
In this increasingly hostile computing environment it is essential to have a strong password for everything. Whether it is e-mail, a computer account or online banking, using your cat's name as a password is a very bad idea. And if you are afraid that you will not remember a password because it is too long and complicated, I am going to show you how I do it.

What characterizes a strong password? First of all, its length: the longer the password, the more candidates an attacker has to try and the longer it takes to crack. Secondly, the entropy, that is the randomness of the generation process. If the attacker can make statistical assumptions about how the password was produced, even an 8-character alphanumeric password can be cracked within hours; a truly random one draws on 62^8 possibilities, roughly 48 bits, and a predictable one on far fewer. The third characteristic of a password generator is trust: do you trust that it keeps no logs, and that it has no backdoor? Lastly, is there a secure channel between the generator and you, so that the password cannot be read off the wire? Most online password generators fail one or more of these tests, and even software solutions have problems.

The safest method is an open-source generator that runs on your own computer, preferably under Linux, because you can inspect what it does and the password never leaves the machine. Even so, a password from one of the websites below is considerably stronger than anything you are likely to make up yourself.

Perfect Passwords

Steve Gibson's Perfect Passwords generator deserves the highest praise of all the solutions tested for this article. Besides the fact that Steve Gibson is a well-known programmer, the algorithm described on the site is designed for a high level of entropy, and although no source code is available to check the implementation against the notes on the website, I personally trust it. The connection between the GRC server and your computer is protected by SSL, and the generator produces three strings at once: 64 random hexadecimal characters (0-9 and A-F), 63 random printable ASCII characters and 63 random alphanumeric characters (a-z, A-Z, 0-9). The strongest of the three is the ASCII string, because each character is drawn from the largest set (digits, letters and punctuation). You can use any part of a string, the complete string, or even mix them to create a unique password. Your password will look something like:

4q){4'{y]SWt]796Ay|9=


Such a password is fine for a web-based service or an e-mail account, but nobody expects you to remember it for your Windows account; it is simply too complicated. I personally use a 12-character hexadecimal string for my user account password, which I can remember without having to write it down, like

FBA4F22489116F11F

This is still crackable. Windows stores local account passwords as unsalted NT hashes, so precomputed rainbow tables apply directly, and hexadecimal carries only 4 bits of entropy per character: 48 bits for 12 characters, against roughly 79 bits for 12 random printable ASCII characters. It will deter anyone without serious processing power, but treat it as a convenience trade-off rather than the strongest option.

If you are asking yourself, "How can I use 12 random ASCII characters for every password I have?", here is my system.

  1. I have an IronKey, a secure USB thumb drive that is itself protected by a 12-character hexadecimal string. All data on the drive is hardware-encrypted, and the drive wipes itself if it is physically tampered with or the password is entered wrong 10 times.
  2. The IronKey has an integrated password manager and a hardened portable build of Firefox 3. The passwords are filled in by the device's own software, so they never pass through the host computer's keyboard or through a compromised application on it.
  3. When using my own hardware, which I can vouch is secure, I will for convenience use an Excel document containing a list of services and their assigned passwords, stored on Google Docs. I never save any passwords in the Firefox password manager. The weak point of this arrangement is the spreadsheet itself, which is stored in plaintext: anyone who gets into the Google account, whether by obtaining its credentials, hijacking an active session, or cracking the local user account while the session cookie is still valid, gets every password at once.

Editor’s note: IronKey is not free. It starts at $79. If you think that it’s worth the money to protect your privacy and security, then check it out.
The other services I tested were:

PCTools

PCTools – provides different options for generating passwords (length, punctuation, numbers, letters, etc.) over an SSL-secured connection. They also have a freeware, offline version of the generator. It is not open-source and the technical details are not available for inspection.

GoodPassword

GoodPassword – offers both a random password generator with some customization options and a "Leet" generator. In the site's words, "Leet Passwords are easy to remember acronym passwords generated by combining the first letter of each word, randomly changing the case, and replacing alphanumeric characters with their Leet (1337) equivalents, that is characters that look and/or sound the same". Bear in mind that leet substitutions (a to 4, e to 3, s to 5 and so on) are standard mangling rules in password-cracking tools, so a leet password is only as strong as the phrase behind it, not as strong as a random string of the same length.

Multicians

Multicians – generates ten "pronounceable" passwords using a Java applet. It is not open-source, but the source code is published for inspection. There is no SSL connection. Pronounceable passwords are constrained to follow phonetic rules, so they carry less entropy per character than a fully random string of the same length.

For Linux

Linux users can quickly create a strong password from the kernel's random source with this one-liner (it needs uuencode, which ships in the sharutils package):

% dd if=/dev/urandom count=1 2> /dev/null | uuencode -m - | sed -ne 2p | cut -c-8
v1/oVN+S

dd reads one 512-byte block from /dev/urandom, uuencode -m base64-encodes it, sed keeps only the second line (the first is the "begin" header) and cut takes the first eight characters of it. Each base64 character carries 6 bits, so an 8-character result has 48 bits of entropy; raise the number after -c for a longer password.
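The criteria above (length and character set, and the hex-versus-ASCII trade-off from the Windows account example) can be checked locally. The following script is an added example written for this edit; it is not part of the original article and not code from GRC, PCTools or any other generator reviewed here. It assumes a Linux or BSD system with /dev/urandom, tr, awk and head -c, and uses tr(1) range syntax to name character sets ('A-Za-z0-9', '0-9A-F', '!-~'). The set size for "printable ASCII" is taken as the 94 characters from '!' to '~', which is an assumption about what the web generators mean by that term.

```shell
#!/bin/sh
# Added example, not from the original article or any generator it reviews.
# A local /dev/urandom-based password generator with an entropy estimate, so
# the trade-offs discussed above (length, character set, hex vs. ASCII) can
# be checked on your own machine instead of trusted to a web page.
# Character sets use tr(1) range syntax, e.g. 'A-Za-z0-9', '0-9A-F', '!-~'.

# Number of distinct printable ASCII characters that a tr-style set admits:
# feed every byte 33..126 through the set and count the survivors.
charset_size() {
  n=$(LC_ALL=C awk 'BEGIN { for (i = 33; i < 127; i++) printf "%c", i }' \
      | LC_ALL=C tr -dc "$1" | wc -c)
  echo $((n + 0))     # arithmetic strips the padding some wc(1)s print
}

# Entropy in bits of a password of $1 characters drawn uniformly from set $2:
# length * log2(set size), printed with one decimal place.
password_bits() {
  LC_ALL=C awk -v n="$1" -v s="$(charset_size "$2")" \
      'BEGIN { printf "%.1f\n", n * log(s) / log(2) }'
}

# Generate $1 characters (default 16) from set $2 (default: all printable
# ASCII except space). tr -dc discards every byte outside the set, which is
# rejection sampling: each kept byte is uniform over the set, so there is no
# modulo bias. The kernel CSPRNG behind /dev/urandom supplies the randomness.
gen_password() {
  len="${1:-16}"
  charset="${2:-!-~}"
  LC_ALL=C tr -dc "$charset" < /dev/urandom | head -c "$len"
  echo
}

# Count the characters of $1 that fall outside set $2 (0 means the password
# respects the set; handy for checking a value against a site's policy).
chars_outside_set() {
  n=$(printf '%s' "$1" | LC_ALL=C tr -d "$2" | wc -c)
  echo $((n + 0))
}

# Demonstration: the string types discussed in the article, plus two samples.
main() {
  for spec in "64 0-9A-F" "63 !-~" "63 A-Za-z0-9" "12 0-9A-F" "8 A-Za-z0-9"; do
    set -- $spec
    printf '%3s chars from %-10s -> %6s bits\n' "$1" "$2" "$(password_bits "$1" "$2")"
  done
  echo "sample (16 printable ASCII): $(gen_password 16)"
  echo "sample (12 hex):             $(gen_password 12 '0-9A-F')"
}
main "$@"
```

Running it shows why a 63-character printable ASCII string (about 413 bits) is the strongest of GRC's three outputs, and why a 12-character hex string (48 bits) is weaker than 9 random printable ASCII characters (about 59 bits). Because tr rejects out-of-set bytes rather than reducing them with a modulus, the generated characters are uniformly distributed, which is the property the entropy estimate depends on.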


Photo credit: Jelmer.

  1. Albert
    March 24, 2015 at 6:30 pm

    Nice post! It's completely safe to use javascript based websites to generate your keys because it's being done locally in your browser. I'm using https://www.realpasswordgenerator.com because it loads very fast when you need it.

  2. miranto
    October 16, 2009 at 9:34 am

    Well, I use it to generate AESDIRECT.GOV passwords since they have very specific policies regarding passwords, and it works perfectly fine, better than if I type a random password myself.

  3. Strong Password Generator
    July 22, 2009 at 12:29 pm

    Nice article, Stefan. It's always good to generate debate on the importance of secure passwords.

    Can we humbly echo Yonathan's vote for Strong Password Generator?

    It's free. You can select the password length. You can select whether you want symbols in your password. The passwords are generated on the client side, and are secure.

    If there are any other features that readers think should be included in StrongPasswordGenerator.com, please reply to this comment to let us know.

  4. Istvaan
    July 19, 2009 at 11:28 am

    Maybe I missed something.... But, what about some Free Password Generators for MAC Users?

    Thank you !

  5. staeff
    July 8, 2009 at 9:13 am

    I was also thinking 'huh' about that Excel-Google Docs part. With Linux I happened to use the command line tool 'pwgen' (http://sourceforge.net/projects/pwgen/) to generate passwords. It's also available in JavaScript (http://8-p.info/pwgen/).

  6. Yonathan
    July 6, 2009 at 9:15 am

    For password-only syncing and storing, what's the difference between XMarks and LastPass (except for XMarks' bookmark syncing feature)?

  7. Tony
    July 6, 2009 at 7:46 am

    +1 for LastPass.

  8. Claus
    July 6, 2009 at 5:22 am

    KeePass Password Safe at http://keepass.info/ is opensource, a computer-local application (opposed to a web service), and also includes a configurable password generator. Simply the best!

  9. Peter
    July 6, 2009 at 5:20 am

    Limiting yourself to 16 characters comprising the hexadecimal set reduces the set of possible passwords dramatically and makes attacks MUCH more feasible. Not a good idea!

  10. lorindol
    July 6, 2009 at 2:51 am

    You can get a portable password safe that works on any system that can run tcl and tclkit from http://www.fpx.de/fp/Software/Gorilla/

    A good start for a free password generator is the script at http://angel.net/~nic/passwd.html - you can even have a bookmarklet to rule out any possibility of eavesdropping.

    "When using my own hardware, which I can vouch is secure, [...] I will use an Excel document [...] stored on Google Docs." That is a mean joke, right?

  11. pern0808
    July 4, 2009 at 9:23 am

    In regards to the LastPass comment above. Of course "risk" is always relative but as it relates to using LastPass, if you're willing to use any type of password manager LastPass is virtually no-risk as a result of the way in which data is encrypted locally and *not* stored on any 3rd party server/database. Plus, as a user for more than one year, I didn't enter my password/financial info into the LastPass profiles until I had been using the service for many months and became more comfortable with it.

  12. Natan
    July 4, 2009 at 4:23 am

    Windows Command Line Tool can also be used:
    Net User Guest /Random

  13. Adi
    July 4, 2009 at 4:21 am

    I currently use an online password manager :Password++
    http://paswd.appspot.com/

  14. Jim K
    July 3, 2009 at 3:19 pm

    For Macs, there is 1Password. I use it, and it works well.

  15. Sathish
    July 3, 2009 at 2:13 pm

    Thanks. I currently use PasswordChart (http://www.passwordchart.com/)

  16. Amadou
    July 3, 2009 at 2:09 pm

    Hi Stephan
    The utility "keepassword safe" also embeds such a feature.

  17. Yonathan
    July 3, 2009 at 2:08 pm

    By reading it's features list, I can tell that using LastPass is a huge risk, if you lose your master password.
    Credit card number, many passwords, etc. are all stored in it.

    I personally let FF save my passwords with XMarks.
    Also, I use KeePass for passwords that don't save cookies, and I use StrongPasswordGenerator.com as my, hmm... strong password generator.

    • Haplo
      July 3, 2009 at 2:10 pm

      Well, you really need to be very dumb to lose your master password. And, come on, who can't memorize a 16 character random string? It's not that hard.

  18. Haplo
    July 3, 2009 at 1:21 pm

    Lastpass.com

    Why all the hassle?
