Pages: [1]   Go Down

Author Topic: Security: random password generator for OS X  (Read 8199 times)

Ellis Vener

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 2151
    • http://www.ellisvener.com
Security: random password generator for OS X
« on: December 04, 2012, 01:42:50 pm »

Did you know that Apple OS X has a built in random password generator? Neither did I until a few minutes ago. See http://www.iclarified.com/entry/index.php?enid=23680 for details
Logged

Jeremy Roussak

  • Global Moderator
  • Sr. Member
  • *****
  • Offline Offline
  • Posts: 8961
    • site
Re: Security: random password generator for OS X
« Reply #1 on: December 04, 2012, 02:21:25 pm »

Great! More passwords which mean nothing to me and so are even harder to remember. (Yes, I know, I don't have to use it.)

Jeremy
Logged

BJL

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 6600
Re: Security: random password generator for OS X
« Reply #2 on: December 04, 2012, 06:59:24 pm »

Great! More passwords which mean nothing to me and so are even harder to remember. (Yes, I know, I don't have to use it.)
I guess the idea is to then put these generated passwords into Keychain, so you only need to memorize one master password. Seeing that the password generator is a part of Keychain and all.

So thanks for the tip, Ellis!
« Last Edit: December 04, 2012, 07:02:32 pm by BJL »
Logged

digitaldog

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 20614
  • Andrew Rodney
    • http://www.digitaldog.net/
Re: Security: random password generator for OS X
« Reply #3 on: December 04, 2012, 07:58:31 pm »

1Password makes this super easy. Not free but very effective.

https://agilebits.com/onepassword/mac
Logged
http://www.digitaldog.net/
Author "Color Management for Photographers".

francois

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 13757
Re: Security: random password generator for OS X
« Reply #4 on: December 05, 2012, 04:42:16 am »

1Password makes this super easy. Not free but very effective.

https://agilebits.com/onepassword/mac

Another vote for 1Password!
Logged
Francois

popnfresh

  • Guest
Re: Security: random password generator for OS X
« Reply #5 on: December 06, 2012, 12:34:38 pm »

I hate random password generators, because I can never remember the passwords they generate. The truth is, one can come up with their own passwords which are not only much easier to remember, but very secure as well. The ideal password is one that both keeps intruders out yet is easily remembered so you don't have to refer to your password database every time you need to use it.

In making my own passwords I follow a few rules.
• The password should be nonsense, and never an actual word and never a logical sequence of numbers or a sequence based on things like your phone number, street address or social security number.
• It should always be a mix of letters and numbers or symbols.
• It should be between 8 and 15 characters long.
• if your password is based around a real word, make it at least 2 characters longer than that word.
• Passwords used for anything financial should always be unique. For example, the password for your online bank account should not be the same one you use for your brokerage or your email.

I could make an easily remembered and secure password based on the name of a loved one, for example. Let's say that her name is Barbara. From her name I could make this 9-character password: $bar3?Ara. This password would be much easier for me to remember than one that was completely random. But it would be just as secure as any randomly generated 9-character password.
« Last Edit: December 06, 2012, 04:14:51 pm by popnfresh »
Logged

Chairman Bill

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 3352
    • flickr page
Re: Security: random password generator for OS X
« Reply #6 on: December 06, 2012, 03:01:35 pm »

Best passwords - a string of words. Iwanderedlonelyasacloud. Tobeornottobe. Roundmanywesternislandshaveibeen.

Every password-breaking program is designed to deal with passwords that contain uper & lower case letters & numbers. Most people do things such as replace an o with a 0, or an i with a 1. F00tball, or something similar. Easy for software to crack.

popnfresh

  • Guest
Re: Security: random password generator for OS X
« Reply #7 on: December 06, 2012, 03:47:44 pm »

Best passwords - a string of words. Iwanderedlonelyasacloud. Tobeornottobe. Roundmanywesternislandshaveibeen.

Every password-breaking program is designed to deal with passwords that contain uper & lower case letters & numbers. Most people do things such as replace an o with a 0, or an i with a 1. F00tball, or something similar. Easy for software to crack.

Those programs are based on a dictionary attack which assumes that the password is the same length as a real word. And even then, usually only an English word. Otherwise, it would have to examine every possible permutation of a string. And if it didn't know how long the string was it would be starting from scratch. For a 9-digit alphanumeric password, you're looking at over 14 million possible combinations. And it would most likely try every permutation of shorter strings before it attempted a 9-digit string. Considering that most financial websites will freeze access to your account after three failed attempts (at which point you would change your password anyway), anyone trying to parse your password will probably not be able to gain access before the sun goes nova. There are much easier ways for criminals to gain access to your accounts.
« Last Edit: December 06, 2012, 04:25:21 pm by popnfresh »
Logged

John.Murray

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 886
    • Images by Murray
Re: Security: random password generator for OS X
« Reply #8 on: December 06, 2012, 05:36:02 pm »

https://www.random.org/passwords/

I had a client, complaining about her network's policy of 45 day password aging,  actually brag about "having *all* of her passwords set to the same thing - scary...

some php code (not perfect as the rand() function gets seeded with the same string(s) every time)
<?php
 
function generatePassword($length=9, $strength=0) {
$vowels = 'aeuy';
$consonants = 'bdghjmnpqrstvz';
if ($strength & 1) {
$consonants .= 'BDGHJLMNPQRSTVWXZ';
}
if ($strength & 2) {
$vowels .= "AEUY";
}
if ($strength & 4) {
$consonants .= '23456789';
}
if ($strength & 8) {
$consonants .= '@#$%';
}
 
$password = '';
$alt = time() % 2;
for ($i = 0; $i < $length; $i++) {
if ($alt == 1) {
$password .= $consonants[(rand() % strlen($consonants))];
$alt = 0;
} else {
$password .= $vowels[(rand() % strlen($vowels))];
$alt = 1;
}
}
return $password;
}
 
?>
« Last Edit: December 06, 2012, 05:44:08 pm by John.Murray »
Logged

mac_paolo

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 431
Re: Security: random password generator for OS X
« Reply #9 on: December 06, 2012, 05:56:21 pm »

Logged

PierreVandevenne

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 512
    • http://www.datarescue.com/life
Re: Security: random password generator for OS X
« Reply #10 on: December 12, 2012, 04:13:10 am »

Those programs are based on a dictionary attack which assumes that the password is the same length as a real word. And even then, usually only an English word. Otherwise, it would have to examine every possible permutation of a string. And if it didn't know how long the string was it would be starting from scratch. For a 9-digit alphanumeric password, you're looking at over 14 million possible combinations. And it would most likely try every permutation of shorter strings before it attempted a 9-digit string. Considering that most financial websites will freeze access to your account after three failed attempts (at which point you would change your password anyway), anyone trying to parse your password will probably not be able to gain access before the sun goes nova. There are much easier ways for criminals to gain access to your accounts.

Your math is way way off on the low side.

Your analysis of the problem is incorrect: the risk for online services is not brute forcing from the outside, but matching the hashes to leaked data. For local access, passwords will only annoy the dumbest and most casual thieves anyway, unless you use encryption.

The root of the problem is that we are still mostly using quick to compute hashes.

Current state of the art (for amateurs, that is) is this http://phys.org/news/2012-12-password-cracking-feats-blistering-shown-oslo.html which goes through 350 000 000 000 (yes, billions) of guesses per second.

Such a machine can be set up for a bit less than the price of a phase back and a few lenses.

One thing to take into account as well is the persistance of information: I was recently informed that an Israeli company I corresponded with in 1998-1999 had been hacked. Within hours, friends could find traces of my exchanges with that company in the publicly available dumps of hacked data.
Logged

popnfresh

  • Guest
Re: Security: random password generator for OS X
« Reply #11 on: December 12, 2012, 08:25:59 pm »

Your analysis of the problem is incorrect: the risk for online services is not brute forcing from the outside, but matching the hashes to leaked data. For local access, passwords will only annoy the dumbest and most casual thieves anyway, unless you use encryption.


Hence the last sentence in my post.
Logged

PierreVandevenne

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 512
    • http://www.datarescue.com/life
Re: Security: random password generator for OS X
« Reply #12 on: December 13, 2012, 03:38:31 am »

Yup, re-reading it I see that you left the door open, I am a bit sorry for the somewhat harsh tone of my response. Was probably having a bad day.
Logged

mac_paolo

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 431
Re: Security: random password generator for OS X
« Reply #13 on: December 13, 2012, 04:38:05 am »

1Password for iOS got a complete restyle, and it's even better.
I know OS X password generator since years. Never used anything except for 1Password since I bought it.
Logged

chrismurphy

  • Jr. Member
  • **
  • Offline Offline
  • Posts: 77
Re: Security: random password generator for OS X
« Reply #14 on: December 14, 2012, 06:57:15 pm »

Lastpass is free and supports multifactor authentication with Google Authenticator (a free app for iOS and Android). It's particularly handy if you use multiple web browsers or computers as it keeps the encrypted database in sync for all instances.

Another good resource for passwords is Diceware, in particular the FAQ. What you need are more words for a good passphrase. Not stupid capitalization and weird characters rules which makes passphrases difficult for people to remember and easy for computers to guess.
Logged

Jeremy Roussak

  • Global Moderator
  • Sr. Member
  • *****
  • Offline Offline
  • Posts: 8961
    • site
Re: Security: random password generator for OS X
« Reply #15 on: December 15, 2012, 04:48:53 am »

Not stupid capitalization and weird characters rules which makes passphrases difficult for people to remember and easy for computers to guess.

That was, as you may observe, the entire point of the cartoon I posted earlier.

Jeremy
Logged

LA30

  • Full Member
  • ***
  • Offline Offline
  • Posts: 213
Re: Security: random password generator for OS X
« Reply #16 on: December 16, 2012, 03:49:31 pm »

Another vote for 1Password!
Logged

BJL

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 6600
Re: Security: random password generator for OS X
« Reply #17 on: December 16, 2012, 09:21:29 pm »

... the risk for online services is not brute forcing from the outside, but matching the hashes to leaked data.
Another common problem is when finding any one password on a system can harm or inconvenience a great number of other users, for example by leading to misuse of an email system that causes all mail from that system to be blocked as likely spam. This happens at least once a month at my workplace, The weakness there is that a botnet can distribute its rapid-fire password guessing over a large number of accounts, without triggering login attempt limits on any one account. That and the fact that blocking access after a few wrong guesses is not always acceptable, since it allows "denial of service" mischief.

So I would greatly like a method where all online accessible accounts are required to have very hard to guess passwords, even at the cost of being very hard to remember, and so requiring tools like 1Password. Less secure,,mor mnemonic passwords could be fine for local-access-only authentication.
« Last Edit: December 16, 2012, 09:23:04 pm by BJL »
Logged

Joe Roy

  • Newbie
  • *
  • Offline Offline
  • Posts: 2
Re: Security: random password generator for OS X
« Reply #18 on: December 19, 2012, 11:31:17 pm »

Thanks for this discussion. I find it helpful.
In the last issue of Wired, Dec. 2010, the cover article by Mat Honan shares his experience of being hacked and his research into better security given the power of hacking people and systems. A thoughtful review with a few good recommendations. 
Logged
Pages: [1]   Go Up