fri, 25-nov-2005, 11:06

Following up on yesterday's discussion of making passwords that look random to the computer, but contain some pattern that's easily remembered, I wrote a little password generator in Python. It requires the 'fortune' program (fortune-mod, fortunes packages in Debian), as well as Python. The script takes two optional arguments, the number of passwords to generate, and if the script should create "difficult" passwords.

The output looks like this:

    $ ./ 1
    16422 : 4Dcfpnsfe#
    Don't compare floating point numbers solely for equality.
or if you've chosen the "difficult" version:
    $ ./ 1 d
    55424 : ya8=Ithotmk
    You are in the hall of the mountain king.

The difficult version puts the number, symbol and upper case letter in the middle of the string of letters, rather than at the beginning and end with the simpler version. I suppose the difficult version is slightly more "random" and is better as a result, but there's probably not much difference when it comes to how long it would take to crack it.

Of course, despite the way the passwords look, they're not actually random. So if the cracker knows that you've used a password generator based on the fortune command, they can generate a wordlist based on fortunes and use that in a dictionary attack instead of having to use a brute force attack.

tags: sysadmin 
Meta Photolog Archives