frustrate shouldservers

Tim Chase blinux.list at thechases.com
Fri Feb 3 20:39:12 UTC 2017


If you want a password generator that can produce fairly strong
"XKCD" passwords, I created one a while back

https://gist.github.com/Gumnos/fceaf405b0ffd8bfd325

It's a single Python file that lets you choose how many words you
want, the min/max length of those words, how many passwords to
generate, which dictionary you want to use (I occasionally point it
at the "upgoer five" dictionary for less obscure words), as well as
generation of statistics on how long it would take to brute-force the
password.  So it lets me do things like

 # generate 5 passwords
 passwordgen.py -c 5

 # generate 8 5-word passwords
 # where the words are 3-10 characters long
 passwordgen.py -c 8 -n 5 --min=3 --max=10

 # use my local upgoer_five dictionary
 passwordgen.py -d /usr/share/dict/upgoer_five

 # show stats on how long it would take to crack
 # any of these 8 passwords if a system can try
 # 10000000 passwords every second
 passwordgen.py -c 8 -g 10000000 -v

There's also optional functionality for skipping words from a
word-list (optionally ROT-13 encoded) in case you don't want it to
generate profane words.

I like the output because not only is it much easier to type, but it's
much easier to convey over the phone "your password is 'sick book mine
shadow knock'" as opposed to "your password is 'capital Juliet,
lowercase Whiskey, lowercase Bravo, ampersand, the number three,
capital Delta, equals-sign, ...'"

Have fun with it! (grins)

-tim
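A compact version of the generator described above, written as an added example for this page (it is not the gist's code): a word pool filtered by min/max length and a ROT-13 skip list, selection with the `secrets` CSPRNG, and the `-v`-style brute-force estimate at a given guesses-per-second rate. The word list and skip list are constructed stand-ins for a real dictionary file; the time estimate assumes the attacker already knows the dictionary and the word count, so strength comes only from pool size and word count.

```python
import codecs
import math
import secrets

# Constructed stand-in for a dictionary file such as /usr/share/dict/words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "sick", "book", "mine",
                "shadow", "knock", "bad", "a", "an", "extraordinarily", "Paris",
                "don't", "upgoer"]
# Constructed skip list, stored ROT-13 encoded so the file itself stays readable.
SKIP_ROT13 = ["onq"]          # decodes to "bad"


def build_pool(words, min_len=3, max_len=10, skip_rot13=()):
    """Filter a word list the way --min/--max and the skip list would."""
    skip = {codecs.decode(w, "rot_13") for w in skip_rot13}
    return sorted({w for w in words
                   if w.isalpha() and w.islower()      # drops proper nouns, "don't"
                   and min_len <= len(w) <= max_len
                   and w not in skip})


def generate(pool, count=4):
    """Pick `count` words with the CSPRNG in `secrets`, never the `random` module."""
    return " ".join(secrets.choice(pool) for _ in range(count))


def entropy_bits(pool_size, count):
    """Entropy when the attacker knows the dictionary and the word count."""
    return count * math.log2(pool_size)


def crack_time_seconds(pool_size, count, guesses_per_second):
    """Expected time to hit the passphrase: half the keyspace at the -g rate."""
    return pool_size ** count / 2 / guesses_per_second


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":          # roughly: passwordgen.py -c 8 -n 5 -g 10000000 -v
    pool = build_pool(SAMPLE_WORDS, min_len=3, max_len=10, skip_rot13=SKIP_ROT13)
    for _ in range(8):
        print(generate(pool, 5))
    print(f"{len(pool)} words, {entropy_bits(len(pool), 5):.1f} bits, "
          f"~{humanize(crack_time_seconds(len(pool), 5, 10_000_000))} at 1e7 guesses/s")
```

With a 10-word sample pool the estimate is tiny on purpose; point `build_pool` at a real dictionary of tens of thousands of words and the same arithmetic gives the realistic figure.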


On February  3, 2017, Janina Sajka wrote:
> This has been a very good thread.
> 
> I have one additional suggestion which is to add something you
> personally know, but that could not be guessed very easily, nor
> exposed by a dictionary attack.
> 
> I find alternative, non standard phonetic spellings helpful this
> way. Even better are obscure, obsolete spellings of place names,
> people, objects, or concepts, particularly
> if the source language isn't English.
> 
> On its own this strategy is insufficient, of course. But two or
> three such terms, plus the hashing described below, builds up a
> good password, imo.
> 
> Of course, it's also important to employ available technology to
> thwart scripted attacks, e.g. with applications like denyhosts or
> fail2ban. Also, if you don't need to be open to access from the
> general public, move to IPv6 and shutdown as much IPv4 access as
> possible. Anyone who has external access to any of my machines
> understands they need to come in via IPv6, because I'm not
> listening for connections on IPv4. Obviously, that doesn't work for
> mail or web traffic, but it's really helpful for sshd.
> 
> PS: If we've not mentioned it, the pwgen command has many useful
> options.
> 
> Janina
> 
> Tim Chase writes:
> > I've used a technique that's come to be known as "password
> > haystacks" (see link below) which involves simply padding your
> > good (or even written shoulder-surfable) password out to a
> > reasonable length to make the brute-force cracking all the more
> > complex.
> > 
> > So say my password is "correct horse battery staple".  I might
> > take that and then add 8 periods at the end. Or 10 ampersands.  Or
> > alternate dash-equals-dash-equals as many times as you want. Or
> > whatever secret character or characters you want and however many
> > of them you want.  It's also particularly handy if you have to
> > change your password on a regular basis (I usually just change
> > the haystack characters).
> > 
> > Alternatively, if you use a GUI and "keepassx" is accessible in
> > your screen-reader, it allows you to generate strong passwords,
> > keep them safe behind one master password, keep them hidden from
> > shoulder-surfing eyes, and will auto-type them into the last
> > window you were in.  This is the solution I use for most
> > passwords (except my master passwords, for which I use the
> > haystack method).
> > 
> > -tim
> > 
> > https://www.grc.com/haystack.htm
> > _______________________________________________
> > Blinux-list mailing list
> > Blinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/blinux-list
> 
> -- 
> 
> Janina Sajka, Phone: +1.443.300.2200
> sip:janina at asterisk.rednote.net
> Email: janina at rednote.net
> 
> Linux Foundation Fellow
> Executive Chair, Accessibility Workgroup:	http://a11y.org
> 
> The World Wide Web Consortium (W3C), Web Accessibility Initiative
> (WAI) Chair, Accessible Platform Architectures
> http://www.w3.org/wai/apa
> 