Web Hosting Talk







View Full Version : Where do you get your passwords from?


xperience
01-06-2004, 02:32 PM
I'm talking root password, etc - really important ones.

I'm guessing online password generators are bad as they could be hacked.

I found this that looks quite good:

http://www.transdig.com/products/pcp/pcp.cfm

Opinions/suggestions/etc gratefully received.

Simon

WCHost
01-06-2004, 03:26 PM
I still remember I once had my password as ISO9001

lolz! Well remember, mixture of numbers and letters will be the best best best!

some in the front..some as the end....don't use generator!

edomaz
01-06-2004, 03:30 PM
On Windows a neat trick is to include Alt+keypad number characters. Try hacking THAT password with any brute force generator out there. I have never seen one that takes into account characters that cannot be produced on a standard keyboard. Plus it makes it almost impossible to shoulder surf.

xperience
01-06-2004, 04:08 PM
Originally posted by WCHost
don't use generator!

Why not? Surely if the generator is on my local computer there can't be a problem?

Simon

HostMonger
01-06-2004, 04:19 PM
I don't see any reason you couldn't use a generator. As long as the password being created wasn't simple, and someone couldn't turn to the generator to retrieve the password.

Personally I just make something up like

br9F47gH

and for some reason or another manage to be able to remember it.

Hostmonger

NE-Andy
01-06-2004, 04:38 PM
slamming head on keyboard; then add random capitalization and semi colons... That works pretty good... until you hurt your head and forget it that is...

xperience
01-06-2004, 05:01 PM
Originally posted by Alfarin
slamming head on keyboard; then add random capitalization and semi colons... That works pretty good... until you hurt your head and forget it that is...


Brilliant! The best answer yet :)

Simon

Nedani
01-06-2004, 08:57 PM
echo `head -c 100 /dev/random|encode-base64|head -c 20`

20 chars password. Random enough?

echo and head used for cosmetic reasons.

:)
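
[Added example, not part of Nedani's post or of the original thread.] A local generator along the lines of the one-liner above, with hypothetical function names. It assumes coreutils `base64` in place of `encode-base64` and reads `/dev/urandom` so the read does not block.

```shell
#!/bin/sh
# Added example: local password generation from the kernel CSPRNG.
# Function names are hypothetical; `base64` (coreutils) is an assumed
# stand-in for the `encode-base64` helper used in the post.

# 20 base64 characters carry 20 * 6 = 120 bits, which is exactly 15 bytes,
# so 15 bytes are read and nothing is thrown away or padded with '='.
gen_password_b64() {
    head -c 15 /dev/urandom | base64 | tr -d '\n'
}

# Alphanumeric variant for systems that reject '+' and '/'. tr discards
# every byte outside the alphabet, so each kept character is uniformly
# distributed (no modulo bias). LC_ALL=C makes tr treat input as raw bytes.
gen_password() {
    len=${1:-20}
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
}

# Entropy in bits of LEN characters drawn uniformly from ALPHABET_SIZE symbols.
entropy_bits() {
    LC_ALL=C awk -v n="$1" -v k="$2" 'BEGIN { printf "%.1f\n", n * log(k) / log(2) }'
}

printf 'base64 (%s bits): %s\n' "$(entropy_bits 20 64)" "$(gen_password_b64)"
printf 'alnum  (%s bits): %s\n' "$(entropy_bits 20 62)" "$(gen_password 20)"
```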

blockcipher
01-06-2004, 09:02 PM
I use a little program called Password Administrator, this also has a password generator in it.

Steven
01-06-2004, 09:06 PM
I use a PHP function I created

cperciva
01-06-2004, 09:26 PM
I flip coins, and encode the result in base64.

H-U.net
01-06-2004, 10:39 PM
You're all making this far too difficult:

All our passwords are simply "password".

While I'm here can anyone help me understand why our servers keep getting hacked :D

Kevin

thedavid
01-06-2004, 10:41 PM
Originally posted by cperciva
I flip coins, and encode the result in base64.

Hah! I love it...

I have 3 categories of passwords:

1) Root pw's, billing pw's and the like.. For these I smack random keys and alternate caps and lowercase, with numbers scattered around until it's long enough. They change on a regular basis... These go into my palm so I don't lock myself out, which is password protected with a password of the next type:
2) Shorter passwords that I can remember, with numbers in them. Often use acronyms that I make up from sentences for these. These are for the less important things (personal email accounts and the like) or things that require direct access (palm, et al)
3) garbage passwords for sites that *insist* on a login, but I really don't care if anyone breaks into. Like nytimes.com, for example...

So the secret to getting root from me is to mug me, steal my palm, crack the easier password on there, and figure out which box goes to which pw... :)

Which reminds me, it's about time to change the #1's..

thedavid
01-06-2004, 10:45 PM
Originally posted by H-U.net
You're all making this far too difficult:

All our passwords are simply "password"

Maybe you should change it to 12345...

"The combination is 1 - 2 - 3 - 4 - 5. That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!"

:D

blockcipher
01-07-2004, 01:46 AM
I LOVE that movie hahaha good one thedavid :)

qm8309
01-07-2004, 02:18 AM
Originally posted by thedavid
Hah! I love it...

I have 3 categories of passwords:

1) Root pw's, billing pw's and the like.. For these I smack random keys and alternate caps and lowercase, with numbers scattered around until it's long enough. They change on a regular basis... These go into my palm so I don't lock myself out, which is password protected with a password of the next type:
2) Shorter passwords that I can remember, with numbers in them. Often use acronyms that I make up from sentences for these. These are for the less important things (personal email accounts and the like) or things that require direct access (palm, et al)
3) garbage passwords for sites that *insist* on a login, but I really don't care if anyone breaks into. Like nytimes.com, for example...

So the secret to getting root from me is to mug me, steal my palm, crack the easier password on there, and figure out which box goes to which pw... :)

Which reminds me, it's about time to change the #1's..

hmmm aren't u screwed if one day u forget ur level 2) password? or ur palm goes down due to hardware failure... :D

thedavid
01-07-2004, 02:27 AM
Nah, I generally tend to remember the level 2's :) After a while, the level 1's I type in I generally start remembering.

Hardware failure I haven't had to deal with yet - we'll see how that works out - it's been a lil workhorse so far though...

-David

xperience
01-07-2004, 04:02 PM
Originally posted by Nedani
echo `head -c 100 /dev/random|encode-base64|head -c 20`

Ooooh - I like this! Is there a length limit on unix passwords?

Simon

xAngelx
01-08-2004, 12:27 AM
Heh, my basement floor is painted up like a keyboard. Whenever we need a new pass for something we take a dancing monkey down there, crank up some tunes and write down the letters/numbers he steps on.

Nobody has cracked one yet :)

mikeh80
01-08-2004, 04:31 AM
http://www.romanlab.com/apw/

MGCJerry
01-08-2004, 04:51 AM
My passwords are randomly generated by writing down the first letter/number/symbol that comes to mind, and once I have something *at least* 10 digits long, I use it.

Slidey
01-08-2004, 05:08 AM
we generally use something like this:

http://www.winguides.com/security/password.php

cd-mchase
01-09-2004, 12:39 PM
I use the old-fashioned method of putting on a helmet and slamming my head on the keyboard, then enabling sticky keys and doing it again until I've got a 14 character long password that doesn't make any sense if you try to read it out loud.

ljprevo
01-09-2004, 12:56 PM
I use this.

A standalone program under 800k

http://quickysoftware.com/passwordgenerator.html

Great program, highly recommend it for creating passwords.

Crucial
01-09-2004, 05:53 PM
Hello,

I usually just take MD5 or 2fish encryption keys/codes and use the first 10/20 chars and toss in an ALT CODE at the end or front. Usually if someone tries to crack the password it will get confused, or if it does crack it 100% the person is usually dumbfounded.

Example:

mvbR.XAu$FTYFqSL
VTDkKFRTnhBD6
4$4WAcNQjY
$1annG2UEo$PRguZ
uasKqxZ

=P

mikeym
01-09-2004, 08:23 PM
I use 12 character alphanumeric passwords for everything, I find that for some passwords you can't use certain symbols so I tend to stick with letters and numbers, uppercase and lowercase if applicable. For root passwords though, definitely use some hyphens, etc.

mikeym
01-09-2004, 09:14 PM
Actually, come to think of it, at my desktop computer I use a biometric fingerprint scanner. Nice and fast for desktop use and they're pretty cheap now too, would be nice if I could use it for my server and other things as well.

Pheaton
01-09-2004, 09:28 PM
Originally posted by 93.3
Actually, come to think of it, at my desktop computer I use a biometric fingerprint scanner. Nice and fast for desktop use and they're pretty cheap now too, would be nice if I could use it for my server and other things as well.



Where do I get one? :D

mikeym
01-09-2004, 09:37 PM
http://digitalpersona.com/, I've had one for over a year now and it's great. :)

sprintserve
01-09-2004, 09:44 PM
Well it won't work with linux servers because they currently only have drivers for Windows.

mikeym
01-09-2004, 09:46 PM
Forgot to mention, my desktop computer is running Windows XP, the only operating system it supports I believe. Sorry bout that.

ringnebula
01-10-2004, 01:12 AM
Originally posted by xperience
Ooooh - I like this! Is there a length limit on unix passwords?

Simon

It depends on the OS. If you are using a "real" UNIX (solaris, IRIX, etc) you are sort of limited. These OS' will only use the first 8 characters of your password though it can be as long as you want.
Linux and the *BSD's typically will use as long of a password as you want.

alchiba
01-10-2004, 01:22 AM
It doesn't matter what your root password is. If you've got some lame "look, ma, i'm a programmer" open-source script on your box, the Boyz From Brazil (or the hax0rz du jour) will whack it in a heartbeat and own you. By my lights, brute-forcing passwords is the crack of last resort.

volfman
01-10-2004, 01:33 AM
I typically pick passwords that I can remember by their location on the keyboard but I always include things like :)-=... random characters..

my passwords usually look like A)(341"a;sdL

except in a pattern a bit easier to remember by keyboard positioning.

sigma
01-10-2004, 10:14 AM
Originally posted by alchiba
It doesn't matter what your root password is. If you've got some lame "look, ma, i'm a programmer" open-source script on your box, the Boyz From Brazil (or the hax0rz du jour) will whack it in a heartbeat and own you. By my lights, brute-forcing passwords is the crack of last resort.

I hope you aren't installing those scripts setuid root ;) And I hope you've secured your server otherwise.

Kevin

ALGORYTHM
01-10-2004, 10:41 AM
:o we've all been subjected to some subtle social engineering! heh kidding.

alchiba
01-10-2004, 12:02 PM
Originally posted by sigma
And I hope you've secured your server otherwise.


You betcha. The first step was to dress up my servers so they look like the Wiggles. That way, I figure no one will want to go near them. :D