August 18, 2017
Building Strong Random Passwords: Length vs. Complexity
First I would like to explain some basic information about random passwords: what is a random password, and what is best practice for building strong passwords? As a bonus, I prepared a script which will help you create strong passwords. The plus is that the script works on all Linux distributions (CentOS/RedHat/Ubuntu/Debian), Raspberry Pi and Cygwin (all tested).

First, I want to remind you of some basic definitions.

What is a password?

According to Wikipedia, a "...password is a word or string of characters used for user authentication to prove identity or access approval in order to gain access to a resource (access code like a password), which is to be kept secret from those not allowed access..."

What does it mean that my password should have randomness?

According to Wikipedia, randomness is the lack of pattern or predictability in events. Easy, right? Eh, not always. For us it means that we want a password that is difficult for an attacker to guess, even with the help of brute-force or dictionary tools (Hydra, ncrack, medusa, john, fcrackzip, ophcrack, pyrit, rainbowcrack, truecrack, etc.).

Okay, now that we know what a password is and what randomness means, the next step is to remember basic best practice: how do we create a "strong" password? I hope you know that every password can be cracked by an attacker given enough time, unfortunately. However, length is the key factor in prolonging the time it takes to crack one.

Good passwords should:
- be at least 8 characters long (I suggest more than 15 characters)
- contain at least:
  -- one uppercase letter [A-Z]
  -- one lowercase letter [a-z]
  -- one numeric character [0-9]
  -- one special character from this set: ` ! @ $ % ^ & * ( ) - _ = + [ ] ; : ' " , < . > / ?
  (Note: the above are suggestions that many companies and institutions follow or mandate for accounts. It is currently up for debate whether this is actually beneficial/effective.)
- not contain your login, email, name, surname, company name, your age, etc.
- not contain repeated character runs like 111, aaa, @@@, AAA, etc.
- be really random: don't use words from the dictionary

How can you check how strong your password is? (NEVER enter your real password!)
- https://password-checker.online-domain-tools.com/
- http://www.passwordmeter.com/
- https://password.kaspersky.com/

Below is my script (bash) to generate a random password:
```bash
#!/bin/bash

clear

echo "How long password [min 8 chars]: "
read long                        # how long the password should be
echo "How many passwords: "
read many                        # how many passwords I want

if [ "$long" -ge 8 ]             # only generate when the length is at least 8 chars
then
    i=0                          # set i=0
    while [ "$i" -lt "$many" ]   # loop once per requested password
    do
        # read bytes from /dev/urandom, keep only printable characters
        # (note: [:print:] includes the space character) and take the first $long
        pass=$(tr -dc '[:print:]' < /dev/urandom | head -c "$long")
        echo "$pass"             # print the random password
        i=$((i+1))               # increment i
    done
else
    echo "sorry but your password is too short"   # length was less than 8 chars
fi
```

Advantages:
- the code is portable and works on Linux/Cygwin [tested on CentOS/Ubuntu/Cygwin]
- all commands are available by default on any Linux distro: cat, /dev/urandom, tr, head
- clear code
- you can generate passwords of any length and in any quantity

References:
- https://en.wikipedia.org/wiki/Password
- https://en.wikipedia.org/wiki/Randomness
- http://crambler.com/password-security-why-secure-passwords-need-length-over-complexity/
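The checklist above and the /dev/urandom approach of the script, combined into one added example (my own code, not the author's script): a checker for the listed rules, an entropy estimate that puts length against complexity in numbers, and a generator that keeps drawing from /dev/urandom until a candidate passes the checker. The function names, the sample passwords and the account name `alice` are constructed for illustration; "special character" is taken here as any printable non-alphanumeric character, which is broader than the author's exact set, and the generator excludes the space character that `[:print:]` would allow.

```shell
#!/bin/sh
# Added example, not the author's script. POSIX sh; assumes tr, grep, awk, head.
export LC_ALL=C   # byte-wise [A-Z]/[a-z] matching and byte-wise ${#pw}

# Bits of entropy for a password of $1 characters drawn uniformly from a
# character set of size $2: length * log2(set size), rounded down.
entropy_bits() {
    awk -v len="$1" -v n="$2" 'BEGIN { printf "%d\n", int(len * log(n) / log(2)) }'
}

# Returns 0 when $1 satisfies every rule of the checklist, 1 otherwise, and
# prints the first failing rule. $2 (optional) is the login name the password
# must not contain (compared case-insensitively).
check_password() {
    pw=$1; login=$2
    [ "${#pw}" -ge 8 ] || { echo "too short"; return 1; }
    printf '%s' "$pw" | grep -q '[A-Z]' || { echo "no uppercase letter"; return 1; }
    printf '%s' "$pw" | grep -q '[a-z]' || { echo "no lowercase letter"; return 1; }
    printf '%s' "$pw" | grep -q '[0-9]' || { echo "no digit"; return 1; }
    # assumption: any printable non-alphanumeric character counts as "special"
    printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' || { echo "no special character"; return 1; }
    # three identical characters in a row (111, aaa, @@@ ...), via a BRE backreference
    if printf '%s' "$pw" | grep -q '\(.\)\1\1'; then
        echo "repeated character run"; return 1
    fi
    if [ -n "$login" ] && printf '%s' "$pw" | grep -qi -F -- "$login"; then
        echo "contains login name"; return 1
    fi
    echo "ok"
    return 0
}

# Draws $1 characters from /dev/urandom, restricted to printable ASCII without
# the space ('!' through '~', 94 symbols), and returns the first candidate that
# passes check_password. $2 (optional) is the login name to exclude.
# Returns 1 instead of looping forever if no random bytes could be read.
generate_password() {
    len=$1
    while :; do
        pw=$(tr -dc '!-~' < /dev/urandom | head -c "$len")
        [ -n "$pw" ] || return 1
        if check_password "$pw" "$2" >/dev/null; then
            printf '%s\n' "$pw"
            return 0
        fi
    done
}

# Demo: length beats complexity, then one policy-conforming password for "alice".
echo "8 chars from 94 printable symbols: $(entropy_bits 8 94) bits"
echo "16 chars from 26 lowercase letters: $(entropy_bits 16 26) bits"
echo "15 chars from 94 printable symbols: $(entropy_bits 15 94) bits"
if [ -r /dev/urandom ]; then
    generate_password 16 alice
fi
```

The two `entropy_bits` calls are the title's point in numbers: 8 characters drawn from all 94 printable ASCII symbols give about 52 bits, while 16 lowercase letters alone give about 75, so doubling the length does more than quadrupling the alphabet. Rejection sampling in `generate_password` keeps the draw uniform over the allowed set; it only discards candidates that fail the policy instead of forcing specific positions to hold specific classes, which would reduce the search space an attacker faces.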