose a long sentence and take First letters of each word in the sentence and Capitalize some of the letters and add a number here and there and a $
> This is a sample passcode from the above sentence. This way you can remember it easily.
Good idea. In fact today most passwords I use are actually short sentences with a few capitalized letters, numbers and special characters. To make it easy to remember I throw in something about the service to which it is a password too.
On 04/08/2013 12:06 PM, adhishm wrote:
> With passwords as long as that - I think I -will- have to write them on
> a post-it note and attach to my monitor.
of course i use some much smaller sub-section of any of the three
60-something character strings…
my point was with each page containing 190 random characters i can be
confident even if someone does copy that page, they can’t know which (8 to 20 character snippet) i picked, and therefore the
permutations they would have to try would be very very many…so
many i couldn’t even calculate how many combinations!
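Two points above invite a small worked calculation: the question's worry that a generator's algorithm caps the number of possible passwords, and the count of 8-to-20-character snippets a 190-character page holds. This Python is an added example, not code from any post in the thread or from pwgen; it assumes a 94-symbol printable alphabet and a toy generator whose only randomness is its seed.

```python
import math
import random
import secrets
import string

# Printable ASCII without whitespace: 94 symbols, the usual alphabet for a
# "strong" generated password (assumption; pwgen's character sets differ).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def password_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a password drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def seed_bounded_outputs(seed_bits: int, length: int) -> int:
    """Count the distinct passwords a toy generator can emit at all.

    The generator is deterministic given its seed, so walking every seed
    enumerates its whole output space: at most 2**seed_bits passwords,
    however long each one is. This is the worry raised in the question.
    """
    seen = set()
    for seed in range(2 ** seed_bits):
        rng = random.Random(seed)  # model only; never use for real passwords
        seen.add("".join(rng.choice(ALPHABET) for _ in range(length)))
    return len(seen)


def generate(length: int) -> str:
    """Draw every character from the OS entropy-backed CSPRNG instead."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def contiguous_snippets(page_len: int, min_len: int, max_len: int) -> int:
    """Number of distinct contiguous snippets of min_len..max_len characters
    that a page of page_len characters contains (every position x length)."""
    return sum(page_len - k + 1 for k in range(min_len, max_len + 1))


if __name__ == "__main__":
    print(f"14-char password, 94 symbols: {password_bits(14):.1f} bits")
    print(f"12-bit seed, 14-char output: {seed_bounded_outputs(12, 14)} "
          f"distinct passwords (bound: {2 ** 12})")
    print(f"CSPRNG sample: {generate(14)}")
    print(f"8..20-char snippets in a 190-char page: "
          f"{contiguous_snippets(190, 8, 20)}")
```

The seed-bounded count never exceeds 2**seed_bits whatever the password length, which is why the entropy source rather than the algorithm decides the strength. The snippet count (2301 for a 190-character page) shows how much that scheme rests on the page itself staying private.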
On Mon, 08 Apr 2013 09:56:01 +0000, adhishm wrote:
> The passwords generated also look quite strong, and with the -y option
> there is at least one special character in it. I wish there was some way
> of specifying password length. Also, the program works well on the
> command line, so I could pipe its output to my own programs for a
> variety of purposes.
You can specify the length of password to generate - the parameters
passed on the command line are length and number of passwords to
generate, so:
pwgen 7 8
generates 8 passwords of length 7.
Jim
On Wed, 10 Apr 2013 16:16:01 +0000, adhishm wrote:
> hendersj;2545771 Wrote:
>>
>> You can specify the length of password to generate - the parameters
>> passed on the command line are length and number of passwords to
>> generate, so:
>>
>> pwgen 7 8
>>
>> generates 8 passwords of length 7.
>>
>> Jim
>
> Thanks for the tip! I wonder why I didn’t just search for it instead of
> glossing over the man page.
It happens - I only knew about it because I’d used it before (and only
used the built-in help initially).
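Since the thread mentions piping pwgen's output into one's own programs and relying on -y for a special character, here is an added Python filter (not part of pwgen or of any post) that reads pwgen's column layout and keeps only candidates of the requested length that actually contain a symbol and a digit. The sample it falls back on is constructed, not real pwgen output.

```python
import string
import sys

SYMBOLS = set(string.punctuation)
DIGITS = set(string.digits)

# Constructed stand-in for what `pwgen -y 7 8` prints (eight 7-character
# passwords on one line, whitespace separated); not real pwgen output.
SAMPLE_PWGEN_OUTPUT = "Ae7$kLm zq9!Rtu Bn3#xyz pqrstuv Gh5%jkl mno2(pq wxy8&zA K1_lmnq\n"


def parse_pwgen_output(text: str) -> list[str]:
    """pwgen lays passwords out in columns; each whitespace token is one candidate."""
    return text.split()


def meets_policy(pw: str, length: int, require_symbol: bool = True,
                 require_digit: bool = True) -> bool:
    """Local checks on one candidate: exact length, plus the classes we insist on."""
    chars = set(pw)
    if len(pw) != length:
        return False
    if require_symbol and not chars & SYMBOLS:
        return False
    if require_digit and not chars & DIGITS:
        return False
    return True


def select_candidates(text: str, length: int, **policy) -> list[str]:
    """Keep only the generated passwords that satisfy the policy."""
    return [pw for pw in parse_pwgen_output(text)
            if meets_policy(pw, length, **policy)]


if __name__ == "__main__":
    # Usage: pwgen -y 7 8 | python3 this_script.py 7
    wanted = int(sys.argv[1]) if len(sys.argv) > 1 else 7
    text = SAMPLE_PWGEN_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for pw in select_candidates(text, wanted):
        print(pw)
```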