This uses the dictionary /usr/share/dict/words and skips all the words containing characters like é, å, ø and all those ending in 's. The resulting word list has 72,940 words in it. Then it chooses 4 random words from this dictionary and prints them to the screen. This gives a password with about 65 bits of entropy.
By adding another word, thus creating a 5-word passphrase, a botnet capable of checking 1,000 trillion passwords per second would spend, on average, 1600 years cracking away before it would find the correct passphrase.
Here are some example 4-word passphrases produced using this method:
These are surprisingly easy to remember. I use a 7-word passphrase for the most important things and it didn't take me more than a day or two to learn it.
The unix utility apg has some nice functions for generating passwords. Particularly I like it's "pronounceable" algorithm which tries to generate passwords that are slightly pronounceable. It's a good way to get those 6-14 character passwords with numbers, upper case, and punctuation that are easier to remember but still random.
I usually take the password and type it about 100 times to see how it feels, subtly changing any characters that feel awkward to type. This gives me a password that is very fast and natural to type (less likely to have errors), but still has a lot of randomness and obeys all the stupid password rules.
That's only 4 tokens and you should assume at least some of the combinations are already in rainbow tables. I don't know how long it would take to create a rainbow table for the whole space, which is this big:
72940^4 = 2.8304992 × 10^19
To put it in perspective, a 14-character password using only lower case English alphabet letters as individual tokens already beats this:
Then again, a random string of 14-characters is nearly impossible to remember.
The key takeaway here is that every word adds another 16.15 bits (assuming good random source and no non-random decisions by the user), whereas another character adds only 4.7 bits. I'd argue that the effort to remember another 4 random characters (to reach those 16 bits) is far more than the one to remember another random word. We're quite good with words, you know :)
yes, but picking a handful of random words out of the dictionary is not the advice the passphrase advocates are giving. They are saying use a phrase that's meaningful to you and easy to remember.... which means most people are going to use a phrase in their native tongue, just like most people are using passwords like "mylinkedin!" for linked in.
Edit: also, for anyone wanting something like the above technique, I recommend Diceware.
That's picking from ~35,000 words, which I think is still good enough but avoids ending up with "interpreters incredibility disciplinary constitutionality". (I need the C locale to stop this old GNU grep being painfully slow.)
It should be noted that if you use the same passphrase for your most important things, then it may not matter how uncrackable it is -- if it gets compromised through a method other than cracking, then all your other important accounts are also compromised.
Even relatively high-stakes companies like banks and credit card companies make obscenely stupid mistakes when it comes to security. For example, there was a case fairly recently where you could log into your Citibank account and change the account number in the GET query string, and you'd instantly have access to anybody else's account. Given that they're capable of that type of idiocy, all it takes is for one mental giant to decide that encrypting your password is better than hashing it, and you're vulnerable.
Malicious behavior isn't the only thing to watch out for. By doing business with the outside world, we're putting ourselves at the mercy of complete morons every day. If you use a different passphrase for every account, then you can at least limit your risk to one service.
To generate random alphanumeric strings drop the following into your zshrc:
function mkpw () {
if (( $# == 0 )) then
head /dev/urandom | uuencode -m - | sed -n 2p | cut -c1-${1:-12}
else
head /dev/urandom | uuencode -m - | sed -n 2p | cut -c1-${1:-$1}
fi
}
By default it generates an alphanumeric string of length 12. Given an integer argument n it generates an alphanumeric string of length n.
By adding another word, thus creating a 5-word passphrase, a botnet capable of checking 1,000 trillion passwords per second would spend, on average, 1600 years cracking away before it would find the correct passphrase.
Here are some example 4-word passphrases produced using this method:
These are surprisingly easy to remember. I use a 7-word passphrase for the most important things and it didn't take me more than a day or two to learn it.