Comments on: Secure Passphrases
Linux. GNU. Freedom.
Sun, 13 May 2018 18:21:35 +0000

By: Aaron Thu, 05 Nov 2009 03:23:27 +0000 I'm familiar with pwgen and the man page, thanks.

By: RTFM Wed, 04 Nov 2009 23:59:27 +0000 pwgen [HowManyCharacters like 100] [how many passwords do you need] -n -c -y --> gives me nice ones... just read the manpage

You can even use a file's hash with -h, but don't lose the file 😉

By: Levi Mon, 18 Dec 2006 22:16:09 +0000 Lonnie: Reading over my comment, I admit I was a bit harsh. We ended up having a nice discussion on #utah, though, so I hope no feelings were permanently hurt. 🙂

Anyway, I think there were some fundamentally wrong assumptions in the security comparisons, and the mathematical analysis of cryptographic things should always be considered, because these things don't always follow intuition.

Given an 8 character limit, which used to be quite common, it was very important to avoid dictionary words and use as many odd characters as possible. Now, adding additional characters can make even passphrases with plain English phrases much more secure than any 8-character password.

Emphasizing obfuscation when simply adding a few more words could create a much stronger passphrase is unfortunate.

By: Kevin Sat, 16 Dec 2006 03:28:30 +0000 Actually, you can create passwords longer than 8 characters with pwgen, just by adding a number, so:

pwgen -cn 20

will create 20-character passwords with numbers and mixed case.

By: Lonnie Olson Sat, 16 Dec 2006 01:21:34 +0000 Re: Levi
I am pretty sure his claim that 'ienjoyprogrammingperl' is less secure was not compared to very strong 8 character passwords, but compared to what it could/should be, as he later explained. You are so picky.

By: Lonnie Olson Sat, 16 Dec 2006 01:17:06 +0000 Thanks, I really enjoyed this. Your techniques for good, long passphrases are very good.

Let me recommend better pass(word|phrase) generators.
1. For strong, memorable passphrases use apg. This tool will generate strong passphrases (configurable length and strength), and can optionally print out the pronunciation key. These passwords are not in the dictionary, but are still pronounceable, hence memorable.

2. For extremely strong, rarely used, long passphrases (WEP/WPA keys), use GRC's Perfect Passwords. It generates completely random nonsense. It's delivered very securely over SSL.

By: Ubuntu Tutorials Fri, 15 Dec 2006 19:04:44 +0000 You do have some good points with this post. I understand pwgen doesn't make the *best* passwords, but it's better than "password" or something crappy like a lot of people use.

I've extended my post to refer to your extended outline. Thanks.

By: Levi Fri, 15 Dec 2006 17:27:48 +0000 Clearly you're a bit rusty on your combinatorics. You claim that 'ienjoyprogrammingperl' is insecure because it only uses lowercase characters and contains dictionary words. Let's look at the math, shall we?

First, let's look at the naive brute-force method assuming only lowercase letters. That's 21 characters, each of which has 26 possibilities, which gives us a total search space of 26^21 combinations. I'll let you put that in your calculator yourself, as it's too big to type, and certainly not a realistic search space. Compare this with an 8-character password using all 256 characters, which yields only 256^8 combinations. This is a MUCH smaller number, though still huge. So, a completely obfuscated 8-character password is far less secure than a 21-character password consisting only of lowercase letters in the face of a brute force attack.

Now, let's examine a dictionary attack. My /usr/dict/words has 98569 words in it. If the hacker were to correctly guess that your password consisted of 4 non-repeated words (which is a best-case scenario, of course) then there would be 98569*98568*98567*98567 combinations. This is the same order of magnitude as an 8 character password utilizing potentially all 256 characters! In fact, it's a search space more than 5 times bigger.

Anyway, you can now clearly see that your assertion that 'iloveprogrammingperl' is an extremely weak password is total bunk. It is actually more secure than an 8-character random password. It is true that using extra characters that remove the possibility of dictionary attacks makes your password more secure, but there is a point of diminishing returns, and I think you crossed it somewhere before your final obfuscation there.
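The search-space comparison Levi walks through above, as an added example that is not part of the original thread: it computes the brute-force and dictionary spaces in bits for the figures quoted in the comment (26 lowercase letters over 21 characters, 256 byte values over 8, and a 98569-word dictionary over 4 non-repeated words), and also generalizes to a worst-case exhaustion time. The guess rate used for that time estimate is a constructed assumption, not a figure from the thread.

```python
import math

def brute_force_space(alphabet_size: int, length: int) -> int:
    """Number of candidates for a uniformly random string of this length."""
    return alphabet_size ** length

def dictionary_space(dictionary_size: int, word_count: int, allow_repeats: bool = False) -> int:
    """Number of candidates for a passphrase built from dictionary words.
    Without repeats this is the falling factorial N*(N-1)*...*(N-k+1)."""
    if allow_repeats:
        return dictionary_size ** word_count
    space = 1
    for i in range(word_count):
        space *= dictionary_size - i
    return space

def bits(space: int) -> float:
    """Search space expressed as bits of entropy (log2 of candidate count)."""
    return math.log2(space)

def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try every candidate at a fixed rate."""
    return space / guesses_per_second / (365.25 * 24 * 3600)

# Figures quoted in the thread
LOWERCASE = 26
ALL_BYTES = 256
DICT_WORDS = 98569   # Levi's /usr/dict/words line count

# Constructed assumption: 1e12 guesses/s for an offline attacker against a fast hash
ASSUMED_RATE = 1e12

def compare_thread_examples() -> dict:
    """Compare the three candidate spaces discussed in the thread."""
    lower21 = brute_force_space(LOWERCASE, 21)       # 'ienjoyprogrammingperl'
    byte8 = brute_force_space(ALL_BYTES, 8)          # fully random 8-byte password
    four_words = dictionary_space(DICT_WORDS, 4)     # dictionary attack, 4 distinct words
    return {
        "lowercase_21_bits": bits(lower21),
        "allbytes_8_bits": bits(byte8),
        "four_words_bits": bits(four_words),
        "four_words_over_allbytes_8": four_words / byte8,
        "lowercase_21_years": years_to_exhaust(lower21, ASSUMED_RATE),
        "allbytes_8_years": years_to_exhaust(byte8, ASSUMED_RATE),
    }

if __name__ == "__main__":
    for name, value in compare_thread_examples().items():
        print(f"{name:>28}: {value:,.2f}")
```

Even the four-word dictionary attack leaves a space over five times larger than the 8-byte random password, and the lowercase-only brute force is out of reach by a factor of billions of years at the assumed rate.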

By: Tristan Rhodes Fri, 15 Dec 2006 16:36:18 +0000 Aaron,

Thanks for the post. I do like the idea of using passphrases, but I don't usually encrypt them as much as you. I would probably end up with something like this:


Here is my favorite password generator. It provides all the options I need. I usually have it create 50 passwords and I choose the one that is easiest to remember.

Password Length: (4 - 64 chars)
Include Letters: YES
Include Mixed Case: YES
Include Numbers: YES
Include Punctuation: YES
Use similar characters: (i, l, o, 1, 0, I) NO
Quantity: 50