How it works
This generator consists of 2659 nouns, 3977 adjectives, 8 bounding words and 11 symbols.
You can generate a new passphrase by clicking the “Re-Generate All” button or by clicking on the word you would like to change.
It uses JavaScript to generate your passphrase – no information is sent to the server when you use it and it doesn’t save any information as cookies on your computer.
But don’t trust me – modify your generated passphrase. Just make sure that your modifications won’t make it more vulnerable to attacks.
Safety
Well, there is no such thing as a safe passphrase: some passphrases can be cracked in the time it takes to make yourself a cup of coffee, and some would be obtained in the time it takes our sun to stop shining.
If someone evil-minded is able to attack your system or file with "brute force" (the computer checks all possible values until the correct value is found), it is only a matter of time before he/she succeeds. As computers get faster every day, the time to find the right value decreases.
In case of an abc attack – when different combinations of letters, numbers and symbols are inserted into the password field until a match is found – this generator would generate a very safe passphrase, because in case of an abc attack size does matter, and the smallest passphrase it generates is twenty characters long.
If the attacker knows that you used this generator and acquires the words used in this generator…
This generator can generate: 174 988 x 116 996 x 8 x 174 988 x 116 996 = 3 353 115 780 737 712 146 432 combinations
… he/she has to try all of these combinations, which would take up to 310 603 581 hours of computation (see the brute force attack time table). That is a substantial amount of time (35 457 years of continuous computation). Any hacker in his/her right mind would probably seek some other type of attack to obtain your passphrase.
Do I have to use those pesky #%@123456789?
Simple answer - YES YOU DO! Because this passphrase generator uses simple English words to compute you a nice and simple passphrase. And if you don’t use symbols or numbers in your passphrase, then the computation time in case of a dictionary attack is reduced from 35 457 years to some days or even minutes.
Do I have to use capital letters?
Again, simple answer - YES YOU DO! And try to avoid capitalizing only the first letter of the first word.
Why should I use this passphrase generator?
Because you are human (for all my nonhuman readers: "next sentence is true", "previous sentence is false") and humans tend to use passes that are somewhat predictable.
If you are an English speaker, then you probably use more e's and fewer y's in your passwords or passphrases.
Possibly your favorite color is blue and your least favorite is white.
You will probably use only the numbers 1, 2 or 3.
You will use your own or another person's name when forming your pass.
Why bother? Nobody wants my account, there is nothing valuable!
Hacked accounts are valuable by themselves. The most valuable thing on your social network or mail account is “access” to other accounts. Your hacked account is used to send spam or phishing messages to the accounts found in your account. People tend to trust mails or messages from their friends or known contacts, and click on any links they get from them.
One or two hacked accounts are usually useless, but thousands or even tens of thousands of accounts are a valuable commodity. So if you don’t want to be in that group, you had better change your weak password to some good passphrase.
This passphrase makes no sense!
That is great! The less sense a passphrase makes, the better. When picking your passphrase words, try to pick memorable ones, but don't pick words that are associated with you or your lifestyle (for example, if you play football avoid words like "ball", "football", "field" etc.).
Responsibility
This passphrase generator should be used "as is". The owner of this site or the developer of the generator holds no responsibility for any harm that may occur while using this generator.
Short password vs long password
At first we used passwords,
Now we use passphrases,
Soon we will be using passbooks
The days when you could feel secure using six-character passwords belong to the nineties.
Nowadays a six-lettered pass can be cracked by twelve year olds.
So, how much time do passwords have before preschool children start to crack them?
Moore’s Law states that computers' computation ability doubles every two years. So, let’s make a table. I use 2 000 000 000 computations per second as a starting point, as in my opinion it is somewhat close to what someone interested in cracking would achieve by using commercially available components at the moment.
Year | Computations per second
2012 | 2000000000
2014 | 4000000000
2016 | 8000000000
2018 | 16000000000
2020 | 32000000000
2022 | 64000000000
2024 | 128000000000
2026 | 256000000000
2028 | 512000000000
2030 | 1024000000000
2032 | 2048000000000
2034 | 4096000000000
2036 | 8192000000000
2038 | 16384000000000
2040 | 32768000000000
2042 | 65536000000000
2044 | 131072000000000
2046 | 262144000000000
2048 | 524288000000000
2050 | 1048576000000000
2052 | 2097152000000000
2054 | 4194304000000000
2056 | 8388608000000000
2058 | 16777216000000000
2060 | 33554432000000000
2062 | 67108864000000000
2064 | 134217728000000000
So by using the brute force attack time table I can predict the year when a password consisting of lower- and uppercase letters plus numbers and symbols will be cracked.
Size | Year when it gets obsolete
1 character | obsolete already
2 characters | obsolete already
3 characters | obsolete already
4 characters | obsolete already
5 characters | obsolete already
6 characters | obsolete already
7 characters | obsolete already
8 characters | 2014
9 characters | 2026
10 characters | 2040
11 characters | 2050
12 characters | 2064
Table. Year when a password of a certain size gets obsolete
So it looks like passwords are quite safe? All you have to do is use a 12 character pass and it will be safe until you die?
Let’s try another way
Usually when a security breach occurs, attackers get all the passwords in the database. To protect those passwords they are encrypted. Nowadays one of the most used encryptions is MD5.
So all the attackers see is a 32 character long hexadecimal string of numbers and letters, like:
5c622b5559b8022365b8419f98989872
This is useless. So they compute all possible values to match that string:
a - 0cc175b9c0f1b6a831c399e269772661 no match, next string
b - 92eb5ffee6ae2fec3ad71c777531578f no match, next string
...
siv1usfa - cb187af7f5e26a98ff1c9e1a91cb7dfd no match, next string
…
until...
mypass - 5c622b5559b8022365b8419f98989872
match!!!
This method will be more time consuming than the simple brute force abc attack described earlier, because the MD5 encryption key consists of 32 characters, so there are a lot more bits to compute than 1-12 character long letter combinations.
But there is a workaround: pre-computing all possible password values and storing and indexing them on an HDD. That collection of encrypted passwords is sometimes called a “rainbow table”.
So how much storage space is needed?
If the passwords used contain lower and upper case, numbers and some symbols…
Size of password | Size of storage (TB) | If compressed up to 90%
1 | 0 | 0
2 | 0 | 0
3 | 0 | 0
4 | 0 | 0
5 | 0 | 0
6 | 4 | 0
7 | 321 | 32
8 | 23111 | 2311
9 | 1663958 | 166396
10 | 119805000 | 11980500
11 | 8625959983 | 862595998
12 | 621069118776 | 62106911878
13 | 44716976551907 | 4471697655191
14 | 3219622311737330 | 321962231173733
15 | 231812806445088000 | 23181280644508800
16 | 16690522064046300000 | 1669052206404630000
17 | 1201717588611330000000 | 120171758861133000000
18 | 86523666380016100000000 | 8652366638001610000000
19 | 6229703979361160000000000 | 622970397936116000000000
20 | 448538686514003000000000000 | 44853868651400300000000000
According to Kryder’s Law (something similar to Moore’s Law but about HDD storage size), HDD storage size expands 10 times every five years or so.
Year | Size of HDDs (TB)
2000 | 0.01
2005 | 0.1
2010 | 1
2015 | 10
2020 | 100
2025 | 1 000
2030 | 10 000
2035 | 100 000
2040 | 1 000 000
2045 | 10 000 000
2050 | 100 000 000
2055 | 1 000 000 000
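An added example (my own code, not from the page) that works through the arithmetic behind the three tables above: keyspace and the hours needed to exhaust it with the hardware of a given year (2 000 000 000 per second in 2012, doubling every two years), rainbow-table storage, and the first year a single disk holds the whole table under Kryder's law as the page states it. It assumes a 72-character alphabet and 32 bytes per stored hex MD5 digest, which reproduces the page's TB column; the page does not say what cutoff makes a length "obsolete", so none is assumed here.

```javascript
// Added example, not the page's own code: the numbers behind the Moore's-law,
// rainbow-table storage and Kryder's-law tables.
const ALPHABET = 72n;        // assumption: 26 lower + 26 upper + 10 digits + 10 symbols
const BYTES_PER_ENTRY = 32n; // assumption: one 32-character hex MD5 digest per entry
const TB = 10n ** 12n;       // the page's TB column is reproduced with 10^12 bytes per TB

// Moore's-law table: 2e9 guesses per second in 2012, doubling every two years.
function guessesPerSecond(year) {
  return 2e9 * 2 ** Math.floor((year - 2012) / 2);
}

// Number of candidate passwords of a given length (exact, as a BigInt).
function keyspace(length) {
  return ALPHABET ** BigInt(length);
}

// Hours needed to try every password of this length with that year's hardware.
function hoursToExhaust(length, year) {
  return Number(keyspace(length)) / guessesPerSecond(year) / 3600;
}

// Storage for a table of every hash, in TB, rounded like the page's table;
// `compressed` applies the page's "up to 90%" column (one tenth of the size).
function rainbowTableTB(length, compressed = false) {
  const bytes = keyspace(length) * BYTES_PER_ENTRY;
  const divisor = compressed ? TB * 10n : TB;
  return (bytes + divisor / 2n) / divisor; // BigInt division truncates, so add half first
}

// Kryder's law as the page states it: 1 TB disks in 2010, ten times larger every five years.
function hddSizeTB(year) {
  return 10 ** ((year - 2010) / 5);
}

// First five-year step at which one disk holds the whole table, or null if never by 2100.
function yearTableFitsOnDisk(length, compressed = false) {
  const need = Number(rainbowTableTB(length, compressed));
  for (let year = 2000; year <= 2100; year += 5) {
    if (hddSizeTB(year) >= need) return year;
  }
  return null;
}

for (const len of [7, 8, 9, 12]) {
  console.log(len, 'chars:', hoursToExhaust(len, 2012).toFixed(1), 'h in 2012,',
              String(rainbowTableTB(len)), 'TB, fits one disk in', yearTableFitsOnDisk(len));
}
```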
So as seen in the tables above – passwords with a length of up to seven characters are already vulnerable to these types of attack. Passwords with eight chars will be under attack somewhere around 2020.
Use passwords that are at least 12 characters long and consist of mixed lower and upper case, some number(s) and symbol(s).
Things that programmers should remember when making a password field
1. All password identification forms or log-in forms should be equipped with a brute force attack prevention mechanism. For instance, the webpage is equipped with code that, in case of the page loading 100 times in a minute, will redirect the attacking user to some other site or page. It may even save the attacking IP address to the database and send an e-mail to the webmaster.
2. Don’t eliminate symbols like = “ ” > < etc. Change them as they are sent to the server instead. For example "<" changes to "signleft", ">" changes to "signright". I know that those symbols can be used to implement attacker code inside a database line, but there are multiple ways to avoid that. As seen in the brute force attack time table, additional extra characters (like: #%&()! ) in a passphrase can increase cracking time by thousands.
3. Don’t limit the size of a password or passphrase. Why can’t I have a passphrase like “fatcatsatontheporchandwasdrunk”? Can’t the password field be limited to, let’s say, 100 chars? Was the programmer really afraid that users will use very long passphrases and it will use all the database memory?
Well again, limiting the password field size is a matter of security, as it limits the size of code that may be implemented inside an input field and from there into the database. But in my opinion the attacker can use some other site as the code source and even shorten the URL of the site where that code comes from. So if the input field is big enough to do so, then the whole point of limiting the size of the password field is pointless; it only makes people choose shorter passwords.
4. If you restrict the minimum password length to six characters, users will make six character passwords, but six letter passwords were outdated a long time ago.
When making a registration form, all passwords/passphrases should be set to be 10 chars minimum. It is risky, because some users will get frustrated and leave the registration form, but it will pay off when a major security breach occurs: attackers may have obtained the encrypted passwords/passphrases, but as they are all ten or more characters long, decrypting those will be a very time consuming process.
To lower frustration, make a little hinting paragraph or div with text that encourages the use of a passphrase instead of a simple password, like:
Your password must be at least 10 characters long, try to use some sentence instead of a single word.
5. Don’t eliminate the space character. In case of passphrase usage, the space character can make a lot of difference when attacked by a cracker. For instance, the difference between the passphrases “fatcatsatontheporchandwasdrunk” and “fat cat sat on the porch and was drunk” is seven additional characters. Plus a lot of so-called password recovery software that is used to crack passwords and passphrases has a separate option for including the space character in the cracking sequence. So if the attacker would take a risk and speculate that you did not use spaces in your passphrase, he/she will have to repeat the attack, thus doubling the time it takes to crack your passphrase.
6. Don’t let users register passwords that are weak or have the user's name or part of the name in them. By weak passwords I mean: 123456, password, qwerty, 654321, Mark123 and so on.
7. Don’t use a master key that unlocks all other passwords/passphrases. It is quite obvious to see where the weak spot is in this case.
8. Making at least ONE capital letter mandatory won’t help, because most users will capitalize only the first letter. As an example, let’s have a look at two seven digit passwords – one capitalized and the other not. Let’s look at all possible permutations:
Seven char, all lower case password: 8 031 810 176 permutations
Seven char password with the first letter capitalized: 8 031 810 176 permutations.
…so the difference between these two is 0 times. It is because if you know the position of the capitalized letter you just change 26 lower case chars to 26 upper case chars and the number of combinations remains the same.
But making TWO capitalized letters mandatory would push users to insert the second capital letter somewhere other than the front of the word (let’s hope that it won’t be the second letter, but it is still better than nothing). Permutations when the password has at least two capitalized letters: 32 127 240 704 permutations. That is 4 times more than one capitalized first letter or a password in all lower case.
9. Use salt! Salt may be harmful for you if you have a cardiovascular disease, but it is certainly a good method to increase the security of your users' hashed passwords or passphrases. It will take you less than five minutes to write that code.
Things you should not do with your passphrases
Not all web developers or programmers are law abiding citizens with combed hair. Some of them are assholes, who will use the registration form on their site to lure out your password or passphrase and then sell your coordinates, name, e-mail and pass to some Romanian spammer or to some “nice” fellows in Nigeria. Because of this, there are some things to keep in mind:
1. Try to avoid sites that ask for your mail address and password to verify your account. If there is no other possibility to log on to that kind of site, make a new mail account and use a fresh passphrase on registration.
2. Avoid sites like “password strength checker” where you write your password to check if it is weak or strong.
3. Your password or passphrase should be written only into the password field of the site where it was registered.
4. Don’t use the verification system of one major social network site (name beginning with F); their logo and buttons can be easily copied to any site.
5. Don’t use only one passphrase. If one of your accounts is hacked, all the others will be hacked as well.
Don’t share your passphrase with others. Quite obvious, isn’t it?
Don’t use names of persons or places, even if they are not related to you. The first things that dictionary attack software will check are common names with different combinations of numbers or letters in front of or after them (like: Jessy223).
It is not recommended to write your passphrase down, but if you do, then for example divide it into two pieces and store them separately.
Avoid sequences of letters (like: abcdefgh or opqrstuv), numbers (123456 or 987654) or keyboard sequences (qwerty or mnbvcxz).
Most internet security specialists would say that copying your passphrase from literature, especially from the Bible, an encyclopedia or any bestseller, is not recommended. Although in my opinion, if you have a lot of books on your shelf, you may find that old dusty book that nobody has ever read; in fact you don’t even know what was in your mind when you bought that book. For example I have books about mycology or seashells. I think if you take some good longer line from that kind of book and add some symbol (like # or !) in front of your picked line, you should be safe.
I read one webpage that advised using passphrases like: "My fellow Americans!" or "Houston, we have a problem". That is bad advice! Those passphrases are what I would call “clichés” and they are weak. They are commonly found on search engines, so if someone builds a password cracker using phrases indexed in search engines, he/she will probably succeed in hacking your account.
Password or passphrase resetting with control questions is a threat. The weak link in that chain is the password of your mailbox. If your mailbox is hacked, all other accounts can be easily hacked as well.
What is the point of a password or passphrase when anyone can get it just by knowing your mother's maiden name? If you are required to insert a resetting phrase or word, insert your passphrase instead of your mother's maiden name.
Once I was a client of one small local bank, and I forgot my password to my online bank account. I called the bank and they sent my password to my mailbox. I was shocked. The most shocking thing is that the lady on the other side of the phone asked me if I still used the e-mail that I had provided. The other thing that was shocking is that they don’t use hashes. My passphrase was freely wandering across the internet without any cryptographic protection. I don’t use that bank anymore.
When making a passphrase, try to avoid major languages like English, French, Spanish, Russian, German or Chinese, but if you don’t speak any other languages, well then try to make the phrase as long and complicated as you can.
How to remember your passphrase
Some suggest splitting your passphrase in two and giving one piece each to separate friends or relatives, but it is quite problematic.
First method
Instead of writing your passphrase down, try to draw or scribble it; unless you are an artist, nobody but you would understand that picture anyway.
For instance:
ballistic #sock and Arrested giraffe
This picture gives some clues away, like sock or giraffe (somewhat) and the # symbol, and maybe someone will even figure out that the arrow stands for a capital letter. So you still have to hide it, but even if it gets into the wrong hands it will be quite difficult to understand what it stands for.
Second method
Instead of writing down your passphrase, try to write two clues for your passphrase.
Let’s take the previous example: “ballistic #sock and Arrested giraffe”
First clue: flying grandma’s made
Second clue: cuffed long necked
Most internet security specialists would say that writing down your passphrase is not safe. Well, I am not so radical on that matter. Writing it down is not a problem, but writing it down on a sticky note and sticking it on the computer monitor or leaving it in the drawer next to your work desk is.
It will be safe enough if you store it in your clothes closet.
After you feel that you have memorized your passphrase, it is recommended that you tear your clues or your art masterpieces into tiny pieces and throw them away.
Exception: passwords or passphrases that are used for money transfers should be unique and should not be written down in any form.