« Phishers get big mileage by using info that looks credible | Main | ;login article: ICANN's Security Stability and Resiliency Plan »

Friday, 05 February 2010

How to create strong passwords

If you want to avoid the embarrassment of finding your password on the Worst Offenders' List but struggle to come up with a strong, memorable password on your own, try a password creator (generator). Several freeware are available for PC and Mac. Use this quick summary and analysis to choose one that's right for you.

pwgen for Mac OS

pwgen is a graphical user interface for the Open BSD command line utility, pwgen. You can customize the password you generate to include all the "complexity" elements of a strong password (Length, Capitals, numbers, special characters) and you can also exclude characters that may look alike when certain fonts are used (O and 0, B and 8).

  Pwgen

RPG for Mac OS

Random Password Generator (RPG) offers the same features as pwgen but also allows you to create password schemas or "environmental constraints". For example, you can apply filters to limit the characters used by RPG to generate hexadecimal passwords for WLAN security, or you can create filters to avoid ambiguous characters (as does pwgen). 

RPG 

Password Assistant for Mac OS

Password Assistant (PA) has the same features as pwgen and RPG. This program lets you use the built-in password assistant dialog in Mac OS without having to flog through System preferences and the Accounts preference panes to get to it. PA gives you access to the Mac OS a "memorable" option that lets you generate passwords that are composed from random words, symbols and numbers. 

Passwordassistant1 

Password Generator XP

This utility offers strong, complex, password creation capabilities for Windows 7 and XP. In addition to the obligatory complexity generation features, Password Generator XP has a nifty vowel insertion algorithm that lets you generate passwords you can "pronounce". It also gives you choices of passwords each time you select criteria and run the program. 

 

Pasgen 

net user command line utility (Windows)

 

Throwback Windows users can open a CMD prompt, type net user username /random and generate a random password according to the local security policy enforced on your PC. Effective if not glamorous or particularly creative.

Parting remarks

I'm not endorsing any particular product here, nor am I suggesting you MUST use a password generator. If none of the utilities I mentioned here strike your fancy, you can find dozens of software to generate or manage passwords by searching. You can also find web pages that offer scripts to generate passwords for you that satisfy typical minimum password complexity criteria. Remember to download from a source you trust, and verify with your own antimalware software that the utility you choose is legitware. Most importantly, however... use long, complex passwords. Don't use the same password everywhere. Generate new passwords reasonably frequently. 

 

Posted at 09:17 AM in All matters security, Stop Think Connect |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Thanks for this pointer. I will download the script and give it a try.

You raise a good point about online password testing tools: a test script or application hosted on a web server does create a possibility of a man in the middle attack, where the password you are composing or checking is intercepted or captured by a bad guy. To minimize this, I suggest that you use such password generators to compose a password of desired composition and length, but then change the suggested password a bit before you actually put it to use. If you are really concerned, use a client side password generator such as the ones I've mentioned.

Posted by: The Security Skeptic | Friday, 09 April 2010 at 09:24 AM

I just wanted to bring to your attention my little javascript password generator: http://hype-free.blogspot.com/2010/04/updated-yarpg.html

It has at least three advantages:
- Customizable (length, character set)
- It is all client-side, so you don't have to worry (that much) about MITM attacks
- Given that it is fully client side, you can do a code review instead of placing your trust in some server

Posted by: Cd-MaN | Friday, 09 April 2010 at 08:23 AM

Thanks for this observation. Everyone is capable of remembering passwords, the trick is to learn to compose passwords you alone will remember. Alternatively, create one very strong password. Use a random password generator to create passwords for all your accounts, and store these in a password vault or safe (many such applications exist).

You can follow me on Twitter at securityskeptic

Posted by: Security Skeptic | Thursday, 11 February 2010 at 01:25 PM

Users will still have problems with remembering passwords. Which brings about writing passwords on 'post-it's and sticking them on your monitor!

Do you have a twitter account? I'd like to follow you.

Posted by: Defmonk | Thursday, 11 February 2010 at 09:15 AM

The comments to this entry are closed.

Find me on Mastodon and Facebook

Spotlight Posts

  • FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is important for #infosec
    M3AAWG comments on the FTC's proposed rule Trade Regulation Rule on Impersonation of Government and Businesses is available. I was one of the contributors to the comment. In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and the important role that Whois plays in investigating impersonation and fraud. Several reports that my Interisle colleagues and I published are cited in the comment, along with the...
  • Cybercrime Information Center reports sharp increases in phishing attacks, unique domains reported in August-October 2022 time period
    A recent ebb in domain names reported for phishing created some euphoria in the domain industry. With phishing activity, as with tides, ebbs are invariably followed by flows. In their August- October 2022 Quarterly Phishing Activity, the Cybercrime Information Center observed a 40% increase in phishing attacks and a nearly 20% increase in unique domain names reported for phishing.
  • Cybercrime Information Center's YouTube Channel
    My colleagues and I at Interisle have created a YouTube channel to complement the quarterly reporting and studies of cybercrime we host at the Cybercrime Information Center. Our goal is to share, in a few minutes, the findings and insights from our research in a format that's easily accessible and shareable, informative, and entertaining. The inaugural videos provide 2-5 minute summaries of our annual Phishing and Malware Landscape studies. We'll continue to produce videos of our annual studies. If you like what you see, leave us a comment.
  • Malware Landscape 2022: unabated malware growth, continued exploitation of IoT devices
    My colleagues at Interisle and I have published a study, Malware Landscape 2022: A Study of the Scope and Distribution of Malware. The study, which analyzed 2.5 million records of distinct malware events from May 2021 to April 2022 collected by the Cybercrime Information Center, explains what malware was most prevalent, where malware was served from, and what resources criminals used to pursue their attacks.
  • New TLDs are coming #Dangerclose.
    A Domain Name Wire post, Time to pay attention to the next round of new TLDs, begins with an ominous: They’re coming. Eventually. While not as dramatic or enduring as Arnold Schwarzenegger's "I'll be back", the reporter cites policy activity at ICANN as evidence that new TLDs are coming. Eventually. In a September 2019 post, and in response to the ICANN memorandum, Readiness to Support Future Rounds of New gTLDs, I asked, Has enough been done to study and rectify the concentration of security threats in the new TLD space? In that post, I quoted correspondence from ICANN's security advisory...

Search

My Photo

Categories