Building Strong Random Passwords: Length vs. Complexity

By paztkx3f | August 18, 2017 | Views: 2376


First I would like to explain some basic information about random passwords: what a random password is, and what the best practice is for building strong passwords.
As a bonus, I have prepared a script that will help you create strong passwords. The plus is that the script works on all Linux distributions (CentOS/RedHat/Ubuntu/Debian), Raspberry Pi and Cygwin (all tested).

First, I want to remind you of some basic definitions.

What is a password?
According to Wikipedia [1] a '...password is a word or string of characters used for user authentication to prove identity or access approval in order to gain access to a resource (access code like a password), which is to be kept secret from those not allowed access...'

What does it mean that my password should have randomness?
According to Wikipedia [2] randomness is the lack of pattern or predictability in events. Easy, right? Eh, not always.

It means that we want to create a random password that is difficult for attackers to guess, even with the special tools used for brute-force or dictionary attacks (Hydra, ncrack, medusa, john, fcrackzip, ophcrack, pyrit, rainbowcrack, truecrack, etc.).

Okay, now that we know what a password is and what randomness means, the next step is to remember the basic best practices: how can we create 'strong' passwords? I hope you know that every password can be cracked by attackers; unfortunately, it is only a matter of time. However, length is the key factor in prolonging the time it takes to crack one.

Good passwords should: [3]
– be at least 8 characters long (I suggest more than 15 characters in length)
– contain at least:
     — one uppercase letter [A-Z]
     — one lowercase letter [a-z]
     — one numeric character [0-9]
     — one special character from this set: ` ! @ $ % ^ & * ( ) - _ = + [ ] ; : ' " , < . > / ?

Note: The above are suggestions that many companies and institutions follow or mandate for accounts. It is currently up for debate whether this is actually beneficial or effective.

– not contain your login, email, name, surname, company name, your age, etc.
– not contain repeating character strings like 111, aaa, @@@, AAA, etc.
– be really random: don't use words from the dictionary

How can you check how strong your password is? (NEVER enter your real password!):

http://password-checker.online-domain-tools.com/
http://www.passwordmeter.com/
https://password.kaspersky.com/

Below is my script (bash) to generate random passwords:

#!/bin/bash

clear

echo "How long password [min 8 chars]: "
read -r long                  # get how long the password should be
echo "How many passwords: "
read -r many                  # get how many passwords I want

if [ "$long" -ge 8 ]          # check the requested length; if it is 8 chars or more the script can generate random passwords
then

    i="0"                     # set i=0
    while [ "$i" -lt "$many" ]    # loop for as many passwords as you asked for
    do
        # read bytes from /dev/urandom, keep only printable chars and take the first $long of them
        # (note: [:print:] includes the space character, so a password may contain spaces)
        pass=$(cat /dev/urandom | tr -dc '[:print:]' | head -c "$long")
        echo "$pass"          # list the random password
        i=$((i+1))            # increment i
    done

else
    echo "sorry but your password is too short"   # message if the requested length is less than 8 chars
fi

Advantages:
– the code is portable and works on Linux/Cygwin [tested on CentOS/Ubuntu/Cygwin]
– all the commands are part of every default Linux distro: cat, /dev/urandom, tr, head
– clear code
– you can generate passwords of any length and in any quantity
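The following is an added example, not the article's script, that turns the rules list above into a checker and pairs it with a generator in the spirit of the script: it draws from /dev/urandom like the original, but excludes the space character, validates the requested length, and redraws until the result actually meets the rules. The function names entropy_bits, check_password and gen_password, and the optional list of personal strings to forbid, are assumptions of this example; the entropy helper shows the "length over complexity" point numerically (log2 of alphabet size to the power of length).

```shell
#!/bin/bash
# Added example for the password rules and the generator script above; not the article's own code.
# Assumes bash (POSIX sh also works), /dev/urandom, and the tr/head/grep/awk found on any Linux/Cygwin box.
export LC_ALL=C   # byte-wise character classes in case/tr and a '.' decimal separator in awk

# entropy_bits LENGTH ALPHABET_SIZE
# Bits of entropy of a password of LENGTH symbols drawn uniformly from ALPHABET_SIZE symbols:
# log2(ALPHABET_SIZE ^ LENGTH) = LENGTH * log2(ALPHABET_SIZE). Going from 8 to 15 characters
# adds about 46 bits; doubling the alphabet adds only 1 bit per character.
entropy_bits() {
    awk -v n="$1" -v a="$2" 'BEGIN { printf "%.1f\n", n * log(a) / log(2) }'
}

# check_password PASSWORD [FORBIDDEN_STRING ...]
# Applies the article's rules: length >= 8, one uppercase, one lowercase, one digit, one special
# character, no run of three identical characters, and none of the supplied personal strings
# (login, name, company ...) as a case-insensitive substring. Prints each failed rule and
# returns 0 only when every rule passes.
check_password() {
    local pw="$1" fail=0 f
    shift
    if [ "${#pw}" -lt 8 ]; then echo "shorter than 8 characters"; fail=1; fi
    case "$pw" in *[A-Z]*) ;; *) echo "no uppercase letter"; fail=1 ;; esac
    case "$pw" in *[a-z]*) ;; *) echo "no lowercase letter"; fail=1 ;; esac
    case "$pw" in *[0-9]*) ;; *) echo "no digit"; fail=1 ;; esac
    case "$pw" in *[!A-Za-z0-9]*) ;; *) echo "no special character"; fail=1 ;; esac
    # BRE backreference: any character followed by two more copies of itself (aaa, 111, @@@)
    if printf '%s' "$pw" | grep -q '\(.\)\1\1'; then echo "repeated character run"; fail=1; fi
    for f in "$@"; do
        if [ -n "$f" ] && printf '%s' "$pw" | grep -qiF -- "$f"; then
            echo "contains personal string '$f'"; fail=1
        fi
    done
    return $fail
}

# gen_password LENGTH [FORBIDDEN_STRING ...]
# Like the article's generator, but draws only from the 94 printable ASCII characters that are
# not space (tr range '!'..'~'), rejects a non-numeric or too-short LENGTH, and redraws until
# check_password accepts the result, so every password printed satisfies the rules.
gen_password() {
    local len="$1" pw
    shift
    case "$len" in ''|*[!0-9]*) echo "length must be a whole number" >&2; return 2 ;; esac
    if [ "$len" -lt 8 ]; then echo "sorry but your password is too short" >&2; return 2; fi
    while :; do
        pw=$(tr -dc '!-~' < /dev/urandom | head -c "$len")
        if check_password "$pw" "$@" >/dev/null; then
            printf '%s\n' "$pw"
            return 0
        fi
    done
}

# When run directly: show the entropy gain from length, then print three 15-character passwords.
echo "8 chars from 94 symbols:  $(entropy_bits 8 94) bits"
echo "15 chars from 94 symbols: $(entropy_bits 15 94) bits"
i=0
while [ "$i" -lt 3 ]; do gen_password 15; i=$((i+1)); done
```

Pass the strings you never want in a password as extra arguments, for example `gen_password 15 alice acme`, and check an existing candidate with `check_password 'candidate' alice acme`; the checker prints which rule failed, which is what the online strength meters listed above do not tell you without sending them the password.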

References:
[1] – https://en.wikipedia.org/wiki/Password
[2] – https://en.wikipedia.org/wiki/Randomness
[3] – http://crambler.com/password-security-why-secure-passwords-need-length-over-complexity/

5 Comments
  1. thephoton

    Very very dangerous to rely on passwords that are short – try a pass phrase – three to four words that have at least four characters each, use both cases, add numbers or special characters. Phrases are a lot easier to remember than any 8 character random crap that takes less than 2 days to hack. The longer the password, the longer it will take to brute force it. Also don't use patterns or repeat the use of passwords – if they get in and you have done those things, they will own you and your identity. Check out the site howsecureismypassword.net and use a password manager/generator like what you find in LastPass or 1Password. The information in this post should either be removed or really researched and updated.

    Sad that sites like this don’t review posts like this one before adding them to their emails like it is something new and special – they need to do their part before they really hurt someone, especially when they bill this site as a source of security information and learning.

    • @Larry thank you for your comment.
      1) It is true that using a short password may be dangerous, which is why "***I suggest more than 15 characters in length***".
      2) If you have a lot of passwords, a good idea is to use a password manager, but not LastPass or 1Password (never use online tools, only offline). I hope that you understand why.

  2. You gave us such a good idea to create passwords. But unfortunately everyone already knows this. So I suggest you add a few more related things. Thank you

    • Are you sure that "everyone" does?
      I know people who work in IT security and use 8-character passwords.
      Sometimes it is a good idea to remind people about the basic rules.

  3. This is not true. Look at the link below, or take a look at NIST's latest publications. Length outweighs complexity by far. You can easily add your username to your password as long as you add, e.g., 25 more characters 😁
    https://xkcd.com/936/
