Password Creation

Thread replies: 45
Thread images: 4

What's /g/'s favorite way to come up with passwords?

Anything goes, even generators.
>>
>>61700528
dd if=/dev/random bs=16 count=1 | base64

adjust bs to taste
>>
1234
>>
>>61700528
>>61700576
LC_ALL=C tr -dc '[:graph:]' < /dev/urandom | head -c ${1:-16}; echo

Anything else is actually horrible.
>>
>>61701802
I actually really like this one, I'll save this somewhere.

I assume you just put them in an encrypted file or something then yeah?
>>
>>61700528
A sentence or 2 from a book that I remember plus 3 random URLs plus 10 random numbers.
>>
>>61701891
>>61701802
Full disk encryption (LUKS/dm-crypt) and/or gnupg 2.1.

Versions 1.7 and greater of pass (https://www.passwordstore.org/) also use a very similar method and can automate the gnupg, however it requires that you have a password store set up before you can generate and the file structure leaks metadata so I don't like it.

Also, be very careful of old versions which use the horrible pwgen utility for generating passwords.
>>
>>61700528
pass generate ...

for the real important stuff, diceware passphrases
>>
>>61701963
>A sentence or 2 from a book
Vulnerable to dictionary attack

> plus 3 random URLs
Why URLs? I doubt you are actually selecting them at random.

>plus 10 random numbers
Why just numbers?

Really dumb.
>>
>>61702014
The URLs are onion URLs. Numbers because I can remember numbers.
>>
>>61701985
Also want to mention that you really want to avoid versions of gnupg less than 2.1.
>>
>>61702033
And you can remember the onion URLs? Are these URLs selected from websites that you actually visit?
>>
could anybody give suggestions
>>
>>61702063
>And you can remember the onion URLs?
Yeah.
> Are these URLs selected from websites that you actually visit?
Some of them
>>
>>61702085
See >>61701802
>>
>>61700528
pwgen -y 8

Then pick two that seem easy to remember and concatenate them.
>>
>>61701802
what does the LC_ALL=C do?
>>
pwgen
>>
>>61702168
Sets the locale to C, which basically means characters are single bytes and the charset is ASCII. This might not be needed on some Linux systems where it is set to US English, but it is definitely needed on macOS or if you change your locale settings.
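
The tr/head one-liner and the LC_ALL=C explanation above, wrapped into functions as an added example (not posted by anyone in the thread). It goes beyond the one-liner by taking the character class as an argument and estimating entropy; the names genpw, class_size and entropy_bits are made up here, and 7776 is the size of the standard diceware word list.

```shell
#!/bin/sh
# Added example; genpw, class_size and entropy_bits are hypothetical names.

# class_size CLASS: how many single-byte characters a tr(1) set matches in
# the C locale, found by pushing bytes 1..255 through the same filter.
class_size() {
    n=$(LC_ALL=C awk 'BEGIN { for (i = 1; i < 256; i++) printf "%c", i }' |
        LC_ALL=C tr -dc "$1" | wc -c)
    echo $((n))
}

# entropy_bits COUNT SYMBOLS: COUNT independent uniform picks from SYMBOLS
# equally likely symbols carry COUNT * log2(SYMBOLS) bits.
entropy_bits() {
    LC_ALL=C awk -v k="$1" -v n="$2" \
        'BEGIN { printf "%.1f\n", k * log(n) / log(2) }'
}

# genpw [LENGTH] [CLASS]: LENGTH characters (default 16) drawn from CLASS
# (default '[:graph:]', the 94 printable non-space ASCII characters).
genpw() {
    len=${1:-16}
    class=${2:-[:graph:]}
    case $len in
        '' | *[!0-9]*) echo "genpw: LENGTH must be a number" >&2; return 2 ;;
    esac
    [ "$len" -gt 0 ] && [ "$(class_size "$class")" -gt 1 ] || {
        echo "genpw: need LENGTH > 0 and a CLASS of at least 2 characters" >&2
        return 2
    }
    # LC_ALL=C: tr sees single bytes, so urandom output is never parsed as
    # (invalid) multibyte text. tr -dc drops every byte outside CLASS, which
    # is rejection sampling: the survivors are uniform over CLASS.
    pw=$(LC_ALL=C tr -dc "$class" < /dev/urandom | head -c "$len") || true
    # head closing the pipe ends tr; confirm we really got LENGTH characters.
    [ "${#pw}" -eq "$len" ] || { echo "genpw: short read" >&2; return 1; }
    printf '%s\n' "$pw"
}
```

For comparison, `entropy_bits 16 "$(class_size '[:graph:]')"` covers the default password and `entropy_bits 5 7776` a five-word diceware passphrase.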
>>
>>61702014
There are far, far more words than letters so a sufficiently long sentence would be way harder to crack with dictionary than regular random guessing
>>
>>61702234
far out.
>>
>>61702151
>>61702191
https://lwn.net/Articles/713806/
>It turns out that pwgen has a pretty bad track record for security issues, especially in the default "phoneme" mode, which generates non-uniformly distributed passwords.
>>
>>61702254
>so a sufficiently long sentence would be way harder to crack with dictionary than regular random guessing
Either I am misunderstanding you or this is completely wrong.
>>
I use my own password generator. It takes bytes from /dev/urandom and matches a given character set, forming a random password.
>>
>>61702322
How is that different from this >>61701802
Source code?
>>
I just use the first letters of a song lyric or phrase that I like. Mix in a few numbers and capital letters and you are set.

I also put the name of the service at the end of my password. If my password ever gets broken or leaked I know which website is responsible.
>>
>>61700528
I'll open my bible and combine elements from verses I like.
For example verse number + second letter of every word of the chosen part + number of the Apostle.

Endless possibilities and you always can still keep it in mind with, it was resolvable like this and that.
>>
>>61702343
It isn't, really, except more customizable in terms of character sets since I use regex. That appears to be the standard approach via shell. There are a multitude of different ways to retrieve data from /dev/*random and form secure random passwords.
>>
>>61702383
This is so totally vulnerable if someone just iterates through the verses.
>>
>>61702271
>bad track record
Hardly, given it's an unproven but rather theoretical vulnerability. Is there any proven attack on pwgen, via hashcat/similar? I don't think so.
>>
>>61702456
>generates non-uniformly distributed passwords.
Non-uniformly distributed meaning not random. Unless you need to memorize the password, it is absolutely less secure than just reading from /dev/urandom.
>>
>>61702574
inb4
>no such thing as random
>>
>>61700528
openssl rand -base64 30
>>
>>61702574
>it is absolutely less secure than just reading from /dev/urandom
Yes, but an attack vector would have to take the password being generated by default pwgen into account; this is unlikely, as there are many password generating methods and utilities. Find one single instance of a password crack being attributed to pwgen deficiencies - you can't.
>>
>>61700528
song lyrics with random numbers inserted in between words

impossible to forget

difficult to bruteforce
>>
>>61702699
>Yes, but an attack vector would have to take the password being generated by default pwgen into account; this is unlikely, as there are many password generating methods and utilities.
One ought to design systems under the assumption that the enemy will immediately gain full familiarity with them
https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle

>Find one single instance of a password crack being attributed to pwgen deficiencies - you can't.
This does not matter. I know for a fact that it is worse than /dev/urandom, so unless you need to memorize passwords you should not use it.
>>
a totally fucked up sentence with numbers and symbols and passwordstore
>>
>>61702788
g1g1g1g1g1g1
hmm. doesn't work. perhaps the genre is wrong
>>
>15-20 years ago
>every website or computer system lets users choose their own password, only restriction is minimum length
>now
>every system forces passwords to be between 8 and 16 characters long, must contain numbers and letters of different case, must contain special characters, must not be one of the 20 most commonly chosen passwords, and so on, and so on...
>because somehow "2k3\/\/l4Sk00l" is more secure than a random 20 digit number that you made up, or that it even matters how secure your password for minecraftfangirls.net/forum is
Can anyone explain this phenomenon to me?
>>
Keepass
>>
I just name them after Gundams and Zoids using the model numbers and name.
>>
Grep 5 random lines from /usr/dict/German or whatever the file is, I forgot the script
>>
>>61703311
The new password bullshit being forced is actually annoying.

Some need capitals, some need symbols, some need neither. It actually makes it harder to remember some of my passwords and more so when I have to reset them.

They act like me having a hard password is going to stop their entire user list from getting dumped.
>>
>>61702875
>>
>>61700528
KeePassX password generator. Use it.