Random 64 character string


pwgen is a handy package on most Linux variants... for example

$ pwgen 64
viw8shawaihaiwif1aireequio7ailairi9mietou4tae2uow4ei5aifoveochuV
cait8chi2iruecie3bileeraithe0soehahng5DeeMie6phai0Eixoox7xohsup1
eitho2Goo1ahSh6Shaiphi0pa0dao0Roothie4Loun4iin3eeb4eerio8ieBah3o
Eb8Xouteu2eeG7fagho1saeVooz5ooqu1egh8ariig1oi6aiGha5chah1ebue8re
ka3Zogh3deeLo0jahvoh8uezei8Oo0ooShoo0aoquae6ma0uphahthoceph9Oil9
 
https://www.grc.com/passwords.htm - this site makes it pretty handy

Actually, if you take a peek around at Steve's site, you'll see that he's into "password haystacks" now. While 64-character randomly-generated passwords are highly secure, they're also nearly impossible to use in a practical fashion.

"Padded" passwords are, in most cases, more secure and infinitely easier to remember (and thus use).

https://www.grc.com/haystack.htm

I used to use 32-character (lower + upper + number + special) random PSKs for wireless and if I wanted to add a new device or similar, I had to open my password manager on my PC or phone and slowly do a stare-and-compare.

I now use 32-character "word combos" (lower + upper case), padded with numbers and specials. I can remember them verbatim and input them into any device at any time. And according to the haystack calculator, they're every bit as secure.

For example, here's a couple of 28-character examples that are completely equal in terms of brute force protection:

t9]$xoJNV^:tBnFp8''R'\2%p:tF
B.B.King.*.RIP2015.*.DaBlues
 
dd if=/dev/urandom bs=1 count=64 2>/dev/null | base64 | cut -c -64


If you are on a Unix-based OS, /dev/urandom gives you many options.

There is also the 'openssl rand' command, but it is not found everywhere.
 
On some platforms, one might run into issues with some characters - depends on where those characters show up, and how the backend uses them...

I tend to stay away from certain ones... like the list below (and why) - the passwd entry should parse and ensure that characters that could put the platform at risk are not allowed...

; Command separator
& Background execution
( ) Command grouping
| Pipe
* ? [ ] ~ Filename metacharacters
{ } String expansion characters. Usually don't require quoting.
> < & ! Redirection symbols
! ^ History substitution, quick substitution
" ' \ Using in quoting other characters
$ Variable substitution
newline space tab Word separators
 
I do not buy that last comment. "King", "2015", and "Blues" would be on any word-list, dropping entropy way below the truly random character string.


Let's say a 10,000 word wordlist has those 3 words.
10,000 ^ 3 = 1e12 possibilities using 13 characters
vs
13 random alphanum chrs
~64 ^ 13 = 3e23 possibilities using 13 characters

Random wins by a land-slide.

Disclaimer: I doesn't math.
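The two things this thread keeps circling back to, generating a random string while avoiding the shell metacharacters listed earlier and comparing the search space of a few dictionary words against the same number of random characters, can be checked in a few lines. This is an added example, not code from the thread or from pwgen; it uses Python's secrets module instead of pwgen or /dev/urandom piping, and the 10,000-word / 64-symbol figures are the ones quoted in the post above.

```python
import math
import secrets
import string

# Characters the thread's list flags as risky in shells (separators, grouping,
# globbing, expansion, redirection, history, quoting, variables, whitespace).
SHELL_METACHARS = set(';&()|*?[]~{}<>!^"\'\\$ \t\n')


def password_alphabet(exclude=SHELL_METACHARS):
    """Printable ASCII minus the characters that misbehave in a shell."""
    return "".join(c for c in string.printable
                   if c.isprintable() and c not in exclude)


def random_password(length=64, alphabet=None):
    """Draw each character from the OS CSPRNG via secrets.choice."""
    alphabet = alphabet or password_alphabet()
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_chars_space(length, alphabet_size):
    """Search space of `length` symbols drawn from an alphabet of that size."""
    return alphabet_size ** length


def wordlist_space(words, wordlist_size):
    """Search space when the attacker guesses whole words from a list."""
    return wordlist_size ** words


def entropy_bits(search_space):
    return math.log2(search_space)


if __name__ == "__main__":
    pw = random_password(64)
    print(pw)
    print(f"alphabet size {len(password_alphabet())}, "
          f"~{entropy_bits(random_chars_space(64, len(password_alphabet()))):.0f} bits")
    # The thread's comparison: King + 2015 + Blues (13 chars) as three picks
    # from a 10,000-word list, versus 13 characters from a 64-symbol alphabet.
    print(f"3 words from 10k list: {entropy_bits(wordlist_space(3, 10_000)):.1f} bits")
    print(f"13 random of 64 symbols: {entropy_bits(random_chars_space(13, 64)):.1f} bits")
```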
 
Yeash, but as soon as one changes King to K1ng, 2015 to 2oI5, and 8lu3s, then rainbow tables go out the window... and we get the entropy back

;)
 
Kinda, pass crackers are aware of all these tricks, meaning it is still just a word with a changed letter or a l33t speak permutation.


The haystack thing does not consider the human element at all. Brute-forcing every character is the last resort and best-case scenario for the password's chances.

We need something better than passwords already... not CAPTCHAS, lol. :(
 
Dictionary attacks use predetermined word lengths. A dictionary attack can find "dog" and "d0g" but it won't find dog* because it's not a 3-letter word.

A dictionary attack would never break the B.B. King password above because even though those individual words exist in every dictionary, the likelihood of them appearing together, in that exact order, with all the padded characters, in a pre-compiled attack dictionary is virtually nil. Furthermore, keep in mind that what I have there is only an example. You can do character replacement and other things to make them more complex (even though that's really unnecessary).
At that point, the attacker is forced to the last resort, brute force. And at that point then, the random password is no more secure than the B.B. King password because it's all about possible mathematical combinations.

If you didn't already, you should check out the article. Entropy isn't the be-all-end-all they once thought it to be.
 
> The haystack thing does not consider the human element at all. Brute-forcing every character is the last resort and best-case scenario for the password's chances.

Actually that's precisely what it does.
 
I think you are mistaken about how dictionary attacks gain efficiency over per-character brute-forcing. If your pass includes words, or any grouping, you lose entropy. Multi-word passwords are cracked just like single-word or multi-character passwords.

http://en.m.wikipedia.org/wiki/Password_strength#Examples_of_weak_passwords

As with any security measure, passwords vary in effectiveness (i.e., strength); some are weaker than others. For example, the difference in weakness between a dictionary word and a word with obfuscation (i.e., letters in the password are substituted by, say, numbers — a common approach) may cost a password cracking device a few more seconds; this adds little strength.
 
Well.. I don't think any of us are NSA grade cryptologists...

I still like pwgen - it makes passwords of any length that are reasonably secure...
 
Passwords are annoying even when you do not care about security, even more annoying when you realize how tough it will be to remember "secure" passwords, but passwords are most annoying when you struggle to memorize secure passwords that are not actually secure.

Been there, done that. :)
 
I think we've beaten this horse down - we've answered the OP's questions with a number of alternatives...

:D

sfx
 
Continue beating the horse if you think someone will gain from it. Nothing wrong with hurting a few egos (mine included) to hinder the spread of misinformation. The topic of password security seems apt in the thread, perhaps even the more important topic.

Humans suck at recognizing random. We need patterns. Humans are insecure, lol. ;)
 
> I think you are mistaken about how dictionary attacks gain efficiency over per-character brute-forcing. If your pass includes words, or any grouping, you lose entropy. Multi-word passwords are cracked just like single-word or multi-character passwords.

Multi-word passwords padded with special characters are not multi-word passwords. I can assure you that Steve Gibson's research on haystacks has been verified. There's a HUGE difference, when it comes to dictionary attacks, between "weakpassword" and "weak#password".

> Humans suck at recognizing random. We need patterns. Humans are insecure, lol. ;)

TRUTH :confused:
 
> Multi-word passwords padded with special characters are not multi-word passwords. I can assure you that Steve Gibson's research on haystacks has been verified. There's a HUGE difference, when it comes to dictionary attacks, between "weakpassword" and "weak#password".

But both are poor choices since they include dictionary words.

Personally, I remember just 1 super-ultra-mega, takes-a-while-to-type password that unlocks my database of truly random character passwords.
 