Good and Bad Passwords How-To
Administrators Can Use Automated Password
Generators to Create Hard to Crack Passwords That Can Be
The Administrator's Goals
The obvious goal for an administrator is to keep intruders off
his or her system. If this is not possible, then at least make
the intruder work very hard to get on the system.
(Only a minority of illicit system access is via poor
or cracked passwords. Most illicit access is via faulty system
software, typically buffer overflow conditions, that allow a remote
cracker to execute "arbitrary code" on the target system. The
arbitrary code may be sufficient for the attackers purposes. If the
attacker wants interactive access to the system, then the arbitrary
code may be used to retrieve the password hash file so passwords in
it can be cracked. Cracking success may then allow the cracker to
login as root, or as another user who can su to root, and thus
obtain complete access to the system. As this is a discussion of
passwords, password strength, and password cracking, these other
methods are not discussed here, but are addressed in other areas of
In all the
discussion to this point, so that the effort required to crack
the passwords could be estimated, we assumed that passwords were
fully random or
built according to one pattern or clearly defined set of patterns
and that the intruder had the necessary information to build
custom dictionaries matching the password patterns at the site
Potential intruders should never know site password policies, and
especially not password patterns if a pattern based password
generator is used to supply or suggest user passwords; if potential
intruders have such information
someone is leaking what should be confidential information. It's
very much in any site's interest not to let anyone outside know
anything about their password policies. A site that has put strong
password practices in place, may lose some of the advantage of these
polices, if detailed knowledge of these policies is allowed outside
A site that has password
policies, should inform all users of these policies, one of which
should be that users never discuss system password or security
policies with anyone outside the organization. Users should be
informed that violation of such policies may result in disciplinary
action which may range from reduction of system privileges to
termination, as seems appropriate. Obviously this is possible only
with the full backing of upper administration and cannot be imposed
by the IT department.
There is nothing more advantageous to a site than to have a
cracker working with the wrong assumptions regarding password's
lengths or character set, because then the odds against the
cracker become larger than they would have been otherwise.
In other words, while the odds of cracking normal passwords are
good and the odds of cracking strong passwords are very small, if
the cracker is trying for passwords that are too short or contain
insufficient character variety, they will never get any
Truly strong passwords will be of such length, character type
diversity and structural diversity that even if an intruder
has a pretty clear idea how a site creates passwords, the
intruder won't be able to apply sufficient computing resources
to crack the passwords in an acceptable time frame.
It's worth noting that passwords made from all one case letters
should be perfectly acceptable; they just need to be about four
characters longer than passwords containing characters drawn from
the entire keyboard to have similar strength. As long as a
password is not made from dictionary words, patterns
or combinations of such, that might be predicted, there is no more
likelihood that a 14 character, all lower case alphabetic
password will be cracked than a 10 character password with
diverse characters, even if the cracker knows someone or some
site uses 14 character alphabetic passwords.
It makes a big difference whether you subscribe to the prevailing
wisdom that an administrator needs to protect all the accounts on
their systems or to mine, that trying to force ordinary users to
use truly strong passwords is largely a lost cause and waste of
time that could be better spent elsewhere. For those who wish to
make the attempt, some of the tools to try to force users to
create better passwords are discussed on the next page. The
techniques available to ensure that all users have passwords in
conformance with a policy may not be worth the drawbacks.
My goal is to give regular users reasonably decent but moderately
easy passwords while forcing attackers to crack root and
administrator passwords comparable in strength to 9 character
and longer, diverse character set passwords. They can't do it
with brute force and building custom dictionaries isn't much
There are more than 30 trillion possibilities with the original
password.pl default settings. The custom dictionaries would take
300 terabytes or 9.5 CPU years (at 100,000 per second), assuming
that the intruder knows this is how passwords are created at a
site. Included among these are about 135 billion of the 809
billion two word, two non letter passwords previously discussed.
Any generated password containing two words should automatically
be discarded, keeping in mind that a weak password is weak
regardless of how it was obtained. A password containing two
alphabetic strings that are words is much weaker than a password
with two arbitrary alphabetic strings of similar length.
The default behavior of the original password.pl displayed
passwords of significantly varying strength. Of the ten
displayed each time, usually one or more was seven characters with a
digit in the middle and a capital in either or both of two
positions. There would also normally be some ten character
passwordswith three to five character alpha sequences, mixed case
and both a digit and symbol in either order. If the second upper
case letter was present it could be in any position from the
fourth to the eighth character. The new version has more
variability. Seven character passwords can be all lower case
and the non letter may be either a symbol or digit. At the
harder end both non letters may be symbols or digits.
The original password.pl anticipated that ordinary users would pick
from the easier 7 and 8 character passwords and administrators
would select harder 9 and 10 character passwords. After showing
users good passwords, options to make them use them are limited.
The simple checkers that force some degree of complexity will let
some pretty poor passwords through. A checker that requires
three of the four: 1) lower case, 2) upper case, 3) digit, 4)
symbol, will let Attack1 through even though all three crackers
discussed, using standard dictionaries and default rules, should
have this in seconds.
If users use the easiest of the recommended passwords, we let
enterprising crackers have these. If a cracker stays with
standard dictionaries, they hopefully won't get any. Of course
some users will insist on using bad passwords they weren't
shown. If the cracker knows password.pl is in use and builds the
custom 194 million word dictionary to match the default 7
character passwords, they'll get all the users who choose the
very easiest passwords.
There is a big catch that works against the cracker. Without
inside information, they can't know what the passwords look
like even if they know the tool being used. They can't know
if the minimum length has been upped to 8; there are 36 billion
possible 8 character passwords with the default patterns. They
can't know if the mixed case option was set. This generates
true random case letters in all positions and discards any
resulting password that comes out all upper or lower case by
chance. They can't know the source hasn't been altered to
create other variations.
The State Department password generator created passwords that
conformed to a single character pattern, cvcddcvc, in the
notation that we'll be using from now on. The first password.pl
included this and a limited number of user controllable
variations from the base pattern. The new password.pl allows the
user to define almost any imaginable character pattern and to
control variation from the base pattern to almost any degree.
See pattern formation
in the password.pl instructions for the definitions of pattern
characters and the resulting output in the generated passwords.
The 0, 1 and 2 - 9 qualifiers provide three different methods of
generating pattern variations. A pattern variation is basically
two or more fixed sequence patterns that can be generated from
a single control pattern. The user can change the probabilities
that control the relative frequencies of each fixed pattern.
We'll examine two examples to help make this clear. Perhaps the
simplest variation of the State Department pattern is cvcdd0cvc.
The 0 makes the second digit optional. There are two fixed patterns
that can result: cvcdcvc and cvcddcvc. The default probability for
the second digit is .25. This is called "Zero odds" on the password.pl
form. Thus, approximately three fourths off the generated
passwords will match the shorter and one fourth the longer pattern.
The default pattern of the new password.pl is Cc0vcc0n2Cc0vcc0.This defines a mixed case
consonant followed by an optional lowercase consonant followed by a
lower case vowel and consonant and another optional lower case
consonant. In the middle is n2 which means one or two non
alphabetic characters, i.e. digits or symbols which is used here to
include punctuation characters. The part after n2 duplicates the
first part of the pattern. n2 is different than nn0 only in the
probability of two characters being output.
There is an additional restriction that comes into play.
Characters" is defaulted to 2 so that no more than 2 of the
c0 characters will ever be output. Because the odds are only .25
for any one, this won't affect most of the generated passwords
but it does have an important effect. If the first alpha
character sequence is 5 characters, the second can never be
longer than three. If the first alpha character sequence is 4 the
second can never be longer than 4.
Whenever the Maximum zero characters is less than the actual
number of characters followed by a 0 in the controlling pattern,
the maximum puts an upper limit on the diversity of the
generated passwords. It prevents the longer more complex, fixed
character patterns from ever being displayed.
There are 22 possible fixed character patterns that can be generated
from the default controlling pattern:
The shortest possible pattern is 7 characters and the longest 10,
which match the default password length settings. The minimum
could be decreased or the maximum increased without affecting any
of the possible patterns. If the minimum is increased or the
maximum decreased the output password patterns would definitely
be affected. Increasing the minimum to 8 would have the effect
of discarding CvcnCvc as a possible pattern.
Decreasing the maximum to 9 would eliminate three patterns:
CvcnnCvcc, CcvcnnCvcc and CvccnnCvcc. These would be truncated
by one character but the truncated result already exists as a
pattern. It would also truncate three other patterns into new
patterns: CcvcnnCcvc becomes CcvcnnCcv, CvccnnCcvc becomes
CvccnnCcv and CcvccnnCvc becomes CcvccnnCv. Each of the three
new patterns has 21 times less possible combinations than the
The number of possible passwords that a specific controlling
pattern can generate can be calculated by adding the number of
possibilities contained in each of the fixed character patterns
that can be generated from the controlling pattern. The number
of possibilities in a fixed character pattern is the product of
the number of characters that may appear at each position in the
pattern. The default password.pl pattern contains more than 147
trillion possibilities. Truncating the default pattern to 9
characters reduces the possibilities to 11.2 trillion. What
pattern character or characters are truncated has a significant
impact on the number of possibilities removed. Truncating an "A"
which represents 94 characters on the keyboard has a much larger
impact than a "v" which represents only 5 possibilities.
The current password.pl contains three options for adding
variability to the patterns which the resulting passwords match.
The first that's already been described is a zero following a
pattern letter. The default settings provide a way to introduce
relatively subtle and controlled variations into a control pattern.
Raising the maximum zero characters or odds will create a higher
degree of variability.
A 1 following a character will cause password.pl to output one or
more of the preceding character (provided the maximum password
length has not yet been reached). See
One odds password.pl
instructions. A small increase in the value of "One odds" will
substantially increase the number of long sequences even though
most will still be short (1 - 4 characters).
Use of the 1 qualifier will pretty much assures that unless the
maximum length is very long, some passwords will truncate and
truncation creates variation in the output patterns. Used only
at the right end of a password, normally only the characters output
by the pattern character modified by the 1 will be truncated.
Used anywhere else in the password, the output strings created by
the 1 quantifier will occasionally push everything following them
past the maximum length. For example, any pattern that starts
with 'l1' (a lower case letter l followed by the digit one) and a
length range of 7 to 10, will occasionally generate a password
consisting solely of ten letters, regardless of what pattern
control characters follow the 'l1'. Such a password will be
displayed unless the
force mixed case,
force digit or force symbol options cause
such passwords to be discarded
A 2 thorough 9 following a pattern character will generate
variable length string that is much more controllable than those
created by the 1 option. The 2 through 9 set an upper length
limit and the
2 thorough 9 odds
allow the results to be biased toward the long or short
possibilities. The default odds get a pretty even distribution
of strings from the shortest to the longest.
Increasing the 2 through 9 odds (default .5) will cause the
shorter sequences to be over represented and the longer sequences
under represented. Decreasing this number will do the reverse,
over representing the long sequences and under representing the
short sequences. Odds equal 1 will prevent a second character of
a 2 character sequence from ever appearing and eliminate the
longer sequences from the higher control numbers. Odds equal 2
will reduce 2's and 3's to one character sequences and a 9 to a 1
to 4 character sequence. Odds equal .1 will grossly over
represent the longest sequences for all control numbers without
quite eliminating the shortest. Set the minimum password length
to 1 and experiment with d1, d5 and d9 as the complete control
pattern and vary odds to see the effects.
Pronounceability makes passwords much easier to remember. With
password.pl, the 'cvc' pattern produces mostly pronounceable
sequences. A significant percent are real words. With two of
these in a complete pattern, getting two real words in one
password is rare but happens. Many of the 'ccvc' and 'cvcc'
sequences are pronounceable and a few are words. Many of these
are not pronounceable however. Part of using an automated
password generator is learning to pick results that are strong
but still sufficiently pronounceable or having other
characteristics that aid memory. Conforming to a general
structural pattern should be some help.
It is not necessary that passwords be generated randomly or
picked randomly from the displayed results. What matters is that
there is no way to reliably create the exact character sequence,
using the known or foreseeable cracking techniques, without
generating huge custom dictionaries. Further, the cracker needs
to know the pattern or patterns used, if he or she is to build the
right dictionaries. This was the main weakness of the original
password.pl. The basic pattern set was rather limited. Also,
while the cracker couldn't be sure what the resulting passwords
looked like, experience tells us there is a strong tendency to
stay with default settings.
The user now has full control over general nature of the output
passwords and the tools to build word like patterns or fully
random character sequences. GET's were deliberately used for the
CGI form, so that once new settings were found that satisfy a
user's idea of what passwords should look like, they can be book
marked and reused at will. Note the current site lacks an SSL
option so generated passwords could theoretically be intercepted
by a third party; also password.pl could be written to log
generated passwords and the requesting IP address. You need to
assess these possible drawbacks and compare them to password
generators that you can run locally on your system. A
"freeware" generator for which you do not have the source code could
transmit generated passwords (or any local system data to which
you have access) back to an unknown remote site. Certain firewalls
and privacy products could prevent this or alert you if it was
An important departure from the previous password.pl is that multi
character sequences can be generated from a single pattern
control character, specifically 'w', 'W', 'e' and 'E'. These
represent two and three character consonant sequences that
commonly begin and end words, in addition to single consonants.
A collegiate dictionary was examined to find as many of these as
practical. There are roughly one hundred entries in both the
word beginning, 'w', and word ending, 'e', sequences. There are
twice that number in the mixed case counterparts. In the mixed
case versions, upper case letters only appear in the first 'W'
character or the last 'E' character.
Though these multi character sequences significantly increase the
number of passwords generated by a fixed length pattern, the
increase is not close to the number that two additional independent
consonants would generate. The numbers are 100 instead of 21 for
'w' and 'e' where these replace a 'c' and 200 instead of 42 for
'W' and 'E' where these replace a 'C'. Two extra independent
consonants would be 21 * 21 * 21 or 42 * 21 * 21, using
comparable case variations. The impact on the cracker is
probably greater than it might seem, because depending on which
sequence starts any password, following characters may be moved
by one or two characters.
Some of the additional word like patterns are: wve, wvc, cve,
wvv0e or wv2e, cvv0c or cv2c, cvcvc, wveve, wv2ev2e, cv2cv2c,
c2v2c2, c2v2c2v2c2. All of these can create pronounceable
sequences or complete gibberish. Pick ones you can remember.
'Wve' can produce three to seven character sequences; 'wv2ev2e'
can be from 5 to 13 characters. Some sequences like 'evw' and
'EvW' make little sense; they will produce patterns unlike any
others but they are not likely to be useful creating passwords
that are much more memorable than random sequences. If you want
randomness (including digits, symbols, and punctuation as well as
letters) use 'a' for lower case and 'A' for complete randomness,
including mixed case.
As indicated before, there is nothing wrong with putting either
or both one or more digits or symbols at either end of these.
Don't confuse an arbitrary string of letters preceded or
followed by digits and or symbols with dictionary words preceded
or followed by digits and or symbols. The sample control patterns
on the current password.pl, place digits and symbols in every
possible character position from 1 through the last which is
about 15 and include character type sequences from one up to
about ten of the same type. Without knowing exactly what pattern
was used to create a specific password (or all the passwords at a
site), it's of no practical value to a cracker to know that some
patterns put 2 or three character digit sequences after
Though 'WvE' can vary from 3 to 7 characters I would not be
comfortable with WvEsd
and the default length of 7 to 10 because it forces the 'WeV'
sequence to provide 5 characters. Every result will draw from
the either or both multi consonant sequences and be a lot less
random than appearance of the resulting passwords suggests. The
randomness would be more representative of a five character
password than the physical 7 to 9 character results. There will
be dictionary words with an appended symbol and digit among the
I would be quite comfortable with WvEs2d1
as there are now four pieces supplying optional extra length and
each has the potential of providing it's full range of diversity.
Nearly all the passwords from this second pattern are strong but
it will very occasionally create a dictionary word followed by a
single punctuation then digit. After about 15 minutes of trying,
'bully>5' was created. Crack and John the Ripper would probably
miss it but L0phtCrack would get it on NT in less than a minute
if the full character set was used in the "hybrid attack". A poor
password remains a poor password no mater how it's obtained.
Top of Page -
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is