04/04/08 02:00 AM

What's In A Password?

Posted in by Anil Polat

Password strength meters are all over the Net. These tools are designed to determine how long, random, and complex a given password is.

In general, I think they make good indications about passwords. It’s just that most people type in their dictionary word and tack on a number or two to get a ‘strong’ password.

See how PasswordMeter.com rates these 2 passwords (the second one randomly generated using 63 available ASCII characters):

  • ‘Computer1’ – 56% = “Good” password rating.
  • ‘buty1{’ – 34% = “Weak” password rating.

Try it yourself: with a couple of random passwords of just 6 characters I got ratings anywhere from 28% to 70%. I know this all comes down to the algorithms each meter uses, so what's a user to do?

My advice is to download a copy of (the free) TrueCrypt. Create an encrypted drive (for the paranoid go with a hidden one) and store your passwords in a text file there.

The TrueCrypt password should be at least 8 characters with 1 number and symbol in it. The text file should have all 8 character randomly generated passwords (here’s a good random generator).

You only have to remember the single password to the encrypted folder. Make a copy and back it up to a USB drive and you’re ready to go mobile.

Remember, never submit your email, name, or any other information along with a password you’re testing out in an online generator. It’s a good way to get your password stolen.

2 Comments for What's In A Password?

I don’t think I’ve ever seen an online password generator that offered TLS protection while serving up passwords. If you suspect that there’s anyone capable of sniffing network traffic between your workstation and the password generator then you should be aware that the password might get compromised.

It’s not that hard to write a script to generate strong passwords, and since the password doesn’t traverse any networks, it’s considerably safer.


Scott Shorter    04/04/08 09:17 AM    #
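Both the post (random 8-character passwords drawn from 63 ASCII characters, versus a dictionary word with a number tacked on) and Scott's comment (a local script so the password never crosses the network) come down to the same thing: a uniformly random password has a measurable entropy that a strength meter's heuristics do not capture. The following is an added Python example, not code from the post or from either commenter. It assumes a 63-symbol alphabet of letters, digits and underscore (the post does not say which 63 characters the generator used), uses the `secrets` module so the random draws come from the operating system's CSPRNG, and models the "word plus digits" pattern with an assumed 100,000-word dictionary.

```python
import math
import secrets
import string

# Assumed 63-symbol alphabet (26 lower + 26 upper + 10 digits + underscore).
# The post only says "63 available ASCII characters"; the exact set is a guess.
ALPHABET = string.ascii_letters + string.digits + "_"
assert len(ALPHABET) == 63

# Assumed size of the dictionary an attacker would try first; constructed value.
DICTIONARY_WORDS = 100_000


def generate_password(length: int = 8, alphabet: str = ALPHABET) -> str:
    """Return `length` symbols drawn uniformly at random from `alphabet`.

    `secrets.choice` reads from the OS CSPRNG; `random.choice` must not be used
    here because its Mersenne Twister state is predictable from its output.
    Generating locally also means the password never leaves the machine.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(dictionary_size: int, digit_count: int) -> float:
    """Entropy of the 'dictionary word + N digits' pattern.

    An attacker who knows the pattern only has to search
    dictionary_size * 10**digit_count candidates, however 'complex' the
    characters look to a meter that scores mixed case and digits.
    """
    return math.log2(dictionary_size) + digit_count * math.log2(10)


def compare_page_examples() -> dict:
    """Model the two passwords the post ran through the meter.

    'Computer1' is a capitalised dictionary word plus one digit (9 characters);
    'buty1{' is 6 uniformly random symbols from the 63-character alphabet.
    Returns the modelled entropy of each and which one is actually stronger.
    """
    word_plus_digit = pattern_entropy_bits(DICTIONARY_WORDS, 1)
    random_six = entropy_bits(6, 63)
    return {
        "Computer1_bits": round(word_plus_digit, 1),
        "buty1{_bits": round(random_six, 1),
        "stronger": "buty1{" if random_six > word_plus_digit else "Computer1",
    }


if __name__ == "__main__":
    # The post's recommendation: 8 random characters per stored password.
    for _ in range(3):
        pw = generate_password(8)
        print(f"{pw}  ({entropy_bits(8, 63):.1f} bits)")
    print(compare_page_examples())
```

Run it and the ordering the meter produced is reversed: the random 6-character password carries roughly 36 bits of entropy, while the "Good"-rated `Computer1` is worth about 20 bits once the attacker assumes the word-plus-digit pattern. The 8-character passwords the post recommends storing in the encrypted volume come in near 48 bits each.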

I use Password Safe for two reasons: 1) Schneier was involved with its origins, and 2) it is open source allowing examination for backdoors, networking, etc. I took a cursory look through the code, found nothing offensive, and I use it to store my passwords (and generate random ones).


Peter Hesse    04/04/08 10:00 AM    #