A Password Generator - Questions

Status
Not open for further replies.

Glenn9999

Referencing thread1117-1615821

I mentioned throwing together a password generator then, and I ended up getting one done now. The main questions I had as a result:

1) What are the rules for entering WPA-style passwords in most devices? Could you get away with any standard printable character in these devices or are there some restrictions (hex-strings, some characters not allowed)? I really don't find any good documentation on this.

2) Are there any good set rules for what makes a good "strong" password in terms of entropy? I found sites like which seem to be a good benchmark, but I really haven't found any good rules which qualify something as an "ideal strong password"...

Any suggestions?

It is not possible for anyone to acknowledge truth when their salary depends on them not doing it.
 
My understanding is that conventional wisdom on strong passwords may be flawed anyway. Simple passphrases minus the random character stuff could be better due to length. This xkcd comic is actually a good summary:
Jeff
It's never too early to begin preparing for International Talk Like a Pirate Day
"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me
 
A lot depends on scheme and exposure, I would think. The intention I had with the password generator was more for WEP/WPA though I did set an option for fewer characters. The idea being if I don't know someone is trying the network (is there a way?), how long would it last?

While the second example in the comic would work well for a limited password setup (lockout after X wrong attempts), it would fall easily to a dictionary attack if one knew common English phrases were used since there are only about 2000 or so commonly used words.

Add to that memory tends to logical experience and the order of the words comes into play (try the second link below and see how many of the phrases you can remember after 10 seconds, psychology says most only can handle 3-5 in the short term). Entropy of word phrases is low, too, since people stick to one case, so the possibilities can be limited further.

To assume 1000 guesses a sec, you'd have the password within a minute or two assuming not too many words are used. Of course the issue with many systems is that password length is highly controlled (like 8-14 characters) or only that number is taken in the first place.

Six of this, half a dozen of that, I suppose, depending on what the system is and what you are looking for. The problem as I see it is more predictability than anything else. Some reading:


 
BTW, on question #1 I located a wireless printer and found it only allowed 8 of the keyboard symbols in its config for a WPA password, so that's kind of the thing I was wondering. What is standard for hardware in this regard?

 
And regarding question #1, I just read that Linux/Unix doesn't play well with spaces in WPA passwords...so there's another rule I suppose...

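Added example (not code from any poster in this thread): a generator that stays inside the WPA passphrase limit of 8 to 63 printable ASCII characters, plus an entropy estimate for the schemes discussed above, using the thread's figures of a 2000-word list and 1000 guesses per second. The function names, the letters-and-digits alphabet and the 20-character default are assumptions, and the word-list figure only holds when the words are drawn at random rather than chosen by a person.

```python
import math
import secrets
import string

# WPA/WPA2-PSK passphrase: 8 to 63 printable ASCII characters (0x20-0x7E).
# (A raw 64-hex-digit key is the other accepted form; not generated here.)
WPA_MIN, WPA_MAX = 8, 63
# Assumption: letters and digits only, for devices that reject spaces or symbols.
SAFE_ALPHABET = string.ascii_letters + string.digits


def is_valid_wpa_passphrase(candidate):
    """True if the string meets the WPA length and character rules."""
    return (WPA_MIN <= len(candidate) <= WPA_MAX
            and all(0x20 <= ord(ch) <= 0x7E for ch in candidate))


def generate_passphrase(length=20, alphabet=SAFE_ALPHABET):
    """Draw each character independently and uniformly from the OS CSPRNG."""
    if not WPA_MIN <= length <= WPA_MAX:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    if not all(0x20 <= ord(ch) <= 0x7E for ch in alphabet):
        raise ValueError("alphabet must be printable ASCII")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices, picks):
    """Entropy of `picks` independent uniform draws from `choices` options."""
    return picks * math.log2(choices)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate; the average hit comes at half this."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(guesses_per_second=1000):
    """Rows of (label, bits, years to exhaust) for the schemes in the thread."""
    schemes = [
        ("4 random words, 2000-word list", entropy_bits(2000, 4)),
        ("8 chars, letters+digits", entropy_bits(len(SAFE_ALPHABET), 8)),
        ("20 chars, letters+digits", entropy_bits(len(SAFE_ALPHABET), 20)),
        ("63 chars, printable ASCII", entropy_bits(95, 63)),
    ]
    return [(label, bits, years_to_exhaust(bits, guesses_per_second))
            for label, bits in schemes]


if __name__ == "__main__":
    print(generate_passphrase())
    for label, bits, years in compare():
        print(f"{label:32s} {bits:6.1f} bits  {years:.3g} years")
```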
 