How do you generate passwords?

Question

How do you generate passwords?

• Random Characters?
• Passphrases?
• High Ascii?

Something like this?

cat /dev/urandom | strings

Answer 1

Mac OS X's "Keychain Access" application gives you access to the nice OS X password generator. Hit command-N and click the key icon. You get to choose password style (memorable, numeric, alphanumeric, random, FIPS-181) and choose the length. It also warns you about weak passwords.

Answer 2

Use this & thumps up :)

cat /dev/urandom | tr -dc 'a-zA-Z0-9-!@#$%^&*()_+~' | fold -w 10 | head -n 1

Change the head count to generate number of passwords.

Answer 3

A short python script to generate passwords, originally from the python cookbook.

#!/usr/bin/env python

from random import choice
import getopt
import string
import sys

def GenPasswd():
    chars = string.letters + string.digits
    for i in range(8):
        newpasswd = newpasswd + choice(chars)
    return newpasswd

def GenPasswd2(length=8, chars=string.letters + string.digits):
    return ''.join([choice(chars) for i in range(length)])

class Options(object):
    pass

def main(argv):
    (optionList,args) = getopt.getopt(argv[1:],"r:l:",["repeat=","length="])

    options = Options()
    options.repeat = 1
    options.length = 8
    for (key,value) in optionList:
        if key == "-r" or key == "--repeat":
            options.repeat = int(value)
        elif key == "-l" or key == "--length":
            options.length = int(value)

    for i in xrange(options.repeat):
        print GenPasswd2(options.length)

if __name__ == "__main__":
    sys.exit(main(sys.argv))

Answer 4

The open source Keepass tool has some excellent capabilities for password generation, including enhanced randomization.

Answer 5

I use password safe to generate and store all my passwords, that way you don't have to remember super strong passwords (well except the one that unlocks your safe).

Answer 6

An slight variation on your suggestion:

head -c 32 /dev/random | base64

Optionally, you can trim the trailing = and use echo to get a newline:

echo $(head -c 32 /dev/random | base64 | head -c 32)

which gives you a more predictable output length password whilst still ensuring only printable characters.

Answer 7

The standard Unix utility called pwgen.

Available in practically any Unix-like distribution.

Answer 8

The algorithm in apg is pretty cool. But I mostly use random characters from a list which I've defined myself. It is mostly numbers, upper- and lowercase letters and some punctuation marks. I've eliminated chars which are prone to getting mistaken for another character like '1', 'l', 'I', 'O', '0' etc.

Answer 9

I don't like random character passwords. They are difficult to remember.

Generally my passwords fall into tiers based on how important that information is to me.

My most secure passwords tend to use a combination of old BBS random generated passwords that I was too young and dumb to know how to change and memorized. Appending a few of those together with liberal use of the shift key works well. If I don't use those I find pass phrases better. Perhaps a phrase from some book that I enjoy, once again with some mixed case and special symbols put it. Often I'll use more than 1 phrase, or several words from one phrase, concatenated with several from another.

On low priority sites my passwords are are pretty short, generally a combination of a few familiar tokens.

The place I have the biggest problem is work, where we need to change our password every 30 days and can't repeat passwords. I just do like everyone else, come up with a password and append an ever increasing index to the end. Password rules like that are absurd.

Answer 10

For web sites I use SuperGenPass, which derives a site-specific password from a master password and the domain name, using a hash function (based on MD5). No need to store that password anywhere (SuperGenPass itself is a bookmarklet, totally client-side), just remember your master password.

Answer 11

I think it largely depends on what you want to use the password for, and how sensitive the data is. If we need to generate a somewhat secure password for a client, we typically use an easy to remember sentence, and use the first letters of each word and add a number. Something like 'top secret password for use on stackoverflow' => 'tspfuos8'.

Most of the time however, I use the 'pwgen' utility on Linux to create a password, you can specify the complexity and length, so it's quite flexible.

Answer 12

I use KeePass to generate complex passwords.

Answer 13

I use https://www.grc.com/passwords.htm to generate long password strings for things like WPA keys. You could also use this (via screenscraping) to create salts for authentication password hashing if you have to implement some sort of registration site.

Answer 14

In some circumstances, I use Perl's Crypt::PassGen module, which uses Markov chain analysis on a corpus of words (e.g. /usr/share/dict/words on any reasonably Unix system). This allows it to generate passwords that turn out to be reasonably pronounceable and thus remember.

That said, at $work we are moving to hardware challenge/response token mechanisms.

Answer 15

Pick a strong master password how you like, then generate a password for each site with cryptohash(masterpasword+sitename). You will not lose your password for site A if your password for site B gets in the wrong hands (due to an evil admin, wlan sniffing or site compromise for example), yet you will only have to remember a single password.

Answer 16

Having read and tried out some of the great answers here, I was still in search of a generation technique that would be easy to tweak and used very common Linux utils and resources.

I really liked the gpg --gen-random answer but it felt a bit clunky?

I found this gem after some further searching

echo $(</dev/urandom tr -dc A-Za-z0-9 | head -c8)

Answer 17

I used an unusual method of generating passwords recently. They didn't need to be super strong, and random passwords are just too hard to remember. My application had a huge table of cities in North America. To generate a password, I generated a random number, grabbed a randon city, and added another random number.

boston9934

The lengths of the numbers were random, (as was if they were appended, prepended, or both), so it wasn't too easy to brute force.

Answer 18

Well, my technique is to use first letters of the words of my favorite songs. Need an example: Every night in my dreams, I see you, I feel you...

Give me:

enimdisyify

... and a little of insering numbers e.g. i=1, o=0 etc...

en1md1sy1fy

... capitalization? Always give importance to yourself :)

And the final password is...

en1Md1sy1fy

Answer 19

Joel Spolsky wrote a short article: Password management finally possible

…there's finally a good way to manage all your passwords. This system works no matter how many computers you use regularly; it works with Mac, Windows, and Linux; it's secure; it doesn't expose your passwords to any internet site (whether or not you trust it); it generates highly secure, random passwords for each and every site, it's fairly easy to use once you have it all set up, it maintains an automatic backup of your password file online, and it's free.

He recommends using DropBox and PasswordSafe or Password Gorilla.

Answer 20

passwords:

$ gpg --gen-random 1 20 | gpg --enarmor | sed -n 5p

passphrases:

http://en.wikipedia.org/wiki/Diceware

Answer 21

Mostly, I type dd if=/dev/urandom bs=6 count=1 | mimencode and save the result in a password safe.

Answer 22

import random

length = 12
charset = "abcdefghijklmnopqrstuvwxyz0123456789"

password = ""
for i in range(0, length):
    token += random.choice(charset)

print password

Answer 23

On a Mac I use RPG.

Answer 24

In PHP, by generating a random string of characters from the ASCII table. See Generating (pseudo)random alpha-numeric strings

Answer 25

I start with the initials of a sentence in a foreign language, with some convention for capitalizing some of them. Then, I insert in a particular part of the sentence a combination of numbers and symbols derived from the name of the application or website.

This scheme generates a unique password for each application that I can re-derive each time in my head with no trouble (so no memorization), and there is zero chance of any part of it showing up in a dictionary.

Answer 26

You will have to code extra rules to check that your password is acceptable for the system you are writing it for. Some systems have policies like "two digits and two uppercase letters minimum" and so on. As you generate your password character by character, keep a count of the digits/alpha/uppercase as required, and wrap the password generation in a do..while that will repeat the password generation until (digitCount>1 && alphaCount>4 && upperCount>1), or whatever.

Answer 27

http://www.wohmart.com/ircd/pub/irc_tools/mkpasswd/mkpasswd+vms.c

http://www.obviex.com/Samples/Password.aspx

https://www.uwo.ca/its/network/security/passwd-suite/sample.c

Even in Excel! https://web.archive.org/web/1/http://articles.techrepublic%2ecom%2ecom/5100-10878_11-1032050.html

http://webnet77.com/cgi-bin/helpers/crypthelp.pl

Answer 28

Password Monkey, iGoogle widget!

Answer 29

The Firefox-addon Password Hasher is pretty awesome for generating passwords: Password Hasher

The website also features an online substitute for the addon: Online Password Hasher

Answer 30

I generate random printable ASCII characters with a Perl program and then tweak the script if there's extra rules to help me generate a more "secure" password. I can keep the password on a post-it note and then destroy it after one or two days; my fingers will have memorized it, and my password will be completely unguessable.

This is for my primary login password, something I use every day, and in fact many times a day as I sit down and unlock my screen. This makes it easy to memorize fast. Obviously passwords for other situations have to use a different mechanism.

Answer 31

makepasswd generates true random passwords by using the /dev/random feature of Linux, with the emphasis on security over pronounceability. It can also encrypt plaintext passwords given on the command line.

Most notable options are

--crypt-md5     Produce encrypted passwords using the MD5 digest algorithm
--string STRING Use the characters in STRING to generate random passwords

The former could be used to automatically generate /etc/passwd, /etc/cvspasswd, etc. entries. The latter is useful to add punctuation characters into your passwords, (by default generated password contains alphanumeric chars only).

makepasswd was originally part of the mkircconf program used to centrally administer the Linux Internet Support Cooperative IRC network.

Answer 32

I use the Crypt::GeneratePassword module.

Answer 33

For websites it's a 'secret' word combined with something memorable for the site I'm registering with.

For everything else I use a random generated password.

Answer 34

I manually generate pretty hard-to-remember strings of symbols, numbers, and upper and lower case letters that usually look like leetspeak.

Example:

&p0pul4rw3b$ite!

Then I store them as an email draft I can access from anywhere via web mail.

Answer 35

Jeff Atwood has suggested we all switch to pass phrases rather than passwords:

• Passwords vs. Pass Phrases
• Passphrase Evangelism

Answer 36

If you want to generate passwords that are easier for users to remember, take a look at Markov chains. http://en.wikipedia.org/wiki/Markov_chain

This algorithm can produce nonsense words that can be pronounced, so they also become easier to remember and to relay over the phone. A little Google-fu can get you some code samples in just about any language.

You would need to also obtain a good dictionary to filter out any passwords that come out as actual words.

Of course, these are not going to be high-strength passwords, but are really good when you need some basic access control on something and you don't want to burden your users with hard to remember passwords.

Answer 37

I usually use password safe to generate random passwords. For passwords I actually want to be able to remember without password safe, I usually take a word, and a number, and interleave the characters

So you take a word.

baseball

and a number

24681357

and you get a password of

b2a4s6e8b1a3l5l7

It looks pretty random, and would probalby be hard to brute force. Also it's quite easy to type most of the time. You just type the word, and then move your cursor back to the second character, and type the number, and between each character press the right cursor key. Not only does this make it easier to type, it also makes it harder for key loggers to record what you are actually typing.

Answer 38

I use a couple of Perl scripts I wrote myself, available on Github.

gen-password generates passwords like 7bp4ssi02d4i, with options to specify the length and character set. (And as far as my bank knows, that's my mother's maiden name.)

gen-passphrase generates random passphrases like porcine volume smiled insert, using dictionary words, inspired by this XKCD cartoon.

Both get random data from /dev/urandom by default, but can be told to use /dev/random instead.

I keep my passwords in an encrypted database, and I never use the same password on more than one site. I actually remember very few of them.

Answer 39

For fairly important stuff I like to use combinations of letters and numbers, like "xme7UpOK". These can be generated with this one-liner:

perl -le 'print map { (a..z,A..Z,0..9)[rand 62] } 1..8'

For less important stuff I like to have passwords that are easy to type, pronounce and remember, something like "loskubov" or "gobdafol". These can be generated like this:

perl -le '@l=("aeiou", "bdfgjklmnprstv");
          print map {(split "",$l[$_])[rand length $l[$_]]} split "", "10110101"'

where "10110101" is the pattern for vowels and consonants.

Answer 40

This Perl one-liner helps sometimes (rand isn't secure but it often doesn't matter):

$ perl -E"say map { chr(33 + rand(126-33)) } 1..31

An example output:

ET<2:k|D:!z)nBPMv+yitM8x`r.(WwO

Answer 41

$ echo `cat /etc/dictionaries-common/words | sort --random-sort | head -n 4`
consented upsurges whitewall balderdash

Quite inefficient, but it works.

Answer 42

Pick a sequence out of

md5 random_file

Answer 43

<?php
    print md5(rand(0, 99999));
?>