Reply To: Ways to create the strongest possible password?


    You can build your own very good password generator at home. You will need a spreadsheet, and Excel is top-of-the-range on Windows systems. Excel is still a thing on Macs, and for Linux it appears that Gnumeric is well-thought of. I personally use Lotus 123, which probably will run on Win10.

    Lots of good souls will immediately rise and cry “You can’t get truly random on a spreadsheet!” And they are absolutely completely correct. But here’s the thing: you don’t need “true randomness“. All good spreadsheets take their seeds from the computer clock, which counts up the number of seconds from the appropriate epoch, and this is what makes life difficult for the black-hats. The seed is generated at spreadsheet start-up, ready for the first usage of the RND function, and there is no way known in the universe how this start-up time on your computer can be predicted or inferred. The spreadsheet random number generator is as close to true randomness as you will ever find.

    So, my generator starts with 64 columns containing a counting number in the first row:
    This gives me strings that look like
    Next, we need some hex characters:
    And because some systems don’t believe in “funny characters” a simple case selector:
    Why don’t I include a space character? Because I can always insert one. Or several. “Printable” non-alphameric can be iffy on many systems due mostly to laziness on the designer’s part.

    In 123 the function key F9 will immediately recalculate the entire sheet… The trick is, if somebody is actually capable of seeing exactly when I start or recalculate, I have a lot more real immediate problems than merely generating a password.

    How long should the password be? Let’s assume the black-hat has a rack of 10 GPUs. 11 characters will take him/her/it a day or so. 13 characters will take about a week. 15 characters, about a month. 17 characters, most of a year; and 19 characters will be cracked some time in the next century. However, don’t forget that the attacker will most likely be seeing a hash, so multiply all of those by 10.

    If it’s a direct attack, many systems have begun inserting programmed delays of about half a second between attempts, so everything then gets multiplied by 500… The attacker must generate a “complete” password before presenting it for evaluation, and he/she/it has no idea of the length or density. So any attack must begin with the smallest believable number of characters, usually 8.

    All my passwords are stored in a you-beaut encrypted flat-file called “Cobbler”, written by svenfaw, see the Wilders thread for the gory details.
    Understanding the scope of the problem is the first step on the path to true panic. [Florence Ambrose, "Freefall"]
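The per-position scheme the post describes (draw one random symbol per column, with a hex mode and a letters-only mode for systems that reject “funny characters”), as an added Python example rather than the poster’s spreadsheet; it is not their code and takes its randomness from the `secrets` module instead of a spreadsheet RND function. The `entropy_bits` and `length_for_bits` helpers are added here to turn the “how long should it be” question into a number: each position contributes log2(alphabet size) bits.

```python
"""Per-position password generator with an entropy estimate (added example)."""
import math
import secrets
import string

# Three alphabets matching the post's modes: hex digits, mixed-case
# alphanumerics, and all printable ASCII except the space character
# (the post leaves spaces out and inserts them by hand if wanted).
CHARSETS = {
    "hex": string.hexdigits[:16],                       # 0-9 a-f, 16 symbols
    "alnum": string.ascii_letters + string.digits,      # 62 symbols
    "printable": "".join(
        c for c in string.printable if c.isprintable() and c != " "
    ),                                                  # 94 symbols
}


def entropy_bits(charset: str, length: int) -> float:
    """Entropy of `length` independent uniform draws from `charset`, in bits."""
    return length * math.log2(len(charset))


def generate(length: int, mode: str = "alnum") -> str:
    """Draw each position independently and uniformly from the chosen alphabet.

    secrets.choice uses the operating system's CSPRNG, so the result does not
    depend on when the program was started.
    """
    if length < 1:
        raise ValueError("length must be positive")
    charset = CHARSETS[mode]
    return "".join(secrets.choice(charset) for _ in range(length))


def length_for_bits(target_bits: float, mode: str) -> int:
    """Smallest length whose entropy reaches `target_bits` for the given mode."""
    per_symbol = math.log2(len(CHARSETS[mode]))
    return math.ceil(target_bits / per_symbol)


if __name__ == "__main__":
    for mode in CHARSETS:
        n = length_for_bits(128, mode)
        pw = generate(n, mode)
        print(f"{mode:9s} {n:2d} chars {entropy_bits(CHARSETS[mode], n):6.1f} bits  {pw}")
```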