Generate a Password
It is recommended to generate a password rather than trying to think of a good one yourself. Use one of the ways below to generate a password.
Generate a password with pwgen. NIST SP 800-63-3 recommends at least 8 characters; the longer the better. Our Acceptable Use Policy defines a minimum of 12 characters.
Example to generate a 12-character password:
# 12 chars, pronounceable (relatively easy to remember); `-1` prints one password per line, `-y` requires at least one special character
pwgen 12 -1 -y
# 12 chars, 'completely random' (`-s`), `-y` for at least one special character
# most secure way (according to https://www.starlab.io/blog/why-enforced-password-complexity-is-worse-for-security-and-what-to-do-about-it ) but copy-pasting from the terminal is not that easy
pwgen -y -s 12 1
# Example to generate a 32-char random password for disk encryption:
pwgen 32 -1 -s
If you want to exclude ambiguous characters, you can use
If you want a password that is memorable, you can use the XKCD password generator. The relevant XKCD comic is number 936.
How to generate such a password:
Install XKCD-Password-Generator (github.com/redacted/XKCD-password-generator)
pip3 install --user xkcdpass # or for homebrew/linuxbrew pip3 install xkcdpass
Optional: Download the German word list: wordlist-german.txt. This word list is based on the German diceware word list from world.std.com/~reinhold/diceware_german.txt with the numbers and symbols removed. It consists of 7536 words.
An alternative word list containing only nouns, wordlist-German-Nouns.txt, consists of 66225 words.
Generate a password with:
$ xkcdpass
struggle stencil doily unmindful pureness swiftly
# with the german wordlist
$ xkcdpass -w wordlist-german.txt
muendig suchte irrweg erstes duengt schule
# create password with first letter upper case and dashes instead of space for direct copy paste
$ xkcdpass -n5 --case first -w wordlist-german.txt --delimiter="-"
Ungarn-Stutzer-Hammeln-Herdes-Polaris
Now you have to remember these 6 words. As a bonus, separate the words with your preferred special character.
If an attacker has your password hash and knows how your password was generated, you can calculate the entropy as follows:
According to www.pleacher.com/mp/mlessons/algebra/entropy.html, a password with more than 60 bits of entropy is strong:
— David Pleacher
If the attacker does not know how you generated your password but correctly assumes it consists of lower-case letters only (26 possibilities per character), the entropy would be:
Password managers usually include a password generator; you can use that as well.
NIST recommends checking whether the password has ever been part of a security breach and is already known. There is an API to check already known password hashes at haveibeenpwned.com/API/v2, and the full hash list can be downloaded from haveibeenpwned.com/Passwords. A small bash script that checks whether your password has ever been used and appeared in a password leak can be found at github.com/chloesoe/pwcheck/blob/master/password-check.sh.
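As an added example, not part of this page or of the pwcheck script, the entropy calculations for the two attacker models above and a breach lookup in Python. It assumes the k-anonymity range-query format of the haveibeenpwned API (send the first 5 hex characters of the upper-case SHA-1, receive lines of "<35-char suffix>:<count>") and embeds a constructed response instead of making a network call.

```python
import hashlib
import math


def entropy_bits(choices: int, pool_size: int) -> float:
    """Entropy when the attacker knows the method: `choices` independent
    picks from `pool_size` equally likely items, i.e. choices*log2(pool)."""
    return choices * math.log2(pool_size)


def is_strong(bits: float) -> bool:
    """The page's rule of thumb: more than 60 bits counts as strong."""
    return bits > 60.0


def hibp_prefix_suffix(password: str):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the range API and the 35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_response: str) -> int:
    """Count how often the password occurs in a range-API response
    ('<suffix>:<count>' per line); 0 means it is not listed."""
    _, suffix = hibp_prefix_suffix(password)
    for line in range_response.splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found == suffix:
            return int(count)
    return 0


# Constructed stand-in for the response to prefix 5BAA6 (no network call):
# the first suffix is the real SHA-1 of "password"; the counts are made up.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
003D68EB55068C33ACE09247EE4C639306B:3
"""

if __name__ == "__main__":
    # Six words drawn from the 7536-word German list, method known to attacker.
    known = entropy_bits(6, 7536)
    # The same 37-letter password if the attacker only assumes lower case.
    naive = entropy_bits(37, 26)
    print(f"6 words from 7536: {known:.1f} bits, strong={is_strong(known)}")
    print(f"37 lower-case letters assumed random: {naive:.1f} bits")
    print("breach count for 'password':",
          breach_count("password", SAMPLE_RANGE_RESPONSE))
```

The gap between the two entropy figures shows why the entropy that counts is the one computed under the assumption that the attacker knows the generation method.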