Wednesday, January 18, 2012

Passwords

People ask me about security, and much of it comes down to having good passwords.  In general, one-time passwords are best.  These change each time you log in; YubiKeys and RSA IDs are examples.  Two-factor schemes -- typically one reusable factor and one ephemeral one (e.g. an SMS text to your cell phone) -- are good too.  When we're stuck with reusable passwords (the same one used again and again), picking good ones is critical.  Good ones are both long and difficult to guess.  Random is best, as we humans aren't as random as we first appear.  Since long, random passwords aren't memorable, we need password keepers.  Firefox will remember passwords for you; I recommend you allow it to do this, but: set a master password!  I also recommend using KeePass from http://keepass.info/ for whichever platform you have.

So, let's do a little math.  26 lower-case letters, 26 upper-case letters, 10 digits, and 10 symbols make 72 characters.  Say you use 8-character random passwords drawn from all of those character classes with no repeated characters.  Then 72*71*70*69*68*67*66*65 = 482,590,739,030,400 possible passwords.  Not bad.  Now let's go to 20 characters.  72*71*70*69*68*67*66*65*64*63*62*61*60*59*58*57*56*55*54*53 = 759,184,772,617,383,139,127,116,820,643,840,000 possible passwords.  Good enough for the time being.

All that said, how do you get random passwords?  There's a twenty-letter one at the bottom of this page.  It was generated with simple JavaScript -- here's the code:
<script type="text/javascript">
// 62 characters: letters and digits only (the 10-symbol class counted in
// the calculation above is not included here).
var letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

// Pick 20 characters independently (repeats are allowed, unlike the
// calculation above).  Math.random() is not a cryptographically secure
// generator.
for (var i = 0; i < 20; i++)
{
    document.write(letters.charAt(Math.floor(Math.random() * letters.length)));
}
</script>

This ensures the password is generated on your machine, in your browser.  You can cut and paste it into a password field, and into KeePass.  Don't use sites that generate passwords on the server itself -- they're trying to social engineer you.  And remember: you don't have to remember it; have your computer do that for you.

Random Password:
