Marc Wäckerlin
For a Libertarian Society

Secure Passwords and Numerical PINs

May 7, 2024


On Linux, the tool pwgen generates passwords, e.g. pwgen 20 1 generates one password of 20 random characters.

The most important options are:

  • -y to include symbols (non-alphanumeric characters)
  • -c to include capitals
  • -n to include numbers
  • -s to generate a completely random password (so that it is hard to memorize)
  • -B to avoid ambiguous characters, such as 1, I, l or 0, O (the contrary of -s; use it e.g. if you have to pass the password on paper to another person and cannot send it electronically)

So typical use cases are:

  • Generate a highly secure password: pwgen -ys 40 1, e.g. /MKtJJctOnPzQ:/q%Ax?Gu38!S%+"eof[xK%]5CW
  • Generate a password to write on paper, e.g. to physically pass to someone else: pwgen -B 40 1, e.g. thohshoh7teigae9ooyear7fuP3zeehahf7bo4Ai
  • Generate a password to unlock your mobile (not too long, memorizable): pwgen -cny 10 1, e.g. eiC{oh4quu

Fully Numeric Password (PIN)

There are options such as -A and -0 (the digit zero) to explicitly avoid capitals or numbers. But if you have to generate a PIN that consists only of numbers, there is no simple option in pwgen. Fortunately, by default there are no symbols, and there is option -A to avoid capitals. To get rid of the lower case characters, you have to pass them all to option -r, which removes the given characters from the output. So to generate a fully numeric PIN, e.g. of 8 digits, simply use:

  • pwgen -sAr 'abcdefghijklmnopqrstuvwxyz' 8 1 to get e.g. 44602010

Be aware: since purely numeric passwords draw from a much smaller character set, they are weak by design and must be much longer than mixed-character passwords to provide the same level of security. But sometimes they cannot be avoided, e.g. on credit cards or physical vaults, where you can typically only choose digits.

More Considerations on Secure Passwords

Since there are dictionary attacks against hashed password databases, a secure password in 2024 should be at least 10 characters if it is fully random and combines lower case and capital letters, numbers and symbols. The more you restrict the character set (e.g. by avoiding symbols), the longer the password needs to be for the same level of security. I myself got a ransom mail in which they revealed one of my passwords; it was 8 characters long, but built from lower case letters and numbers only. So this combination is definitely no longer secure. If you combine lower case with capitals, numbers and symbols, then 10 characters might be good enough for now. The rule of thumb is: use as many character types (numbers, lower case, capitals, symbols) as possible and make the password as long as possible. Regularly check your password lengths. Currently, I recommend using 40 fully random characters as the standard.
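The two points above (a numeric PIN needs far more digits than a mixed password needs characters, and the length you need grows as you shrink the character set) can be put into numbers. The script below is an added example, not code from the original post; it does not use pwgen at all, but assumes only a POSIX sh with tr, head, awk and /dev/urandom. It draws passwords from a few named character sets (the "paper" set without l, o, I, O, 0, 1 is my own choice, not pwgen's -B set), computes the entropy of a password as length × log2(set size), and answers the practical question "how long must a password from this set be to match N bits?".

```shell
#!/bin/sh
# Added example: portable password/PIN generator plus strength estimator.
# Assumes POSIX sh, tr, head, awk and /dev/urandom (no pwgen needed).

# Character sets as tr(1) ranges. "paper" is our own ambiguity-free set
# (no l, o, I, O, 0, 1), an assumption, not the set pwgen -B uses.
charset_for() {  # usage: charset_for PROFILE
  case "$1" in
    pin)   printf '0-9' ;;                     # digits only, like pwgen -sAr 'a...z'
    weak)  printf 'a-z0-9' ;;                  # lower case + digits (the leaked 8-char case)
    alnum) printf 'a-zA-Z0-9' ;;
    paper) printf 'a-km-np-zA-HJ-NP-Z2-9' ;;  # ambiguity-free set for writing down
    full)  printf '!-~' ;;                     # all 94 printable non-space ASCII, like pwgen -ys
    *)     echo "unknown profile: $1" >&2; return 1 ;;
  esac
}

# Size of a set, derived by pushing every ASCII byte 1..127 through the
# same tr filter that generation uses, so the number cannot drift from the set.
charset_size() {  # usage: charset_size PROFILE
  chars=$(charset_for "$1") || return 1
  i=1
  while [ "$i" -lt 128 ]; do
    printf "\\$(printf '%03o' "$i")"   # emit the byte via an octal escape
    i=$((i + 1))
  done | LC_ALL=C tr -dc "$chars" | wc -c | tr -d ' '
}

# Entropy in bits of a uniformly random password: LEN * log2(size).
entropy_bits() {  # usage: entropy_bits PROFILE LEN
  awk -v n="$(charset_size "$1")" -v l="$2" \
    'BEGIN { printf "%.1f\n", l * log(n) / log(2) }'
}

# Shortest length from PROFILE that reaches at least BITS bits (ceil).
length_for_bits() {  # usage: length_for_bits PROFILE BITS
  awk -v n="$(charset_size "$1")" -v b="$2" \
    'BEGIN { x = b / (log(n) / log(2)); printf "%d\n", (x > int(x)) ? int(x) + 1 : int(x) }'
}

# Draw LEN characters uniformly from PROFILE. tr -dc discards every byte
# outside the set (rejection sampling), so there is no modulo bias.
gen_password() {  # usage: gen_password PROFILE LEN
  chars=$(charset_for "$1") || return 1
  LC_ALL=C tr -dc "$chars" < /dev/urandom | head -c "$2"
  echo
}

# Demo: compare the sets at 8 characters and ask how long each must be
# to reach 65 bits (roughly what 10 characters from the full set give).
for p in pin weak alnum paper full; do
  printf '%-6s size=%3s  8 chars = %5s bits  65 bits need %2s chars  e.g. %s\n' \
    "$p" "$(charset_size "$p")" "$(entropy_bits "$p" 8)" \
    "$(length_for_bits "$p" 65)" "$(gen_password "$p" 8)"
done
```

Run it with sh and read the table: an 8-digit PIN is worth about 26.6 bits, the lower-case-plus-digits 8-character password that leaked about 41.4 bits, while 10 characters from the full printable set give about 65.5 bits; to reach that same 65 bits with digits alone you need a 20-digit PIN. The size function deliberately counts the bytes that survive the tr filter rather than hard-coding a number, so adding a profile cannot leave its entropy estimate wrong.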

Another important rule is: use a different password for every service. If a password leaks at any time, you only need to replace that single password. Because it is impossible to remember any number of highly secure passwords, evaluate a good and secure password manager (digital vault) and store your passwords in it, encrypted with a memorizable master password. The best and most secure vaults are not in the cloud, but only on your local machine.

It is more secure to choose long, complex and complicated passwords and manage them well than to change them frequently. But immediately change your password whenever you used it in the wrong place, e.g. you accidentally typed it in a chat or in a browser search bar instead of in the password field. It does not even matter whether you actually sent the password; typing it in the wrong place is always a reason to change it. Be aware that nowadays even local text editors may send data to online services, so even accidentally pasting a password into a text editor (such as VSCode) or an office tool (such as MS Word) is a reason to change the password immediately. And even if you keep your passwords secure, change them from time to time. That does not have to be every month, but it should be at least once a year. When in doubt, always change a password immediately.
