reasonably secure passwords on tap


  • Mon 20 July 2015
  • misc

Tired of setting "changeme" as a temporary password and hoping that people... change it? Having difficulty coming up with a good password to hand to someone, one that isn't "leetspeaky", and is demonstrably secure?

A shout-out is due to jamiep for this approach, which sadly won't keep well-meaning but crummy security policies happy, but is probably fine for your own purposes when you have root and can set a password to anything you want.

Know what a UUID is? If not, I bet you clicked the link so now you do. OK, so what's wrong with using a Version 4 UUID (122 bits of entropy, roughly equivalent to 23 characters of random printable ASCII characters) as a password or shared secret? There's a tool for generating them - Ubuntian-flavored folks can apt-get install uuid while Mac users who enjoy Homebrew can brew install ossp-uuid. Smart people who use SmartOS don't have to do anything - the cli tool comes with the base OS install.

Oh look, I just made some passwords (don't use these!):

    merlot:~ rs$ uuid -v 4
    e7b50956-7f0d-4c51-a280-5e7b712d698d
    merlot:~ rs$ uuid -v 4
    accd7d02-06fa-4532-85b9-2bd059766491
    merlot:~ rs$

Things to watch out for include aged Unix systems (that still use DES-based salted hashes as an HMAC) and other systems that truncate password significance. Also be sure the password will actually fit in the memory structures allocated for it (hopefully a non-issue here in the future, but a textual UUID is 36 characters, 37 bytes with the terminating NUL). As always, test before you use in production (or hand to your boss, or whatever).
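As an added example (not part of the original post), here is a small Python script that ties the two points above together: it generates a version-4 UUID as a password with the standard library, counts how many random bits survive if a system only honours the first N characters, converts a bit count into the equivalent length of a uniformly random string over an alphabet of your choice (the comparison depends on which character set you assume), and checks whether the text plus its terminating NUL fits a fixed-size buffer. The position-by-position bit accounting assumes the standard 8-4-4-4-12 text layout, with the version nibble at index 14 fixed and only 2 random bits in the variant nibble at index 19.

```python
import math
import re
import uuid

# Text layout of a version-4 UUID: 32 hex digits in 8-4-4-4-12 groups.
# The hex digit at index 14 is fixed to '4' (version) and the digit at
# index 19 carries only 2 random bits (variant), so 30*4 + 2 = 122 random bits.
UUID_V4_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
)
HYPHEN_POSITIONS = {8, 13, 18, 23}
VERSION_POSITION = 14
VARIANT_POSITION = 19
UUID_TEXT_LEN = 36


def make_password() -> str:
    """Return a fresh version-4 UUID as text (uuid4 draws from os.urandom)."""
    return str(uuid.uuid4())


def is_v4_uuid(s: str) -> bool:
    """True if s is a lowercase textual version-4 UUID."""
    return UUID_V4_RE.match(s) is not None


def random_bits(s: str, truncate_at: int = UUID_TEXT_LEN) -> int:
    """Random bits that survive if a system only honours the first truncate_at characters."""
    if not is_v4_uuid(s):
        raise ValueError("not a version-4 UUID")
    bits = 0
    for i in range(min(truncate_at, UUID_TEXT_LEN)):
        if i in HYPHEN_POSITIONS or i == VERSION_POSITION:
            continue  # hyphens and the version nibble are fixed, no entropy
        bits += 2 if i == VARIANT_POSITION else 4
    return bits


def equivalent_length(bits: int, alphabet_size: int) -> int:
    """Shortest uniformly random string over alphabet_size symbols with at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def fits_in_field(s: str, field_bytes: int) -> bool:
    """True if s plus its terminating NUL fits a C-style buffer of field_bytes."""
    return len(s.encode("ascii")) + 1 <= field_bytes


if __name__ == "__main__":
    pw = make_password()
    print("password:", pw)
    print("random bits:", random_bits(pw))
    print("bits kept if truncated to 8 chars:", random_bits(pw, 8))
    print("equivalent length, lowercase+digits:", equivalent_length(122, 36))
    print("equivalent length, printable ASCII:", equivalent_length(122, 95))
    print("fits a 37-byte buffer:", fits_in_field(pw, 37))
```

Run it as-is to see the numbers for a fresh UUID; a system that keeps only the first 8 characters is left with 32 bits, which is the kind of silent truncation the post warns about.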