Passphrase generator



How does it work?
This generator draws from 2659 nouns, 3977 adjectives, 8 bounding words and 11 symbols.
You can generate a new passphrase by clicking the “Re-Generate All” button, or change a single word by clicking on it.
It uses JavaScript to generate your passphrase in the browser – no information is sent to the server when you use it, and it doesn’t save any information as cookies on your computer.
But don’t trust me – modify your generated passphrase. Just make sure that your modifications don’t make it more vulnerable to attacks.
Safety
Well, there is no such thing as a safe passphrase: some passphrases can be cracked in the time it takes to make yourself a cup of coffee, and some would take until our sun stops shining.
If someone evil-minded is able to attack your system or file with “brute force” (the computer checks all possible values until the correct one is found), it is only a matter of time before he/she succeeds. As computers get faster every day, the time needed to find the right value decreases.
In the case of an abc attack, where different combinations of letters, numbers and symbols are fed into the password field until a match is found, this generator produces a very safe passphrase, because against an abc attack size does matter, and the smallest passphrase it generates is twenty characters long.
If the attacker knows that you used this generator and acquires the word lists it uses…
This generator can generate:
174 988 x 116 996 x 8 x 174 988 x 116 996 = 3 353 115 780 737 712 146 432 combinations
… he/she has to try all of these combinations, which would take up to 310 603 581 hours of computation (see the brute force attack time table below). That is a substantial amount of time (35 457 years of continuous computation). Any hacker in his/her right mind would probably look for some other type of attack to obtain your passphrase.
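To make the combination count and the cracking-time arithmetic above reproducible, here is an added example; it is not code from the original page or from the generator itself. It multiplies out the page's own factors with BigInt (the product is far beyond what a JavaScript Number holds exactly), converts a candidate count into worst-case hours and years at a fixed guess rate, and compares the “abc attack” search space of a 20-character string for several character classes. The class sizes (26 lower, 26 upper, 10 digits, 11 symbols) are my own construction. One caveat a reader should know: dividing the page's combination count by its 310 603 581 hours gives roughly 3 000 000 000 guesses per second, so that hour figure assumes a faster machine than the 2 000 000 000 per second the page adopts later in its brute force table; at that later rate the same count takes 465 710 525 hours, about 53 163 years.

```javascript
// Added example (not from the original page): counting a brute-force search space with BigInt
// and converting it to worst-case cracking time at a fixed guess rate.

// Number of distinct strings of `length` characters over an alphabet of `alphabetSize` symbols.
function keyspace(alphabetSize, length) {
  return BigInt(alphabetSize) ** BigInt(length);
}

// The page's own product for this generator's word lists (factors copied from the page).
function generatorCombinations() {
  return 174988n * 116996n * 8n * 174988n * 116996n;
}

// Worst-case hours to try every candidate at `guessesPerSecond` (rounded down).
function bruteForceHours(candidates, guessesPerSecond) {
  return candidates / (BigInt(guessesPerSecond) * 3600n);
}

// The same figure in years of continuous computation (365-day years, rounded down).
function bruteForceYears(candidates, guessesPerSecond) {
  return bruteForceHours(candidates, guessesPerSecond) / 8760n;
}

// Character classes for the "abc attack" comparison. Sizes are constructed: 26 lower case,
// 26 upper case, 10 digits and the 11 symbols the page's generator uses.
const CLASSES = { lower: 26, lowerUpper: 52, lowerUpperDigits: 62, lowerUpperDigitsSymbols: 73 };

// Years needed to exhaust every string of `length` characters, per character class.
function abcAttackYears(length, guessesPerSecond) {
  const rows = {};
  for (const [name, size] of Object.entries(CLASSES)) {
    rows[name] = bruteForceYears(keyspace(size, length), guessesPerSecond);
  }
  return rows;
}

const RATE = 2000000000; // the page's starting point: 2 000 000 000 computations per second
console.log('generator combinations:', generatorCombinations().toString());
console.log('hours at 2e9 guesses/s:', bruteForceHours(generatorCombinations(), RATE).toString());
console.log('years at 2e9 guesses/s:', bruteForceYears(generatorCombinations(), RATE).toString());
console.log('20-character abc attack, years by character class:', abcAttackYears(20, RATE));
```

The per-class rows are the quantitative version of the page's answer to “do I have to use those pesky symbols”: the alphabet size is the base of the exponent, so each character class added multiplies the search space by (new size / old size) raised to the length.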
Do I have to use those pesky #%@123456789?
Simple answer – YES YOU DO! This passphrase generator uses simple English words to compute you a nice and simple passphrase. If you don’t use symbols or numbers in your passphrase, then the computation time of a dictionary attack drops from 35 457 years to days or even minutes.
Do I have to use capital letters?
Again, the simple answer is YES YOU DO! And try to avoid capitalizing only the first letter of the first word.
Why should I use this passphrase generator?
Because you are human (for all my nonhuman readers: “the next sentence is true”, “the previous sentence is false”), and humans tend to use passwords that are somewhat predictable.
If you are an English speaker, you probably use more e-s and fewer y-s in your passwords or passphrases.
Possibly your favorite color is blue and your least favorite is white.
You will probably use only the numbers 1, 2 or 3.
You will use your own or another person’s name when forming your password.
Why bother? Nobody wants my account, there is nothing valuable in it!
Hacked accounts are valuable by themselves. The most valuable thing in your social network or mail account is “access” to other accounts. Your hacked account is used to send spam or phishing messages to the accounts found in it. People tend to trust mails or messages from their friends or known contacts, and click on any links they get from them.
One or two hacked accounts are usually useless, but thousands or even tens of thousands of accounts are a valuable commodity. So if you don’t want to be in that group, you had better change your weak password to a good passphrase.
This passphrase makes no sense!

That is great! The less sense a passphrase makes, the better. When picking your passphrase words, try to pick memorable ones, but don’t pick words that are connected to you or your lifestyle (for example, if you play football, avoid words like “ball”, “football”, “field” etc.).

Responsibility
This passphrase generator should be used “as is”. The owner of this site and the developer of the generator hold no responsibility for any harm that may occur while using this generator.
 
Short password vs long password
At first we used passwords,
Now we use passphrases,
Soon we will be using passbooks

The days when you could feel secure using a six-character password belong to the nineties.
Nowadays a six-letter password can be cracked by twelve-year-olds.
So, how much time do passwords have before preschool children start cracking them?
Moore’s Law states that computers’ computation ability doubles every two years. So, let’s make a table. I use 2 000 000 000 computations per second as a starting point, as in my opinion it is somewhat close to what someone interested in cracking could achieve with commercially available components at the moment.


Year   Computations per second
2012   2 000 000 000
2014   4 000 000 000
2016   8 000 000 000
2018   16 000 000 000
2020   32 000 000 000
2022   64 000 000 000
2024   128 000 000 000
2026   256 000 000 000
2028   512 000 000 000
2030   1 024 000 000 000
2032   2 048 000 000 000
2034   4 096 000 000 000
2036   8 192 000 000 000
2038   16 384 000 000 000
2040   32 768 000 000 000
2042   65 536 000 000 000
2044   131 072 000 000 000
2046   262 144 000 000 000
2048   524 288 000 000 000
2050   1 048 576 000 000 000
2052   2 097 152 000 000 000
2054   4 194 304 000 000 000
2056   8 388 608 000 000 000
2058   16 777 216 000 000 000
2060   33 554 432 000 000 000
2062   67 108 864 000 000 000
2064   134 217 728 000 000 000

So by using the brute force attack time table I can predict the year in which a password consisting of lower- and uppercase letters plus numbers and symbols will be cracked.

Size            Year when it gets obsolete
1 character     obsolete already
2 characters    obsolete already
3 characters    obsolete already
4 characters    obsolete already
5 characters    obsolete already
6 characters    obsolete already
7 characters    obsolete already
8 characters    2014
9 characters    2026
10 characters   2040
11 characters   2050
12 characters   2064
Table. Year when a password of a given size gets obsolete
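The table above is the page's projection; the following added example (not the author's code) shows how such a projection is computed from the Moore's-law series: the guess rate doubles every two years from 2 000 000 000 per second in 2012, and a length is declared obsolete in the first year in which the whole search space can be exhausted within a fixed time budget. The page does not state the alphabet size or the time budget it used, so both are my assumptions here: 72 characters (26 lower, 26 upper, 10 digits, 10 symbols) and a budget of three days. With those assumptions the code reproduces the page's years for 8, 9, 11 and 12 characters and gives 2038 rather than 2040 for 10 characters, which shows how sensitive the “obsolete year” is to the threshold chosen.

```javascript
// Added example (not from the original page): the year a password length becomes "obsolete"
// under the page's Moore's-law assumption (2 000 000 000 guesses per second in 2012, doubling
// every two years). Alphabet size and time budget are my assumptions, see the lead-in.

const START_YEAR = 2012;
const LAST_YEAR = 2064;                 // the page's table stops here
const START_RATE = 2000000000n;         // guesses per second in 2012
const ALPHABET = 72;                    // assumption: 26 lower + 26 upper + 10 digits + 10 symbols
const THRESHOLD_SECONDS = 3n * 86400n;  // assumption: "obsolete" once exhaustible within three days

// Guess rate for a year in the table: one doubling per two years since 2012.
function guessesPerSecond(year) {
  const doublings = BigInt(Math.floor((year - START_YEAR) / 2));
  return START_RATE * 2n ** doublings;
}

// Seconds to try every string of `length` characters over `alphabetSize` symbols in `year`.
function secondsToExhaust(length, year, alphabetSize = ALPHABET) {
  return BigInt(alphabetSize) ** BigInt(length) / guessesPerSecond(year);
}

// First table year in which the full search fits inside the budget; null if none by 2064.
function yearObsolete(length, alphabetSize = ALPHABET, thresholdSeconds = THRESHOLD_SECONDS) {
  for (let year = START_YEAR; year <= LAST_YEAR; year += 2) {
    if (secondsToExhaust(length, year, alphabetSize) <= thresholdSeconds) return year;
  }
  return null;
}

// Rows in the same shape as the page's table.
function obsolescenceTable(maxLength = 12) {
  const rows = [];
  for (let length = 1; length <= maxLength; length++) {
    const year = yearObsolete(length);
    let label;
    if (year === null) label = `after ${LAST_YEAR}`;
    else if (year <= START_YEAR) label = 'obsolete already';
    else label = String(year);
    rows.push({ length, label });
  }
  return rows;
}

for (const row of obsolescenceTable()) console.log(`${row.length} characters: ${row.label}`);
```

Changing THRESHOLD_SECONDS or ALPHABET and rerunning is the quickest way to see why two such tables built by different people rarely agree to the year.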
So it looks like passwords are quite safe? All you have to do is use a 12-character password and it will be safe until you die?

Let’s try another way
Usually, when a security breach occurs, the attackers get all the passwords in the database. To protect those passwords they are encrypted. Nowadays one of the most used encryptions is MD5.
So all the attackers see is a 32-character hexadecimal string of numbers and letters, like:
5c622b5559b8022365b8419f98989872
On its own this is useless, so they compute all possible values to match that string:
a - 0cc175b9c0f1b6a831c399e269772661 no match, next string
b - 92eb5ffee6ae2fec3ad71c777531578f no match, next string
...
siv1usfa - cb187af7f5e26a98ff1c9e1a91cb7dfd no match, next string
until...
mypass - 5c622b5559b8022365b8419f98989872 match!!!

This method is more time-consuming than the simple brute force abc attack described earlier, because an MD5 encryption key consists of 32 characters, so there are a lot more bits to compute than for 1-12 character letter combinations.
But there is a workaround: pre-compute all possible password values and store and index them on an HDD. Such a collection of encrypted passwords is sometimes called a “rainbow table”.
So how much storage space is needed?
If the passwords use lower and upper case, numbers and some symbols…

Size of password   Size of storage (TB)           If compressed up to 90%
1                  0                              0
2                  0                              0
3                  0                              0
4                  0                              0
5                  0                              0
6                  4                              0
7                  321                            32
8                  23111                          2311
9                  1663958                        166396
10                 119805000                      11980500
11                 8625959983                     862595998
12                 621069118776                   62106911878
13                 44716976551907                 4471697655191
14                 3219622311737330               321962231173733
15                 231812806445088000             23181280644508800
16                 16690522064046300000           1669052206404630000
17                 1201717588611330000000         120171758861133000000
18                 86523666380016100000000        8652366638001610000000
19                 6229703979361160000000000      622970397936116000000000
20                 448538686514003000000000000    44853868651400300000000000

According to Kryder’s Law (something similar to Moore’s Law, but about HDD storage size), HDD storage size grows 10 times every five years or so.

Year   Size of HDDs (TB)
2000   0.01
2005   0.1
2010   1
2015   10
2020   100
2025   1 000
2030   10 000
2035   100 000
2040   1 000 000
2045   10 000 000
2050   100 000 000
2055   1 000 000 000

So as seen in the tables above, passwords of up to seven characters are already vulnerable to these types of attack. Passwords with eight characters will be under attack somewhere around 2020.
Use passwords that are at least 12 characters long and consist of mixed lower and upper case, some number(s) and symbol(s).
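The two tables above can be generated rather than read off; the following added example (not the author's code) computes the precomputed-table size per password length and the first year in the page's HDD series whose single drive is large enough to hold it. The page does not say what alphabet or per-entry size it used; a 72-character alphabet and 32 bytes per entry (one 32-character hex MD5 digest) with 1 TB = 10^12 bytes are my assumptions, and they reproduce the page's storage figures to the terabyte, with “compressed up to 90%” taken as one tenth of the raw size. Where the page's conclusion about eight characters draws on both its brute force and storage tables, this code reports only the HDD-series year.

```javascript
// Added example (not from the original page): size of a precomputed hash lookup table per
// password length, and the first year in the page's HDD-growth series whose drive holds it.
// Assumptions: 72-character alphabet, 32 bytes per entry, 1 TB = 10^12 bytes (see lead-in).

const ALPHABET = 72n;
const BYTES_PER_ENTRY = 32n;
const TB = 1000000000000n;

// Raw table size in bytes; "compressed up to 90%" is taken as one tenth of the raw size.
function lookupTableBytes(length, compressed = false) {
  const bytes = ALPHABET ** BigInt(length) * BYTES_PER_ENTRY;
  return compressed ? bytes / 10n : bytes;
}

// Size in terabytes, rounded to the nearest whole TB as in the page's table.
function lookupTableTB(length, compressed = false) {
  return (lookupTableBytes(length, compressed) + TB / 2n) / TB;
}

// Kryder's-law series used by the page: 1 TB in 2010, ten times more every five years.
function hddCapacityTB(year) {
  return 10 ** ((year - 2010) / 5);
}

// First year (2000..2055 in five-year steps) whose single drive is at least as large as the
// table, or null when the table is still larger than the 2055 drive.
function yearHddFits(length, compressed = false) {
  const needTB = Number(lookupTableTB(length, compressed));
  for (let year = 2000; year <= 2055; year += 5) {
    if (hddCapacityTB(year) >= needTB) return year;
  }
  return null;
}

for (let length = 6; length <= 12; length++) {
  console.log(
    `${length} chars: ${lookupTableTB(length)} TB (compressed ${lookupTableTB(length, true)} TB), ` +
    `fits on one drive in ${yearHddFits(length) ?? 'after 2055'} / ${yearHddFits(length, true) ?? 'after 2055'}`
  );
}
```

The exponential growth of both series is what makes the result so coarse: one extra character multiplies the table by 72 while five years of Kryder's Law multiplies the drive by 10, so each added character buys a little over five years.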
 
Things that programmers should remember when making a password field
1. All password identification forms or log-in forms should be equipped with a brute force attack prevention mechanism. For instance, the webpage is equipped with code that, if the page is loaded 100 times in a minute, redirects the attacking user to some other site or page. It may even save the attacking IP address to a database and send an e-mail to the webmaster.
2. Don’t eliminate symbols like = “ ” > < etc. Convert them as they are sent to the server instead. For example "<" becomes "signleft" and ">" becomes "signright". I know that those symbols can be used to inject attacker code into a database row, but there are multiple ways to avoid that. As seen in the brute force attack time table, extra characters (like #%&()!) in a passphrase can increase cracking time thousands of times.
3. Don’t limit the size of a password or passphrase. Why can’t I have a passphrase like “fatcatsatontheporchandwasdrunk”? Can’t the password field be limited to, let’s say, 100 characters? Was the programmer really afraid that users would use very long passphrases and fill up all the database memory?
Well, again, limiting the password field size is a matter of security, as it limits the size of code that may be injected through an input field and from there into the database. But in my opinion an attacker can use some other site as the code source and even shorten the URL of the site the code comes from. So if the input field is big enough for that, the whole point of limiting the size of the password field is lost; it only makes people choose shorter passwords.
4. If you restrict the minimum password length to six characters, users will make six-character passwords, but six-letter passwords went out of date a long time ago.

When making a registration form, all passwords/passphrases should be required to be 10 characters minimum. It is risky, because some users will get frustrated and leave the registration form, but it will pay off when a major security breach occurs: the attackers may have obtained the encrypted passwords/passphrases, but as they are all ten or more characters long, decrypting them will be a very time-consuming process.

To lower frustration, add a little hinting paragraph or div with text that encourages using a passphrase instead of a simple password, like:
Your password must be at least 10 characters long; try to use a sentence instead of a single word.
5. Don’t eliminate the space character. When passphrases are used, the space character can make a lot of difference when attacked by a cracker. For instance, the difference between the passphrases “fatcatsatontheporchandwasdrunk” and “fat cat sat on the porch and was drunk” is seven additional characters. Plus, a lot of so-called password recovery software that is used to crack passwords and passphrases has a separate option for including the space character in the cracking sequence. So if an attacker takes the risk and speculates that you did not use spaces in your passphrase, he/she will have to repeat the attack, thus doubling the time it takes to crack your passphrase.
6. Don’t let users register passwords that are weak or that contain the user’s name or part of it. By weak passwords I mean: 123456, password, qwerty, 654321, Mark123 and so on.
7. Don’t use a master key that unlocks all other passwords/passphrases. It is quite obvious where the weak spot is in this case.
8. Making at least ONE capital letter mandatory won’t help, because most users will capitalize only the first letter. As an example, let’s look at two seven-character passwords, one capitalized and the other not, and at all their possible permutations:
Seven characters, all lower case: 8 031 810 176 permutations
Seven characters with the first letter capitalized: 8 031 810 176 permutations.
… so the difference between these two is zero. If you know the position of the capitalized letter, you just swap 26 lower case characters for 26 upper case characters, and the number of combinations remains the same.

But making TWO capitalized letters mandatory would push users to put the second capital letter somewhere other than at the front of a word (let’s hope it won’t be the second letter, but it is still better than nothing). Permutations when the password has at least two capitalized letters: 32 127 240 704 permutations. That is 4 times more than with one capitalized first letter or all lower case.
9. Use salt! Salt may be harmful to you if you have a cardiovascular disease, but it is certainly a good method to increase the security of your users’ hashed passwords or passphrases. It will take you less than five minutes to write that code.

Things you should not do with your passphrases
Not all web developers or programmers are law-abiding citizens with tidy hair. Some of them are assholes who will use the registration form on their site to lure out your password or passphrase and then sell your details, name, e-mail and password to some Romanian spammer or to some “nice” fellows in Nigeria. Because of this, there are some things to keep in mind:
1. Try to avoid sites that ask for your mail address and password to verify your account. If there is no other way to log on to that kind of site, make a new mail account and use a fresh passphrase for the registration.
2. Avoid sites like “password strength checkers” where you type in your password to check whether it is weak or strong.
3. Your password or passphrase should be typed only into the password field of the site where it was registered.
4. Don’t use the verification system of one major social network site (name beginning with F); their logo and buttons can be easily copied to any site.
5. Don’t use only one passphrase. If one of your accounts is hacked, all the others will be hacked as well.
Don’t share your passphrase with others. Quite obvious, isn’t it?
Don’t use names of persons or places, even if they are not related to you. The first things that dictionary attack software will check are common names with different combinations of numbers or letters in front of or after them (like: Jessy223).
It is not recommended to write your passphrase down, but if you do, then for example divide it into two pieces and store them separately.
Avoid sequences of letters (like abcdefgh or opqrstuv), numbers (123456 or 987654) or keyboard sequences (qwerty or mnbvcxz).
Most internet security specialists would say that copying your passphrase from literature, especially from the Bible, an encyclopedia or any bestseller, is not recommended. Although in my opinion, if you have a lot of books on your shelf, you may find that old dusty book that nobody has ever read; in fact you don’t even know what was on your mind when you bought it. For example, I have books about mycology and seashells. I think if you take some good longer line from that kind of book and add a symbol (like # or !) in front of your picked line, you should be safe.
I read one webpage that advised using passphrases like “My fellow Americans!” or “Houston, we have a problem”. That is bad advice! Those passphrases are what I would call “clichés”, and they are weak. They are commonly found on search engines, so if someone builds a password cracker using phrases indexed by search engines, he/she will probably succeed in hacking your account.
Password or passphrase resetting with control questions is a threat. The weak link in that chain is the password of your mailbox. If your mailbox is hacked, all your other accounts can easily be hacked as well.
What is the point of a password or passphrase when anyone can get it just by knowing your mother’s maiden name? If you are required to enter a resetting phrase or word, enter your passphrase instead of your mother’s maiden name.
Once I was a client of a small local bank, and I forgot the password to my online bank account. I called the bank and they sent my password to my mailbox. I was shocked. The most shocking thing is that the lady on the other end of the phone asked me whether I still used the e-mail I had provided. The other shocking thing was that they don’t use hashes. My passphrase was freely wandering across the internet without any cryptographic protection. I don’t use that bank anymore.
When making a passphrase, try to avoid major languages like English, French, Spanish, Russian, German or Chinese, but if you don’t speak any other language, well, then try to make the phrase as long and complicated as you can.

How to remember your passphrase
Some suggest splitting your passphrase in two and giving one piece each to two separate friends or relatives, but that is quite problematic.

First method
Instead of writing your passphrase down, try to draw or scribble it; unless you are an artist, nobody but you would understand that picture anyway.
For instance:
ballistic #sock and Arrested giraffe
Note to all art curators and collectors who may read this blog: yes, this drawing was made by me, and yes, I am talented, and yes, I can make a lot of these masterpieces.
This picture gives some clues away, like the sock or the giraffe (somewhat) and the # symbol, and maybe someone will even figure out that the arrow stands for a capital letter. So you still have to hide it, but even if it gets into the wrong hands it will be quite difficult to understand what it stands for.

Second method
Instead of writing down your passphrase, try to write two clues for it.
Let’s take previous example: “ballistic #sock and Arrested giraffe”
First clue: flying grandma’s made
Second clue: cuffed long necked

Most internet security specialists would say that writing down your passphrase is not safe. Well, I am not so radical on that matter. Writing it down is not a problem, but writing it down on a sticky note and sticking it on the computer monitor, or leaving it in the drawer next to your desk, is.
It will be safe enough if you store it in your clothes closet.

Once you feel that you have memorized your passphrase, it is recommended that you tear your clues or your art masterpieces into tiny pieces and throw them away.

Exception: passwords or passphrases that are used for money transfers should be unique and should not be written down in any form.

 
