Memorable but secure passwords
otp
Readers of thrillers may remember that one-time pads are used for coded messages intended to be used only once. The sender uses the top page of the pad for encryption, then discards it, and the receiver discards their copy after receiving a message. otp [4] has no direct connection to actual one-time pads, except that the name adds drama to security. Contrary to what the name seems to imply, there is no limit to how often you can use the passwords produced by otp. Nor should this little script from the Debian repositories be confused with the similarly named Red Hat tool.
What otp does offer is a number of simple controls for generating passwords. Its options consist of a format, followed by the number of characters in the generated password. The default is all-uppercase passwords, but more options are easily added to modify results. For example, -c14 produces a password consisting only of letters that is 14 characters long. Similarly, users can opt for a password consisting of numbers (-dCHARS) or letter groups that are easy to pronounce (-eCHARS). For ease of use, -sCHARS can also be used to specify the spacing of hyphens throughout the password. If no options are specified, the default is passwords of eight characters with a hyphen every four characters.
Also, otp includes an option to specify the number of keys generated (-nNUMBER). In addition, it can create an output file that can be used to verify incoming passwords (Figure 4).
Diceware
Diceware [5] gets its name from a method of generating results by rolling dice. The numbers on the dice are assembled into a number that is used to look up the word in a dictionary or word list that corresponds to that number. A number of words – five by default – are run together to produce the password. By default, each word begins with a capital letter unless the --no-caps option is used. The number of words that make up the password can be set with --num 'NUMBER', and special characters added with --specials 'NUMBER'. A delimiter between words can be set with -d'CHARACTER'. The Diceware application is unique in that its --dice-side NUMBER option can be used so that results are not necessarily based on six-sided dice. As well, --randomsource SOURCE can be set so that the randomness is generated by your operating system (Figure 5).
Diceware's original dictionaries have inspired a number of refinements (see xkcdpass). Diceware itself includes en (English), en_eff (based on Electronic Frontier Foundation modifications), en_orig (the original Diceware dictionary), and en_securedrop (English designed for security), which is the default. Each dictionary lists one word per line, prefaced with a sequential number, making the creation of a custom list an easy task.
xkcdpass
xkcdpass [6] is a Python script inspired by a comic strip from the geekily popular xkcd comic (Figure 6). Instead of the usual mixture of characters, the strip advocates strings of words, maintaining that these strings are just as secure as a traditional password and much easier to remember. xkcdpass is designed to generate these strings [7].
xkcdpass works by default with a word list called eff-long [8], which was released by the Electronic Frontier Foundation under a Creative Commons Attribution license for the specific purpose of generating passwords. eff-long, in turn, was originally a modification of Alan Beale's 12Dicts package for Aspell [9], which itself was based on the standard word list for Diceware. 12Dicts consists of common English words of varying lengths originally derived from 12 different dictionaries, with outdated words, jargon, and scientific terms excluded. eff-long consists of 7,776 words, listed one per line, with the first line numbered 11111 and the rest continuing in sequence. Generally, eff-long is all that anyone needs, but other dictionaries are also installed: eff-special, which contains 1,296 memorable words that are easier to remember but provide less security, and eff-short, in which each word begins with a unique three-letter prefix that could one day be used for autocompletion. Dictionaries for Finnish, French, Italian, German, Norwegian, Portuguese, and Spanish are also available. Those who want greater security can also produce longer, more specialized lists if desired. All word lists are stored in /usr/lib/python3/dist-packages/xkcdpass/static/.
The number of words in a password is five by default. However, --numwords=NUMBER can be used to change the default, and --min=NUMBER or --max=NUMBER can be specified to control the length of each word. Still another way to customize the resulting password is to specify a regular expression with --var-char=REGEX. For ease of memory, --acrostic=WORD can be set so that the first letter of each word spells out another word. For example, if the word supplied is "chaos," xkcdpass might supply the password Church Hermann Auvergne Orthodox Sculptor (Figure 7).
Those who are security-conscious can include --verbose to read the level of security supplied by a specific password. Yet another convenience is --interactive, which continues to generate passwords until you accept one.
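The dice-roll lookup described under Diceware and the xkcdpass acrostic and --verbose entropy figure, worked through as an added Python example (this is not code from Diceware or xkcdpass). The word list is a constructed 36-entry miniature in the eff-long layout (two dice instead of five), and the entropy arithmetic is plain log2 counting of the choices at each position:

```python
import itertools
import math
import secrets
# Constructed miniature word list in the Diceware/eff-long layout: one word per
# line, prefixed with the dice roll that selects it (digits 1-6 only). Two dice
# give 6**2 = 36 entries keyed 11..66; eff-long uses five dice, so it runs
# from 11111 to 66666 (7,776 lines).
WORDS = ("able acid also arch army atom aunt bake band bark barn bath bean "
         "bear beef bell belt bird blue boat bolt bone book boot born both "
         "bowl brew cafe cage cake calm camp cane card cart").split()
SAMPLE_WORDLIST = "\n".join(
    "".join(roll) + "\t" + word
    for roll, word in zip(itertools.product("123456", repeat=2), WORDS))

def parse_wordlist(text, dice_sides=6):
    """Return {roll: word} for a 'NNNNN<tab>word' list and check it is complete."""
    table = {}
    for line in filter(str.strip, text.splitlines()):
        roll, word = line.split(None, 1)
        if not all(c.isdigit() and 1 <= int(c) <= dice_sides for c in roll):
            raise ValueError(f"bad roll {roll!r} for {dice_sides}-sided dice")
        table[roll] = word.strip()
    if len(table) != dice_sides ** len(next(iter(table))):
        raise ValueError("word list does not cover every possible roll")
    return table

def roll_word(table, dice_sides=6):
    """Roll the dice with the OS CSPRNG (cf. --randomsource) and look the word up."""
    dice = len(next(iter(table)))
    return table["".join(str(secrets.randbelow(dice_sides) + 1) for _ in range(dice))]

def candidates(table, letter):
    """Words usable at one acrostic position: those starting with the letter."""
    return [w for w in table.values() if w.startswith(letter.lower())]

def passphrase(table, num_words=5, delimiter=" ", caps=True, acrostic=None):
    """Join random words; with acrostic, word i comes only from words starting with acrostic[i]."""
    if acrostic:
        words = [secrets.choice(candidates(table, c)) for c in acrostic]
    else:
        words = [roll_word(table) for _ in range(num_words)]
    return delimiter.join(w.capitalize() if caps else w for w in words)

def entropy_bits(table, num_words=5, acrostic=None):
    """Entropy as --verbose reports it: log2(choices) summed over the words.
    An acrostic shrinks each word's pool, so it costs security."""
    if acrostic:
        return sum(math.log2(len(candidates(table, c))) for c in acrostic)
    return num_words * math.log2(len(table))
```

With the real eff-long list the same functions give five words of 12.9 bits each; the acrostic figure shows how much of that a memorable first-letter pattern gives away.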