151 Comments
- griz, on 10/12/2007, -0/+64...and if someone wants your password they can just beat it out of you by repeatedly applying your face to your keyboard.
- frank3000, on 10/12/2007, -4/+67to make the most secure passwords possible:
1. smash face against keyboard
2. repeat
- Weaselboy, on 10/12/2007, -2/+35 Steve Gibson has mentioned this on the Security Now podcast several times. Good, random WPA/WEP password generator.
- speedmaster, on 10/12/2007, -3/+33These would be great on a Post-It note on my monitor! ;-)
- rhnet, on 10/12/2007, -2/+28Except, the face has certain patterns...
- ochito, on 10/12/2007, -1/+25No need to recall it if you're going to use it for WPA. Generate, copy, paste on both ends, and you're done. You'll never have to use it again. These are not general purpose, web e-mail kind of passwords.
- ihatebillg, on 10/12/2007, -2/+16 save it in a text file on an old keychain drive that you keep in your or your boss's safe
- deut, on 10/12/2007, -1/+14You know, there is a new law in the UK that now requires you to hand over your passwords if the police have reasonable grounds for suspicion. Failure to do so can result in five years imprisonment.
- scrubadub, on 10/12/2007, -1/+10 Quick and useful, and Steve did it right with an https page, although if you are really worried about the randomness of your passwords it's best to cat /dev/random. This way you can provide your own entropy and you're not relying on someone else's code.
http://en.wikipedia.org/wiki//dev/random
- AF-Geek, on 10/12/2007, -6/+14 Steve Gibson and GRC have some of the BEST utilities available (free and purchased).
Try his ShieldsUp service (free scan).
I also bought his SpinRite6 disk maint/recovery software - WELL worth the money!
Get ready to be Dugg, Steve!
- kakapu4u, on 10/12/2007, -1/+9 @deut,
I use shapes for my passwords. T shape, L shape, O shape all on the keyboard like "werd8IKL" because it's like a T shape with the left hand, then an L shape with the right hand.
Because I do it with shapes, I just memorize the starting points. Then I can honestly say I don't know my password. I can type it, but I don't know what it is. I just know where my fingers go. If you asked me what my password is, I would have an idea where to start but not the whole thing. Pretty cool if you change it every 6 months so you stay ahead of your memory.
- coolbru, on 10/12/2007, -0/+8 And to add insult to injury, it's about the first instance in which you have to prove your innocence, as it's required that you prove that you DON'T have the required passwords. Someone suggested, as a little thought experiment, that you email encrypted illegal imagery to the home secretary, then report him for possession of said images. In refusing to decrypt the images, he is guilty under this law. Great huh?
- jeriqo, on 10/12/2007, -2/+10Paranoia.
Come on, no one cares about your passwords.
Get a life.
- nofelix, on 10/12/2007, -1/+9 This is not for generating a password for your furry forum account, it's for things like WEP where you only need to use the password a few times.
- SoberEmu, on 10/12/2007, -0/+8@deut
That's why TrueCrypt is so good. When you use it, it provides plausible deniability by making the cipher text look like random data. Or you can hide one truecrypt volume inside of another. So they cannot prove that you have encrypted data on your machine. At least that's the theory; I don't think there's been any court rulings to show if that defense works or not.
http://www.truecrypt.org/user-guide/?s=plausible-deniability
- marnaq, on 10/12/2007, -3/+10 Rule #1:
Decide your passwords by yourself. Never let an UNTRUSTED application (I.E. THIS PAGE) do it for you. What if it logs the password? It'd be a weak link for sure.
- systemghost, on 10/12/2007, -2/+9 Um, it redirects you to https with a VeriSign RC4 128-bit SSL certificate. You should actually try clicking the link next time.
- FriscoTony, on 10/12/2007, -2/+8Here's another thought... isn't it a bit silly to be getting your passwords from someone else (who can log your IP and potentially learn more about you). To tout that this password is "just for you" when it came from a third party is a bit absurd.
- titlesaysitall, on 10/12/2007, -0/+6 That's like saying don't lock up your house and put a sign on the door that says open, come on in.
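Several commenters above (scrubadub with cat /dev/random, marnaq, FriscoTony) make the same point: the passphrase should be generated on your own machine, not fetched from a third party. The following is an added example of doing exactly that; it is not code from GRC's page or from Steve Gibson. It uses only the Python standard library: `secrets` draws from the operating system's CSPRNG, and the 256-bit WPA pre-shared key is derived with PBKDF2-HMAC-SHA1 over the SSID (4096 iterations, 32 bytes), which is the derivation WPA-PSK specifies, so the output can be pasted as a hex `psk=` line into wpa_supplicant instead of being retyped on each device. The SSID `homenet` and the choice to leave space, quotes and backslash out of the alphabet are assumptions made for this example.

```python
"""Generate a WPA/WPA2 passphrase locally and derive its PSK.

Added example for this thread, not code from GRC's page. Everything runs
offline: `secrets` reads the OS CSPRNG (/dev/urandom on Linux), and the
PSK derivation is the one WPA-PSK specifies (IEEE 802.11i):
    PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)
"""
import hashlib
import math
import secrets
import string

# WPA passphrases are 8-63 characters of printable ASCII (0x20-0x7E).
# Space, quotes and backslash are legal but awkward to paste into router
# UIs and config files, so this example leaves them out (an assumption).
PASSPHRASE_ALPHABET = "".join(
    c for c in string.printable
    if 0x21 <= ord(c) <= 0x7E and c not in "\"'\\"
)


def generate_passphrase(length: int = 63, alphabet: str = PASSPHRASE_ALPHABET) -> str:
    """Return a uniformly random passphrase of `length` characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases must be 8-63 characters")
    # secrets.choice picks uniformly; no modulo bias as with rand() % n.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK from passphrase and SSID as WPA-PSK specifies."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8-63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def wpa_supplicant_block(ssid: str, passphrase: str) -> str:
    """Format a wpa_supplicant network stanza carrying the derived PSK as hex."""
    psk_hex = wpa_psk(passphrase, ssid).hex()
    return (
        "network={\n"
        f'\tssid="{ssid}"\n'
        f"\tpsk={psk_hex}\n"
        "}\n"
    )


if __name__ == "__main__":
    ssid = "homenet"  # constructed sample SSID for the example
    passphrase = generate_passphrase()
    print("passphrase:", passphrase)
    print("entropy   : %.1f bits" % entropy_bits(len(passphrase), len(PASSPHRASE_ALPHABET)))
    print(wpa_supplicant_block(ssid, passphrase))
```

`wpa_psk("password", "IEEE")` reproduces the published IEEE 802.11i Annex H test vector (f42c6fc5...a12e), which is a quick way to confirm a local implementation matches what the access point will compute. It also shows why the page's 64-hex line and 63-character line are different things: the hex form is a raw 256-bit PSK that skips PBKDF2 entirely, while a passphrase of any length yields at most 256 bits of key, so the entropy a 63-character string carries beyond 256 bits buys nothing against an attacker who targets the PSK directly.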
- loyd, on 10/12/2007, -1/+7@kakapu4u
What happens if you are not using a QWERTY keyboard? Those shapes aren't going to work very well!
- cogsprocket, on 10/12/2007, -3/+9 @ihatebillg
I do the same. For most passwords I don't bother with this sort of thing but for things I really want to be secure I use 512 bit random passwords. Why is remembering them so important? Sure an 8 character password is easily remembered but even if it's randomly generated 64 bits is easily brute force attacked.
What is an even better method, however, is to use a utility like True-crypt to encrypt a single file containing all passwords (no logins) and memorize the order in which they are stored or use a cryptic method for marking their relevance. True-crypt's password protection then turns your thumb drive into a form of digital wallet and if you use a good pseudo-random pass phrase of 128 bits or more you can be fairly confident that your data is adequately protected and you don't need to memorize a bunch of long passwords.
Moreover, IQ70, the ability to memorize a password is not a requisite requirement. The truly security conscious are aware that if it can be memorized it's a liability. If you generate a password yourself then it's a pretty safe assumption that that password can be guessed. Truly secure passwords are not easily memorized or guessed, that's what makes them strong.
While it's not a convenient method and somewhat impractical it is secure and that's the importance of this password generator. Not that it generates passwords for the average end-user to use for their Windows login. Joe User isn't interested in that. For instances when security is top priority, no you don't need to remember the password.
- jamesivie, on 10/12/2007, -2/+7 While there are HTTPS iframes and images on the page, if you use a web spy tool, you will see that the passwords themselves are transmitted in the clear. The response to the original page is as follows:
HTTP/1.1 200 OK
Date: Mon, 31 Jul 2006 13:55:58 GMT
Connection: close
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-control: no-cache
Pragma: no-cache
...
64 random hexadecimal characters (0-9 and A-F):350CDBFDDD91CBFDE453567F8019DCE0913A2FE79F7096C8C235AE59E1B29790
63 random printable ASCII characters:xMGD+&t.,>a>{.u66I`DCovdO~Wftgo%8f"Hybit$i}[jd#RLoj%y^|jThMLg[E
63 random alpha-numeric characters (a-z, A-Z, 0-9):ecTdduDDYputT9PzTNcAOz0LrSShCXTYDa4BKRNaolzVsrHedGL5yR2CPs4FXuF
...
Not only that, but as another poster pointed out, the passwords are generated on the SERVER with your IP address as a known destination. Go ahead, use those passwords. Just don't complain when your network gets hacked by someone who somehow knew the "most secure password".
- doolittle, on 10/18/2007, -1/+6 ugghh!
How about don't lock down your wifi, run it in standalone access point mode (on a dedicated, firewalled interface) and only allow ssh tunnels or OpenVPN...
- foolfromhell, on 10/12/2007, -0/+5 I think what loyd means is if you are using a computer that uses Dvorak, and your password is set to QWERTY. Well, how many public places use Dvorak? I'm sure 99.99% of public places use QWERTY.
- rcook, on 10/12/2007, -3/+7 1. It doesn't use rand. He is using commercial RSA entropy generation from multiple sources.
2. Don't use the pages as is. Refresh several times taking a piece from each page. When you have the desired length, shuffle the passwords further locally using cut'n'paste.
Secure, even for the paranoid.
- nahteecirp, on 10/12/2007, -2/+6 Since it is an ULTRA HIGH security password generator, it has to be good ;). Seriously though, I've always had good experiences with GRC products, so I would bet that this program also does its proclaimed job and does it well.
- tdyer, on 10/12/2007, -2/+6ughhh...
how often do you really need to enter a wpa passkey? once? save it in a text file, you have wpa on, nobody is going to get it. burn it to a cd or a jumpdrive and put it on manually to a visitor's cpu. the whole idea is to keep the bad guys out, and the bad guys aren't going to guess one of those. and yeah...i guess if you are able to come into my apartment and take a look at my cpu you would be able to steal my info, but then again it would be just as easy to steal my cpu and have the data without hacking...so what's the point?
- cyclo, on 10/12/2007, -0/+4 @PJBonoVox: You will most likely not succeed if your neighbor is using WPA / TKIP... TKIP rehashes passwords periodically so even if you manage to use brute force to crack it (which will take a long time with 63 random characters), it has already changed by the time you apply it to your neighbors WiFi.
- cyclo, on 10/12/2007, -0/+4@niiru: RTFA, these 63 character length passwords are meant to be used for WPA to secure WiFi. Generate the password, copy and paste it into a textfile using notepad, copy the textfile into a diskette or thumbdrive and apply this to all your WPA enabled devices at home. When everything is securely connected, delete the textfile.
No need to memorize the password because you only need to enter it once in all WPA enabled devices. This is because WPA / TKIP is supposedly uncrackable if you use sufficiently long and random characters. It can only be cracked (as of now) by using brute force dictionary attack technique which is thwarted by using long and random characters.
If you need to reconfigure your WPA again, just generate a new password and repeat the process.
- Ikioi, on 10/12/2007, -0/+4 Heh, well, while I agree its not hard to make a seemingly unguessable password... I hate to point out the flaw, the human brain isn't random. Every one of your passwords has a 9 and a 3 in it. You also heavily use the e (probably from typing repetition), and you used 8 and h/H in 3 of 4. You also used h twice in one, u twice in the next, r twice in the next, and e twice in the last. And, your first three start out letter-number-letter (probably because it looks pleasing to the eye as "mixed up").
Patterns are everywhere. Entropy is a real b*tch to truly achieve.
- CopyNinja, on 10/12/2007, -4/+8 Yeah definitely Spinrite=godly software and Gibson in my opinion is a genius. I love Security Now and already knew about this password gen, but dugg anyway. He's probably gonna talk about this on the next SN.
- deut, on 10/12/2007, -0/+3@kakapu4u
I have been using the pattern approach for years but not because I want to forget it but because it is easier to remember a pattern and it is darn quick to type in as well.
(For those who don't understand what I mean, a simple example "qazxc", draws an "L" on the left hand side of the keyboard.)
- deadzone, on 10/12/2007, -0/+3 http://keepass.sourceforge.net
http://www.truecrypt.org
KeePass does the same thing without requiring internet access AND can store them in encrypted format for additional security. Combined with TrueCrypt I wonder what you'd want to use that webpage for.
- gorkish, on 10/12/2007, -1/+4 This boils down to the fact that you have to trust his end not to keep that around or feed it to a big federal database or something. You have to keep in mind that your own computer has the ability to generate passwords of equivalent cryptographic strength without batting an eye (after all it did just to retrieve his webpage). Steve Gibson is a very good marketer and an incredibly underwhelming computer security person.
- upsilonh24, on 10/12/2007, -3/+6 //////////////Did he mention on his podcast how this random password cannot be remembered by any normal human? Isn't it at least important that a password have a basis in recall?////////////////
He did mention it was the particular reason it was secure. If a password is too complex to be remembered, it'll probably be harder to crack. Besides... nothing prevents you from writing it down and keeping it secretly in your wallet. If you lose your wallet, just change the password. At least you'll know it has been compromised.
- jswaby, on 10/12/2007, -4/+7 I've been using this password generator for about a year now. I'm surprised it's just now being posted on digg.
Gibson is the man.
- akkuma, on 10/12/2007, -1/+4 My own personal way to create pretty secure passwords is through the use of 1337 speak with a sentence. You get the benefit of using all possible characters and something you can actually remember.
- coolbru, on 10/12/2007, -2/+5That fooled me too - the 1 minute is the time until you have to FINISH your edit, not start it. I think that the edit time should be suspended while you're actually editing.
- senfo, on 10/12/2007, -2/+5You're wrong. The link was to a http page (non-secure); however, the GRC web server redirects visitors to the https page (secure).
- jedi6, on 10/12/2007, -0/+2Does anyone know how the security differs from "KeePass Password Safe"? I have used that program for quite a while and love how it manages all my passwords, but I want to make sure they are as secure as using grc's password generator.
- innate, on 10/12/2007, -0/+2@IQ70: for passwords you can remember, but which are still reasonably secure, try APG online: http://www.adel.nursat.kz/apg/online/index.php
Of course, APG online can generate the same type of long random passwords as Steve Gibson's web site, except that APG is open source, its method for generating passwords is well-documented, and you can run it on your own computer or over the web.
- setfree, on 10/12/2007, -3/+5 Those questionable criticisms seem very small when compared to the amount of good Steve has done for the security community. He gives his time every week to the free 'Security Now' podcast, educating many people about security issues. He has released many freeware security applications. And he seems to have a genuine concern for computing safety.
- Ikioi, on 10/12/2007, -0/+2Well, if you are "anal" enough to try to get a truly random Wifi password, then yeah, this isn't good enough.
Nobody is saying it doesn't make good passwords (but nobody can prove it is, either), but what most are saying is pretty simple. Don't get passwords from strangers, ever, period. No feature he has is even remotely special to warrant breaking that security commandment.
As Benjamin Franklin said (paraphrasing), three people can keep a secret, if two of them are dead. Even old Ben knew good password security. :)
- Ikioi, on 10/12/2007, -0/+2 Nothing on his page says RSA, nor anything spectacular about his random number generator. Read my comment below. His characterization of his PRNG is the same used to describe the PRNG in Linux (which uses it to do some real crypto operations, like SSL servers for banks, so it's by no means unfit for crypto).
From his page: "Electrical and mechanical noise found in chaotic physical systems can be tapped and used as a source of true randomness, but this is much more than is needed for our purposes here. High quality algorithms are sufficient."
At least if he did that, he'd have a claim to better randomness. As far as I'm concerned, he's sweet talking his way around /dev/random or /dev/urandom, using as many big words as he can to make it sound good, market his page and himself, and dupe others into giving him free press on Digg.
- inactive, on 10/12/2007, -0/+2 hey, it's not meant to be "perfect"; just ultra high ;)
- inactive, on 10/12/2007, -0/+2@cyclo
Nah, I mean letting people connect to _my_ open access point and watching their behaviour :)
- acceptab1euname, on 10/12/2007, -0/+2 @SoberEmu: Most folks tend to have beef with the way Gibson presents his "findings", in that they're sensationalized ad absurdum and generally contain more PR than reality.
- carniv0re, on 10/12/2007, -1/+3Personally, I just use this one: http://www.winguides.com/security/password.php
Much more customizable
- senfo, on 10/12/2007, -0/+2 You'll get an untrusted certificate to say you're microsoft.com, but you won't get somebody like Verisign to do it.
- YourTechSupport, on 10/12/2007, -1/+3I was about to say that too. Whenever I need a quick and dirty password (that I'll have to note down) I fire up this baby. Then I use LockNote to store the passwords in case I actually need them later.