OT: passwords

Robert Baer

Start with the reasonably decent tester
https://www.cryptool.org/en/cto-highlights/passwordmeter

As I mentioned before it does have at least one lame attribute, it
tends to give email addresses very high total rating (all green!).

I know very little about those checkers/encoders/whatever.
Is there a password generator that will produce a randumb string
(given limits, say no special characters and not longer than specified
value)?

Thanks
 
Robert Baer wrote:
  Start with the reasonably decent tester
https://www.cryptool.org/en/cto-highlights/passwordmeter

  As I mentioned before it does have at least one lame attribute, it
tends to give email addresses very high total rating (all green!).

  I know very little about those checkers/encoders/whatever.
  Is there a password generator that will produce a randumb string
(given limits, say no special characters and not longer than specified
value)?

  Thanks
That checker tends to be lame with repeated sequence(s):

#S4LWU$kz4#S4LWU$kz with 19 characters passes all, gives 93% and yet
first 9 are repeated.

So...are there other maybe "better" checkers that will not "rook" you?

Still, a half-way decent generator seems better.

Thanks
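
The repeated-sequence weakness described in the post above can be checked mechanically. The following is an added example, not part of the original thread and not how the CrypTool meter works: it finds the longest substring that occurs twice without overlapping and reports how many characters are left once the second copy is discounted. The function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of the longest substring that occurs twice without overlapping.
   If first/second are non-NULL they receive the start offsets of the
   two copies. Brute force is fine at password lengths. */
size_t longest_repeat(const char *s, size_t *first, size_t *second)
{
    size_t n = strlen(s), best = 0;

    for (size_t i = 0; i < n; i++) {
        for (size_t j = i + 1; j < n; j++) {
            size_t k = 0;
            /* i + k < j keeps the first copy from running into the second */
            while (j + k < n && i + k < j && s[i + k] == s[j + k])
                k++;
            if (k > best) {
                best = k;
                if (first)
                    *first = i;
                if (second)
                    *second = j;
            }
        }
    }
    return best;
}

/* Characters that remain once the repeated copy is discounted. */
size_t effective_length(const char *s)
{
    return strlen(s) - longest_repeat(s, NULL, NULL);
}

int main(void)
{
    /* The 19-character string quoted in the thread. */
    const char *pw = "#S4LWU$kz4#S4LWU$kz";
    size_t a = 0, b = 0;
    size_t rep = longest_repeat(pw, &a, &b);

    printf("length %zu, repeat of %zu chars at offsets %zu and %zu\n",
           strlen(pw), rep, a, b);
    printf("effective length %zu\n", effective_length(pw));
    return 0;
}
```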
 
On a sunny day (Tue, 9 Jul 2019 20:54:54 -0800) it happened Robert Baer
<robertbaer@localnet.com> wrote in <8kdVE.18949$KR4.17786@fx31.iad>:

Start with the reasonably decent tester
https://www.cryptool.org/en/cto-highlights/passwordmeter

As I mentioned before it does have at least one lame attribute, it
tends to give email addresses very high total rating (all green!).

I know very little about those checkers/encoders/whatever.
Is there a password generator that will produce a randumb string
(given limits, say no special characters and not longer than specified
value)?

Thanks

In Linux, in a terminal, for 2 seconds then use ctrlC, type
cat /dev/random > q1

To get valid ASCII
strings q1 > q2

Edit q2, remove any control characters...

¸<çú
žÚ{¤ŤˇĂ
ŁQC3
měFZ8
4ŕ?uŰö˙iŃż
đš4W%sM



Edit q1 with a text editor, keep valid characters you want working backwards
MsW4i0u48FZ

Good enough?

Other variants of processing output from /dev/random are OK too, if you are paranoid
swap some characters..


You could also use the radioactive decay from the uranium hexafluoride
from your enrichment plant.
 
Am 10.07.19 um 06:54 schrieb Robert Baer:
  Start with the reasonably decent tester
https://www.cryptool.org/en/cto-highlights/passwordmeter

  As I mentioned before it does have at least one lame attribute, it
tends to give email addresses very high total rating (all green!).

  I know very little about those checkers/encoders/whatever.
  Is there a password generator that will produce a randumb string
(given limits, say no special characters and not longer than specified
value)?

You can always use the password generator of the crack program.

:) Gerhard
 
PS,
Just after I replied I decided to keep the fingers moving and wrote a simple
password generator in See:
http://panteltje.com/panteltje/newsflex/download.html#passgen

It does exactly what I wrote, see below, and I also added a check
for /dev/random being not some hack and a file.

This is Linux software, unpack with
tar -zxvf passgen-0.1.tgz
make
make install

Run:
~ # passgen
read 99 of 100 bytes, please wait
ready, your password is
7hrCv98P

It takes a minute or 2 to get enough randomness.

It is version 0.1 and I wrote it in a few femtoseconds, so YMMV.
also do not use THIS password for anything.
Make your own and one for each application.

Check the source code for any secret commi-nukations.




I wrote
In Linux, in a terminal, for 2 seconds then use ctrlC, type
cat /dev/random > q1

To get valid ASCII
strings q1 > q2

Edit q2, remove any control characters...

¸<çú
žÚ{¤ŤˇĂ
ŁQC3
měFZ8
4ŕ?uŰö˙iŃż
đš4W%sM



Edit q1 with a text editor, keep valid characters you want working backwards
MsW4i0u48FZ

Good enough?

Other variants of processing output from /dev/random are OK too, if you are paranoid
swap some characters..


You could also use the radioactive decay from the uranium hexafluoride
from your enrichment plant.
 
Robert Baer wrote:
Start with the reasonably decent tester
https://www.cryptool.org/en/cto-highlights/passwordmeter

As I mentioned before it does have at least one lame attribute, it
tends to give email addresses very high total rating (all green!).

I know very little about those checkers/encoders/whatever.
Is there a password generator that will produce a randumb string
(given limits, say no special characters and not longer than specified
value)?

Thanks

I would write that code myself, to make
sure "the NSA hasn't compromised the randomness" :)

Then I would pick up some extra tinfoil hats
at the TinFoil Hat store.

#include <stdio.h>
/* gcc -o mypassword.exe mypassword.c */

int main(int argc, char *argv[])
{
    if (argc != 2) {
        printf("Mypassword.exe RandomSeedString\n");
        printf("Generate password based on random seed string\n");
        return 1;
    }
    printf("\nYour new password is: %s\n", argv[1]);
    return 0;
}

Your result is only limited by your own imagination.

mypassword.exe abcd1234

Your new password is: abcd1234

And, "I did it with a computer" (tip of the hat to the
Patent Department).

*******

Using stepwise refinement, we try again.
Still no rands, mersenne twisters, or the like.

#include <stdio.h>
#include <string.h>   /* strlen */
#include <conio.h>    /* getch */
#include <windows.h>
/* gcc -o mypassword2.exe mypassword2.c */

int main() {
    /* Define your allowed alphabet here. String length prime ? */
    char a[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ012345678";
    int len = strlen(a); /* modulo, but subtract one when used as index */
    __int64 time1;
    int i,j,k,m;
    char c[2048]; /* OK, already, you can stop typing now... */

    if (!QueryPerformanceCounter((LARGE_INTEGER *)&time1)) {
        printf("QueryPerformanceCounter failed\n");
        return 1;
    }

    printf("Enter as many letters as the length of the desired\n");
    printf("password, followed by Enter key. The time when each\n");
    printf("letter is entered, is the random factor selecting\n");
    printf("the letter used\n\n");
    printf("Current alphabet has %d character choices\n\n", len);

    j=k=0;

    /* Stop at Enter (13) or when the buffer is full */
    while ( j < (int)sizeof(c) && (m = getch()) != 13 ) {
        QueryPerformanceCounter((LARGE_INTEGER *)&time1);
        /* Try to remove systematic bias in sample times using time scales */
        i = ( (time1 >> 16) ^ (time1 >> 8) ^ time1 ) % len;
        c[j] = a[i-1];
        j++;
        printf("%c", m); /* tactile feedback saved for last */
    }

    printf("\n\nYour password is: ");
    while (j > 0) {
        printf("%c", c[k]);
        j--;
        k++;
    }
    printf("\n");
}

Paul (who is not a programmer and
never took Krypto in HighSkool)
 
On 7/10/19 1:18 AM, Robert Baer wrote:
Robert Baer wrote:
   Start with the reasonably decent tester
https://www.cryptool.org/en/cto-highlights/passwordmeter

   As I mentioned before it does have at least one lame attribute, it
tends to give email addresses very high total rating (all green!).

   I know very little about those checkers/encoders/whatever.
   Is there a password generator that will produce a randumb string
(given limits, say no special characters and not longer than specified
value)?

   Thanks
  That checker tends to be lame with repeated sequence(s):

#S4LWU$kz4#S4LWU$kz with 19 characters passes all, gives 93% and yet
first 9 are repeated.

  So...are there other maybe "better" checkers that will not "rook" you?

  Still, a half-way decent generator seems better.

  Thanks

Try Diceware. Good randomness, easy to remember, impossible to backdoor.

Cheers

Phil Hobbs

--
Dr Philip C D Hobbs
Principal Consultant
ElectroOptical Innovations LLC / Hobbs ElectroOptics
Optics, Electro-optics, Photonics, Analog Electronics
Briarcliff Manor NY 10510

http://electrooptical.net
http://hobbs-eo.com
 
On Wednesday, 10 July 2019 15:18:59 UTC+1, Phil Hobbs wrote:
On 7/10/19 1:18 AM, Robert Baer wrote:
Robert Baer wrote:
   Start with the reasonably decent tester
https://www.cryptool.org/en/cto-highlights/passwordmeter

   As I mentioned before it does have at least one lame attribute, it
tends to give email addresses very high total rating (all green!).

   I know very little about those checkers/encoders/whatever..
   Is there a password generator that will produce a randumb string
(given limits, say no special characters and not longer than specified
value)?

   Thanks
  That checker tends to be lame with repeated sequence(s):

#S4LWU$kz4#S4LWU$kz with 19 characters passes all, gives 93% and yet
first 9 are repeated.

  So...are there other maybe "better" checkers that will not "rook" you?

  Still, a half-way decent generator seems better.

  Thanks


Try Diceware. Good randomness, easy to remember, impossible to backdoor.

Cheers

Phil Hobbs

Ha. I have some very unrandom dice.


NT
 
Jan Panteltje <pNaOnStPeAlMtje@yahoo.com> wrote:
PS,
Just after I replied I decided to keep the fingers moving and wrote a simple
password generator in See:
http://panteltje.com/panteltje/newsflex/download.html#passgen

It does exactly what I wrote, see below, and I also added a check
for /dev/random being not some hack and a file.

This is Linux software, unpack with
tar -zxvf passgen-0.1.tgz
make
make install

Run:
~ # passgen
read 99 of 100 bytes, please wait
ready, your password is
7hrCv98P

It takes a minute or 2 to get enough randomness.

It is version 0.1 and I wrote it in a few femtoseconds, so YMMV.
also do not use THIS password for anything.
Make your own and one for each application.

Check the source code for any secret commi-nukations.

apg excels at generating pronounceable nonsense of any length:

$ apg -m 16 -a 0
NuocKiUvJusfeat~
nicOpEdfondErceb
RhastAcPoivektoi
oajPheanodfiedTi
SlatCyChroodfeir
GheyRawjeOctyab`
------------------------------------------------------------------------
https://github.com/Distrotech/apg
------------------------------------------------------------------------
$ apg -h

apg Automated Password Generator
Copyright (c) Adel I. Mirzazhanov

apg [-a algorithm] [-r file]
    [-M mode] [-E char_string] [-n num_of_pass] [-m min_pass_len]
    [-x max_pass_len] [-c cl_seed] [-d] [-s] [-h] [-y] [-q]

-M mode          new style password modes
-E char_string   exclude characters from password generation process
-r file          apply dictionary check against file
-b filter_file   apply bloom filter check against filter_file
                 (filter_file should be created with apgbfm(1) utility)
-p substr_len    paranoid modifier for bloom filter check
-a algorithm     choose algorithm
                  1 - random password generation according to
                      password modes
                  0 - pronounceable password generation
-n num_of_pass   generate num_of_pass passwords
-m min_pass_len  minimum password length
-x max_pass_len  maximum password length
-s               ask user for a random seed for password
                 generation
-c cl_seed       use cl_seed as a random seed for password
-d               do NOT use any delimiters between generated passwords
-l               spell generated password
-t               print pronunciation for generated pronounceable password
-y               print crypted passwords
-q               quiet mode (do not print warnings)
-h               print this help screen
-v               print version information
------------------------------------------------------------------------

Thank you, 73,

--
Don Kuenz KB7RPU
There was a young lady named Bright Whose speed was far faster than light;
She set out one day In a relative way And returned on the previous night.
 
Jan Panteltje wrote:
PS,
Just after I replied I decided to keep the fingers moving and wrote a simple
password generator in See:
http://panteltje.com/panteltje/newsflex/download.html#passgen

It does exactly what I wrote, see below, and I also added a check
for /dev/random being not some hack and a file.

This is Linux software, unpack with
tar -zxvf passgen-0.1.tgz
make
make install

Run:
~ # passgen
read 99 of 100 bytes, please wait
ready, your password is
7hrCv98P

It takes a minute or 2 to get enough randomness.

It is version 0.1 and I wrote it in a few femtoseconds, so YMMV.
also do not use THIS password for anything.
Make your own and one for each application.

Check the source code for any secret commi-nukations.




I wrote
In Linux, in a terminal, for 2 seconds then use ctrlC, type
cat /dev/random > q1

To get valid ASCII
strings q1 > q2

Edit q2, remove any control characters...

¸<çú
žÚ{¤ŤˇĂ
ŁQC3
měFZ8
4ŕ?uŰö˙iŃż
đš4W%sM



Edit q1 with a text editor, keep valid characters you want working backwards
MsW4i0u48FZ

Good enough?

Other variants of processing output from /dev/random are OK too, if you are paranoid
swap some characters..


You could also use the radioactive decay from the uranium hexafluoride
from your enrichment plant.
Sounds good, but cannot use it.
To make a bad pun, as ONE a have to NIX it.
 
Don Kuenz <g@crcomp.net> wrote in news:20190710a@crcomp.net:

Jan Panteltje <pNaOnStPeAlMtje@yahoo.com> wrote:

PS,
Just after I replied I decided to keep the fingers moving and
wrote a simple password generator in See:
http://panteltje.com/panteltje/newsflex/download.html#passgen

It does exactly what I wrote, see below, and I also added a check
for /dev/random being not some hack and a file.

This is Linux software, unpack with
tar -zxvf passgen-0.1.tgz
make
make install

Run:
~ # passgen
read 99 of 100 bytes, please wait
ready, your password is
7hrCv98P

It takes a minute or 2 to get enough randomness.

It is version 0.1 and I wrote it in a few femtoseconds, so YMMV.
also do not use THIS password for anything.
Make your own and one for each application.

Check the source code for any secret commi-nukations.

apg excels at generating pronounceable nonsense of any length:

Pronounce this little tid bit...

My real name is Mike Coxmaul, but I go by Michael.
 
Phil Hobbs wrote:
On 7/10/19 1:18 AM, Robert Baer wrote:
Robert Baer wrote:
   Start with the reasonably decent tester
https://www.cryptool.org/en/cto-highlights/passwordmeter

   As I mentioned before it does have at least one lame attribute, it
tends to give email addresses very high total rating (all green!).

   I know very little about those checkers/encoders/whatever.
   Is there a password generator that will produce a randumb string
(given limits, say no special characters and not longer than
specified value)?

   Thanks
   That checker tends to be lame with repeated sequence(s):

#S4LWU$kz4#S4LWU$kz with 19 characters passes all, gives 93% and yet
first 9 are repeated.

   So...are there other maybe "better" checkers that will not "rook" you?

   Still, a half-way decent generator seems better.

   Thanks


Try Diceware.  Good randomness, easy to remember, impossible to backdoor.

Cheers

Phil Hobbs

WOW!
 
Robert Baer <robertbaer@localnet.com> wrote:
Don Kuenz wrote:
Jan Panteltje <pNaOnStPeAlMtje@yahoo.com> wrote:

PS,
Just after I replied I decided to keep the fingers moving and wrote a simple
password generator in See:
http://panteltje.com/panteltje/newsflex/download.html#passgen

It does exactly what I wrote, see below, and I also added a check
for /dev/random being not some hack and a file.

This is Linux software, unpack with
tar -zxvf passgen-0.1.tgz
make
make install

Run:
~ # passgen
read 99 of 100 bytes, please wait
ready, your password is
7hrCv98P

It takes a minute or 2 to get enough randomness.

It is version 0.1 and I wrote it in a few femtoseconds, so YMMV.
also do not use THIS password for anything.
Make your own and one for each application.

Check the source code for any secret commi-nukations.

apg excels at generating pronounceable nonsense of any length:

$ apg -m 16 -a 0
NuocKiUvJusfeat~
nicOpEdfondErceb
RhastAcPoivektoi
oajPheanodfiedTi
SlatCyChroodfeir
GheyRawjeOctyab`
* Not too bad.
By replacing one randomly chosen character with a random digit, you
can almost always make an improvement, especially more green bars with
https://www.cryptool.org/en/cto-highlights/passwordmeter.
Fiddling with which character to replace might give slight added
improvement.
That last line is the best at 78%, 4 green bars.
Randomly chose the w for a digit gives 80% 5 green bars.

Although apg can generate long random characters, it's a little over the
top for mere mortal me.

$ apg -m 64 -a 1
?2-ydS{'2*PK"16\>M*+ayri,X0KT_gnxcz=vNgG@l,q>K-mZ!EAlf(Ty?/Q,#K)
)|cnYKoj^rS!=X'#Phi~DeTXHsa+VsB"<mY@d4'\;,0Va46z<Ya7t&Cu:hp]sn1R
N0FtjTT%=un>K.u=(m~/.@Dco:cBk[gHm|07XmdpY\X[H{/?^n)c3M4h**gUk0$i
c-_[h-.Xc'H%#~9p.`kTNR;x}WP\b?'Ikkr/iHkOkTA\.FgrTQfS&*dr=a8)3GJO
AM.>$)8\H5|q<JgCkpt-5xt_7SJDMbh4Nar>3{"x6~;;T+>%}!L(?vUIO/Z4lB@@
]89|xMpRl]gzP^8R"W{i/81ZHpt]GU]:\(b@cOld}Y5cV7j,>mxkcq\"*HiO]ptH

It works better for me to start with a pronounceable string and then add
special characters and digits if need be.

$ apg -m 16 -a 0 -t
Liojtanith@Knep# (Li-oj-tan-ith-AT_SIGN-Knep-CROSSHATCH)
LyecpapIvbibPigs (Lyec-pap-Iv-bib-Pigs)
neeshiBegbytRot@ (nees-hi-Beg-byt-Rot-AT_SIGN)
gennEabempOwcyb4 (genn-Eab-emp-Ow-cyb-FOUR)
veByTweydbivQuor (ve-By-Tweyd-biv-Quor)
DyeratfeOtDeabNi (Dyer-at-fe-Ot-Deab-Ni)

Thank you, 73,

--
Don Kuenz KB7RPU
There was a young lady named Bright Whose speed was far faster than light;
She set out one day In a relative way And returned on the previous night.
 
Don Kuenz wrote:
Jan Panteltje <pNaOnStPeAlMtje@yahoo.com> wrote:

PS,
Just after I replied I decided to keep the fingers moving and wrote a simple
password generator in See:
http://panteltje.com/panteltje/newsflex/download.html#passgen

It does exactly what I wrote, see below, and I also added a check
for /dev/random being not some hack and a file.

This is Linux software, unpack with
tar -zxvf passgen-0.1.tgz
make
make install

Run:
~ # passgen
read 99 of 100 bytes, please wait
ready, your password is
7hrCv98P

It takes a minute or 2 to get enough randomness.

It is version 0.1 and I wrote it in a few femtoseconds, so YMMV.
also do not use THIS password for anything.
Make your own and one for each application.

Check the source code for any secret commi-nukations.

apg excels at generating pronounceable nonsense of any length:

$ apg -m 16 -a 0
NuocKiUvJusfeat~
nicOpEdfondErceb
RhastAcPoivektoi
oajPheanodfiedTi
SlatCyChroodfeir
GheyRawjeOctyab`
* Not too bad.
By replacing one randomly chosen character with a random digit, you
can almost always make an improvement, especially more green bars with
https://www.cryptool.org/en/cto-highlights/passwordmeter.
Fiddling with which character to replace might give slight added
improvement.
That last line is the best at 78%, 4 green bars.
Randomly chose the w for a digit gives 80% 5 green bars.

------------------------------------------------------------------------
https://github.com/Distrotech/apg
------------------------------------------------------------------------
$ apg -h

apg Automated Password Generator
Copyright (c) Adel I. Mirzazhanov

apg [-a algorithm] [-r file]
    [-M mode] [-E char_string] [-n num_of_pass] [-m min_pass_len]
    [-x max_pass_len] [-c cl_seed] [-d] [-s] [-h] [-y] [-q]

-M mode          new style password modes
-E char_string   exclude characters from password generation process
-r file          apply dictionary check against file
-b filter_file   apply bloom filter check against filter_file
                 (filter_file should be created with apgbfm(1) utility)
-p substr_len    paranoid modifier for bloom filter check
-a algorithm     choose algorithm
                  1 - random password generation according to
                      password modes
                  0 - pronounceable password generation
-n num_of_pass   generate num_of_pass passwords
-m min_pass_len  minimum password length
-x max_pass_len  maximum password length
-s               ask user for a random seed for password
                 generation
-c cl_seed       use cl_seed as a random seed for password
-d               do NOT use any delimiters between generated passwords
-l               spell generated password
-t               print pronunciation for generated pronounceable password
-y               print crypted passwords
-q               quiet mode (do not print warnings)
-h               print this help screen
-v               print version information
------------------------------------------------------------------------

Thank you, 73,
 
DecadentLinuxUserNumeroUno@decadence.org wrote:
Don Kuenz <g@crcomp.net> wrote in news:20190710a@crcomp.net:

Jan Panteltje <pNaOnStPeAlMtje@yahoo.com> wrote:

PS,
Just after I replied I decided to keep the fingers moving and
wrote a simple password generator in See:
http://panteltje.com/panteltje/newsflex/download.html#passgen

It does exactly what I wrote, see below, and I also added a check
for /dev/random being not some hack and a file.

This is Linux software, unpack with
tar -zxvf passgen-0.1.tgz
make
make install

Run:
~ # passgen
read 99 of 100 bytes, please wait
ready, your password is
7hrCv98P

It takes a minute or 2 to get enough randomness.

It is version 0.1 and I wrote it in a few femtoseconds, so YMMV.
also do not use THIS password for anything.
Make your own and one for each application.

Check the source code for any secret commi-nukations.

apg excels at generating pronounceable nonsense of any length:

Pronounce this little tid bit...

My real name is Mike Coxmaul, but I go by Michael.

That password's a little long and it needs some digits. A better
password may be something along the lines of:

In 2019 DLU said he's Coxmaul!

Although some systems do not accommodate passwords with spaces many
?most? do. Using an easily remembered sentence with the usual mix of
special characters, caps, and digits works for me.

Thank you, 73,

--
Don Kuenz KB7RPU
There was a young lady named Bright Whose speed was far faster than light;
She set out one day In a relative way And returned on the previous night.
 
Paul wrote:
Robert Baer wrote:
Start with the reasonably decent tester
https://www.cryptool.org/en/cto-highlights/passwordmeter

As I mentioned before it does have at least one lame attribute, it
tends to give email addresses very high total rating (all green!).

I know very little about those checkers/encoders/whatever.
Is there a password generator that will produce a randumb string
(given limits, say no special characters and not longer than specified
value)?

Thanks

(Corrected version)

#include <stdio.h>
#include <string.h>   /* strlen */
#include <conio.h>    /* getch */
#include <windows.h>

int main() {
    /* Define your allowed alphabet here. */
    char a[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ012345678";
    int len = strlen(a); /* modulo */
    __int64 time1;
    int i,j,k,m;
    char c[2048];

    if (!QueryPerformanceCounter((LARGE_INTEGER *)&time1)) {
        printf("QueryPerformanceCounter failed\n");
        return 1;
    }

    printf("Enter as many letters as the length of the desired\n");
    printf("password, followed by Enter key. The time when each\n");
    printf("letter is entered, is the random factor selecting\n");
    printf("the letter used\n\n");
    printf("Current alphabet has %d character choices\n\n", len);

    j=k=0;

    /* Stop at Enter (13) or when the buffer is full */
    while ( j < (int)sizeof(c) && (m = getch()) != 13 ) {
        QueryPerformanceCounter((LARGE_INTEGER *)&time1);
        /* Try to remove systematic bias in sample times using time scales */
        i = ( (time1 >> 16) ^ (time1 >> 8) ^ time1 ) % len;
        c[j] = a[i]; /* modulo has the right range, fixed */
        j++;
        printf("%d ", i); /* choice feedback */
    }

    printf("\n\nYour password is: ");
    while (j > 0) {
        printf("%c", c[k]);
        j--;
        k++;
    }
    printf("\n");
}

*******

Sample output:

L:\>mypassword2
Enter as many letters as the length of the desired
password, followed by Enter key. The time when each
letter is entered, is the random factor selecting
the letter used

Current alphabet has 61 character choices

57 51 24 45 2 18 50 15 0 1 42 39 24 36 22 23 13 32 8 13 6

Your password is: 5ZyTcsYpabQNyKwxnGing

L:\>
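
Paul's program above takes its randomness from keystroke timing and Jan's from /dev/random. As an added example (not code from either poster), here is a generator for the original request, letters and digits only at a fixed length, that reads the kernel CSPRNG and uses rejection sampling so that the `%` reduction does not favor some characters. Assumptions: Linux, /dev/urandom (chosen because it does not block), and the hypothetical names gen_password and ALNUM; the character-device test mirrors the check Jan describes.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Letters and digits only, per the "no special characters" limit. */
static const char ALNUM[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* Write n characters drawn uniformly from alphabet into out, which must
   hold n + 1 bytes. Returns 0 on success, -1 on any failure. */
int gen_password(char *out, size_t n, const char *alphabet)
{
    size_t len = strlen(alphabet);
    if (len < 2 || len > 256)
        return -1;

    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;

    /* Refuse a regular file sitting where the device node should be. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        return -1;
    }

    /* Bytes >= limit would make the first (256 % len) characters more
       likely than the rest, so they are thrown away. */
    unsigned limit = 256 - (unsigned)(256 % len);
    unsigned char buf[64];
    size_t i = 0;

    while (i < n) {
        ssize_t got = read(fd, buf, sizeof buf);
        if (got < 0 && errno == EINTR)
            continue;               /* interrupted, try again */
        if (got <= 0) {
            close(fd);
            return -1;
        }
        for (ssize_t k = 0; k < got && i < n; k++)
            if (buf[k] < limit)
                out[i++] = alphabet[buf[k] % len];
    }
    out[n] = '\0';
    close(fd);
    return 0;
}

int main(void)
{
    char pw[17];                    /* 16 characters plus terminator */

    if (gen_password(pw, sizeof pw - 1, ALNUM) != 0) {
        fprintf(stderr, "could not read /dev/urandom\n");
        return 1;
    }
    printf("%s\n", pw);
    return 0;
}
```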
 

Welcome to EDABoard.com