My last post was a light-hearted look at playing with randomness, but randomness can be a much more useful tool in many areas of computing. My favourite is Monte Carlo simulation, but I’ll save that for another article. Today we’re generating passwords, using Python on Linux to help us do so.
Thinking up unique, high-entropy passwords that are hard to guess and easy to remember is a difficult thing for people to do. From what I’ve seen, the two things tend to be inversely related. If only FqcA632yK(G^gdM6Z}Pk1xAZFYLVhE}Wy would stick in your mind after a couple of repetitions.
Here I’m introducing a couple of scripts that I’ve used occasionally over the last few years to give myself and other people some fairly sane unique passwords.
You can get them here on GitHub:
https://github.com/terzza/random-tools
The first, rand_words, is similar to an idea depicted in the XKCD Passwords Comic, generating a ‘pass phrase’ from randomly selected common words. These can be fairly easily remembered or spoken over the phone.
$ rand_words
mahoganies stamped goof 1@\
$ rand_words
franchise Slavonic Copeland 0],
$ rand_words
relishes odorous velour 58[
$ rand_words
urination cajoled escapist 945
$ rand_words
fulfilment slowdown infrared .0#
$ rand_words
Rocco submerging stilted 2&9
It uses the Linux dictionary in /usr/share/dict/words as its source of words. To set it up as a command in your path so that you can use it anywhere, you might want to symlink it with something like:
$ sudo ln -s /path/to/your/directory/rand_words \
/usr/local/bin/rand_words
There are a few optional arguments to the script to fine-tune your password generation.
They come in the form:
$ rand_words \
    "$NUMBER_OF_WORDS" \
    "$LENGTH_OF_SUFFIX_SALT" \
    "$MAX_LENGTH_OF_EACH_WORD"
Play around and see what suits you best.
$ rand_words 4 10 4
Joy rage dopy Sims 8@174127*[
$ rand_words 4 0 6
toots plinth shuts cheep
$ rand_words 6 5 3
leg Tex hex met out Fr |00~6
If you’re running Windows or an OS without an easily available dictionary to use, there are many freely available options on the web e.g.
http://www.cs.duke.edu/~ola/ap/linuxwords
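An added sketch, not the code from the repository linked above, of how a generator taking the same three arguments can draw from the operating system's CSPRNG through Python's secrets module and report how many bits of entropy each setting gives. The function names, the default values, the digits-plus-punctuation suffix alphabet, the alphabetic-only word filter and the embedded word list are assumptions made for this example.

```python
import math
import secrets
import string

# Assumption: the suffix is drawn from digits and punctuation, as the sample output suggests.
SUFFIX_ALPHABET = string.digits + string.punctuation

# Constructed sample list so the example runs without /usr/share/dict/words.
SAMPLE_WORDS = ["leg", "hex", "met", "out", "rage", "dopy", "toots", "plinth",
                "shuts", "cheep", "goof", "velour", "stilted", "infrared",
                "franchise", "slowdown", "Rocco's", "Joy"]


def filter_words(words, max_len):
    """Deduplicate; keep alphabetic words up to max_len (filter rule is an assumption)."""
    return sorted({w for w in words if w.isalpha() and len(w) <= max_len})


def rand_phrase(words, n_words=3, suffix_len=3, max_len=10):
    """Build a passphrase with the OS CSPRNG (secrets), not the random module."""
    pool = filter_words(words, max_len)
    if not pool:
        raise ValueError("no words satisfy max_len")
    parts = [secrets.choice(pool) for _ in range(n_words)]
    suffix = "".join(secrets.choice(SUFFIX_ALPHABET) for _ in range(suffix_len))
    return " ".join(parts + [suffix]) if suffix else " ".join(parts)


def entropy_bits(words, n_words=3, suffix_len=3, max_len=10):
    """Entropy of the scheme when the attacker knows the word list and the arguments."""
    pool = filter_words(words, max_len)
    if not pool:
        raise ValueError("no words satisfy max_len")
    # A smaller max_len shrinks the pool, so each word contributes fewer bits.
    return n_words * math.log2(len(pool)) + suffix_len * math.log2(len(SUFFIX_ALPHABET))


if __name__ == "__main__":
    try:
        with open("/usr/share/dict/words") as fh:
            words = fh.read().split()
    except OSError:
        words = SAMPLE_WORDS  # fall back to the constructed list
    for args in [(3, 3, 10), (4, 10, 4), (4, 0, 6), (6, 5, 3)]:
        print(f"{args}: {entropy_bits(words, *args):5.1f} bits  {rand_phrase(words, *args)}")
```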
rand_words does the job, but occasionally you’ll be faced with software or services enforcing daft password requirements / restrictions like “Your password must be less than 10 characters”. For these situations rand_chars helps you generate a bunch of random printable characters that you can select your password from:
$ rand_chars 10 50
g10w1%v+kXnxw[ZA}mTY?yDe{AEa6uzO29Rcdx7vZ=VRb\5AIm
Ka8kOFPRCNYszoV:_OM7^m6"3Ahv9[SIwD{hXkfpTixQTqvrMi
3R13ur6qGL35(QIIm9`7uygw%Qq22pib74n7M-21N1lqY\x9tb
KnvJVwUGz3OJR.oT7VtFDtoOk45gO&8mHCujcvS6Mqji&`9G96
xSdHlZIGcwzxruZk20Lx$s{xqtaw0uvBYPx/XKKESffz0aR}b_
kB:4dT1z9I3p2ZTQ(Rp8z22onhrU3oJNZsBCX7vW92olvS]Sq5
OTFMtc\jpbJoY2aBcdHhU%hF7J?iDEYS9buD2/b1dIcop6!w74
96rTdW$Gfa0Fte2aZx6cFD9Z@6oOifyBbnrqzAy87z_5yVIxLe
J+d0fGHQmgjBTXN24@ZV6X4zah"PIYf0lL9e2uD513WG-ypFgw
Ws51WvYY2d413OW3nlMNpY\spwjA7DKIXZq*vVF3Pv|B:4VKMP
The first argument is the number of lines to generate and the second is the length of each line. The script defaults to 10 lines, each 80 characters long.
You may find it useful to symlink rand_chars, as we did before with rand_words.
I think Randall Munroe’s quote says it best:
“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”
Let’s stop using (and re-using) crappy passwords and start trying to do simple security better. It’s a Wild West out there on the Web and the Internet, so make sure you don’t become easy prey to the highwaymen.