Wednesday, January 18, 2012


People ask me about security, and much of it comes down to having good passwords.  In general, one-time passwords are best: these change each time one logs in; YubiKeys and RSA IDs are examples.  Two factor -- typically one reusable and one ephemeral (e.g.: an SMS text to your cell phone) -- is good too.  When we're stuck with reusable passwords (using the same one again and again), picking good ones is critical.  Good ones are both long and difficult to guess.  Random is best, as we humans aren't as random as we first appear.  Since long, random passwords aren't memorable, we need password keepers.  Firefox will remember passwords for you; I recommend you allow it to do this, but: set a master password!  I also recommend using KeePass, which is available for whichever platform you have.

So, let's do a little math.  26 lower case letters, 26 upper case, 10 digits, and 10 symbols equals 72 characters.  Let's say you have 8-character random passwords using each of the character classes and no repeated characters.  So, 72*71*70*69*68*67*66*65 = 482,590,739,030,400 possible passwords.  Not bad.  Now let's go to 20.  72*71*70*69*68*67*66*65*64*63*62*61*60*59*58*57*56*55*54*53 = 759,184,772,617,383,139,127,116,820,643,840,000 possible passwords.  Good enough for the time being.
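The arithmetic above is easy to get wrong by hand (and overflows ordinary floating point), so here it is as an added example, not code from the original post. It computes the post's no-repeat product with BigInt, compares it with the larger count you get when repeats are allowed, converts the keyspace to bits of entropy, and divides by a constructed guessing rate to show worst-case exhaustion time. The guessing rate is an assumption chosen for illustration, not a measured figure.

```javascript
// Added example: password keyspace arithmetic from the post's figures
// (72-character alphabet, passwords drawn without repeats). Not the post's code.

// Number of k-character strings over an n-character alphabet when no
// character may repeat: n * (n-1) * ... * (n-k+1), i.e. the post's product.
function keyspaceNoRepeat(n, k) {
  if (k > n) return 0n;
  let total = 1n;
  for (let i = 0; i < k; i++) total *= BigInt(n - i);
  return total;
}

// The same count when repeats are allowed: n^k. Forbidding repeats, as the
// post's generator does, slightly shrinks the space rather than enlarging it.
function keyspaceWithRepeat(n, k) {
  return BigInt(n) ** BigInt(k);
}

// Keyspace expressed as bits of entropy (log2), the unit usually used when
// comparing password policies. Number() is precise enough at these magnitudes.
function entropyBits(space) {
  return Math.log2(Number(space));
}

// Worst-case seconds to try every password at a given guessing rate
// (guesses per second); on average an attacker needs about half of this.
function secondsToExhaust(space, guessesPerSecond) {
  return space / BigInt(guessesPerSecond);
}

// Summarize one policy: the post's 8- and 20-character cases fit here.
function summarize(n, k, guessesPerSecond) {
  const noRepeat = keyspaceNoRepeat(n, k);
  return {
    noRepeat,
    withRepeat: keyspaceWithRepeat(n, k),
    bits: entropyBits(noRepeat),
    seconds: secondsToExhaust(noRepeat, guessesPerSecond),
  };
}

// Constructed rate for illustration only: 10 billion guesses per second.
const ASSUMED_RATE = 1e10;
console.log(summarize(72, 8, ASSUMED_RATE));   // 8-character case
console.log(summarize(72, 20, ASSUMED_RATE));  // 20-character case
```

The 8-character case works out to a little under 49 bits, which at the assumed rate is exhausted in hours; the 20-character case is around 119 bits, which is why the post calls it good enough for the time being.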

Below is a password generator written in JavaScript. This assures the password is generated on your machine, in your browser. Choose how long you want your password to be, and what types of characters it needs to contain. Click "Generate!" and then you can cut and paste it into a password field. I recommend against sites that generate passwords on their server -- they would then have both your address and a password of yours. And remember: you don't have to remember it; have your computer do that for you.

The generator's controls: Number of characters; Include lowercase; Include uppercase; Include numbers; Include symbols; Generate!


MdMonk said...

Now if only we could do the same with Meeting Maker. :)

devin said...

This is a bit of a tangent, but how do you feel about different password hashing algorithms? Some people think bcrypt is the way to go, while others say use scrypt or PBKDF2. The argument is that bcrypt doesn't have the battle-proven effectiveness that PBKDF2 does (as WPA, LastPass, 1Password and TrueCrypt have found PBKDF2 suitable for their needs), and that scrypt makes the brute-force attacker pay more of a penalty because of hard memory limits you can configure in.

Steve Beaty said...

Generally, I like battle-proven solutions, but the SHA series could be a counterexample. I also trust TrueCrypt. Also in general, I search proceedings of the Crypto conferences when deciding such matters :-)