[TriLUG] OT: password generation

Rick DeNatale rick.denatale at gmail.com
Wed Feb 23 19:52:04 EST 2005


There are opposing forces in what constitutes a good password.

On the one hand you want a password which is hard for someone to guess
at or stumble upon.

On the other hand you want a password which the user can remember
WITHOUT writing it down or putting it into a file.

Randomly generated passwords tend to be good at the first test, but
bad at the second.  Some random password generators come up with two
random words and tie them together; these might be easier to remember
but not as secure.

Passphrases like GPG/PGP use are pretty good as long as you are a
fairly good typist. Of course many password rule checks disallow such
long passwords and require at least one number, etc.

One of the better suggestions I've come across for developing a good
password was to think of an easily remembered phrase and use the first
letter of each word.  Like

mmtmybsa

I can remember "my momma told me you better shop around", and no, I
don't use mmtmybsa for any of my passwords.  If you have to include
digits you can use l33t1st tricks to introduce them; I might just
change the above to m3mtmybs4.


On Wed, 23 Feb 2005 19:31:00 -0500 (EST), Matt Pusateri
<mpusateri at wickedtrails.com> wrote:
> On Wed, February 23, 2005 5:22 pm, Warren Myers said:
> > Howdy:
> >
> > I have been interested in cryptography for a long time, and know, as
> > I'm sure most of you do, that passwords tend to be the weak point of a
> > system.
> >
> > I recently wrote a password generator (available on my website
> > http://warrenmyers.com/pwd.php or in slightly different form
> > http://warrenmyers.com/stuff/pwd.zip, linux binary compressed) and am
> > wondering if any of you have come across other random password
> > generators, and what your experience in general of securing your
> > passwords and accounts has been.
> >
> > Thanks.
> >
> > Warren
> > --
> > http://warrenmyers.com
> > "Don't let the elephants see what the rabbits are doing." --Ben R Rich
> > --
> 
> Sorry I hit send before I finished my thought.  I don't claim to be a
> cryptographer, but it seems to me that if one were to use a password
> generator from somewhere, it would lend more credence if you
> could verify the experience of the author within well known
> cryptographic circles.  This is not to intimate that the password
> generator you have written is no good; it may be excellent, I don't
> know.  I haven't looked at it and don't claim to be of sufficient
> knowledge to evaluate it.  But when it comes to passwords and
> security, the level of scrutiny has to be elevated.  Obviously other
> software you run could just as easily, if not more so, lead to security
> holes more than the password chosen.
> 
> Matt
> 
> --
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
>
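Rick's phrase-to-initialism trick (first letter of each word, then a l33t digit swap to satisfy a "must contain a number" rule), as an added Python example; this is my code, not anything from the original post, and the letter-to-digit table beyond the e->3 and a->4 the post shows is my assumption.

```python
import re

# Letter-to-digit substitutions in the l33t style the post mentions.
# The post only shows e->3 and a->4; the other pairs are an assumption.
LEET_DIGITS = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def initialism(phrase: str) -> str:
    """First letter of each word, lower-cased: the post's core trick."""
    words = re.findall(r"[A-Za-z]+", phrase)
    return "".join(w[0].lower() for w in words)


def add_digits(password: str, count: int = 1) -> str:
    """Swap up to `count` substitutable letters for digits, scanning from
    the right so the leading letters (the easiest to recall) stay intact."""
    chars = list(password)
    swapped = 0
    for i in range(len(chars) - 1, -1, -1):
        if swapped == count:
            break
        if chars[i] in LEET_DIGITS:
            chars[i] = LEET_DIGITS[chars[i]]
            swapped += 1
    return "".join(chars)


def meets_policy(password: str, min_len: int = 8, need_digit: bool = True) -> bool:
    """The kind of rule check the post complains about: length plus a digit."""
    has_digit = any(c.isdigit() for c in password)
    return len(password) >= min_len and (has_digit or not need_digit)


def derive(phrase: str, digits: int = 1, min_len: int = 8) -> tuple:
    """Build the password from the phrase and report whether it passes policy.
    A short phrase yields a short password; pick a longer phrase rather than
    padding the result, since the alphabet per character is only 26 letters."""
    pw = add_digits(initialism(phrase), digits)
    return pw, meets_policy(pw, min_len)


if __name__ == "__main__":
    print(derive("my momma told me you better shop around"))  # ('mmtmybs4', True)
    print(derive("shop around"))                               # ('s4', False)
```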
