
How to create strong passwords

If you want to avoid the embarrassment of finding your password on the Worst Offenders' List but struggle to come up with a strong, memorable password on your own, try a password creator (generator). Several freeware utilities are available for PC and Mac. Use this quick summary and analysis to choose one that's right for you.

pwgen for Mac OS

pwgen is a graphical user interface for the Open BSD command line utility, pwgen. You can customize the password you generate to include all the "complexity" elements of a strong password (length, capitals, numbers, special characters), and you can also exclude characters that may look alike in certain fonts (O and 0, B and 8).


RPG for Mac OS

Random Password Generator (RPG) offers the same features as pwgen but also allows you to create password schemas or "environmental constraints". For example, you can apply filters that restrict RPG to hexadecimal characters, to generate keys for WLAN security, or you can create filters that avoid ambiguous characters (as pwgen does).


Password Assistant for Mac OS

Password Assistant (PA) has the same features as pwgen and RPG. This program lets you use the built-in password assistant dialog in Mac OS without having to slog through System Preferences and the Accounts preference pane to get to it. PA also gives you access to the Mac OS "memorable" option, which generates passwords composed of random words, symbols and numbers.


Password Generator XP

This utility offers strong, complex password creation for Windows 7 and XP. In addition to the obligatory complexity features, Password Generator XP has a nifty vowel insertion algorithm that lets you generate passwords you can "pronounce". It also presents several candidate passwords to choose from each time you select criteria and run the program.
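The features the four tool sections above describe (selectable character classes, exclusion of look-alike characters, a hex-only mode for WLAN keys, a "memorable" word-based mode and a pronounceable mode) are easy to reproduce in a few lines. The following is an added example written for this page; it is not code from the post or from any of the tools it reviews. The ambiguous-character set, the symbol set and the ten-word list are constructed for the example, and the pronounceable mode simply alternates consonants and vowels rather than reproducing Password Generator XP's vowel insertion algorithm. Every draw uses Python's `secrets` module (the operating system's CSPRNG), which is the property that matters most in a generator.

```python
import math
import secrets
import string

# Look-alike characters dropped when exclude_ambiguous=True (constructed set;
# which glyphs collide depends on the font, so adjust it to taste).
AMBIGUOUS = set("O0Il1B8S5Z2")
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"

# CSPRNG-backed shuffler; the plain `random` module must not be used for passwords.
_rng = secrets.SystemRandom()


def generate_password(length=16, upper=True, lower=True, digits=True,
                      symbols=True, exclude_ambiguous=True):
    """Random password containing at least one character of every requested class."""
    classes = []
    if upper:
        classes.append(string.ascii_uppercase)
    if lower:
        classes.append(string.ascii_lowercase)
    if digits:
        classes.append(string.digits)
    if symbols:
        classes.append(SYMBOLS)
    if not classes:
        raise ValueError("select at least one character class")
    if exclude_ambiguous:
        classes = ["".join(c for c in cls if c not in AMBIGUOUS) for cls in classes]
    if length < len(classes):
        raise ValueError("length is too short to include every requested class")
    alphabet = "".join(classes)
    # One guaranteed character per class, the rest drawn from the union...
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # ...then shuffled so the guaranteed characters do not sit at fixed positions.
    _rng.shuffle(chars)
    return "".join(chars)


def check_complexity(password, min_length=12, classes_required=3):
    """True if the password is long enough and mixes enough character classes."""
    if len(password) < min_length:
        return False
    present = sum(any(c in cls for c in password)
                  for cls in (string.ascii_uppercase, string.ascii_lowercase,
                              string.digits, string.punctuation))
    return present >= classes_required


def generate_hex_key(bits=256):
    """Hex-only key, e.g. the 64-digit form of a WPA2 pre-shared key."""
    if bits % 8:
        raise ValueError("bits must be a multiple of 8")
    return secrets.token_hex(bits // 8)


CONSONANTS = "bcdfghjkmnpqrstvwxz"   # no 'l', to avoid l/1/I confusion
VOWELS = "aeiou"


def generate_pronounceable(length=12):
    """Alternate consonants and vowels so the result can be said aloud.

    Pronounceability costs entropy: each consonant/vowel pair offers
    19 * 5 = 95 choices versus 26 * 26 = 676 for two free letters, so ask
    for more length than you would from generate_password().
    """
    letters = [secrets.choice(CONSONANTS if i % 2 == 0 else VOWELS)
               for i in range(length)]
    # Capitalise one random position so a mixed-case rule is also satisfied.
    pos = secrets.randbelow(length)
    letters[pos] = letters[pos].upper()
    return "".join(letters)


# Constructed ten-word list for the example. A real passphrase generator draws
# from thousands of words (a diceware-style list) so each word adds ~13 bits.
WORDS = ["anvil", "bramble", "copper", "dune", "ember",
         "falcon", "granite", "harbor", "inlet", "juniper"]


def generate_passphrase(words=4, separator="-"):
    """Memorable passphrase: random words plus a two-digit random number."""
    picked = [secrets.choice(WORDS) for _ in range(words)]
    return separator.join(picked) + separator + str(secrets.randbelow(100)).zfill(2)


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, "passes complexity check:", check_complexity(pw))
    print("hex WLAN key:", generate_hex_key())
    print("pronounceable:", generate_pronounceable())
    print("passphrase:", generate_passphrase())
    print("entropy of 16 chars over 64 symbols:", entropy_bits(64, 16), "bits")
```

The `entropy_bits` helper is the check worth keeping at hand: a 16-character password over a 64-symbol alphabet carries 96 bits, while four words from a ten-word list carry barely 13, which is why the word list behind a "memorable" mode must be large for that mode to be safe.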


net user command line utility (Windows)


Throwback Windows users can open a CMD prompt, type "net user username /random", and generate a random password that conforms to the local security policy enforced on your PC. Effective, if not glamorous or particularly creative.

Parting remarks

I'm not endorsing any particular product here, nor am I suggesting you MUST use a password generator. If none of the utilities I mentioned here strike your fancy, you can find dozens of programs that generate or manage passwords by searching. You can also find web pages that offer scripts to generate passwords for you that satisfy typical minimum password complexity criteria. Remember to download from a source you trust, and verify with your own antimalware software that the utility you choose is legitware. Most importantly, however... use long, complex passwords. Don't use the same password everywhere. Generate new passwords reasonably frequently.


Comments


Thanks for this pointer. I will download the script and give it a try.

You raise a good point about online password testing tools: a test script or application hosted on a web server does create a possibility of a man in the middle attack, where the password you are composing or checking is intercepted or captured by a bad guy. To minimize this, I suggest that you use such password generators to compose a password of desired composition and length, but then change the suggested password a bit before you actually put it to use. If you are really concerned, use a client side password generator such as the ones I've mentioned.

I just wanted to bring to your attention my little javascript password generator: http://hype-free.blogspot.com/2010/04/updated-yarpg.html

It has at least three advantages:
- Customizable (length, character set)
- It is all client-side, so you don't have to worry (that much) about MITM attacks
- Given that it is fully client side, you can do a code review instead of placing your trust in some server

Thanks for this observation. Everyone is capable of remembering passwords, the trick is to learn to compose passwords you alone will remember. Alternatively, create one very strong password. Use a random password generator to create passwords for all your accounts, and store these in a password vault or safe (many such applications exist).

You can follow me on Twitter at securityskeptic

Users will still have problems with remembering passwords. Which brings about writing passwords on Post-its and sticking them on your monitor!

Do you have a twitter account? I'd like to follow you.
