Re: One liner to generate truly random passwords from command line



On Thu, Nov 27, 2008 at 15:04, Yimin Rong <yiminrong@xxxxxxxx> wrote:
wget -q -O - "http://random.org/integers/?num=8&min=33&max=126&col=8&base=16&format=plain&rnd=new" | perl -ne 'foreach (split(/\t/, $_)) {print chr(hex($_));} print "\n"'

wget reads web pages
random.org generates random numbers using atmospheric noise
perl splits the input into tokens and converts

Except you have transmitted your random number in cleartext over the
net. As an attacker, I could be sniffing for http traffic (say with a
proxy installed at your ISP) going/coming from random.org. Once I had
that traffic I could try the random numbers in them (after conversion
with your algorithm) as passwords on your system.

Also, really random strings are hard to remember, which means you will
write it down. Now it is susceptible to theft or search warrant.

A much better solution is to use a passphrase made out of random words
from a dict file. An eight character random password made up of a-z,
A-Z, 0-9, !, @, #, $, %, ^, &, *, (, and ) gives you a search space of
72^8 (roughly 10^14) passwords. A three word passphrase from a dict
file with 234,936 words (OS X's /usr/share/dict/words) gives you a
search space of 234,936^3 (roughly 10^16) and an average search space
of around 26^30 (10^42) (if they don't know you are using a
passphrase). Which would you rather remember "abear Laotian
semimembranous" (I am imagining a Laotian bear that stuff is passing
through) or "WeIBHfKk"? If you bump the number of words in the
passphrase up to four you get a password that is stronger than an
eleven character password: "hlWVSm0nm8" vs "freakery hoary inflexive
Solomonic" (a wise but inflexible old man who gets up to strange
stuff).


--
Chas. Owens
wonkden.net
The most important skill a programmer can have is the ability to read.
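The arithmetic in the post, plus a passphrase generator that draws its randomness from the local OS instead of fetching it over cleartext HTTP, as an added example (not code from the thread). The dictionary path /usr/share/dict/words is the one named in the post; the fallback word list is constructed here.

```python
"""Added example: search-space arithmetic from the post, plus a local passphrase
generator that never sends or receives randomness over the network."""
import math
import secrets

# Constructed fallback word list (the first seven words appear in the post, the
# rest are made up here), used only when no system dictionary file is available.
SAMPLE_WORDS = [
    "abear", "Laotian", "semimembranous", "freakery", "hoary", "inflexive",
    "Solomonic", "lantern", "quartz", "meadow", "copper", "violet",
]


def search_space_bits(choices: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `choices` symbols.

    Works for characters (72 printable symbols) and words (234,936 dictionary
    entries) alike; the post's 72^8 vs 234,936^3 comparison is log2 of each.
    """
    return length * math.log2(choices)


def load_words(path: str = "/usr/share/dict/words", min_len: int = 3) -> list:
    """Load a dictionary file as a sorted, de-duplicated word list (case kept).

    Falls back to SAMPLE_WORDS when the file cannot be read (e.g. on Windows).
    """
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            words = {w.strip() for w in fh
                     if w.strip().isalpha() and len(w.strip()) >= min_len}
    except OSError:
        words = set(SAMPLE_WORDS)
    return sorted(words)


def generate_passphrase(words: list, count: int = 4) -> str:
    """Pick `count` words with the OS CSPRNG via `secrets.choice`.

    Sampling is with replacement, so the search space is exactly len(words)**count,
    matching the post's arithmetic. Nothing leaves the machine, so there is no
    cleartext stream for an eavesdropper to harvest candidate passwords from.
    """
    if count < 1 or not words:
        raise ValueError("need at least one word and a positive count")
    return " ".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    words = load_words()
    print(f"8 chars from 72 symbols: {search_space_bits(72, 8):.1f} bits")
    print(f"3 words from {len(words)} words: {search_space_bits(len(words), 3):.1f} bits")
    print(generate_passphrase(words, 4))
```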