Free password generators, Part 1

* PC Tools Secure Password Generator

Some help desks suggest to their users that they try public password generators to create good passwords. I looked at a few generators, and here's what I observed.

But first - what’s a good password?

System and security administrators often have to explain to naive users that “Betty4me,” “myDog*Bowser” and “password6” are not good passwords. They are too easy to reconstruct with dictionary-based attacks, which hash combinations of real words mixed with numbers and symbols and compare the results with the one-way hashes of user passwords stored in password files. Some of them are also too easy to guess if the attacker knows something about the private life or preferences of the user (like the name of the user’s dog).

Password generators can help create passwords that are harder to guess. When looking at password generators, I limited my search of passwords to 10 characters which had to include letters, did not use mixed case, included numbers, and included punctuation. I kept mixed-case out of the passwords because I think that remembering which letter is uppercase or lowercase in a more-or-less random string increases the difficulty of remembering the password and therefore the likelihood that a user will write it down. Where possible, I generated 10 suggested passwords at once.

My first test used PC Tools Software’s Secure Password Generator. The Web page allows selection of length; use of letters, mixed-case, numbers, and symbols; and also allows the user to exclude similar-looking characters (l, 1, and I; and o or 0).

Here’s a sample pass with 10 characters, lowercase only, including special characters and excluding the confusing characters:

drud8?a*et

=r8st8t7ud

!78etr9cr*

4e@ufrugac

8_sececexu

gath65*ke*

9#upura_r!

$estugeth!

*e_uka&ra3

6etr=xuspa

Hmm, I’m not sure that these are particularly easy to remember, although at least there seem to be nice alternations of one or more consonants with a vowel, making it possible to try pronouncing them. However, I think that the unconstrained gibberish is worse:

rle8le0le-

!leC2_+wri

Xoep9=Adr1

-oe!RL2cri

pHL6*H5uDl

p_lA3l4Gou

xlE*i61?Le

glaP2&wROu

Wl0F-ouchi

wLa=lAg2aD

Yechhh! This alphabetic farrago is asking for calls to the help desk for password resets - or sticky notes on the underside of the keyboard.
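The generator options described above (length, lowercase or mixed case, digits, symbols, excluding look-alike characters) can be reproduced locally to see what each choice costs in search space. This is an added example, not PC Tools' code: the function names are hypothetical, and the symbol set is an assumption taken from the characters visible in the samples above.

```python
import math
import secrets
import string

SYMBOLS = "!#$&*+-=?@_"    # assumption: symbols seen in the samples above
LOOKALIKES = set("l1Io0")  # look-alike characters named in the article

def build_classes(mixed_case=False, exclude_lookalikes=True):
    """Return the required character classes: letters, digits, symbols."""
    letters = string.ascii_letters if mixed_case else string.ascii_lowercase
    classes = [letters, string.digits, SYMBOLS]
    if exclude_lookalikes:
        classes = ["".join(c for c in cls if c not in LOOKALIKES) for cls in classes]
    return classes

def generate(length=10, **opts):
    """Draw from the OS CSPRNG; reject draws that miss a required class,
    which keeps the result uniform over all valid passwords."""
    classes = build_classes(**opts)
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in classes):
            return pw

def count_valid(length, classes):
    """Inclusion-exclusion count of strings containing every class at least once."""
    sizes = [len(c) for c in classes]
    total = 0
    for mask in range(1 << len(sizes)):
        missing = sum(s for i, s in enumerate(sizes) if mask >> i & 1)
        sign = -1 if bin(mask).count("1") % 2 else 1
        total += sign * (sum(sizes) - missing) ** length
    return total

def entropy_bits(length=10, **opts):
    """Bits of entropy of a uniformly chosen valid password."""
    return math.log2(count_valid(length, build_classes(**opts)))

if __name__ == "__main__":
    for _ in range(3):
        print(generate())
    print(f"lowercase only: {entropy_bits():.1f} bits")
    print(f"mixed case:     {entropy_bits(mixed_case=True):.1f} bits")
```

With these assumptions, leaving out mixed case costs roughly six bits on a 10-character password, which is about what one extra character would buy back.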

More next time.

Copyright © 2007 IDG Communications, Inc.