Tuesday, January 2, 2018

Generating Random Passwords



People are not very good at generating randomness, yet a password is strongest when it is chosen uniformly at random. There are several password generators available on-line that will make secure passwords for you, and most password managers in which you store your passwords will also generate them for you.

If, however, you want to generate a random password consisting of upper- and lower-case letters, numbers, and symbols, you can do so using a simple 6x6 grid and a single die. In one half of each cell of your grid write the 26 upper-case letters of the alphabet and the digits 0-9 (36 characters, one per cell). In the other half of each cell write the 26 lower-case letters and ten symbols from your keyboard (another 36). Use every character exactly once and leave no cell empty, so that every cell is equally likely to be selected.

To generate one character, roll a six-sided die three times. On the first roll, note only whether the number is odd or even: an odd number (1, 3, 5) selects the upper-case/number half of the cells, and an even number (2, 4, 6) selects the lower-case/symbol half. The next two rolls give the row and column (1-6) of the cell on the grid, which determines the letter, number, or symbol for your password. For example, in the grid above, rolling 2-1-6 indicates an "f", and rolling 3-4-4 indicates a "V".

Continue rolling your die in this manner until you have as many characters as your password needs. Because each roll of a fair die is independent and every face is equally likely, exactly 3 of the 216 possible three-roll sequences map to each of the 72 characters, so every character is chosen with probability 1/72 and the password is uniformly random. Do not re-roll or skip characters you happen to dislike; that selection bias lowers the entropy you are counting on.

This method is fairly slow, but it gives you a way to generate a random string of letters, numbers, and symbols when you don't have access to a computer-based password generator, or when you don't want to trust the random number generator in your computer.

How long should my password be?

Password strength is measured in entropy, the number of bits of randomness in the password. Generally speaking, a randomly generated password should have at least 60 bits of entropy to be considered secure, and 80 bits is even better. With the method above, each character carries log2(72), or about 6.17, bits of entropy: 1 bit from the odd/even roll plus log2(36), about 5.17 bits, from the two coordinate rolls. So a password should be at least 10 characters long (about 62 bits); 13 characters reach 80 bits, and 14 or more is preferred.
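As an added example, not part of the original post, here is the grid method in Python: a grid whose upper half is filled row by row with A-Z then 0-9 and whose lower half holds a-z followed by ten symbols, a lookup from three die rolls to one character, an exhaustive check that the 216 roll combinations cover the 72 characters evenly, and the entropy arithmetic above. The row-by-row layout and the particular ten symbols are assumptions (the post's grid image is not reproduced here), although with this layout the post's two examples, 2-1-6 giving "f" and 3-4-4 giving "V", come out the same.

```python
import math
import secrets
import string

# Assumed grid layout (the post's grid image is not reproduced here): each half
# is read row by row, row 1 first, six cells per row.
UPPER_HALF = string.ascii_uppercase + string.digits     # A-Z then 0-9: 36 chars
LOWER_HALF = string.ascii_lowercase + "!@#$%&*+-="      # a-z then 10 assumed symbols: 36 chars
ALPHABET_SIZE = len(UPPER_HALF) + len(LOWER_HALF)       # 72


def lookup(first: int, row: int, col: int) -> str:
    """Map one three-roll sequence (each die value 1-6) to a character.

    first odd -> upper-case/digit half, even -> lower-case/symbol half;
    row and col index the 6x6 grid.
    """
    for r in (first, row, col):
        if not 1 <= r <= 6:
            raise ValueError(f"die value out of range: {r}")
    half = UPPER_HALF if first % 2 == 1 else LOWER_HALF
    return half[(row - 1) * 6 + (col - 1)]


def password_from_rolls(rolls: list[int]) -> str:
    """Replay a recorded sequence of physical die rolls, three per character."""
    if len(rolls) % 3 != 0:
        raise ValueError("three rolls are needed per character")
    return "".join(lookup(*rolls[i:i + 3]) for i in range(0, len(rolls), 3))


def roll_die() -> int:
    """Simulated fair die using the OS CSPRNG (stand-in for a physical die)."""
    return secrets.randbelow(6) + 1


def generate_password(length: int) -> str:
    return password_from_rolls([roll_die() for _ in range(3 * length)])


def roll_coverage() -> dict[str, int]:
    """Count how many of the 216 three-roll sequences map to each character.

    Every character appears exactly 216 / 72 = 3 times: the mapping is uniform,
    which is why the generated password is uniformly random.
    """
    counts: dict[str, int] = {}
    for first in range(1, 7):
        for row in range(1, 7):
            for col in range(1, 7):
                ch = lookup(first, row, col)
                counts[ch] = counts.get(ch, 0) + 1
    return counts


def bits_per_char() -> float:
    """Entropy per character: log2(72), about 6.17 bits."""
    return math.log2(ALPHABET_SIZE)


def chars_needed(target_bits: float) -> int:
    """Smallest password length reaching target_bits of entropy."""
    return math.ceil(target_bits / bits_per_char())


if __name__ == "__main__":
    print(password_from_rolls([2, 1, 6, 3, 4, 4]))   # the post's examples: "fV"
    print(generate_password(chars_needed(80)))
    print(f"{bits_per_char():.2f} bits/char; 60 bits -> {chars_needed(60)} chars, "
          f"80 bits -> {chars_needed(80)} chars")
```

roll_coverage is the check worth keeping around: if you design your own grid and a character appears in two cells, or a cell is left empty, the counts stop being all 3 and the per-character entropy drops below log2(72).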

Diceware

Diceware is a way to generate random groups of words (passphrases) that are easier to remember but, because of their length, contain enough entropy to be secure. It is based on the principle that a truly random selection of words from a wordlist can produce a passphrase that is easy to memorize and still extremely resistant to attack. Each word is chosen by rolling a die five times and looking the five-digit result up in a list of 6^5 = 7776 numbered words, so every word adds log2(7776), about 12.9, bits of entropy: five words give roughly 65 bits and seven words roughly 90.

While I prefer very long randomly generated passwords kept in a password manager, there are still some passwords or passphrases you must memorize, such as the passphrase that unlocks your password manager. This is where Diceware is an excellent tool for generating that passphrase.

In July 2016, the Electronic Frontier Foundation (EFF) published its own wordlists for Diceware-style passphrases. A passphrase is generated in the same manner with the EFF long list as with the original Diceware list (five rolls per word, 7776 words), but the EFF dropped words from the original list that were obscure, hard to spell, or easy to confuse or mistype.

Consider Diceware and the updated EFF wordlist when you need to generate a memorable random passphrase.
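As an added example, not part of the post or of the Diceware or EFF projects, the Diceware lookup in Python: converting a five-dice roll to a wordlist index and back, parsing the tab-separated roll/word format used by the Diceware and EFF files, refusing to generate from a list that is incomplete or has duplicate words, and the number of words needed for a given entropy target. The handful of wordlist lines embedded below is a constructed fragment, not the EFF list; for real use, pass the contents of the downloaded wordlist file to parse_wordlist.

```python
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD   # 7776 entries in the original Diceware and EFF long lists

# Constructed fragment in the "roll<TAB>word" format of the Diceware/EFF files.
# It is NOT the real list (which has 7776 lines); it only lets the block run offline.
SAMPLE_WORDLIST_TEXT = """\
11111\tabacus
11112\tabdomen
23456\tdinosaur
44444\tlantern
66665\tzoology
66666\tzucchini
"""


def roll_to_index(roll: str) -> int:
    """'11111' -> 0 ... '66666' -> 7775: five dice read as a base-6 number."""
    if len(roll) != DICE_PER_WORD or any(c not in "123456" for c in roll):
        raise ValueError(f"bad dice roll: {roll!r}")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index


def index_to_roll(index: int) -> str:
    """Inverse of roll_to_index, e.g. for numbering a wordlist you build yourself."""
    if not 0 <= index < LIST_SIZE:
        raise ValueError(f"index out of range: {index}")
    digits = []
    for _ in range(DICE_PER_WORD):
        index, d = divmod(index, 6)
        digits.append(str(d + 1))
    return "".join(reversed(digits))


def parse_wordlist(text: str) -> dict[str, str]:
    """Parse 'roll<TAB>word' lines into a roll -> word mapping."""
    words: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        roll, word = line.split("\t")
        roll_to_index(roll)          # rejects malformed keys
        if roll in words:
            raise ValueError(f"duplicate roll {roll}")
        words[roll] = word.strip()
    return words


def is_complete_wordlist(words: dict[str, str]) -> bool:
    """True only if all 7776 rolls are present and map to distinct words."""
    return len(words) == LIST_SIZE and len(set(words.values())) == LIST_SIZE


def bits_per_word() -> float:
    """log2(7776), about 12.92 bits per word."""
    return math.log2(LIST_SIZE)


def words_needed(target_bits: float) -> int:
    return math.ceil(target_bits / bits_per_word())


def roll_word() -> str:
    """Five simulated fair dice via the OS CSPRNG (stand-in for physical dice)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def passphrase_from_rolls(words: dict[str, str], rolls: list[str]) -> str:
    """Look up recorded physical rolls; raises KeyError if a roll is not in the list."""
    return " ".join(words[r] for r in rolls)


def generate_passphrase(words: dict[str, str], n_words: int) -> str:
    if not is_complete_wordlist(words):
        raise ValueError("refusing to generate from an incomplete or duplicated wordlist")
    return passphrase_from_rolls(words, [roll_word() for _ in range(n_words)])


if __name__ == "__main__":
    sample = parse_wordlist(SAMPLE_WORDLIST_TEXT)
    print(passphrase_from_rolls(sample, ["11111", "23456", "66666"]))
    print(f"{bits_per_word():.2f} bits/word; 60 bits -> {words_needed(60)} words, "
          f"80 bits -> {words_needed(80)} words")
```

The completeness check matters because the entropy figure of 12.9 bits per word assumes all 7776 rolls map to distinct words; a truncated download or a list with repeated entries silently gives you less than you think.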

