Ad
Ad
Ad
Pages: [1]   Bottom of Page
Print
Author Topic: Security: random password generator for OS X  (Read 3605 times)
Ellis Vener
Sr. Member
****
Offline Offline

Posts: 1801



WWW
« on: December 04, 2012, 12:42:50 PM »
ReplyReply

Did you know that Apple OS X has a built in random password generator? Neither did I until a few minutes ago. See http://www.iclarified.com/entry/index.php?enid=23680 for details
Logged

Ellis Vener
http://www.ellisvener.com
Creating photographs for advertising, corporate and industrial clients since 1984.
kikashi
Sr. Member
****
Offline Offline

Posts: 4003



« Reply #1 on: December 04, 2012, 01:21:25 PM »
ReplyReply

Great! More passwords which mean nothing to me and so are even harder to remember. (Yes, I know, I don't have to use it.)

Jeremy
Logged
BJL
Sr. Member
****
Offline Offline

Posts: 5129


« Reply #2 on: December 04, 2012, 05:59:24 PM »
ReplyReply

Great! More passwords which mean nothing to me and so are even harder to remember. (Yes, I know, I don't have to use it.)
I guess the idea is to then put these generated passwords into Keychain, so you only need to memorize one master password. Seeing that the password generator is a part of Keychain and all.

So thanks for the tip, Ellis!
« Last Edit: December 04, 2012, 06:02:32 PM by BJL » Logged
digitaldog
Sr. Member
****
Offline Offline

Posts: 9098



WWW
« Reply #3 on: December 04, 2012, 06:58:31 PM »
ReplyReply

1Password makes this super easy. Not free but very effective.

https://agilebits.com/onepassword/mac
Logged

Andrew Rodney
Author “Color Management for Photographers”
http://digitaldog.net/
francois
Sr. Member
****
Offline Offline

Posts: 6819


« Reply #4 on: December 05, 2012, 03:42:16 AM »
ReplyReply

1Password makes this super easy. Not free but very effective.

https://agilebits.com/onepassword/mac

Another vote for 1Password!
Logged

Francois
popnfresh
Guest
« Reply #5 on: December 06, 2012, 11:34:38 AM »
ReplyReply

I hate random password generators, because I can never remember the passwords they generate. The truth is, one can come up with their own passwords which are not only much easier to remember, but very secure as well. The ideal password is one that both keeps intruders out yet is easily remembered so you don't have to refer to your password database every time you need to use it.

In making my own passwords I follow a few rules.
• The password should be nonsense, and never an actual word and never a logical sequence of numbers or a sequence based on things like your phone number, street address or social security number.
• It should always be a mix of letters and numbers or symbols.
• It should be between 8 and 15 characters long.
• if your password is based around a real word, make it at least 2 characters longer than that word.
• Passwords used for anything financial should always be unique. For example, the password for your online bank account should not be the same one you use for your brokerage or your email.

I could make an easily remembered and secure password based on the name of a loved one, for example. Let's say that her name is Barbara. From her name I could make this 9-character password: $bar3?Ara. This password would be much easier for me to remember than one that was completely random. But it would be just as secure as any randomly generated 9-character password.
« Last Edit: December 06, 2012, 03:14:51 PM by popnfresh » Logged
Chairman Bill
Sr. Member
****
Online Online

Posts: 1520


« Reply #6 on: December 06, 2012, 02:01:35 PM »
ReplyReply

Best passwords - a string of words. Iwanderedlonelyasacloud. Tobeornottobe. Roundmanywesternislandshaveibeen.

Every password-breaking program is designed to deal with passwords that contain uper & lower case letters & numbers. Most people do things such as replace an o with a 0, or an i with a 1. F00tball, or something similar. Easy for software to crack.
Logged
popnfresh
Guest
« Reply #7 on: December 06, 2012, 02:47:44 PM »
ReplyReply

Best passwords - a string of words. Iwanderedlonelyasacloud. Tobeornottobe. Roundmanywesternislandshaveibeen.

Every password-breaking program is designed to deal with passwords that contain uper & lower case letters & numbers. Most people do things such as replace an o with a 0, or an i with a 1. F00tball, or something similar. Easy for software to crack.

Those programs are based on a dictionary attack which assumes that the password is the same length as a real word. And even then, usually only an English word. Otherwise, it would have to examine every possible permutation of a string. And if it didn't know how long the string was it would be starting from scratch. For a 9-digit alphanumeric password, you're looking at over 14 million possible combinations. And it would most likely try every permutation of shorter strings before it attempted a 9-digit string. Considering that most financial websites will freeze access to your account after three failed attempts (at which point you would change your password anyway), anyone trying to parse your password will probably not be able to gain access before the sun goes nova. There are much easier ways for criminals to gain access to your accounts.
« Last Edit: December 06, 2012, 03:25:21 PM by popnfresh » Logged
John.Murray
Sr. Member
****
Offline Offline

Posts: 893



WWW
« Reply #8 on: December 06, 2012, 04:36:02 PM »
ReplyReply

https://www.random.org/passwords/

I had a client, complaining about her network's policy of 45 day password aging,  actually brag about "having *all* of her passwords set to the same thing - scary...

some php code (not perfect as the rand() function gets seeded with the same string(s) every time)
Code:
<?php
 
function generatePassword($length=9$strength=0) {
$vowels 'aeuy';
$consonants 'bdghjmnpqrstvz';
if ($strength 1) {
$consonants .= 'BDGHJLMNPQRSTVWXZ';
}
if ($strength 2) {
$vowels .= "AEUY";
}
if ($strength 4) {
$consonants .= '23456789';
}
if ($strength 8) {
$consonants .= '@#$%';
}
 
$password '';
$alt time() % 2;
for ($i 0$i $length$i++) {
if ($alt == 1) {
$password .= $consonants[(rand() % strlen($consonants))];
$alt 0;
} else {
$password .= $vowels[(rand() % strlen($vowels))];
$alt 1;
}
}
return $password;
}
 
?>
« Last Edit: December 06, 2012, 04:44:08 PM by John.Murray » Logged

mac_paolo
Sr. Member
****
Offline Offline

Posts: 423


« Reply #9 on: December 06, 2012, 04:56:21 PM »
ReplyReply

Another vote for 1Password!
+2
Logged
PierreVandevenne
Sr. Member
****
Offline Offline

Posts: 510


WWW
« Reply #10 on: December 12, 2012, 03:13:10 AM »
ReplyReply

Those programs are based on a dictionary attack which assumes that the password is the same length as a real word. And even then, usually only an English word. Otherwise, it would have to examine every possible permutation of a string. And if it didn't know how long the string was it would be starting from scratch. For a 9-digit alphanumeric password, you're looking at over 14 million possible combinations. And it would most likely try every permutation of shorter strings before it attempted a 9-digit string. Considering that most financial websites will freeze access to your account after three failed attempts (at which point you would change your password anyway), anyone trying to parse your password will probably not be able to gain access before the sun goes nova. There are much easier ways for criminals to gain access to your accounts.

Your math is way way off on the low side.

Your analysis of the problem is incorrect: the risk for online services is not brute forcing from the outside, but matching the hashes to leaked data. For local access, passwords will only annoy the dumbest and most casual thieves anyway, unless you use encryption.

The root of the problem is that we are still mostly using quick to compute hashes.

Current state of the art (for amateurs, that is) is this http://phys.org/news/2012-12-password-cracking-feats-blistering-shown-oslo.html which goes through 350 000 000 000 (yes, billions) of guesses per second.

Such a machine can be set up for a bit less than the price of a phase back and a few lenses.

One thing to take into account as well is the persistance of information: I was recently informed that an Israeli company I corresponded with in 1998-1999 had been hacked. Within hours, friends could find traces of my exchanges with that company in the publicly available dumps of hacked data.
Logged
popnfresh
Guest
« Reply #11 on: December 12, 2012, 07:25:59 PM »
ReplyReply

Your analysis of the problem is incorrect: the risk for online services is not brute forcing from the outside, but matching the hashes to leaked data. For local access, passwords will only annoy the dumbest and most casual thieves anyway, unless you use encryption.


Hence the last sentence in my post.
Logged
PierreVandevenne
Sr. Member
****
Offline Offline

Posts: 510


WWW
« Reply #12 on: December 13, 2012, 02:38:31 AM »
ReplyReply

Yup, re-reading it I see that you left the door open, I am a bit sorry for the somewhat harsh tone of my response. Was probably having a bad day.
Logged
mac_paolo
Sr. Member
****
Offline Offline

Posts: 423


« Reply #13 on: December 13, 2012, 03:38:05 AM »
ReplyReply

1Password for iOS got a complete restyle, and it's even better.
I know OS X password generator since years. Never used anything except for 1Password since I bought it.
Logged
chrismurphy
Jr. Member
**
Offline Offline

Posts: 77


« Reply #14 on: December 14, 2012, 05:57:15 PM »
ReplyReply

Lastpass is free and supports multifactor authentication with Google Authenticator (a free app for iOS and Android). It's particularly handy if you use multiple web browsers or computers as it keeps the encrypted database in sync for all instances.

Another good resource for passwords is Diceware, in particular the FAQ. What you need are more words for a good passphrase. Not stupid capitalization and weird characters rules which makes passphrases difficult for people to remember and easy for computers to guess.
Logged
kikashi
Sr. Member
****
Offline Offline

Posts: 4003



« Reply #15 on: December 15, 2012, 03:48:53 AM »
ReplyReply

Not stupid capitalization and weird characters rules which makes passphrases difficult for people to remember and easy for computers to guess.

That was, as you may observe, the entire point of the cartoon I posted earlier.

Jeremy
Logged
LA30
Full Member
***
Offline Offline

Posts: 206


« Reply #16 on: December 16, 2012, 02:49:31 PM »
ReplyReply

Another vote for 1Password!
Logged
BJL
Sr. Member
****
Offline Offline

Posts: 5129


« Reply #17 on: December 16, 2012, 08:21:29 PM »
ReplyReply

... the risk for online services is not brute forcing from the outside, but matching the hashes to leaked data.
Another common problem is when finding any one password on a system can harm or inconvenience a great number of other users, for example by leading to misuse of an email system that causes all mail from that system to be blocked as likely spam. This happens at least once a month at my workplace, The weakness there is that a botnet can distribute its rapid-fire password guessing over a large number of accounts, without triggering login attempt limits on any one account. That and the fact that blocking access after a few wrong guesses is not always acceptable, since it allows "denial of service" mischief.

So I would greatly like a method where all online accessible accounts are required to have very hard to guess passwords, even at the cost of being very hard to remember, and so requiring tools like 1Password. Less secure,,mor mnemonic passwords could be fine for local-access-only authentication.
« Last Edit: December 16, 2012, 08:23:04 PM by BJL » Logged
Joe Roy
Newbie
*
Offline Offline

Posts: 2


« Reply #18 on: December 19, 2012, 10:31:17 PM »
ReplyReply

Thanks for this discussion. I find it helpful.
In the last issue of Wired, Dec. 2010, the cover article by Mat Honan shares his experience of being hacked and his research into better security given the power of hacking people and systems. A thoughtful review with a few good recommendations. 
Logged
Pages: [1]   Top of Page
Print
Jump to:  

Ad
Ad
Ad