How can I generate safe passwords?
You can't. The key word here is GENERATE. Once an algorithm for
creating passwords is specified based upon some systematic method, it
merely becomes a matter of analysing your algorithm in order to find
every password on your system.
Unless the algorithm is very subtle, it will probably suffer from a very
low period (i.e. it will soon start to repeat itself) so that either:
- a cracker can try out every possible output of the password
generator on every user of the system, or
- the cracker can analyse the output of the password program,
determine the algorithm being used, and apply the algorithm to other
users to determine their passwords.
A beautiful example of this (where it was disastrously assumed that a
random number generator could generate an infinite number of random
passwords) is detailed in [Morris & Thompson].
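As an added illustration of the point above (this is not from the FAQ, and the generator and its parameters are constructed for this example, not any real tool's algorithm): a "password generator" driven by a pseudo-random generator with a small internal state can only ever emit as many distinct passwords as it has states, however long and random-looking each password is. The audit a defender should run on any such generator is to enumerate its seeds and count the distinct outputs, then compare that with the nominal size of the password space.

```python
"""Added example: bounding the output of a generator-based password scheme.

The generator here is a toy 16-bit linear congruential generator
(constructed for this example); it stands in for any "systematic method".
"""
import math
import string

ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols


def toy_generator(seed: int, length: int = 8) -> str:
    """Constructed toy generator: a 16-bit seed drives a small LCG, and each
    step of the LCG picks one character of the password."""
    state = seed & 0xFFFF
    out = []
    for _ in range(length):
        state = (state * 75 + 74) % 65537     # hypothetical LCG parameters
        out.append(ALPHABET[state % len(ALPHABET)])
    return "".join(out)


def count_distinct_outputs(seed_bits: int, length: int = 8) -> int:
    """Enumerate every seed the generator accepts and count the distinct
    passwords it can emit. This number bounds what a password guesser has
    to try, regardless of the password length or alphabet."""
    return len({toy_generator(s, length) for s in range(1 << seed_bits)})


def effective_entropy_bits(seed_bits: int, length: int = 8) -> float:
    """log2 of the number of passwords the generator can actually produce."""
    return math.log2(count_distinct_outputs(seed_bits, length))


def nominal_entropy_bits(length: int = 8) -> float:
    """log2 of the number of passwords the alphabet and length *could* express."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    # The generated passwords look random, but the whole output set is tiny.
    print("sample:", [toy_generator(s) for s in range(5)])
    print(f"nominal space : {nominal_entropy_bits():.1f} bits")
    print(f"actual space  : {effective_entropy_bits(16):.1f} bits (at most 16)")
```

The comparison is the whole lesson: an 8-character password over 36 symbols could carry about 41 bits, but this generator can never produce more than 2^16 of them, so every user's password is found by running the generator over its 65,536 seeds. Any scheme whose passwords are a function of a small seed, a counter, or a user attribute has the same shape, whatever the multiplier and modulus.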
The only way to get a reasonable amount of variety in your passwords
(I'm afraid) is to make them up. Work out some flexible method of your
own which is NOT based upon:
- modifying any part of your name or name+initials
- modifying a dictionary word
- acronyms
- any systematic, well-adhered-to algorithm whatsoever
For instance, NEVER use passwords like:
- alec7
    - it's based on the user's name (& it's too short anyway)
- tteffum
    - based on the user's name again
- gillian
    - girlfriend's name (in a dictionary)
- naillig
    - ditto, backwards
- PORSCHE911
    - it's in a dictionary
- 12345678
    - it's in a dictionary (& people can watch you type it easily)
- qwertyui
    - ...ditto...
- abcxyz
    - ...ditto...
- 0ooooooo
    - ...ditto...
- Computer
    - just because it's capitalised doesn't make it safe
- wombat6
    - ditto for appending some random character
- 6wombat
    - ditto for prepending some random character
- merde3
    - even for French words...
- mr.spock
    - it's in a sci-fi dictionary
- zeolite
    - it's in a geological dictionary
- ze0lite
    - corrupted version of a word in a geological dictionary
- ze0l1te
    - ...ditto...
- Z30L1T3
    - ...ditto...
I hope that these examples emphasise that ANY password derived from ANY
dictionary word (or personal information), modified in ANY way,
constitutes a potentially guessable password.
For more detailed information in the same vein, you should read the
APPENDIX files which accompany Crack [Muffett].