How Can We Create Secure Passwords?

What makes a password secure?

We have to keep the bad guys out while letting the legitimate user in.

We need to protect authentication and prevent user identity masquerading or spoofing, so it must be impractical for the attacker to guess it.

I didn’t say “impossible” because any string could be guessed eventually. But impractical, so that it would require enough guesses that a rational attacker would give up.

We must also protect availability by using something that the legitimate user has a chance of remembering.

As we discuss in Learning Tree’s System and Network Security Introduction course, we must provide all the needed security aspects, and prevent one from interfering with another.

This will require a pass phrase rather than a pass word. Let’s think about how we might try to solve this problem.


We Need Randomness

As I have mentioned before, security needs randomness, and this is yet another example. But why?

We said that it must be impractical to guess the secret.

That’s another way of saying that it must be unpredictable.

And that’s just another way of saying that it must be random.

We Need Words (Approximately)

The problem is that highly random strings are impractical. People won’t remember anything like this:


So, sticky notes go onto the monitors. And even with a string like that on paper, it is very difficult to type such a long random string when you can’t see what you’re typing.

The bad guy can learn what the password is with a glance at the monitor or laptop, while the legitimate user will be locked out after three sequential typing errors.

We need things that are more like words. Not necessarily words, but words or at least pronounceable word fragments.

Linux Has The Tools We Need

The file /usr/share/dict/words is used by the various spell-checking tools. It’s very large, with 483,523 words and word fragments on the distribution I’m using here. Let’s see how many of those are 4, 5, or 6 characters long.

$ wc -l /usr/share/dict/words
 483523 /usr/share/dict/words
$ egrep '^....$|^.....$|^......$' /usr/share/dict/words | wc -l

Learning Tree’s Linux introduction course and the Linux power tools course teach you the fundamental command-line tools and regular expressions. The regular expression above means:

  • Start-of-line, any 4 characters, end-of-line, or
  • Start-of-line, any 5 characters, end-of-line, or
  • Start-of-line, any 6 characters, end-of-line

The egrep command retrieves lines matching extended regular expressions from that file, and then it is piped into the wc command with an option asking for the number of lines only (not words and not characters).

Consider that 216 = 65,536. One word randomly selected out of a list of 80,489 means a little over 16 bits of entropy, as in unpredictability, randomness, and security in this setting. Five such words would mean a little over 80 bits of security.

It’s almost as easy to use Linux command-line tools to generate pass phrases of 5 word-like strings each. Let’s extract the 4-, 5-, and 6-character strings from that file, send those through 5 rounds of shuffling with the shuf command, the last round selecting just the first five, and format the result onto a single line with the fmt command, repeating until I get something I think I have a chance of remembering:

$ egrep '^....$|^.....$|^......$' /usr/share/dict/words |
        shuf | shuf | shuf | shuf | shuf -n 5 | fmt
pecite glub haleru diamin Ellyn
$ egrep '^....$|^.....$|^......$' /usr/share/dict/words |
        shuf | shuf | shuf | shuf | shuf -n 5 | fmt
witted Rowan Aenius twang stul
$ egrep '^....$|^.....$|^......$' /usr/share/dict/words |
        shuf | shuf | shuf | shuf | shuf -n 5 | fmt
barbs clonic Teryl rictus vestas

Yes, I know what the security policy is going to insist: I must use mixed case and digits and special characters. So how about simply capitalizing them and adding sequential digits plus punctuation. Now I only have to remember five “words” and a punctuation mark. The result:

Barbs1! Clonic2! Teryl3! Rictus4! Vestas5!

Hmmm. That looks like some sort of cheer for the gladiators. Well, if that helped me to remember it, that would be great.


Hopefully That Was Useful

I doubt that I could remember this quasi-gibberish for one pass phrase, let alone multiple unique ones for multiple servers and web sites!

Check back here next week as I have a recommendation for a cross-platform solution that provides far stronger password strings and it does the remembering for you!

Type to search

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.