Generating Passwords with Easypass.pl
Matt Lesko
This article describes a method of choosing secure passwords and
a tool that I wrote to generate passwords of that nature. The tool
is called easypass.pl and was inspired by Mark Pors' SortOfPronounceable-Password-Generator
(available from http://www.dreamzpace.com/perl.html), to which
it adds a number of improvements. The generator presented here has
many additional features, all designed to facilitate the use of
secure passwords, and is licensed under the GPL.
Secure Password Theory
There are two main methods of cracking a password from the cipher-text
(assuming the cipher is known and secure): dictionary attacks and
brute force attacks. A dictionary attack is based on the fact that
most passwords will appear in the dictionary (e.g., "password"
or "snowball"). Simply trying all English words will crack
a large number of passwords. Brute forcing tries every single character
combination, often just the alphanumerics, and will crack passwords
such as "july1984" without much more difficulty than the
dictionary attack. A common solution is to require users to use
passwords such as Gy43^%zA. A password of this sort is quite secure
against password-cracking tools, but fails one important test: memorability.
When forced to use passwords like this, most users will write down
the password and attach it to their monitor, keyboard, desk, etc.,
thereby compromising security.
Easypass.pl creates passwords that will hold up against a password
cracker but are far easier to remember. Essentially, when run with
the appropriate options, the program takes two random words from
the system's dictionary file, inserts a random number and a special
character ($, %, &, etc.) between them, and outputs the concatenation
of these elements as a password. An example of the typical
output is:
troop78%boost
Installation and Configuration
Before you use easypass.pl, be sure that you have Perl installed,
and know the location (often /usr/bin/perl). The script is
reproduced in its entirety in Listing 1. It can also be obtained from
the Sys Admin Web site or:
http://mattlesko.dyndns.org:8080/easypass.html
The only configuration that is required is to edit the location of
your dictionary file. On most systems that I have encountered, this
is located at /usr/dict/words or /usr/share/dict/words.
If your system is different, edit line 14 ("my $dictionary =
...") so that it points to the correct place. If for some reason
your system does not have a functioning dictionary file, I suggest
you contact your vendor. Foreign language dictionaries have not been
tested with this script, but I anticipate no reason why they would
not work.
Once you have pointed easypass.pl in the right direction, copy
it to a central location, such as /usr/local/bin, and inform
your users of its presence and usage. My recommendation is to secure
it with the permissions 0755 so that it will be globally executable
by users on the system, who can then use it to create new passwords.
If you wish to impose a certain password policy upon your users,
you can write a shell script that calls easypass.pl with only the
arguments that you specify. Due to the nature of the script, there
is little reason not to make it available to your users as a general
purpose tool; the only file read is /usr/dict/words, and
the script does not have to be executed by a trusted user --
all users can use it without fear of causing any damage.
Execution
When executed without any options, easypass.pl will return ten
passwords, each consisting solely of two random words from the dictionary
concatenated together. If the dictionary file is missing, or is not
located at /usr/dict/words, the program stops and will not run
until you update the script with the location of your dictionary
file (line 14). As discussed previously, two dictionary
words alone are not very secure; therefore, we should add some options.
The script accepts standard-style options (-h) and GNU-style
options (--help). To get a list of the options from the program
itself, run it with the help option -- either -h or --help.
The options supported by easypass.pl are:
-h, --help -- This option prints the options list,
and a brief summary of the program.
-1, --oneword -- This option will force the program
to use only one random word, as opposed to two; the default is "off"
(or, to print two words). This option should be used when passwords
have a limited effective length (such as older UNIX systems) where
only eight characters have any effect on security.
-n, --number -- Adds a random, two-digit number to
the password (the number of digits can be changed). By default,
this option is off.
-s, --special -- Prints one special character (~, !,
@, #, $, %, ^, &, *, (, ), _, -, +, or =) in the password (the
number of special characters can be changed). By default, this option
is off.
-l, --l33t -- Forces "l33t-sp34k" style passwords,
(i.e., replaces "e" with "3", "o"
with "0" (zero), "i" with "1", "a"
with "4", "t" with "7", and "s"
with "$").
-w=x, --word=x -- Forces the words chosen at random
to be of a certain character length. The default setting is five,
and can range from three to eight.
-d=x, --digit=x -- Forces the number of digits to be
a certain length. For this option to have any use, the number option
must be added (obviously). The number of digits can range from one
to eight, and the default is two.
-g=x, --slength=x -- Forces the number of special characters
to be a certain length. The default is one, and there can be up
to eight.
-p=x, --passwords=x -- Forces a certain number of passwords
to be printed. The default is ten.
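As an added illustration (not the easypass.pl source from Listing 1), the following Python re-implements the layout described under "Secure Password Theory" and the -1, -n, -s, -l, -w, -d and -g options listed above, using a small constructed word list in place of /usr/dict/words. The function names are mine; scheme_bits and effective_bits add the check a reviewer would want: the size of the search space for a cracker who knows the generator and the dictionary, and how much of it survives an eight-character truncation.

```python
import math
import secrets
# Constructed stand-in for /usr/dict/words (easypass.pl reads the real system file).
WORDS = ["troop", "boost", "river", "snow", "candle", "planet", "forest",
         "ladder", "mirror", "garden", "silver", "bridge", "falcon", "copper"]
SPECIALS = "~!@#$%^&*()_-+="              # the 15 characters the -s option draws from
L33T = str.maketrans("eoiats", "30147$")  # the -l substitutions: e 3, o 0, i 1, a 4, t 7, s $

def candidate_words(words, length):
    """Distinct words of exactly `length` letters, the subset the -w option selects from."""
    return sorted({w for w in words if len(w) == length and w.isalpha()})

def make_password(words, length=5, digits=2, specials=1,
                  one_word=False, l33t=False, rng=secrets):
    """word + number + special(s) [+ word], the layout of the sample output troop78%boost."""
    pool = candidate_words(words, length)
    if not pool:
        raise ValueError(f"dictionary has no {length}-letter words")
    parts = [rng.choice(pool),                                          # digits=0 / specials=0
             "".join(rng.choice("0123456789") for _ in range(digits)),  # mean -n / -s off
             "".join(rng.choice(SPECIALS) for _ in range(specials))]
    if not one_word:
        parts.append(rng.choice(pool))
    pw = "".join(parts)
    return pw.translate(L33T) if l33t else pw   # a fixed substitution adds no entropy

def scheme_bits(pool_size, digits=2, specials=1, one_word=False):
    """log2 of the distinct outputs: the search space for a cracker who knows the scheme."""
    combos = pool_size * 10 ** digits * len(SPECIALS) ** specials
    if not one_word:
        combos *= pool_size
    return math.log2(combos)

def effective_bits(pool_size, length=5, digits=2, specials=1, limit=8):
    """Lower bound on scheme_bits after a crypt(3)-style cut at `limit` characters:
    only components that fit entirely within the limit are counted."""
    components = [(length, pool_size), (digits, 10 ** digits),
                  (specials, len(SPECIALS) ** specials), (length, pool_size)]
    used, combos = 0, 1
    for width, choices in components:
        if used + width > limit:
            break
        used += width
        combos *= choices
    return math.log2(combos)

if __name__ == "__main__":
    n = len(candidate_words(WORDS, 6))
    print(make_password(WORDS, length=6, l33t=True),
          f"{scheme_bits(n):.1f} bits, {effective_bits(n, length=6):.1f} after an 8-character cut")
```

With a real dictionary of tens of thousands of words the two-word figure rises accordingly, but on a system that keeps only eight characters the second word contributes nothing, which is the point of the -1 option.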
I recommend using at least a two-digit number and one special
character, and possibly "l33t-sp34k" if your brain can
easily remember it. Some machines have an eight-character effective
limit, so don't get carried away and create a gargantuan password
if only the first eight characters will be used. And, most importantly,
remember that this generator is for password suggestions. If you
don't care for the passwords suggested, run it again, or simply
invent your own. I welcome any questions, comments, or additions
you might have.
Further Reading
This article is not an exhaustive attempt at creating secure passwords.
It should mainly be used for those organizations and users that
need passwords that are easy to remember, yet not susceptible to
attack. For information on implementing password security, see the
FIPS 112 document, available at:
http://www.itl.nist.gov/fipspubs/fip112.htm
For a pronounceable password tool, see FIPS 181 for the theory:
http://www.itl.nist.gov/fipspubs/fip181.htm
and
http://www.multicians.org/thvv/gpw.html
for a Java applet similar to FIPS 181. Both of these rely on creating
the password from random English syllables as opposed to words. Also,
the APG (Automatic Password Generator), written by Adel I. Mirzazhanov,
at:
http://www.adel.nursat.kz/apg/
provides random passwords in both a standalone and network version,
in accordance with RFC972 (http://www.ietf.org/rfc/rfc0972.txt).
Matt Lesko has worked as a systems administrator supporting
Solaris, AIX, Linux, and OpenBSD for the past three years. He can
be contacted at: matt@advancedatatools.com.