Generate a Password

It is recommended to generate a password instead of trying to think yourself about a good password. Use the ways below to generate a password.

pwgen

Generate a password with pwgen. According to NIST recommendations 800-63-3 at least 8 characters are recommended; the longer the better. In our Acceptable Use Policy we define a minimum of 12 characters.

Example to generate a 12-character password:

# 12 chars with special character (relatively easy to remember) and `-y` for at least one special character
pwgen 12 -1 -y

# 12 chars with special character, 'completely random' (`-s`) and `-y` for at least one special character
# most secure way (according to https://www.starlab.io/blog/why-enforced-password-complexity-is-worse-for-security-and-what-to-do-about-it ) but copy paste from terminal not that easy
pwgen -y -s 12 1

# Example to generate a password for disk encryption:
pwgen 32 -1 -s

If you want to exclude ambiguous characters, you can use -B. This is also known as Base58, without Il0O, see de.wikipedia.org/wiki/Base58

pwgen 12 -1 -s -B

Generate a Memorable Password

If you want to generate a password that is memorable, then you could use the XKCD password generator. The relevant XKCD comic is number 936.

How to generate such a password:

  1. Install XKCD-Password-Generator (github.com/redacted/XKCD-password-generator)

    pip3 install --user xkcdpass
    # or for homebrew/linuxbrew
    pip3 install xkcdpass
  2. Optional: Download the German word list: wordlist-german.txt. This word list is based on a German diceware wordlist from http://world.std.com/~reinhold/diceware_german.txt (broken link) without numbers and symbols. It consists of 7536 words.

    1. An alternative word list with only nouns wordlist-German-Nouns.txt consisting of 66225 words.

  3. Generate a password with:

    $ xkcdpass
    struggle stencil doily unmindful pureness swiftly
    
    # with the german wordlist
    $ xkcdpass -w wordlist-german.txt
    muendig suchte irrweg erstes duengt schule
    
    # create password with first letter upper case and dashes instead of space for direct copy paste
    $ xkcdpass -n5 --case first -w wordlist-german.txt --delimiter="-"
    Ungarn-Stutzer-Hammeln-Herdes-Polaris
  4. Now you have to remember these 6 words. Bonus for adding your preferred special character to separate the words.

Entropy Calculations

If an attacker has your hash and knows about how your password was generated, then you could calculate the entropy like that:

  • There are 7536 possible words

  • Entropy per word is log2(7536) ≃ 12.88 bits

  • Entropy for a 6 word password: 6 * log2(7536) ≃ 77.3 bits

According to www.pleacher.com/mp/mlessons/algebra/entropy.html, a password above 60bits of entropy is strong:

Password strength is determined with this chart:

  • < 28 bits = Very Weak; might keep out family members

  • 28 - 35 bits = Weak; should keep out most people, often good for desktop login passwords

  • 36 - 59 bits = Reasonable; fairly secure passwords for network and company passwords

  • 60 - 127 bits = Strong; can be good for guarding financial information

  • 128+ bits = Very Strong; often overkill

— David Pleacher

If the attacker does not know your way to generate a password, but correctly assumes you have a lower case password (26 possibilities), then the entropy would be:

  • 26 possible characters (all lower letters)

  • 37 characters used in password:

  • Entropy: log2(26)*37 ≃ 174

Password Generator of Your PW Manager

Password managers usually have a password generator, you could use that.

Check Your Password

NIST recommends to prove whether the password ever was part of a security breach and is already known. There is an API to check already known password hashes at haveibeenpwned.com/API/v2 and the full hash list is downloadable from haveibeenpwned.com/Passwords. A small bash script to check if your password ever was used and in a password leak can be found in github.com/chloesoe/pwcheck/blob/master/password-check.sh.