Thomas Sjögren wrote:
> Use passphrases instead of passwords.
> "I don't just read the comics in the newspaper" would result in the
> Idjrtcitn
> passphrase, add a leet touch to it and the result would be:
> 1djr7c17n
> Now turn some of the numbers into symbols.
> !djr/c17n
> If you want, feel free to add an alt-symbol to it.
This is, of course, a good heuristic for creating personal passwords that are easy to remember (for the user) but difficult to guess (for the cracker). However, a typical administrator may have to generate tens or hundreds of passwords in one go (even if the actual user will be prompted to change the password), and this is where password generators become useful.

I wrote a primitive password generator in C. Basically, it does all of the things that the other password generators described here do (mixed UC/LC letters, numbers, punctuation), and I used this generator to create passwords for our international partners who needed access to our FTP site. And I ran into a very curious difficulty. I had limited the characters to plain ASCII (i.e. < 128) to avoid problems with different international character sets and keyboards, but we had problems. The colon (":") proved especially difficult for a vendor who lives in Eastern Europe. He could not log in using a password that contained a colon. We sent, and re-sent, and re-sent the password, but still he could not log in. Finally we gave him a new password, almost identical to the original one, but without the colon. And he got in on the first attempt. (Apparently not even plain ASCII is universally reliable.)

Another issue that bothers me: passwords generated by password generators are, in themselves (provided that the generator does its job properly), reasonably secure -- but extremely hard to remember. If the user has to write the password down or store it on his/her computer, that means weaker security. The ideal password generator should generate passwords that are easy to remember IF you know the password and can think of a mnemonic for it, but still hard to guess/crack if you do not know the password.
With this in mind, I started modifying my password generator slightly: it now asks the user for a "seed" word, then it modifies it like the "1337" generator, then it adds some random filler characters, then it deletes/changes characters randomly. Depending on how much randomness I add to the seed word, I can get either a) passwords that bear very little or no resemblance to the seed word and are, therefore, secure but hard to remember, or b) passwords that are easy to remember but not much more secure than "1337" passwords. Neither of these is my idea of an ideal password.

I'm open to suggestions on how to improve the algorithm. Ask for a seed PHRASE instead of a word and then modify it as Thomas does above?

-- 
Topi Ylinen
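As an added illustration (this is not Topi's C program, nor any code from the thread), here is the seed-word scheme described above in Python, with a running count of the entropy that the random steps inject; the count makes the trade-off explicit, since the fixed "1337" substitution contributes zero bits if the seed word is guessable. The portable alphabet (which deliberately omits the colon from the anecdote), the substitution table and the filler/mutation counts are assumptions of this example.

```python
import math
import random
import secrets
import string

# Assumed "portable" alphabet: printable ASCII minus the colon and other
# punctuation that keyboards, terminals and transports commonly mangle.
PORTABLE = string.ascii_letters + string.digits + "!#%&*+-=?@_"
# Fixed substitutions: deterministic, so they obfuscate but add no entropy.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7", "b": "8"}


def leet(word):
    """Apply the '1337' substitutions to every matching letter."""
    return "".join(LEET.get(c.lower(), c) for c in word)


def is_portable(password):
    """True if every character is in the portable alphabet (no colon, no 8-bit)."""
    return all(c in PORTABLE for c in password)


def mangle(seed, fillers=3, mutations=2, rng=None):
    """Seed-word generator: leet-substitute, insert random fillers, then randomly
    delete or replace characters. Returns (password, bits), where bits is an
    upper bound on the entropy contributed by the random choices alone; the
    seed word is assumed known to the attacker and therefore counts for 0."""
    rng = rng or secrets.SystemRandom()  # CSPRNG unless a PRNG is injected for tests
    chars = list(leet(seed))
    bits = 0.0
    for _ in range(fillers):
        n = len(chars)
        chars.insert(rng.randrange(n + 1), rng.choice(PORTABLE))
        bits += math.log2(n + 1) + math.log2(len(PORTABLE))
    for _ in range(mutations):
        n = len(chars)
        if n == 0:  # nothing left to mutate (tiny seed, many deletions)
            break
        idx = rng.randrange(n)
        action = rng.randrange(len(PORTABLE) + 1)  # 0 = delete, otherwise replace
        if action == 0:
            del chars[idx]
        else:
            chars[idx] = PORTABLE[action - 1]
        bits += math.log2(n) + math.log2(len(PORTABLE) + 1)
    return "".join(chars), bits


if __name__ == "__main__":
    pw, bits = mangle("newspaper")
    print(pw, f"({bits:.1f} bits beyond the seed word)")
```

With the defaults, a nine-letter seed yields roughly 48 bits of injected randomness at most, which is the whole of the password's strength against someone who knows the seed.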