Generating passwords.

May 20 2018

A fact of life in the twenty-first century is the data breach: some site or other gets pwned and tens to hundreds of gigabytes of data get stolen.  If you're lucky, just the usernames and passwords for the service have been taken; if you're not, credit card and banking information has been exfiltrated.  Good times.

You've probably wondered why stolen passwords are dangerous.  There are a few reasons for this.  The first is that people tend to re-use passwords on multiple sites or services.  Coupled with the fact that many online services use e-mail addresses as usernames, this means that all someone has to do is try to log into... well, everything... with those stolen credentials and see which ones work.  The second is that attackers now have lists of passwords that people actually use, rather than huge dictionaries of potential passwords assembled for completeness.  This means that password cracking attacks can be much more precisely targeted and will probably take less time.

There is no shortage of helpful suggestions for generating passwords that are relatively strong and easy to remember.  The one that I find the most useful is the Diceware technique, which is fairly straightforward.

  • Get a handful of six sided dice.
  • Take a large dictionary of words where each word is numbered, and each number consists only of the digits 1 through 6, for example 41524.
  • Roll the dice.  Find the word with the corresponding number in the dictionary.
  • Do this until you have a long passphrase.

It's a bit tedious, though.  Of course, people have written their own implementations of Diceware for various platforms and with varying degrees of usability.  I use plain old diceware on Windbringer, mostly because it's available through the AUR, but it lacks a few features that I really find useful.  For one, to mix things up I like to sprinkle numbers over my generated passwords, like so: rerun-anteater-idly-00877-lining-paddling-8283

(No, I don't really use that passphrase anywhere.  Come on.)
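As an added illustration of the dice-and-dictionary procedure above, and of sprinkling numeric groups through the phrase the way the rerun-anteater example does, here is a small Python version.  This is example code written for this page, not the author's diceware.py and not the AUR package.  It replaces physical dice with the operating system's CSPRNG through the `secrets` module, and its six-entry wordlist is constructed purely so the code runs offline; a real run needs a full 7776-entry Diceware list (one word per five-dice roll from 11111 to 66666).

```python
import math
import secrets
from typing import Callable, Dict, List

# Constructed stand-in for a Diceware wordlist (example data, not a real list).
# A full list has 6**5 = 7776 entries, one per five-dice roll from 11111 to
# 66666; this toy covers six keys so the example runs offline.
SAMPLE_WORDLIST: Dict[str, str] = {
    "11111": "rerun",
    "22222": "anteater",
    "33333": "idly",
    "44444": "lining",
    "55555": "paddling",
    "66666": "plank",
}

DICE_PER_WORD = 5
FULL_LIST_SIZE = 6 ** DICE_PER_WORD  # 7776


def validate_wordlist(wordlist: Dict[str, str]) -> bool:
    """True if every key is five digits drawn from 1-6, as Diceware requires."""
    return all(len(k) == DICE_PER_WORD and set(k) <= set("123456") for k in wordlist)


def roll_key(randbelow: Callable[[int], int] = secrets.randbelow) -> str:
    """Roll five dice (randbelow(6) + 1 each) and join them into a key like '41524'.
    secrets.randbelow is the CSPRNG; never use random.random() for passwords."""
    return "".join(str(randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def diceware_words(wordlist: Dict[str, str], n_words: int,
                   randbelow: Callable[[int], int] = secrets.randbelow) -> List[str]:
    """Look up one word per five-dice roll.  A key missing from the list is an
    error, not something to silently re-roll past (that would bias the output)."""
    words = []
    for _ in range(n_words):
        key = roll_key(randbelow)
        if key not in wordlist:
            raise KeyError(f"no word for roll {key}; use a full {FULL_LIST_SIZE}-entry list")
        words.append(wordlist[key])
    return words


def generate_passphrase(wordlist: Dict[str, str], n_words: int, n_numbers: int = 0,
                        digits: int = 4, sep: str = "-",
                        randbelow: Callable[[int], int] = secrets.randbelow) -> str:
    """Words joined by sep, with n_numbers random digit groups inserted at random positions."""
    parts = diceware_words(wordlist, n_words, randbelow)
    for _ in range(n_numbers):
        chunk = "".join(str(randbelow(10)) for _ in range(digits))
        parts.insert(randbelow(len(parts) + 1), chunk)
    return sep.join(parts)


def entropy_bits(n_words: int, list_size: int = FULL_LIST_SIZE,
                 n_numbers: int = 0, digits: int = 4) -> float:
    """Conservative entropy estimate: log2 of the number of equally likely outputs,
    ignoring the extra bits contributed by where the digit groups land."""
    return n_words * math.log2(list_size) + n_numbers * digits * math.log2(10)


def scripted_randbelow(values: List[int]) -> Callable[[int], int]:
    """Replay a fixed list of 'rolls' so the generator can be tested deterministically."""
    it = iter(values)

    def randbelow(n: int) -> int:
        v = next(it)
        if not 0 <= v < n:
            raise ValueError(f"scripted value {v} out of range for randbelow({n})")
        return v

    return randbelow


if __name__ == "__main__":
    # With a full wordlist this would print a fresh phrase each run; the toy list
    # only covers six rolls, so fixed rolls are replayed to show the output shape.
    rolls = [0] * 5 + [1] * 5 + [2] * 5 + [8, 3, 1]
    print(generate_passphrase(SAMPLE_WORDLIST, 3, n_numbers=1, digits=2,
                              randbelow=scripted_randbelow(rolls)))
    print(f"six words from a full list: {entropy_bits(6):.1f} bits")
```

The `entropy_bits` figure is the number worth watching: each word from a 7776-entry list contributes about 12.9 bits, so six words give roughly 77.5 bits, and a four-digit group adds about 13.3 bits.  The estimate deliberately leaves out the bits gained from the random placement of the digit groups, so it errs on the low side.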

So, I decided to write my own Diceware utility in Python.  I wrote it to be as self-contained as possible, which is to say that as long as you have Python installed on a system it should run.  The wordlist is built into the utility (which accounts for most of its size) and it's as easy to use as I can make it.  I deliberately did not make some of the options I prefer the defaults, because I wanted it to be as helpful to as many people as possible.  Per the GNU standard, running ./diceware.py --help will print the online help.  It's also open source, so feel free to use it anywhere you like.  I've tested it on Arch Linux and Mac OS X, and I don't see any reason why it wouldn't work on, say, Ubuntu or Raspbian.

Share and enjoy!

Neologism: Hopepothesis

Dec 18 2016

Hopepothesis - noun - What you come up with when you really don't know what you're doing or what's going on, but you pull something out of your ass anyway.  If anybody asks, that's your working hypothesis.