I just read Christer’s post about creating secure passwords using a simple Linux utility ‘pwgen’. Good read, and even better tutorial. However, I hope you don’t mind a bit Christer, but I’m going to pick on your post a little.
pwgen creates 8-character random passwords. Using the various options, you can increase/decrease the strength and readability of the generated passwords. It provides a helpful screendump, at which you pick one, and use it. Unfortunately, you cannot alter the length of the generated passwords using pwgen (at least, not that I am aware of). Also, it’s still generated to tty, even though it can be used elsewhere, which means the screen can be copied and saved to an attacking program. While 8 characters may be enough for some, it’s small enough to be cracked via brute force with little effort, even if you ran pwgen -sy.
As such, I’m going to explain the concept of passphrases. The term ‘passphrase’ is synonymous with PGP/GPG. When using your private key to decrypt or sign a message, you are always prompted to enter your passphrase. The idea of a passphrase is simple enough: create a phrase, using a series of ‘words’, that is substantially longer than a password. Of course, we are talking security here, so using just letters will get you shot with a dictionary attack. So, we need a phrase that is quite long, easy to remember, and very secure using numbers, letters of both case and symbols. Creating such a passphrase is easy.
One way to generate such a passphrase is to think of something that you like to do. Maybe its a hobby or a skill. Maybe a favorite pastime, a favorite video game or anything. For example, I enjoy programming in Perl, so, I could generate my passphrase as:
As it stands, it’s extremely weak, as it uses only letters, lowercase at that, and every word is in the dictionary. But, it is 21 characters long, substantially longer than anything pwgen produces. So we do have that going for us.
Now let’s make our passphrase stronger. I usually tell people to replace letters with symbols and numbers when convenient and to use both cases. Let’s start with putting uppercase letters in the passphrase. Every time we hit a syllable in the passphrase, uppercase that letter:
Not bad. A little stronger, although not much. Now let’s replace some of the letters with symbols. When doing so, we want to make this easy to remember, so we need to be consistent. Being consistent does create a weakness though, in the passphrase. Just remember, as long as you can remember it, then make it as strong as possible. So, I’m going to replace every ‘i’ with the vertical bar ‘|’, every ‘o’ with ‘%’, every a with a ‘@’ and every ‘m’ with a ‘#’:
It’s getting a little tougher to read, but our strength has easily increased ten-fold. Finally, lets add a couple numbers to the mix, and we’ll be finished. I’m going to replace every ‘e’ with a ’3′, every ‘g’ with a ’6′ and every ‘l’ with a ’7′. Let’s see how we turn out:
That’s a tough passphrase to crack, I don’t care what anyone says. Now, I’m not going to be naive, and say that it is perfect. This passphrase still follows dictionary form, and the consistency of what symbols and numbers replaced what letters are consistent. This does provide weakness to the passphrase, at which case, you may want to include underscores, periods, commas, dashes, etc. between words to increase its strength. Also, you may not want to be as consistent when replacing letters with numbers and symbols. Break it up a bit, just as long as you can remember it. However, you’ll find that this passphrase example is quite resilient to brute-force and dictionary attacks, and, it’s easy enough to remember. My recommended result, adding a period between words, would result in a 24-character passphrase: