Passwords were discussed many times here. https://trisquel.info/forum/what-are-your-favorite-encryption-programs-or-methods probably is the last thread about it. Here is the solution I suggested, where "words" tunes the number of words in the password (here four) and "dic" is the hunspell dictionary (choose a language you know) the words are taken in: $ words=4; dic=/usr/share/hunspell/en_US.dic; max=$(wc -l < $dic); for i in $(seq $words); do r=$(od -A n -N 4 -t u4 /dev/random); cut -d / -f 1 $dic | sed -n $(expr $r % $max + 1)p; done | tr '\n' ' '
I have just run it four times.  Here are the passwords it output:
suckle tattler captivity pointblank
bootprints does jeweler turbinate
prohibitive revealingly Jenelle femoral
bedding Alexandre Ase pathogenesis
They are certainly *much* easier to remember (and probably faster to type) than "pvQx697b88nfDJKv8LQ4Mg" (password your first command can output) and much stronger than "w5eJ". It *does* make a difference: script kiddies that got a database dump of cryptographically hashed passwords (it frequently happens) crack "w5eJ" in a split second. Literally. Indeed your second command can only generate 64^4 = 16,777,216 different passwords and, according to Bruce Schneier in 2006: Current commercial products can test tens -- even hundreds -- of millions of passwords per second. At the same time, there's a maximum complexity to the passwords average people are willing to memorize (.pdf). Those lines crossed years ago, and typical real-world passwords are now software-guessable. AccessData's Password Recovery Toolkit -- at 200,000 guesses per second -- would have been able to crack 23 percent of the MySpace passwords in 30 minutes, 55 percent in 8 hours. Since /usr/share/hunspell/en_US.dic contains 62,155 different words, the command I gave above can output 62,155^4 = 15 billion billion (sic) different passwords. A tool that tries one billion passwords per second takes more than 236 years (in average, knowing the password is four words in /usr/share/hunspell/en_US.dic) to crack the password. Against more serious enemies (e.g., a state agency targeting you) "capable of one trillion guesses per second" (as Edward Snowden wrote to Laura Poitras, as shown in Citizenfour) that number decreases to 86 days.

Notice also that my solution uses /dev/random, not /dev/urandom. /dev/urandom providing only pseudo-randomness, there is a risk (although it should be OK) of a bug that would help the cracker. For instance, a classical (but bad) way to seed pseudo-random number generators is to use the C function "time". It returns the current number of seconds since January 1, 1970. Knowing the year the password was generated (and the pseudo-random number generator that was used), only 31 million passwords need to be tried because there are 31 million seconds in a year: back to a split-second crack (no matter how long the password).

Reply via email to