[Cryptography] Brute-force password crackers?

Jerry Leichter leichter at lrw.com
Mon Dec 27 18:01:44 EST 2021


> Yes, change the password.
>    Are there better tools than apg.
>   apg "generates several random passwords. It uses several password generation algorithms (currently two)"
>    If you suspect generated passwords are guessable, grab some physical dice to chop generated passwords into 1-6 char chunks.
This is the first I've seen of apg.

MacOS keychain will generate passwords of different forms for you.  Up until recently, it could generate "memorable" passwords, which consisted of a dictionary word, a number, a special character, and another dictionary word.  While not necessarily really memorable, these did have the advantage of being easy to type - important if you have to transfer one from one system to another, especially to a phone where typing is a pain.  And if you use one of these with any regularity it does end up being fairly easy to remember.

I guess they decided this form of password had become too risky, as it's been eliminated from recent versions of Keychain.  I wrote a program to do the same thing, with a couple of variations for somewhat increased security:  Two words from a dictionary of 49415 (all lower case) words.  Either, both, or neither is randomly capitalized.  One integer from 1 to 9999.  Combine with equal probability as either word||number||special||word or word||special||number||word.  All told, just under 1e14 possible outputs.  Yes, it could be brute-forced - anything most people could memorize and type could be - but for most purposes it's pretty good - certainly better than a human could come up with unaided.  Here are some outputs:

Emailing{9737Xxii
Uprising!7101Youre
alas6931`Vegeta
revamped931>Ecliptic
Caused/6960Heatwave

Some of the "words" in the list are ... strange.

At the moment it's implemented as two shell scripts - one creates strong random numbers using /dev/random - but relying on a couple of little C tools of my own, so not readily distributable.  I may get 'round to turning it into something more broadly usable.
                                                        -- Jerry
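
The scheme described in the message above, as an added Python example (not the poster's shell scripts or C tools): it draws every component from the OS CSPRNG via the secrets module and counts the outputs for a given word-list and special-set size. The word list is a constructed stand-in, and the special-character set (string.punctuation) and the independent coin flip per word for capitalization are assumptions, since the post does not specify them.

```python
import math
import secrets
import string

# Constructed stand-in word list; the post's dictionary has 49415 lower-case words.
SAMPLE_WORDS = ["alas", "caused", "ecliptic", "emailing", "heatwave",
                "revamped", "uprising", "vegeta"]
SPECIALS = string.punctuation   # assumption: the post does not list its specials
MAX_NUMBER = 9999               # from the post: one integer from 1 to 9999


def pick_word(words):
    """Uniformly pick a word and capitalize it on a fair coin flip (assumed)."""
    word = secrets.choice(words)
    return word.capitalize() if secrets.randbits(1) else word


def generate(words=SAMPLE_WORDS, specials=SPECIALS):
    """Return word||number||special||word or word||special||number||word."""
    first, second = pick_word(words), pick_word(words)
    number = str(secrets.randbelow(MAX_NUMBER) + 1)   # uniform over 1..9999
    special = secrets.choice(specials)
    middle = number + special if secrets.randbits(1) else special + number
    return first + middle + second


def keyspace(n_words, n_specials=len(SPECIALS)):
    """Count distinct outputs, assuming letter-only words so parsing is unambiguous."""
    capitalizations = 4   # neither, first only, second only, both
    orderings = 2         # number-then-special or special-then-number
    return n_words ** 2 * capitalizations * MAX_NUMBER * n_specials * orderings


def entropy_bits(n_words, n_specials=len(SPECIALS)):
    """Entropy in bits of one password drawn uniformly from the keyspace."""
    return math.log2(keyspace(n_words, n_specials))


if __name__ == "__main__":
    for _ in range(5):
        print(generate())
    print(f"{entropy_bits(len(SAMPLE_WORDS)):.1f} bits with the sample list")
```

To use a real dictionary, pass a list of lower-case, letter-only words to generate() and its length to keyspace().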
