If you want to avoid the embarrassment of finding your password on the Worst Offenders' List but struggle to come up with a strong, memorable password on your own, try a password creator (generator). Several freeware utilities are available for PC and Mac. Use this quick summary and analysis to choose one that's right for you.
pwgen for Mac OS
pwgen is a graphical user interface for the OpenBSD command line utility, pwgen. You can customize the password you generate to include all the "complexity" elements of a strong password (length, capitals, numbers, special characters) and you can also exclude characters that may look alike when certain fonts are used (O and 0, B and 8).
Random Password Generator (RPG) offers the same features as pwgen but also allows you to create password schemas or "environmental constraints". For example, you can apply filters to limit the characters used by RPG to generate hexadecimal passwords for WLAN security, or you can create filters to avoid ambiguous characters (as does pwgen).
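To show what the options described for pwgen and RPG amount to in code, here is an added example (not code from the post or from either tool): a client-side generator built on Python's secrets module that draws from the enabled character classes, drops the look-alike characters, and can be filtered down to hex digits for a WLAN key. The AMBIGUOUS set and the SYMBOLS string are my assumptions; adjust them to the policy of the site you are generating for.

```python
import secrets
import string

# Look-alike characters to drop, as the post describes (O/0, B/8); the full set is an assumption
AMBIGUOUS = set("O0B8Il1|")
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"  # assumed symbol set; adjust to the target site's policy


def character_classes(upper=True, digits=True, symbols=True, exclude_ambiguous=True):
    """Build the character classes the password must draw from."""
    classes = [string.ascii_lowercase]
    if upper:
        classes.append(string.ascii_uppercase)
    if digits:
        classes.append(string.digits)
    if symbols:
        classes.append(SYMBOLS)
    if exclude_ambiguous:
        classes = ["".join(c for c in cls if c not in AMBIGUOUS) for cls in classes]
    return classes


def generate_password(length=16, **options):
    """Random password of `length` containing at least one char from every enabled class.

    Uses the `secrets` module (a CSPRNG), never `random`.  Forcing one character
    per class lowers entropy slightly, so keep length well above the class count.
    """
    classes = character_classes(**options)
    if length < len(classes):
        raise ValueError("length must be at least the number of character classes")
    chars = [secrets.choice(cls) for cls in classes]  # one from each enabled class
    pool = "".join(classes)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):  # Fisher-Yates shuffle driven by the CSPRNG
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def generate_hex_key(hex_digits=26):
    """Hex-only password for a WLAN key (WEP-104 uses 26 hex digits, a WPA PSK 64)."""
    return "".join(secrets.choice("0123456789abcdef") for _ in range(hex_digits))


def meets_policy(password, length=16, **options):
    """Check that a password (generated or edited by hand) still satisfies the constraints."""
    classes = character_classes(**options)
    pool = set("".join(classes))
    return (len(password) >= length
            and all(any(c in cls for c in password) for cls in classes)
            and all(c in pool for c in password))
```

meets_policy is there so that, if you tweak a generated password before using it, you can confirm it still meets the length and class requirements you started with.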
Password Assistant for Mac OS
Password Assistant (PA) has the same features as pwgen and RPG. This program lets you use the built-in password assistant dialog in Mac OS without having to slog through System Preferences and the Accounts preference pane to get to it. PA gives you access to the Mac OS "memorable" option, which generates passwords composed from random words, symbols and numbers.
Password Generator XP
This utility offers strong, complex password creation for Windows 7 and XP. In addition to the obligatory complexity generation features, Password Generator XP has a nifty vowel insertion algorithm that lets you generate passwords you can "pronounce". It also offers you several candidate passwords each time you select criteria and run the program.
net user command line utility (Windows)
Throwback Windows users can open a CMD prompt, type net user username /random (substituting the account name for username) and generate a random password according to the local security policy enforced on your PC. Effective if not glamorous or particularly creative.
I'm not endorsing any particular product here, nor am I suggesting you MUST use a password generator. If none of the utilities I mentioned here strike your fancy, you can find dozens of programs to generate or manage passwords by searching. You can also find web pages that offer scripts to generate passwords for you that satisfy typical minimum password complexity criteria. Remember to download from a source you trust, and verify with your own antimalware software that the utility you choose is legitimate. Most importantly, however... use long, complex passwords. Don't use the same password everywhere. Generate new passwords reasonably frequently.
Thanks for this pointer. I will download the script and give it a try.
You raise a good point about online password testing tools: a test script or application hosted on a web server does create a possibility of a man in the middle attack, where the password you are composing or checking is intercepted or captured by a bad guy. To minimize this, I suggest that you use such password generators to compose a password of desired composition and length, but then change the suggested password a bit before you actually put it to use. If you are really concerned, use a client side password generator such as the ones I've mentioned.
Posted by: The Security Skeptic | Friday, 09 April 2010 at 09:24 AM
It has at least three advantages:
- Customizable (length, character set)
- It is all client-side, so you don't have to worry (that much) about MITM attacks
- Given that it is fully client side, you can do a code review instead of placing your trust in some server
Posted by: Cd-MaN | Friday, 09 April 2010 at 08:23 AM
Thanks for this observation. Everyone is capable of remembering passwords, the trick is to learn to compose passwords you alone will remember. Alternatively, create one very strong password. Use a random password generator to create passwords for all your accounts, and store these in a password vault or safe (many such applications exist).
You can follow me on Twitter at securityskeptic
Posted by: Security Skeptic | Thursday, 11 February 2010 at 01:25 PM
Users will still have problems with remembering passwords. Which brings about writing passwords on Post-its and sticking them on your monitor!
Do you have a twitter account? I'd like to follow you.
Posted by: Defmonk | Thursday, 11 February 2010 at 09:15 AM