#title Strong Passwords ||<>|| = Introduction = Many security mechanisms present in Ubuntu and elsewhere require a password. Passwords are the most commonly used security tactic in computing, and are frequently used to protect sensitive information, such as your e-mail account, or your Ubuntu user account. Choosing a strong password for any application, or service which may require one is extremely important. If the password you choose is based on common information such as a dictionary word, an attacker may use a so-called [[http://en.wikipedia.org/wiki/Dictionary_attack|"dictionary attack"]] method of determining your password, and subsequently compromise the account, or data protected with that password. This guide demonstrates the generation of strong passwords with applications available to Ubuntu. This guide ''does not'' recommend a formal password policy, including rotation/change scheduling, re-use prevention strategies, and the like. Such principles are beyond the scope of this guide, and the reader is requested to see the resources presented at the end of this guide for further information on passwords, and formal password policies. = Target Audience = This guide is for anyone with sufficient experience with the GNU/Linux command-line, including installing packages using {{{apt-get}}}, and executing command-line tools who also has an interest in passwords, and generating strong passwords with a command-line utility. = "Strong Passwords" or "Strength of a password generation process" = == Strong passwords == Applications, and libraries exist for your Ubuntu system to assist in generating, or enforcing strong passwords. A strong password is defined as any password which meets the following criteria: * At least ''fifteen'' (15) characters in length. * Does not contain your user name, real name, organization name, family member's names or names of your pets. * Does not contain your birth date. * Does not contain a complete dictionary word. * Is significantly different from your previous password. * Should contain ''three'' (3) of the following character types. * Lowercase Alphabetical (a, b, c, etc.) * Uppercase Alphabetical (A, B, C, etc.) * Numerics (0, 1, 2, etc.) * Special Characters (@, %, !, etc.) == "There is only the strength of a password generation process" == The idea of “password strength” is a myth. It's a myth that's spread by a lot of websites, but it's still a myth. There is no such thing as the strength of a password, there is only the strength of a password generation process. Having special characters in a password does not make it stronger. A password is a compromise between ease of memorizing and ease of cracking, and special characters make password significantly harder to memorize but not significantly harder to crack. === So how should I choose passwords? === ||<#CCFF99> '''Randomly.''' If your method to choose a password doesn't include a source of randomness (with a computer, or rolling a dice if you like it old-school), it's no good. See [[https://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase/6096#6096|this link]]. Make sure there is enough entropy, usually counted in bits!|| [[http://world.std.com/~reinhold/diceware.html|Diceware]] is a popular choice (using physical dice + wordlist), but any method that follows the XKCD pattern — pick multiple “words” at random from some dictionary — is good. We are focusing on 'xkcdpass' here. = Generating Passwords in Ubuntu = Now that we've establish what constitutes a strong password. How do we have our computers help generate strong passwords automatically? This section will cover the ''Automatic Password Generator'' application (APG) which is available in Ubuntu via the repository Universe. APG does precisely what its name implies: it ''automatically generates passwords''. Not only does APG generate passwords, it will generate ''strong passwords'' for you as well. Another useful tool is 'xkcdpass', which uses the XKCD method, which is a very different method to create a password. Also 'xkcdpass' is available via the repository Universe. If you wish to study APG and 'xkcdpass' further, you may find information at the [[#Resources|Resources]] section of this guide. '''Read the available information, take some time to think about it, and use the method that you find is the best one for your purposes.''' {{attachment:IconsPage/tip.png}} ''It should be noted here that Ubuntu's password functions for user accounts do provide some means of enforcing strong passwords for user accounts, but there are cases, and applications where the strength of the password cannot be enforced in this manner, and so this guide exists to help the user generate acceptable strong passwords''. == Universe repository == The software described is available via the Ubuntu repository Universe. If it is not enabled, you can use the Synaptic Package Manager or the following command lines {{{ sudo add-apt repository universe sudo apt update }}} == APG == === Installing APG === To install APG, ensure you have enabled the repository Universe and have a live connection to the Internet, then issue the following command at a command prompt: {{{ sudo apt-get install apg}}} You will be prompted for a password. The password being requested is ''your user password'', or the same password you use when issuing commands with the {{{sudo}}} command. After authentication, the APG package will be downloaded, and installed. You are now ready to begin using, and further configuring APG to your liking. === Using APG === The default behavior of APG installed on Ubuntu via apt-get when executed, is to prompt for random data from standard input (typically the keyboard) and upon pressing enter, display ''six'' (6) strong "pronounceable" passwords. They are referred to as "pronounceable" because the passwords may actually be pronounced like regular words. In fact, APG includes the pronunciation in parentheses () to the right of each password. Additionally, they are ''strong passwords'' because they include a mix of lowercase, uppercase, and numeric characters. An example of executing {{{apg}}} and the default output of APG is presented here: {{{apg}}} APG prompts for the input of random keyboard keys, and then, after pressing '''ENTER''', produces output similar to this: {{{ queafWodEis5 (queaf-Wod-Eis-FIVE) WoudElIc6 (Woud-El-Ic-SIX) GorIacNewt8 (Gor-Iac-Newt-EIGHT) ShratUplEov7 (Shrat-Upl-E-ov-SEVEN) hexLyafByff1 (hex-Lyaf-Byff-ONE) Irkyorn9 (Irk-yorn-NINE) }}} If you would like to enforce different behavior from APG, there are many options you may pass to the '''apg''' command for the purpose of changing the default output, and behavior of APG. For example, to generate ''random character passwords'' instead of the ''pronounceable'' passwords, you may invoke APG with the '''-a 1''' option, where '''-a''' is the ''algorithm'' APG uses, and '''1''' selects random mode. The following command would produce ''six'' (6) random character passwords with no prompting to input random data: {{{ apg -a 1}}} Upon executing the above command, APG outputs a list of ''six'' (6) random character passwords similar to these: {{{ S:w[AOe< !_IlD#_G/~ )lL`avASe6 SgzlI:lU?h ~Wc(0b"{ '4fU25w%} }}} If you wish to always enforce prompting for random data from standard input (keyboard), to ensure the most secure passwords possible, you should explicitly tell APG to do so with the {{{-s}}} option. Another example would be the generation of four (4) !WiFi Protected Access (WPA) Pre Shared Keys (WPA PSKs) having the maximum supported WPA PSK length of 63 random characters for use with modern !WiFi equipment, such as a Wireless Access Point (WAP). To generate such a sequence, and use random data prompting, issue the following command at a command prompt: {{{apg -s -a 1 -m 63 -n 4}}} After supplying the random keyboard data, and pressing '''ENTER''' a list of strong WPA PSKs will be presented, similar to these: {{{ +DIaz*B^'[mtB;J1ABi*n"B<=|_My"5bZv#*iRJH!0oCcf!,@Z os#?3;sC2}/A>lG^e*9%9}pd^&A\'eLkdC,lk#jB,bcg70I|q@U:^VZP"}>3z?G rj??<_Ej%-:2LW;4q_?53$ab$U_~1I(({`^LN1Hd&&gKj+Dw;EqR<\qH_VQ{`s! "x3up};b~/jU6Vo,t">Dr~f_U`NSNr30JmOD@c'Y:p2wvc"0s?$MtT '''Security at the expense of usability comes at the expense of security'''|| === Custom word list === Considering the human aspect it is important that you can * '''accept''' * '''remember''' * '''spell''' the words in the password/passphrase. '''In order to preserve randomness, entropy, it is very important the you accept the first offered choice.''' Using a big word-list provides more entropy per word, but chances are that you refuse to use the first offered password/passphrase. Your name, city or other personal data might be selected from the word list in an extremely rare case, but more often you might be offended by a political, ethnical, religious, sexual or generally rude word. It will make it easier to accept, remember and spell the password/passphrase, if you use a '''list of the most common words''', where the words are selected for this particular purpose. You can '''create such a list yourself''' (and in your own language, and remove words with special characters, because they might cause problems with some software), or you can '''download such a list''' (check that it consists of unique words and is long enough, at least 2048 words = 2^11 words, which corresponds to 11 bits of entropy). The following list is based on a list of the [[https://www.wordfrequency.info|5000 most common words in American English]], and modified (many words were removed, a few words were added). It contains 3723 words, which corresponds to 11.86 bits of entropy. [[attachment:word-list.txt|Download 'word-list.txt']] {{{ $ md5sum word-list.txt 885a786e1bb2926f61baf28f7b6b60b6 word-list.txt $ sort word-list.txt | uniq -cd $ (no output <---> no duplicates found) $ wc -l word-list.txt 3723 word-list.txt $ for i in Jack Brown Lisa Smith;do grep -i "^$i$" /usr/share/dict/words word-list.txt;done|sort/usr/share/dict/words:brown /usr/share/dict/words:Brown /usr/share/dict/words:jack /usr/share/dict/words:Jack /usr/share/dict/words:Lisa /usr/share/dict/words:smith /usr/share/dict/words:Smith word-list.txt:brown }}} === Installing xkcdpass === To install xkcdpass, ensure you have enabled the repository Universe and have a live connection to the Internet, then issue the following command at a command prompt: sudo apt-get install xkcdpass You will be prompted for a password. The password being requested is your user password, or the same password you use when issuing commands with the sudo command. After authentication, the xkcdpass package will be downloaded, and installed. You are now ready to begin using, and further configuring xkcdpass to your liking. === Using xkcdpass === You can select settings to get a good balance between * Difficulty to guess - entropy (bits) * Difficulty to remember - if the default word list contains too difficult words, try another one and when you have a suitable balance, you can store the settings in an '''alias''', '''function''' or '''one-line shellscript'''. '''Default settings, 91 bits of entropy''' {{{ $ xkcdpass arousal brook dibble adieux rustproof Deanna $ xkcdpass -V The supplied word list is located at /usr/lib/python3/dist-packages/xkcdpass/static/default.txt. Your word list contains 38271 words, or 2^15.22 words. A 6 word password from this list will have roughly 91 (15.22 * 6) bits of entropy, assuming truly random word selection. becloud pregame hogback catlike lobber rowel }}} '''Using one custom setting including a custom word list with common words to create 5-word passphrase, 45 bits of entropy''' Please notice that the '''-a final''' feature will '''reduce the entropy substantially''' by specifying the first letter of the words. Calculating reduction of entropy, when the random selection is reduced (using '''bc'''), in this example * 182 words begin with '''f''' * 138 words begin with '''i''' * 068 words begin with '''n''' * 243 words begin with '''a''' * 125 words begin with '''l''' * 680 words have 5 letters (assuming you use the word list also to select the acronym 'final') {{{ $ bc -l bc 1.06.95 Copyright 1991-1994, 1997, 1998, 2000, 2004, 2006 Free Software Foundation, Inc. This is free software with ABSOLUTELY NO WARRANTY. For details type `warranty'. l (182*138*68*243*125*680)/.69314718055994530941 45.00376966263277443730 # reduced to 45 bits l (3723*3723*3723*3723*3723)/.69314718055994530941 59.31124950425756409847 l (3723)*5/.69314718055994530941 # more efficient formula 59.31124950425756409842 # approximately 59 bits }}} '''With 5 words, the entropy is reduced from 59 bits to 45 bits, when specifying the acronym !!!''' {{{ $ xkcdpass -c 4 -V -n 5 -a final --min 4 --max 10 -w word-list.txt The supplied word list is located at /media/multimed-2/test/test0/pwdstrength/word-list.txt. Your word list contains 3723 words, or 2^11.86 words. A 5 word password from this list will have roughly 59 (11.86 * 5) bits of entropy, assuming truly random word selection, but reduced in this case (not calculated here). female integrity negative awareness latter fierce impress notion assess loss filter install novel apology largely funding instructor northern attraction look }}} '''Using another custom setting including a custom word list to create 4-word passphrase with dots, 47 bits of entropy''' {{{ $ xkcdpass -c 4 -V -n 4 --min 4 --max 10 -w word-list.txt -d . The supplied word list is located at /media/multimed-2/test/test0/pwdstrength/word-list.txt. Your word list contains 3723 words, or 2^11.86 words. A 4 word password from this list will have roughly 47 (11.86 * 4) bits of entropy, assuming truly random word selection. sand.heaven.agenda.proclaim estimated.commercial.sweep.project send.diplomatic.insurance.coffee marketing.inherent.fact.operate }}} So specifying '''-a final''' reduces the entropy of a 5 word passphrase to 45 bits, which is below that of a 4 word passphrase (47 bits). This is a high cost for the acronym. Many other options are available. You should consult the xkcdpass manual page, and the xkcdpass website for further information. (See the Resources section of this guide) === Useful command-lines with xkcdpass === Decide what works best for the security level you need in your particular case, * lower number of words that are strange and complicated * higher number of words that are common and easy It may be vary between persons (and groups of people, if you are considering how to set a policy or custom tool for an organization). '''Using the default word file: lower number of words that are strange and complicated''' Normal security level at home, entropy = 45 bits: {{{ $ xkcdpass -n 3 demeanour basely extrude }}} Next security level, entropy = 60 bits: {{{ $ xkcdpass -n 4 metal cottager advocacy soursop }}} High security level, entropy = 76 bits: {{{ $ xkcdpass -n 5 hostile impounder Caledonia ramie Goddard }}} Very high security level, entropy = 91 bits: Please notice that this is the default setting. But the security level is very high only if the user * can '''accept''' the first password/passphrase offered, * can '''remember''' it without a post-it sticker on the monitor/laptop (or other 'shortcut'), * can '''spell''' it without a post-it sticker on the monitor/laptop (or other 'shortcut'). {{{ $ xkcdpass ambrosia Cossack vivify Barbudan royal Campinas }}} ---- '''Using a custom word file: higher number of words that are common and easy''' Normal security level at home, entropy = 47 bits: {{{ $ xkcdpass -n 4 --min 4 --max 10 -d . -w word-list.txt sharp.hockey.steal.backyard }}} Next security level, entropy = 59 bits: {{{ $ xkcdpass -n 5 --min 4 --max 10 -d . -w word-list.txt initially.assistant.barely.framework.regional }}} Next security level, entropy = 71 bits: {{{ $ xkcdpass -n 6 --min 4 --max 10 -d . -w word-list.txt snake.food.dress.perception.club.waste }}} High security level, entropy = 83 bits: {{{ $ xkcdpass -n 7 --min 4 --max 10 -d . -w word-list.txt stand.mentor.know.cream.automatic.treatment.effect }}} == Generating Strong Passwords Manually == Some people find that they remember their password better when they come up with one on their own. This section provides an example of how to manually generate a strong password. Keep in mind that because the examples here are viewable by anyone, these exact results should be avoided. The first step is to choose a phrase which you can easily remember, but is at least 8 words long. This can be a favourite quote, a line from your favourite song, something you heard randomly while walking around, or even an obscure reference to a movie you like. For this example, we'll choose "`To be or not to be, that is the question`". Now, convert your phrase to a single word. Exactly how you do so is not important, as long as you remember how you did it! We'll take the first letter of each word, which gives us "`tbontbtitq`". Now, we have one character class, the lower case letter. To get upper case letters, simply randomly capitalize letters. We'll capitalize each third letter, and end up with "`tbOntBtiTq`". Now, we'll get some numbers. That '`O`' looks a lot like the number zero, so let's replace '`O`' with '`0`': "`tb0ntBtiTq`". There's a lot of '`T`' characters in there, so let's also replace one of them with the number '`7`': "`tb0n7BtiTq`". Finally, we'll go after a symbol or two. With a little imagination, you can see how the symbol '`^`' and the letter '`l`' beside each other somewhat resemble the general shape of the letter '`N`', so replace the '`n`' with those: "`tb0^l7BtiTq`". Just to make it a little better, we'll add one last symbol. You'll notice that the exclaimation point (`!`) resembles a lower case '`i`' upside down. Replace the '`i`' with '`!`' to get the final password: "`tb0^l7Bt!Tq`". Just keep in mind that certain characters (like: ^,`,',~,ß,...) might be hard to locate or enter on a foreign keyboard (e.g. when travelling or using a different keyboard layout - think US 104-key layout vs. Canadian French layout). = Write Your Passwords Down = While it's clearly a bad idea to store passwords in a publicly-visible place, it's a very good idea to keep your passwords written somewhere private. It can take weeks or months to remember a strong password, and you can suddenly forget one letter of even the oldest password. One way to have both complex passwords and memorable passwords is to generate a core password that is used as a part of all you passwords and then write down the additional parts for each site. {{{ example: remembered passwords: * core password: UbuntuR0cks written down passwords: * bank A: #29G%7 * bank B: $FF09@ * forum 1: &*LJK2 * forum 2: FGB&*13 Then the two elements would be combined: * bank A: !UbuntuR0cks#29G%7 * bank B: !UbuntuR0cks$FF09@ * forum 1: !UbuntuR0cks&*LJK2 * forum 2: UbuntuR0cksFGB&*13 }}} = Don't use online password generators = The command-line tools described above are very secure. Using an online password generator means that you're relying on * the algoritm implemented by the online service -- is the proprietor of the online service an experienced security researcher using a well-studied algorithm? Making secure algorithms is notoriously hard and even experienced researchers are not surprised when their algorithms get broken. * any key material used by the online service never being compromised -- what if the site is hacked after it generates your password; could an attacker examine the algorithm and key and use it to regenerate your password later? If you don't know, then don't trust it! * the integrity of the online service -- do you really trust the proprietor of the online service? What if they were arrested/coerced; would you still trust them not to sell out your password? The above password generators rely on the cryptographic primitives supplied by the linux kernel. Those primitives are battle-hardened, heavily researched and designed not to leak your password off your machine. You'd be much better off trusting those rather than an external website. = Resources = Additional password information, command information, and formal password policy guidelines are available via the following resources: [[http://packages.ubuntu.com/pwgen|pwgen]] is an alternative to apg that will create reasonable secure passwords that are easier to remember. == Local System Resources == ||{{{man apg}}}|| System manual page for the {{{apg}}} command|| ||{{{man xkcdpass}}}|| System manual page for the {{{xkcdpass}}} command|| ||{{{man passwd}}}|| System manual page for the {{{passwd}}} command|| == WWW Resources == [[http://www.sans.org/resources/policies/Password_Policy.pdf|SANS Password Policy Guideline (PDF Document)]] [[http://world.std.com/~reinhold/diceware.html|The Diceware Passphrase Home Page]] [[https://itsfoss.com/password-generators-linux/|5 Useful Password Generators For Linux - for example 'xkcdpass']] [[https://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase/6116#6116|XKCD #936: Short complex password, or long dictionary passphrase - Short story]] [[https://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase/6096#6096|XKCD #936: Short complex password, or long dictionary passphrase - The math]] [[https://pypi.python.org/pypi/xkcdpass|xkcdpass website]] ---- [[http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci916934,00.html?track=sap805|Bad Password Policies - requires 'sign in']] [[http://www.adel.nursat.kz/apg/|APG website - not found]] [[http://www.sans.org/rr/whitepapers/authentication/1636.php|Simple Formula For Strong Passwords (PDF Document) - not found]] [[http://www.smat.us/sanity/pwdilemma.html#anchor12895273|Strong Password Policies - not found]] ---- CategorySecurity