Thursday, December 29, 2011

How To Generate Strong Passwords in Ubuntu

Generating Strong Passwords in Ubuntu


Now that we've established what constitutes a strong password, how do we have our computers help generate strong passwords automatically? This section covers the Automatic Password Generator (APG), which is available in Ubuntu as the apg package from the universe repository. APG does precisely what its name implies: it automatically generates passwords, and the passwords it generates are strong. If you wish to study APG further, all information is available at the APG website (see the Resources section of this guide).
It should be noted here that Ubuntu's password functions for user accounts do provide some means of enforcing strong passwords, but there are cases and applications where password strength cannot be enforced in this manner, and so this guide exists to help the user generate acceptably strong passwords.

Installing APG


To install APG, ensure you have enabled the Universe packages and have a live connection to the Internet, then issue the following command at a command prompt:
 sudo apt-get install apg
You will be prompted for a password. The password being requested is your user password, the same one you use when issuing commands with sudo. After authentication, the APG package will be downloaded and installed. You are now ready to begin using APG and configuring it to your liking.

Using APG


The default behavior of APG, as installed on Ubuntu via apt-get, is to prompt for random data from standard input (typically the keyboard) and, upon pressing ENTER, to display six (6) strong "pronounceable" passwords. They are called "pronounceable" because they can actually be pronounced like regular words; in fact, APG prints the pronunciation in parentheses () to the right of each password. They are strong passwords because they include a mix of lowercase, uppercase and numeric characters. Executing apg and its default output look like this:
apg
APG prompts for the input of random keyboard keys, and then, after pressing ENTER, produces output similar to this:
queafWodEis5 (queaf-Wod-Eis-FIVE)
WoudElIc6 (Woud-El-Ic-SIX)
GorIacNewt8 (Gor-Iac-Newt-EIGHT)
ShratUplEov7 (Shrat-Upl-E-ov-SEVEN)
hexLyafByff1 (hex-Lyaf-Byff-ONE)
Irkyorn9 (Irk-yorn-NINE)

If you would like different behavior from APG, there are many options you can pass to the apg command to change its default output and behavior. For example, to generate random-character passwords instead of pronounceable ones, invoke APG with the -a 1 option, where -a selects the algorithm APG uses and 1 selects random mode. The following command produces six (6) random-character passwords without prompting for random data:
 apg -a 1
Upon executing the above command, APG outputs a list of six (6) random-character passwords similar to these:
S:w[AOe<
!_IlD#_G/~
)lL`avASe6
SgzlI:lU?h
~Wc(0b"{
'4fU25w%}

If you wish to always be prompted for random data from standard input (keyboard), to ensure the most secure passwords possible, tell APG to do so explicitly with the -s option.
Another example is generating four (4) WiFi Protected Access (WPA) Pre-Shared Keys (WPA PSKs) of the maximum supported WPA PSK length, 63 random characters, for use with modern WiFi equipment such as a Wireless Access Point (WAP). To generate them, with prompting for random data, issue the following command at a command prompt:
apg -s -a 1 -m 63 -n 4
After supplying the random keyboard data and pressing ENTER, a list of strong WPA PSKs is presented, similar to these:
+DIaz*<DmO6VAFR/cQ>B^'[mtB;J1ABi*n"B<=|_My"5bZv#*iRJH!0oCcf!,@Z
os#?3;sC2}/A>lG^e*9%9}pd^&A\'eLkdC,lk#jB,bcg70I|q@U:^VZP"}>3z?G
rj??<_Ej%-:2LW;4q_?53$ab$U_~1I(({`^LN1Hd&&gKj+Dw;EqR<\qH_VQ{`s!
"x3up};b~/jU6Vo,t">Dr~f_U`NSNr30JmOD@c'Y:p2wvc"0s?$MtT<S5Qr\AZi
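Before pasting keys like these into an access point, it is worth checking that each one actually fits the WPA passphrase rules and drawing from which character classes it does. The following is an added example (not part of the original guide or of the apg project) that parses apg output in both its default and -a 1 formats; it assumes a WPA/WPA2 passphrase is 8 to 63 printable ASCII characters and that apg never puts a space inside a password, and the sample input is constructed.

```python
import string
import sys

# Added example, not from the guide or the apg project. Assumes a WPA/WPA2
# passphrase is 8 to 63 printable ASCII characters (0x20-0x7E) and that apg
# never puts a space in a password, so " (" only ever starts the pronunciation.
PSK_MIN, PSK_MAX = 8, 63
PRINTABLE_ASCII = set(chr(c) for c in range(0x20, 0x7F))
CLASSES = {"lower": set(string.ascii_lowercase), "upper": set(string.ascii_uppercase),
           "digit": set(string.digits)}

def parse_apg_output(text):
    """Bare passwords from apg output, e.g. "Irkyorn9 (Irk-yorn-NINE)" -> "Irkyorn9"."""
    return [ln.strip().split(" (", 1)[0] for ln in text.splitlines() if ln.strip()]

def char_classes(password):
    """Which of lower/upper/digit/symbol the password draws from."""
    found = {name for name, chars in CLASSES.items() if chars & set(password)}
    if set(password) - set().union(*CLASSES.values()):
        found.add("symbol")
    return found

def check_wpa_psk(password):
    """Reasons the string is NOT usable as a WPA passphrase ([] means it passes)."""
    problems = []
    if not PSK_MIN <= len(password) <= PSK_MAX:
        problems.append("length %d outside %d-%d" % (len(password), PSK_MIN, PSK_MAX))
    bad = sorted(set(password) - PRINTABLE_ASCII)
    if bad:
        problems.append("non-ASCII or control characters: %s" % "".join(bad))
    return problems

# Constructed sample standing in for apg output: a default-mode line, an
# acceptable 63-character random key, a 64-character key, and one containing 'ß'.
SAMPLE = "\n".join([
    "queafWodEis5 (queaf-Wod-Eis-FIVE)",
    "Ab1!" * 15 + "xYz",
    "Ab1!" * 16,
    "Stra\u00dfe-1234",
])

if __name__ == "__main__":
    # Real output can be piped in:  apg -s -a 1 -m 63 -n 4 | python3 check_psk.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for pw in parse_apg_output(text):
        print("%-18s %s" % ("/".join(sorted(char_classes(pw))),
                            "; ".join(check_wpa_psk(pw)) or "ok as WPA PSK"))
```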

Many other options are available; consult the APG manual page and the APG website for further information (see the Resources section of this guide).

Generating Strong Passwords Manually


Some people find that they remember their password better when they come up with one on their own. This section provides an example of how to manually generate a strong password. Keep in mind that because the examples here are viewable by anyone, these exact results should be avoided.
The first step is to choose a phrase which you can easily remember but which is at least 8 words long. This can be a favourite quote, a line from your favourite song, something you heard randomly while walking around, or even an obscure reference to a movie you like. For this example, we'll choose "To be or not to be, that is the question".
Now, convert your phrase to a single word. Exactly how you do so is not important, as long as you remember how you did it! We'll take the first letter of each word, which gives us "tbontbtitq". Now we have one character class, the lower case letter. To get upper case letters, simply capitalize letters at random. We'll capitalize every third letter, and end up with "tbOntBtiTq".
Now we'll get some numbers. That 'O' looks a lot like the number zero, so let's replace 'O' with '0': "tb0ntBtiTq". There are a lot of 't' characters in there, so let's also replace one of them with the number '7': "tb0n7BtiTq". Finally, we'll go after a symbol or two. With a little imagination, you can see how the symbol '^' and the letter 'l' beside each other somewhat resemble the general shape of the letter 'N', so replace the 'n' with those: "tb0^l7BtiTq". Just to make it a little better, we'll add one last symbol. You'll notice that the exclamation point (!) resembles a lower case 'i' upside down. Replace the 'i' with '!' to get the final password: "tb0^l7Bt!Tq".
Just keep in mind that certain characters (like ^, `, ', ~, ß, ...) may be hard to locate or enter on a foreign keyboard (e.g. when travelling or using a different keyboard layout; think US 104-key layout vs. Canadian French layout).
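The manual derivation above, written out as code so the steps can be rerun on any phrase. This is an added example, not part of the original guide; the substitution rules are the guide's own choices expressed as (letter, which occurrence, replacement), and the last function flags the characters the keyboard-layout note warns about.

```python
# Added example, not part of the original guide. Reproduces the manual
# derivation step by step; GUIDE_RULES are the guide's own substitutions,
# written as (letter, which occurrence, replacement) so other rule sets
# can be plugged in the same way.
HARD_TO_TYPE = set("^`'~\u00df")  # characters the guide warns about

GUIDE_RULES = [("O", 1, "0"),   # that 'O' looks like a zero
               ("t", 2, "7"),   # the second lowercase 't' becomes a seven
               ("n", 1, "^l"),  # '^l' roughly resembles an 'N'
               ("i", 1, "!")]   # '!' is an upside-down 'i'

def acronym(phrase):
    """Step one: first letter of each word, lower-cased."""
    return "".join(word[0] for word in phrase.split()).lower()

def capitalize_every(s, n):
    """Step two: upper-case every n-th character (the guide uses n = 3)."""
    return "".join(c.upper() if (i + 1) % n == 0 else c for i, c in enumerate(s))

def substitute(s, rules):
    """Steps three and four: apply the rules in order. Occurrences count
    from 1 and refer to the string as it stands when that rule is applied."""
    for ch, occurrence, repl in rules:
        pos = -1
        for _ in range(occurrence):
            pos = s.find(ch, pos + 1)  # case-sensitive, so 'T' is not a 't'
            if pos < 0:
                raise ValueError("no occurrence %d of %r in %r" % (occurrence, ch, s))
        s = s[:pos] + repl + s[pos + 1:]
    return s

def derive(phrase, every=3, rules=GUIDE_RULES):
    """Whole procedure: phrase -> acronym -> capitalisation -> substitutions."""
    return substitute(capitalize_every(acronym(phrase), every), rules)

def hard_to_type(password):
    """Characters that may be awkward to enter on a foreign keyboard layout."""
    return sorted(set(password) & HARD_TO_TYPE)

if __name__ == "__main__":
    pw = derive("To be or not to be, that is the question")
    print(pw, "awkward on some layouts:", hard_to_type(pw))
    # prints: tb0^l7Bt!Tq awkward on some layouts: ['^']
```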

Write Your Passwords Down


While it's clearly a bad idea to store passwords in a publicly visible place, it's a very good idea to keep your passwords written down somewhere private. It can take weeks or months to remember a strong password, and you can suddenly forget one letter of even the oldest password.
One way to have passwords that are both complex and memorable is to generate a core password that is used as a part of all your passwords, and then write down the additional part for each site.
Example:
Remembered password:
 * core password: UbuntuR0cks

Written-down passwords:
 * bank A: #29G%7
 * bank B: $FF09@
 * forum 1: &*LJK2
 * forum 2: FGB&*13

Then the two elements would be combined:
 * bank A: !UbuntuR0cks#29G%7
 * bank B: !UbuntuR0cks$FF09@
 * forum 1: !UbuntuR0cks&*LJK2
 * forum 2: UbuntuR0cksFGB&*13

Don't use online password generators


The command-line tools described above are very secure. Using an online password generator means that you're relying on
  • the algorithm implemented by the online service -- is the proprietor of the online service an experienced security researcher using a well-studied algorithm? Making secure algorithms is notoriously hard, and even experienced researchers are not surprised when their algorithms get broken.
  • any key material used by the online service never being compromised -- what if the site is hacked after it generates your password; could an attacker examine the algorithm and key and use them to regenerate your password later? If you don't know, then don't trust it!
  • the integrity of the online service -- do you really trust the proprietor of the online service? What if they were arrested or coerced; would you still trust them not to sell out your password?
The above password generators rely on the cryptographic primitives supplied by the Linux kernel. Those primitives are battle-hardened, heavily researched and designed not to leak your password off your machine.