Memorable but secure passwords
otp
Readers of thrillers may remember one-time pads, the sheets of key material used to encode a message exactly once: the sender encrypts with the top sheet of the pad and then discards it, and the receiver discards their copy after decoding the message. otp [4] has no direct connection to actual one-time pads beyond a name that adds drama to security. Contrary to what the name seems to imply, there is no limit to how often you can use the passwords that otp produces. Nor should this little script from the Debian repositories be confused with the similarly named Red Hat tool.
What otp does offer is a number of simple controls for generating passwords. Each option consists of a format letter followed by the number of characters in the generated password. The default is an all-uppercase password, but other formats are easily chosen. For example, -c14 produces a password consisting only of letters that is 14 characters long. Similarly, -dCHARS produces a password consisting only of digits, and -eCHARS produces letter groups that are easy to pronounce. For readability, -sCHARS can also be used to specify the spacing of hyphens throughout the password. If no options are specified, the default is an eight-character password with a hyphen every four characters.
otp also includes an option to specify the number of passwords generated (-nNUMBER). In addition, it can write an output file that can later be used to verify incoming passwords (Figure 4).
Diceware
Diceware [5] gets its name from a method of generating results by rolling dice. The faces shown by the dice are assembled into a number that is used to look up the word with that number in a dictionary or word list. A number of words – five by default – are run together to produce the password. By default, each word begins with a capital letter unless the --no-caps option is used. The number of words that make up the password can be set with --num NUMBER, and special characters added with --specials NUMBER. A delimiter between words can be set with -d CHARACTER. The Diceware application is unusual in that its --dice-sides NUMBER option allows results that are not based on six-sided dice. As well, --randomsource SOURCE selects where the randomness comes from: the operating system's random number generator, or real dice that you roll yourself and whose results you type in (Figure 5).
Diceware's original dictionaries have inspired a number of refinements (see xkcdpass). Diceware itself includes en (English), en_eff (based on Electronic Frontier Foundation modifications), en_orig (the original Diceware dictionary), and en_securedrop (English designed for security), which is the default. Each dictionary lists one word per line, prefaced with the dice roll that selects it, making the creation of a custom list an easy task.
xkcdpass
xkcdpass [6] is a Python script inspired by a strip from the geekily popular xkcd comic (Figure 6). Instead of the usual mixture of characters, the strip advocates strings of common words, maintaining that four random words (the comic's "correct horse battery staple") offer more entropy than a short word mangled with substitutions, and are much easier to remember. xkcdpass is designed to generate these strings [7].
xkcdpass works by default with a word list called eff-long [8], which was released by the Electronic Frontier Foundation under a Creative Commons Attribution license for the specific purpose of generating passwords. eff-long, in turn, was originally a modification of Alan Beale's 12Dicts package for Aspell [9], which itself was based on the standard word list for Diceware. 12Dicts consists of common English words of varying lengths originally derived from 12 different dictionaries, with outdated words, jargon, and scientific terms excluded. eff-long consists of 7,776 words (6^5, one for every possible roll of five six-sided dice), listed one per line; in the EFF's published form each line is prefaced with its dice roll, from 11111 to 66666. Generally, eff-long is all that anyone needs, but other dictionaries are also installed: eff-special, which contains 1,296 memorable words that are easier to remember but provide less security, and eff-short, in which each word begins with a unique three-letter prefix that could one day be used for autocompletion. Dictionaries for Finnish, French, Italian, German, Norwegian, Portuguese, and Spanish are also available. Those who want greater security can also produce longer, more specialized lists if desired. All word lists are stored in /usr/lib/python3/dist-packages/xkcdpass/static/.
The number of words in a password is five by default. However, --numwords=NUMBER can be used to change the default, and --min=NUMBER or --max=NUMBER can be specified to control the length of each word. Still another way to customize the resulting password is to restrict the characters a word may contain with a regular expression, using --valid-chars=REGEX. For ease of memory, --acrostic=WORD can be set so that the first letters of the words spell out another word. For example, if the word supplied is "chaos," xkcdpass might supply the password Church Hermann Auvergne Orthodox Sculptor (Figure 7). Bear in mind that an acrostic restricts each word to those beginning with a given letter, which reduces the entropy of the result.
Those who are security-conscious can include --verbose, which reports the size of the word list and the entropy, in bits, of a password of the chosen length. Yet another convenience is --interactive, which continues to generate passwords until you accept one.
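The mechanics that Diceware and xkcdpass share (dice rolls read as a line number, a word list in "ROLL word" layout, xkcdpass-style length and character filtering, the acrostic, and the entropy figure that --verbose reports) are shown together in the following module. It is an added example written for this article, not code from either project: the word list is constructed here and is far too small for real use, and the function names, the small two-dice lists, and the randbelow/choice parameters (which exist only so the behaviour can be checked deterministically) are the example's own assumptions.

```python
"""Diceware/xkcdpass-style passphrase generation, written as an added example.
Not code from either project: the word list is constructed for the example
and is far too small for real use (the EFF long list has 6**5 = 7776 words),
and the randbelow/choice parameters exist only so behaviour can be checked
deterministically; by default everything draws on `secrets` (the OS CSPRNG).
"""
import math
import re
import secrets

# Constructed two-dice list in Diceware's "ROLL word" layout: 36 entries, so
# the roll prefix runs 11..66.  Real lists use five dice (11111..66666).
DICEWARE_TEXT = (
    "11 abacus\n12 able\n13 acorn\n14 badge\n15 banjo\n16 basil\n"
    "21 cabin\n22 cactus\n23 camel\n24 dagger\n25 daisy\n26 dance\n"
    "31 eagle\n32 earth\n33 easel\n34 fable\n35 falcon\n36 fern\n"
    "41 gable\n42 garden\n43 gecko\n44 hamlet\n45 harbor\n46 hazel\n"
    "51 ice\n52 igloo\n53 ivory\n54 jacket\n55 jaguar\n56 jelly\n"
    "61 kayak\n62 kettle\n63 kiwi\n64 ladder\n65 lagoon\n66 lemon\n"
)


def parse_diceware_list(text):
    """Parse "ROLL word" lines into {roll: word}; other lines are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            table[parts[0]] = parts[1]
    return table


def roll_dice(count, sides=6, randbelow=secrets.randbelow):
    """Roll `count` dice with faces 1..sides.  Lookup keys are the face digits
    written side by side, so this toy supports at most nine-sided dice."""
    if not 2 <= sides <= 9:
        raise ValueError("sides must be between 2 and 9 for digit keys")
    return [randbelow(sides) + 1 for _ in range(count)]


def lookup(table, rolls):
    """Diceware lookup: the rolls, read in order, are the line number."""
    key = "".join(str(r) for r in rolls)
    if key not in table:
        raise KeyError(f"no entry {key}: list incomplete, or wrong dice/sides")
    return table[key]


def diceware_passphrase(table, num_words=5, sides=6, delimiter="-", caps=True,
                        randbelow=secrets.randbelow):
    """Roll dice for each word and join the results (diceware's --num, -d and
    --no-caps behaviour)."""
    dice_per_word = len(next(iter(table)))      # 5 for an 11111..66666 list
    words = [lookup(table, roll_dice(dice_per_word, sides, randbelow))
             for _ in range(num_words)]
    return delimiter.join(w.capitalize() if caps else w for w in words)


def filter_words(words, min_len=5, max_len=9, valid_chars="."):
    """xkcdpass-style candidate selection (--min/--max/--valid-chars): keep
    words inside the length bounds whose every character matches the regex."""
    rx = re.compile(valid_chars)
    return [w for w in words
            if min_len <= len(w) <= max_len and all(rx.match(c) for c in w)]


def candidate_pools(words, num_words=5, acrostic=None):
    """Pool to draw from at each position: the whole list, or, for an
    acrostic, only the words starting with that position's letter."""
    if not acrostic:
        return [list(words)] * num_words
    pools = []
    for c in acrostic.lower():
        pool = [w for w in words if w.startswith(c)]
        if not pool:
            raise ValueError(f"no candidate word starts with {c!r}")
        pools.append(pool)
    return pools


def xkcd_passphrase(words, num_words=5, acrostic=None, delimiter=" ",
                    choice=secrets.choice):
    """Draw one word per pool; capitalised as in the article's Figure 7."""
    return delimiter.join(choice(pool).capitalize()
                          for pool in candidate_pools(words, num_words, acrostic))


def entropy_bits(words, num_words=5, acrostic=None):
    """Entropy against an attacker who knows the list and the method (what
    --verbose reports).  An acrostic shrinks every pool, and so the entropy."""
    return sum(math.log2(len(pool))
               for pool in candidate_pools(words, num_words, acrostic))


if __name__ == "__main__":
    table = parse_diceware_list(DICEWARE_TEXT)
    print(diceware_passphrase(table, num_words=4))
    pool = filter_words(table.values(), min_len=5, max_len=6)
    print(xkcd_passphrase(pool, num_words=4), round(entropy_bits(pool, 4), 1), "bits")
    print(xkcd_passphrase(pool, acrostic="lad"),
          round(entropy_bits(pool, acrostic="lad"), 1), "bits")
```

The entropy figures assume the attacker knows the word list and the method, which is the right assumption for any published list. Two things the module makes visible that the options alone do not: a word list must contain an entry for every possible roll (otherwise lookup fails or, worse, silently biases the result), and an acrostic cuts each draw down to the words beginning with one letter, so the entropy drops from num_words times log2(list size) to the sum of the much smaller per-letter pools.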