Passwords were discussed many times here.
https://trisquel.info/forum/what-are-your-favorite-encryption-programs-or-methods
probably is the last thread about it. Here is the solution I suggested,
where "words" tunes the number of words in the password (here four) and "dic"
is the hunspell dictionary (choose a language you know) the words are taken
in:
$ words=4; dic=/usr/share/hunspell/en_US.dic; max=$(wc -l < $dic); for i in
$(seq $words); do r=$(od -A n -N 4 -t u4 /dev/random); cut -d / -f 1 $dic |
sed -n $(expr $r % $max + 1)p; done | tr '\n' ' '
I have just run it four times. Here are the passwords it output:
suckle tattler captivity pointblank
bootprints does jeweler turbinate
prohibitive revealingly Jenelle femoral
bedding Alexandre Ase pathogenesis
They are certainly *much* easier to remember (and probably faster to type)
than "pvQx697b88nfDJKv8LQ4Mg" (password your first command can output) and
much stronger than "w5eJ". It *does* make a difference: script kiddies that
got a database dump of cryptographically hashed passwords (it frequently
happens) crack "w5eJ" in a split second. Literally. Indeed your second
command can only generate 64^4 = 16,777,216 different passwords and,
according to Bruce Schneier in 2006:
Current commercial products can test tens -- even hundreds -- of millions of
passwords per second. At the same time, there's a maximum complexity to the
passwords average people are willing to memorize (.pdf). Those lines crossed
years ago, and typical real-world passwords are now software-guessable.
AccessData's Password Recovery Toolkit -- at 200,000 guesses per second --
would have been able to crack 23 percent of the MySpace passwords in 30
minutes, 55 percent in 8 hours.
Since /usr/share/hunspell/en_US.dic contains 62,155 different words, the
command I gave above can output 62,155^4 = 15 billion billion (sic) different
passwords. A tool that tries one billion passwords per second takes more
than 236 years (in average, knowing the password is four words in
/usr/share/hunspell/en_US.dic) to crack the password. Against more serious
enemies (e.g., a state agency targeting you) "capable of one trillion guesses
per second" (as Edward Snowden wrote to Laura Poitras, as shown in
Citizenfour) that number decreases to 86 days.
Notice also that my solution uses /dev/random, not /dev/urandom.
/dev/urandom providing only pseudo-randomness, there is a risk (although it
should be OK) of a bug that would help the cracker. For instance, a
classical (but bad) way to seed pseudo-random number generators is to use the
C function "time". It returns the current number of seconds since January 1,
1970. Knowing the year the password was generated (and the pseudo-random
number generator that was used), only 31 million passwords need to be tried
because there are 31 million seconds in a year: back to a split-second crack
(no matter how long the password).