What are the best practices to create secure passwords? I would like to make them tougher to crack with brute force tools.
Part II
Are there any tools that can generate these passwords so I do not have to think one up myself?
What are the best practices to create secure passwords? I would like to make them tougher to crack with brute force tools.
Part II
Are there any tools that can generate these passwords so I do not have to think one up myself?
On Unix systems PAM, or Pluggable Authentication Module is a nice administrative tool that comes with a crack library that you can test passwords against.
After doing some recent security work, I know that Government standards usually have these guidelines when it comes to a password:
Common sense suggests you shouldn't put the 2 numbers and special characters at the beginning or end, but interspersed. While working on these guidelines it brought up the question whether having such complex passwords was really worth it. With passwords so complex, it seems that they have a higher probability of being stored as plain text somewhere by the user or written down somewhere.
In personal use, I typically go less stringent than those guidelines, but definitely no dictionary words or L33t speak.
Bruce Schneier has a nice article on it, based on what a company has have to be common practice in people choice of passwords.
EDIT: Oh, to generate password. You can use tools such as KeePass or Password Safe to auto generate and store different good password for your logins. See this question for more information.
grc.com has a nice page where you can get strong passwords.
curl https://www.grc.com/passwords.htm | openssl sha1
in scripts where I need a quick password (with error checking of the curl response)
Commented
Sep 25, 2014 at 10:21
Personally what I try to do for passwords is first think of a relatively long memorable phrase and perform the following transformation on it:
O
-> 0
, for
/ fore
/ four
-> 4
, one
, an
-> 1
, etc.In most cases this results in a pretty secure and unguessable password, which I can easily reconstruct myself based on these rules and remembering the phrase.
For example:
What are the guidelines for creation of a secure passwords?
Becomes:
WatG4co1sP?
Note that this scheme can be used to create passwords that fit pretty much any rules a company may have regarding minimum length, required included symbols, etc. It also has the added benefit that as long as you pick an encoding scheme that you can apply consistently because it makes sense to you (for capitals, and special characters and digits) then you should not need to write anything down on paper, avoiding the problem where a hacker might be able to find your passwords by just having a look around your workspace.
When security is a major factor, I always include some high ASCII characters.
For example, 154 is Ü. Not only do these characters greatly increase the amount of time required for a brute force attack, but most attacks don't even scan that character range and are sometimes not even capable of it.
Also, the obvious:
The discussion at Diceware is an interesting read.
For creating high value passwords and passphrases, the technique of a dictionary like diceware's and a good randomizer such as a handful of dice is a pretty good choice.
Personally, I use PasswordSafe locked by a strong passphrase generated by the diceware technique. I let PasswordSafe generate every other password I need, and generally have no idea what they might be after a few minutes have passed. I have copies of the safe file on several systems, so I'm not too worried about all the eggs being in one basket. The big advantage is that I never knowingly use the same password for two purposes.
For personal use, I do recommend storing a legible copy of the safe's passphrase in a secure location where it could be found by your heirs...
This site outlines the guidelines well, and will allow you to test it's security. I think coming up with your own will be more memorable then a generated one as well.
The SecurityStats site has a page where you can try your password fu
It gives you guidelines on better passwords too.
Good read on the Google Enterprise Blog on password security tracking,
You could maintain an account for yourself where you check the strengths of your passwords.
because the Google Account authentication system continuously sees new variations of password attacks from around the world, we can assess password strength in real-time and help administrators spot passwords that were relatively secure in the past that are more vulnerable to the latest patterns of attacks
As far as strength against brute force cracking goes, the best thing to do is increase the length and the number of possible combinations increase exponentially (literally). Of course, it's still a good idea to introduce some random characters and symbols to make dictionary attacks more difficult. Or maybe use a couple of words from different languages - bonus points for non-ASCII characters!
A more thorough analysis is available here.
And while we're looking at xkcd password advice, never reuse passwords.
See also Password Maker. This uses information you provide, including a seed, so that you can generate a unique password. Then all you have to do is remember the seed, and figure out the same data values, and Password Maker will generate the same password for you later.
My issues with passwords like that is that they are hard to type and harder to remember. Personally I have a program called gpw which generates passwords from syllable chunks, resulting in a password which is usually "almost" pronounceable. If you l33t-ify it, then add some capitalization and punctiation, you'll end up with something slightly easier to remember than line noise but is reasonably safe from brute-forcers.
So for example I'd do this:
$ gpw
ompartiz
tocycedt
psyllicu
doggiedu
I'd pick one I like, then turn it into something like ?D0ggid00