Generating secure passwords

This content is 16 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

One corporate blogger at Symantec recently wrote about the useless passwords that people use (with various lists placing “password” at or close to the top). His source contained some dubious claims (e.g. it claimed that one of the top passwords across Europe is “monkey”… maybe that is the case for English-speaking Europeans but it’s unlikely to be the case in French, German, Spanish, Italian, Portuguese, Greek, etc., etc.) but his point is valid – systems that require a password require one for a reason – usually to protect either the data contained in the system, the reputation/identity of the person to whom access is being granted, or the company that operates the system.

As a concept, the idea of a username and accompanying password is flawed – ideally we would be using another form of identification and authentication – and that should use multiple factors (something I have/know/am) but in amongst the nearly 2 hours of drivel that was last week’s MacBreak Weekly podcast (note to self: drop this subscription from iTunes) was a little gem about generating new secure passwords. The panel was advocating the use of a utility such as OnePass to generate and manage passwords when one of them said he does something similar from the command line: Unix/Linux and Mac users can type openssl rand -base64 6 to generate a secure 8 character password. The number on the end of the command is a count of random bytes, not characters: base64 prints 4 characters for every 3 bytes (rounded up to a multiple of 4, with “=” padding), so multiply the byte count by 4/3 to get the length of the password. The strength of the result is set by the bytes, 8 bits each, so 6 bytes gives 48 bits of randomness however many characters are printed; ask for more bytes if the password will protect something that can be attacked offline. More details of using OpenSSL to generate secure passwords are available at the tech-recipes website.
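To make the arithmetic in the paragraph above concrete, here is an added example (not code from the post or from OpenSSL) that reproduces what openssl rand -base64 N prints, using Python's secrets module as a stand-in for OpenSSL's random number generator, and works out the entropy. It also includes a variant that draws from a restricted alphabet for sites that reject the “+”, “/” and “=” characters base64 can produce; the alphabet, the function names and the guess rate used in the worst-case calculation are this example's assumptions.

```python
import base64
import math
import secrets
import string


def openssl_style_password(nbytes: int) -> str:
    """Equivalent of `openssl rand -base64 nbytes`: base64 of nbytes CSPRNG bytes.

    secrets.token_bytes stands in for OpenSSL's RNG (assumption of this example).
    """
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def base64_length(nbytes: int) -> int:
    """Characters printed for nbytes of input: the 4/3 rule, rounded up to a
    multiple of 4 because base64 pads an incomplete final group with '='."""
    return math.ceil(nbytes / 3) * 4


def entropy_bits(nbytes: int) -> int:
    """Guessing strength comes from the random bytes, 8 bits each, not from the
    number of characters printed: 6 bytes is 48 bits however it is encoded."""
    return 8 * nbytes


def policy_friendly_password(
    length: int, alphabet: str = string.ascii_letters + string.digits
) -> str:
    """For sites that reject '+', '/' or '=': draw each character uniformly from
    `alphabet`. secrets.choice rejection-samples internally, so there is no
    modulo bias towards the first few characters of the alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` characters drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to try every value of a `bits`-bit secret at a given guess rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    pw = openssl_style_password(6)
    print(pw, len(pw), "chars,", entropy_bits(6), "bits")
    # 48 bits at an assumed 1e9 guesses/s against a fast unsalted hash: hours, not years.
    print("exhaustive search at 1e9 guesses/s:", round(worst_case_seconds(48, 1e9) / 3600, 1), "hours")
    print(policy_friendly_password(12), "12 alphanumerics,", round(password_entropy_bits(12, 62), 1), "bits")
```

The two generators are not equivalent character for character: a 12-character alphanumeric password carries about 71 bits, whereas openssl rand -base64 9 also prints 12 characters but carries 72 bits in a different alphabet, and -base64 6 prints 8 characters for 48 bits. Judge a generated password by its bits, and choose the byte count for the threat (online guessing against a rate-limited login versus offline cracking of a leaked hash).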

One man who knows an awful lot about security, Steve Gibson, has produced a secure online password generator but the 64-character passwords it generates are a bit extreme for most purposes – and “secure” passwords of any length create their own problem – they are totally unmemorable, so most users will resort to using some form of password safe (either online or offline), which concentrates all of the risk in that safe and the single master password that protects it.

Then there’s the issue of password policy – some sites will limit the length of a password whilst others will require (or reject) special characters, so generated output such as base64 may need its “+”, “/” and “=” characters filtered out to fit.

At work, I use a variety of corporate systems, some of which respect my Active Directory logon, and others (timesheeting, more timesheeting, mobile phone billing, self-service HR portal) which do not – each with its own password policy for password length, complexity, re-use and expiry. Then there are the hundreds of websites that I use and which require registration. It’s a usability nightmare – and many people will use the same passwords repeatedly – an identity thief’s dream.

I prefer to use a memorable passphrase, which is typically longer than a password and although it may include dictionary words they do not make up the entire password. For example, if my password needs to be changed and something is happening at that time that might be memorable I could use that – “2008HolidayinFrance” is memorable, easy to type and whilst it includes dictionary words it’s also 19 characters long. Bear in mind, though, that a password cracker does not have to work through all 19 characters: tools that combine word lists with years, place names and capitalisation rules will try a year, a word and a country in combination, so the strength of a passphrase like this rests on the words and their arrangement being unusual, not on the character count alone.

Of course, there is no one answer – what works for me might not work for you. What I’m pretty certain of though is that “password” is not a good password and that re-using the same password (or variations on it) is not a good idea either.

5 thoughts on “Generating secure passwords”

  1. Something that looks similar to OnePass is Password Maker – the basic idea is that you have one unique password/phrase, this is hashed against the site name, and that’s it. It generates a unique personal password for that site based on your pass-phrase. If you forget the site password (or rather FF/IE’s form filler does, or you’re using another machine), you can recreate the same one using the same passphrase/sitename combination.

    Online/offline version here: http://passwordmaker.sourceforge.net/passwordmaker.html (it’s fully client-side: HTML/JavaScript), but there’s also a plugin for Firefox that will auto-generate/enter the password for you.
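The “hash the master passphrase against the site name” idea in the comment above, written out as an added example. This is not PasswordMaker's own algorithm and not code from the post: the PBKDF2 stretching, the revision counter, the output alphabet and the way a URL is reduced to a site name are all choices made for this illustration.

```python
import hashlib
import hmac
import string

# Alphabet the derived password is drawn from (this example's choice; 70 symbols).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def canonical_site(url: str) -> str:
    """Reduce 'https://user@www.Example.com:8443/login' to 'example.com' so every
    page on a site derives the same password. Assumption: scheme, credentials,
    port, path and a leading 'www.' are not part of the identity (IPv6 literals
    are not handled)."""
    host = url.split("://", 1)[-1].split("/", 1)[0]
    host = host.rsplit("@", 1)[-1].split(":", 1)[0].lower()
    if host.startswith("www."):
        host = host[4:]
    return host


def _stretch(master: str, site: str, revision: int, iterations: int) -> bytes:
    """Slow, salted derivation so that a site password leaked in a breach is
    expensive to turn back into the master passphrase. The site name and a
    revision counter (so one site's password can be rotated without changing
    the master) form the salt."""
    salt = f"site-password-v1:{site}:{revision}".encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=32)


def _expand_to_alphabet(key: bytes, length: int) -> str:
    """Map a key onto `length` characters of ALPHABET. Bytes >= limit are
    discarded (rejection sampling) so every character is equally likely; more
    bytes are pulled with a counter-mode HMAC until enough are accepted."""
    limit = 256 - (256 % len(ALPHABET))
    out = []
    counter = 0
    while len(out) < length:
        block = hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
        for b in block:
            if b < limit:
                out.append(ALPHABET[b % len(ALPHABET)])
                if len(out) == length:
                    break
    return "".join(out)


def derive_site_password(master: str, site_url: str, length: int = 16,
                         revision: int = 0, iterations: int = 200_000) -> str:
    """Deterministic per-site password: the same master and site always give
    the same result, so nothing has to be stored."""
    site = canonical_site(site_url)
    return _expand_to_alphabet(_stretch(master, site, revision, iterations), length)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample passphrase
    for url in ("https://www.example.com/login", "example.com", "https://example.org"):
        print(url, "->", derive_site_password(master, url))
    print("example.com after a forced reset ->", derive_site_password(master, "example.com", revision=1))
```

Two properties worth checking before adopting a scheme like this: any site that leaks its password, together with the guessable salt (the site name), hands an attacker an offline guessing attack on the master passphrase, which is why the derivation must be slow and the master must be a genuinely strong passphrase; and a site that forces a password change cannot be accommodated without some state (here the revision number), which is the point at which a stateless scheme starts turning back into a password safe.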
