Random Password Generation Revisited

What is the worst password you could possibly use? Why it’s password of course. Closely trailing behind it are iloveyou and fuckyou and similar gems. But according the the Myspace password list analysis, nothing really beats cookie123. Apparently there are many cookie lovers out there. Go figure.

This seems to be a good time to spend few minutes talking about random password generation. You might remember my random password script from a while ago but I will repost it here again. The basic mechanic behind it is that you grab randomness from /dev/random and use uuencode to shape it into ASCII characters. The basic version of the script is this:

head -c 6 /dev/random | uuencode -m - | tail -n 2 | head -n 1

You can get a tad more fancy if your password allows only alphanumerics and use sed to remove any unwanted characters:

head -c 6 /dev/random | uuencode -m - | sed -n '2s/[^a-zA-Z 0-9]//;2p'

Biggest issue with this script is that the passwords, while random, are not very human friendly. They are usually unpronounceable ggibberish mess:

fEkISFlm tFszJfq4 i0hk/PHf TWHf21eF H8rjwKlg WO501Hfg
B3r9HHd4 vUCH68uZ Ie9z74hO vtExLgSZ
pwgen application. It is a random password generator that should be available via apt on most debian systems. Using it a little tricky at first because, when run on the command line, it generates a table of 50 some passwords. To get only a single output entry you need to do:

pwgen -1

On the other hand, if you redirect the output to a file, pwgen will generate only a single password by default. In practice not all the generated passwords are pronounceable, or easy to remember. But many of them are, and that is close enough. Here are some sample passwords generated using pwgen:

xaerei1A ahhu8Woh ieYee9ai Zephai5a Eighai2u woh4Kaiy Ikie2eif Ulie2aiz
baenee1N Mee1eole Shaghei8 Aiz4chah Iejeen2g eegipu7L uphie4Za Eiy7egis
ni5waPhu Ui1aivah iu5Eemul aiVee8ee Oaghong4 se4dooCu Caik7eig Kait8eic

Another useful app is otp which actually stands for One Time Pad. It was designed to generate cryptographical one-time-pad for encryption. But it’s default output can also serve for good, pronounceable passwords. Here is a few sample passwords generated by this app:

1) pxyf-josn 2) lsgz-ubyb 3) yhby-fdxc 4) blqp-qwqc
5) dfnc-nbev 6) voam-jqgs 7) lemw-ejdb 8 ) jlba-swah
9) sunc-sqpx 10) dvzv-rhal 11) ueyc-odae 12) nvjh-vpxq

As with pwgen default behavior is to generate 50 or so passwords. To get just one (for example to use in a shell script) you can use:

otp -n1

If you want more randomness, then you will probably like apg. By default it will gather encryption from the user, by prompting you for some input. The randomization algorithm then generates a list of passwords using the text you just typed in as a seed value. Here is a sample output:

cirIsem2 (cir-Is-em-TWO)
uchAitirdOk5 (uch-Ait-ird-Ok-FIVE)
yiarkUsh3 (yiark-Ush-THREE)
mejThebulg5 (mej-Theb-ulg-FIVE)
paxViptyor9 (pax-Vipt-yor-NINE)
ondafticsAk9 (ond-aft-ics-Ak-NINE)

As you can see above, apg actually gives you pronunciation hints that you can use to memorize your password. For scripting you should use:

apg -n 1

You will then get a single password (without the hint) that can be piped into another application.

So next time you sign up for a silly networking website, perhaps it would be wise to use a strong password. And if you can’t think of one, I just gave you bunch of tools that can help you generate it from scratch.

[tags]security, passwords, password generator, pwgen, apg, otp, one time pad[/tags]

This entry was posted in Uncategorized and tagged . Bookmark the permalink.

One Response to Random Password Generation Revisited

  1. For generating passwords from /dev/random, this will select from all possible printable characters.

    head -c 50 /dev/random | tr -cd "A-Za-z0-9@#\!\$%^&*()_+=-~;,.<>/[]{}|?:'\\\`" && echo

    My favorite password/passphrase generation method is Diceware. Use dice and a word list to generate easy-to-remember passwords.

    Reply  |  Quote

Leave a Reply

Your email address will not be published. Required fields are marked *