What characterizes a strong password? First of all, its length: the longer the password, the stronger it is and the longer it takes to crack. Secondly, the entropy, that is the randomness of the generation process. If the attacker can make statistical assumptions based on the method of generation, even an alphanumeric 8-character password can be cracked within hours. The third characteristic of a password generator is trust: do you trust that the generator does not keep logs, and that it doesn't have a backdoor? Lastly, is there a secure communication channel between the generator and the receiver? Most online password generators fail one or more of these criteria, and even software solutions have problems.
The only fully trustworthy way to generate passwords is an open-source generator running locally on your own computer, preferably under Linux, so that nothing leaves your machine and the code can be inspected. Even so, a website-generated password is considerably more secure than any password you can come up with yourself.
Steve Gibson's Perfect Passwords generator deserves the highest praise of all the solutions tested for this article. Besides the fact that Steve Gibson is a world-renowned programmer, the algorithm used ensures a high level of entropy, and although there is no source code available to check the implementation against the notes on the website, I personally trust it. The connection between the GRC server and your computer is secured by an SSL connection, and the generator produces three strings at once: 64 random hexadecimal characters (0-9 and A-F), 63 random printable ASCII characters, and 63 random alphanumeric characters (a-z, A-Z, 0-9). The ASCII string is the strongest per character, because it draws from the largest set (numbers, letters and special characters), so each character contributes more entropy than a hexadecimal or alphanumeric one. You can use any part of a string, the complete string, or even mix them to create a unique password. Your password will look something like:
While such a password will work for a web-based service or email account, nobody can be expected to remember one for a Windows account; it's simply too complicated. I personally use a 12-character hexadecimal string for my user account password, which I can remember without having to write it down, like
This, too, can be cracked with rainbow tables: 12 hexadecimal characters give only 16^12, about 2^48, possible passwords, and Windows stores unsalted LM/NTLM password hashes, which is exactly the case precomputed tables are built for. It will still deter most attackers without NSA-level knowledge and processing power.
If you're asking yourself, "How can I use 12 random ASCII characters for every password I have?", here's my system.
- I have an IronKey, a secure USB thumb drive that is itself protected by a 12-character hexadecimal string. All the data on the drive is hardware-encrypted. It will automatically self-destruct if it is physically tampered with or if the password is entered wrong 10 times.
- The IronKey has an integrated password manager and a hardened mobile version of Firefox 3. The passwords never pass through the computer’s keyboard or compromised applications.
- When using my own hardware, which I can vouch is secure, I use, for performance reasons, an Excel document stored on Google Docs that contains a list of services and their assigned passwords. I will never save any passwords into the Firefox password manager. The only way this system can be compromised is by first cracking the computer user account password and hoping that the cookie session is still active.
Editor’s note: IronKey is not free. It starts at $79. If you think that it’s worth the money to protect your privacy and security, then check it out.
The other services I tested were:
PCTools provides different options for generating passwords (length, punctuation, numbers, letters, etc.) as well as an SSL-secured connection. They also have a freeware, offline version of the generator. It's not open-source, and the technical details are not available for inspection.
GoodPassword offers both a random password generator with some customization options and a "Leet" generator, which the site describes as follows: "Leet Passwords are easy to remember acronym passwords generated by combining the first letter of each word, randomly changing the case, and replacing alphanumeric characters with their Leet (1337) equivalents, that is characters that look and/or sound the same". Such passwords are derived from a phrase rather than drawn at random, so their strength depends on how guessable the phrase is, not on the length of the result.
Multicians generates ten "pronounceable" passwords using a Java applet. It's not open-source, but the source code is available for inspection. There is no SSL connection. Pronounceable passwords are easier to memorize, but the constraint that makes them pronounceable also gives them less entropy per character than a fully random string of the same length.
Linux users can use this command to quickly create a strong password:
% dd if=/dev/urandom count=1 2> /dev/null | uuencode -m - | sed -ne 2p | cut -c-8
v1/oVN+S
dd reads one 512-byte block of random data, uuencode -m base64-encodes it (the trailing - is the file name written into the header line), sed keeps only the second line, i.e. the first line of base64 data after the begin-base64 header, and cut takes its first 8 characters. Each base64 character carries 6 bits, so this gives 48 bits of entropy, the same as a 12-character hexadecimal string; raise the number after cut -c- for a stronger password. Note that uuencode comes from sharutils and is not installed by default on every distribution.
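The one-liner above is tied to uuencode and fixed to 8 base64 characters. The script below is an added example, not from the original article or from any of the generators it reviews: it builds the same kind of /dev/urandom-based generator in plain POSIX sh for the three character sets discussed above (hexadecimal, alphanumeric, printable ASCII) and prints the entropy in bits of each result, so the strength of a 12-character hex password can be compared against a 63-character ASCII one directly. It assumes /dev/urandom, tr and head -c (GNU coreutils or BSD) are available; the function names and the class names hex/alnum/ascii are this example's own.

```shell
#!/bin/sh
# Added example: unbiased password generation from /dev/urandom in POSIX sh.
# Assumes /dev/urandom, tr and head -c are available (GNU coreutils or BSD).

# Character classes as tr(1) set expressions. Sizes are for the C locale,
# which LC_ALL=C below forces so that tr works on single bytes.
class_expr() {
    case $1 in
        hex)   echo '0-9A-F' ;;        # 16 characters
        alnum) echo '[:alnum:]' ;;     # 62 characters: a-z A-Z 0-9
        ascii) echo '[:graph:]' ;;     # 94 characters: printable ASCII 0x21-0x7e, no space
        *)     echo "unknown class: $1" >&2; return 1 ;;
    esac
}

class_size() {
    case $1 in
        hex)   echo 16 ;;
        alnum) echo 62 ;;
        ascii) echo 94 ;;
        *)     echo "unknown class: $1" >&2; return 1 ;;
    esac
}

# gen_password CLASS LENGTH: print LENGTH characters drawn uniformly from CLASS.
gen_password() {
    set_expr=$(class_expr "$1") || return 1
    # tr -dc deletes every byte that is not in the class, so what survives is the
    # stream of random bytes that happened to fall in the set. Each surviving byte
    # is uniform over the set (rejection sampling), so there is no modulo bias of
    # the kind "random_byte % set_size" would introduce.
    LC_ALL=C tr -dc "$set_expr" < /dev/urandom | head -c "$2"
    echo
}

# entropy_bits LENGTH SET_SIZE: bits of entropy = LENGTH * log2(SET_SIZE), one decimal.
entropy_bits() {
    awk -v n="$1" -v k="$2" 'BEGIN { printf "%.1f\n", n * log(k) / log(2) }'
}

# Demo: the three string types discussed in the article and a 12-character hex
# account password. The last line shows why 12 hex characters are only 48 bits.
for spec in "hex 64" "ascii 63" "alnum 63" "hex 12"; do
    class=${spec% *}
    len=${spec#* }
    printf '%-5s %2s chars, %6s bits: %s\n' "$class" "$len" \
        "$(entropy_bits "$len" "$(class_size "$class")")" \
        "$(gen_password "$class" "$len")"
done
```

The tr -dc filter is the important part: it throws away every random byte outside the chosen set instead of mapping bytes onto the set with a modulo, so the output is uniform over the set and the entropy figure printed next to it is honest. Running entropy_bits 8 64 reproduces the 48.0 bits of the 8-character base64 one-liner; entropy_bits 12 16 gives the same 48.0 for the 12-character hexadecimal account password, while 63 printable ASCII characters give roughly 413 bits.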