Building Strong Random Passwords: Length vs. Complexity

pAZTKX3F
August 18, 2017
First I would like to explain some basic information about random passwords: what is a random password, and what is best practice for building strong passwords? As a bonus, I have prepared a script that will help you create strong passwords. The plus is that the script works on all Linux distributions (CentOS/RedHat/Ubuntu/Debian), Raspberry and Cygwin (all tested).

First, I want to remind you of some basic definitions.

What is a password?

According to Wikipedia [1] a '...password is a word or string of characters used for user authentication to prove identity or access approval in order to gain access to a resource (access code like a password), which is to be kept secret from those not allowed access...'

What does it mean that my password should have randomness?

According to Wikipedia [2] randomness is the lack of pattern or predictability in events. Easy, right? Eh, not always. It means that we want to create a random password that will be difficult for attackers to guess by means of brute-force or dictionary-attack tools (Hydra, ncrack, medusa, john, fcrackzip, ophcrack, pyrit, rainbowcrack, truecrack, etc.).

Okay, now that we know what a password is and what randomness means, the next step is to remember basic best practices: how can we create 'strong' passwords? I hope you know that every password can be cracked by attackers; unfortunately, it is only a matter of time. However, length is the key factor in prolonging the time it takes to crack.

Good passwords should: [3]
- be at least 8 characters long (I suggest more than 15 characters in length)
- contain at least:
  -- one uppercase letter [A-Z]
  -- one lowercase letter [a-z]
  -- one numeric character [0-9]
  -- one special character from this set: ` ! @ $ % ^ & * ( ) - _ = + [ ] ; : ' " , < . > / ?
  Note: The above are suggestions that many companies and institutions follow or mandate for accounts. It is currently up for debate whether this is actually beneficial/effective.
- not contain your login, email, name, surname, company name, your age, etc.
- not contain repeating character strings like 111, aaa, @@@, AAA, etc.
- be a really random password; don't use words from the dictionary

How can you check how strong your password is? (NEVER enter your real password!):

Here is my script (bash) to generate a random password:
#!/bin/bash

clear

echo "How long password [min 8 chars]: "
read long                       # get how long the password should be
echo "How many passwords: "
read many                       # get how many passwords I want

# LC_ALL=C makes tr treat the bytes from /dev/urandom as plain bytes, whatever the locale
export LC_ALL=C

if [ "$long" -ge 8 ]            # check the length; if at least 8 chars, the script can generate a password
then
    i=0                         # set i=0
    while [ "$i" -lt "$many" ]  # loop as many times as passwords requested
    do
        # read bytes from /dev/urandom, keep only printable chars, take the first $long of them
        pass=$(cat /dev/urandom | tr -dc '[:print:]' | head -c "$long")
        echo "$pass"            # print the random password (quoted so the shell does not expand * or ?)
        i=$((i+1))              # increment i
    done
else
    echo "sorry but your password is too short"   # message if the requested length is less than 8 chars
fi
Advantages:
- the code is portable and works on Linux/Cygwin [tested on CentOS/Ubuntu/Cygwin]
- all commands are present in a default Linux distro: cat, /dev/urandom, tr, head
- clear code
- you can generate passwords of any length and any quantity

References:
[1] -
[2] -
[3] -
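The script above draws printable characters from /dev/urandom but never checks its output against the checklist given earlier, so a run of 8 characters can still lack a digit or contain "aaa". As an added example (not the post's script), the bash functions below generate a password the same way and retry until it satisfies that checklist; the names pass_is_strong and gen_pass are my own.

```shell
#!/bin/bash
# Added example, not the post's script: draw characters from /dev/urandom as
# the post does, then enforce the post's checklist (at least 8 chars, an upper,
# a lower, a digit, a special from the post's set, no character repeated three
# times in a row) and retry until a candidate passes.
export LC_ALL=C   # treat urandom output as plain bytes whatever the locale

# The post's special-character set as a grep bracket expression; ']' must be
# first and '-' last so they are taken literally.
SPECIAL_CLASS='[]`!@$%^&*()_=+[;:'"'"'",<.>/?-]'

# pass_is_strong PASSWORD -> exit 0 if it meets the checklist, 1 otherwise
pass_is_strong() {
    local p="$1"
    [ "${#p}" -ge 8 ] || return 1
    printf '%s' "$p" | grep -q '[A-Z]' || return 1
    printf '%s' "$p" | grep -q '[a-z]' || return 1
    printf '%s' "$p" | grep -q '[0-9]' || return 1
    printf '%s' "$p" | grep -q "$SPECIAL_CLASS" || return 1
    # reject any character repeated three times in a row (111, aaa, @@@)
    printf '%s' "$p" | grep -q '\(.\)\1\1' && return 1
    return 0
}

# gen_pass LENGTH -> print one password of LENGTH that passes the checklist
gen_pass() {
    local len="$1" p
    [ "$len" -ge 8 ] || { echo "length must be at least 8" >&2; return 1; }
    while :; do
        # [:graph:] is [:print:] without the space, so no leading/trailing blanks
        p=$(tr -dc '[:graph:]' < /dev/urandom | head -c "$len")
        if pass_is_strong "$p"; then
            printf '%s\n' "$p"
            return 0
        fi
    done
}

gen_pass "${1:-16}"
```

With 16 characters most candidates pass on the first try; the loop only matters for short lengths, where missing a digit or an uppercase letter is common.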