I got inspired by this xkcd webcomic:
The topic is also discussed here: https://www.ted.com/talks/lorrie_faith_cranor_what_s_wrong_with_your_pa_w0rd
Now I wonder:
How can I create a password out of four random dictionary words without using the internet?
Locally installed dictionaries are stored in /usr/share/dict/, for example:
$ ls -1 /usr/share/dict/
american-english
british-english
cracklib-small
README.select-wordlist
words
words.pre-dictionaries-common
Here the first two are interesting, those dictionaries are simple word lists with one word per line. We can use shuf to output 4 random lines from one of them (and awk to replace newlines with spaces):
shuf -n4 /usr/share/dict/american-english | awk NF=NF RS= OFS=' '
Here's some example output:
contributions autumn's catalepsy's hemline's
footlights Levi's awfuller rascals
fogies flavoring preregistering requital's
Coleman's cartel halfpennies Williamson
étude's maintainers reviler's dapperest
pizazz Galahads McDowell derby
corroborate bureaucracies anchovy meager
filet Tawney feudalistic backstabbing
Beatriz sitcom surpasses guttural's
warehouse's unfamiliarity's Ashlee's sanguinary
Use a method, that provides sufficient randomness alias entropy, often measured in bits.
Accept the first offered choice from the random process. Otherwise the entropy decreases (often more than you would think), and your security level will be lower.
Considering the human aspect it is important that you can
accept
remember
spell
the words in the password/passphrase.
In order to preserve randomness, entropy, it is very important the you accept the first offered choice, and the word list can make a difference.
Using a big word-list provides more entropy per word, but chances are that you or users in the group, whose IT security you are managing, refuse to use the first offered password/passphrase. Your name, city or other personal data might be selected from the word list in an extremely rare case, but more often you might be offended by a political, ethnical, religious, sexual or generally rude word. Of course, if you like such words, you can add them to your own word list ;-) but don't force them onto other people.
It will make it easier to accept, remember and spell the password/passphrase, if you use a list of the most common words, where the words are selected for this particular purpose.
You can create such a list yourself (and in your own language, and remove words with special characters, because they might cause problems with some software).
The following shellscript pruner might help. You get only lowercase words, which makes the typing easier (special characters are removed) and only words in the interval [4,10] letters (not too short, not too long). But there is no sorting of these files according to how easy to accept they are. You need other information to remove uncommon, difficult and potentially offensive words, or you can do it manually.
#!/bin/bash
LANG=C
for wordlist in \
$(find /usr/share/dict/ /usr/lib/python3/dist-packages/xkcdpass/static -type f -size +10k) \
$(ls -1 word-list.txt 2> /dev/null)
do
# prunedlist="${wordlist##*/}"
prunedlist="${wordlist//\//_}"
prunedlist="${prunedlist/.txt}-pruned.txt"
echo "source: $wordlist"
echo -n "Total number of words in list: "
< "$wordlist" wc -l
echo "target: $prunedlist"
echo -n "Used lower case words ( 4 < length < 10 ): "
< "$wordlist" tr -d '\015'| \
grep '^[a-z]\{4,10\}$' | \
tee "$prunedlist" | \
wc -l
echo "-------"
done
The shellscript will find the default word lists and also word lists for xkcdpass and cracklib, if installed.
Now you can run your shuf command line to test the pruned word lists,
$ for i in *pruned*; do echo "$i:";shuf -n4 "$i"| awk NF=NF RS= OFS=' ';echo "-----";done
but I would prefer xkcdpass.
You can download such a list (check that it consists of unique words and is long enough, at least 2048 words = 2^11 words, which corresponds to 11 bits of entropy).
Downloading, checking and using such a file from the internet should be safe. As usual, you should only use reliable web sites.
The important thing for the security is not the words themselves, but that you let a random process (for example dice) or a good pseudo-random computer process select the words. Do not tamper with the random process by selecting or modifying the password manually.
At this Ubuntu help wiki page: The XKCD method - xkcdpass you can find a
Custom word list - 'word-list.txt'
Decide what works best for the security level you need in your particular case,
It may be vary between persons (and groups of people, if you are considering how to set a policy or custom tool for an organization).
You can let xkcdpass compute randomness alias entropy in bits by adding the verbosity option -V. These examples use the default word list and the custom word list from the Ubuntu help page word-list.txt,
xkcdpass -V -n 3
xkcdpass -V -n 4 --min 4 --max 10 -d . -w word-list.txt
Using the default word file: lower number of words that are strange and complicated
# Normal security level at home, entropy = 45 bits;
$ xkcdpass -n 3
demeanour basely extrude
# Next security level, entropy = 60 bits:
$ xkcdpass -n 4
metal cottager advocacy soursop
# High security level, entropy = 76 bits:
$ xkcdpass -n 5
hostile impounder Caledonia ramie Goddard
# Very high security level, entropy = 91 bits:
$ xkcdpass
ambrosia Cossack vivify Barbudan royal Campinas
Please notice that this is the default setting. But the security level is very high only if the user
Using a custom word file: higher number of words that are common and easy
# Normal security level at home, entropy = 47 bits:
$ xkcdpass -n 4 --min 4 --max 10 -d . -w word-list.txt
sharp.hockey.steal.backyard
# Next security level, entropy = 59 bits:
$ xkcdpass -n 5 --min 4 --max 10 -d . -w word-list.txt
initially.assistant.barely.framework.regional
# Next security level, entropy = 71 bits:
$ xkcdpass -n 6 --min 4 --max 10 -d . -w word-list.txt
snake.food.dress.perception.club.waste
# High security level, entropy = 83 bits:
$ xkcdpass -n 7 --min 4 --max 10 -d . -w word-list.txt
stand.mentor.know.cream.automatic.treatment.effect
There's probably any number of XKCD password generator implementations out there:
xkcdpass, available from the xkcdpass package, Python (doesn't seem to use a CSPRNG)
$ xkcdpass
baroque viand blindfold hooch notion ravening
$ xkcdpass -n4
useless elated liveable overfly
xkcd-password, NodeJS modulediceware, which follows a similar process, but using websitesPick your poison.
Also see:
Please don't do this.
I know it's a pain, but use a password manager instead. Have it generate unique, random passwords for every site. If you're paranoid like me, you can change a couple characters in the suggested password in case the generator's (pseudo-)random algorithm is ever compromised. I like KeePassX with the database backed up in DropBox, but LastPass is easier for some people to use. There are many paid password managers as well.
The human brain is good at imposing order, even when there is none. You can remember random characters by staring at them until you perceive order in the chaos. There is no order. This is just what your brain does. For instance:
bJbRpZ2S9
Means something to you. If you type it enough times, you'll come up with something like this to remember it:
black Jack beyond Re post Zaps 2 Surly 9's
You can eventually remember 2 or 3 master passwords that way. One for your OS, and one for your password manager. That's all you need.
P.S. When using a password manager, periodically print out your passwords and put them in a tamper-evident envelope in a safe somewhere so you don't lose them. Ideally where your next-of-kin can get them if something happens to you, like a safe deposit box.
