
Wolfram Alpha's Secure Password Service - shawndumas
http://www.wolframalpha.com/input/?i=secure+password
======
stevelosh
Their estimate of 100,000 passwords a second is a VAST underestimate of the
capabilities of modern hardware and software.

For example: <http://www.win.tue.nl/cccc/sha-1-challenge.html> \-- the winner
is cracking SHA1'ed passwords at _seven thousand_ times the speed WA uses in
their estimates.

~~~
JoachimSchipper
To be fair to Alpha, SHA1 is a really shitty password hash. (Use bcrypt,
scrypt if you're feeling adventurous, or salted SHA1 with a configurable
number of iterations if you really can't do better.)
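The "salted SHA1 with a configurable number of iterations" fallback, written out as an added example (not code from Wolfram Alpha, JoachimSchipper, or any project on this page). It uses PBKDF2-HMAC-SHA1 from the Python standard library, a fresh 16-byte random salt per password, a constant-time comparison on verify, and a `needs_rehash` check so the iteration count can be raised later; the record format `pbkdf2_sha1$iters$salt$hash` and the 100,000 iteration default are my choices, not a standard. The bare `plain_sha1` function is included only as the contrast case the thread warns about:

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example: PBKDF2 (RFC 2898) over HMAC-SHA1 with a per-password salt.
# bcrypt or scrypt are still preferred when a library for them is available;
# this is the "salted SHA1 with configurable iterations" fallback.
ITERATIONS = 100_000   # assumption: tune so one verification costs tens of ms


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha1$<iterations>$<salt hex>$<hash hex>."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per password, never reused
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha1${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha1":
        raise ValueError("unknown password record scheme")
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record used fewer iterations than the current setting;
    re-hash on the next successful login to raise the cost over time."""
    return int(stored.split("$")[1]) < iterations


def plain_sha1(password: str) -> str:
    """Unsalted single-round SHA-1: what GPU crackers chew through. Contrast only."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("Tr0ub4dor&3", record))
    print("plain sha1 of 'password':", plain_sha1("password"))
```

Two things the record format buys you: the salt makes every user's hash distinct even for identical passwords, so a precomputed table is useless, and storing the iteration count beside the hash means you can raise the cost later without invalidating existing accounts.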

~~~
stevelosh
Absolutely, but tons of places still use it (and md5 _shudder_ ), and you
rarely know what hashing algorithm a place is using when you sign up. So when
picking a "secure password" you should probably assume the worst.

~~~
pietro
You rarely even know if they store it in plain text.

------
beaumartinez
"Secure"? Isn't "strong" a better adjective? If I tell you my password, it's
no longer secure, despite still being strong.

------
MatthewPhillips
Passwords need to die. Passphrases if you truly insist, but preferably I'd like
all sites to create new sessions by sending me an email with a temporary
token.

~~~
beaumartinez
Nice concept. How would you log in to your email, though? Surely you'd need a
strong password? ;)

~~~
pestaa
Ask for an SMS token. But don't ask me how you would turn your phone on. :)

------
JoachimSchipper
For if you really want a "secure" password sent over HTTP, I presume...

~~~
julian37
Sent over HTTP and generated on a remote machine, which could theoretically
log it along with your IP. </paranoid>

Alternate ways of generating strong passwords on your local box that I'm aware
of:

* Mac OS X users can launch Keychain Access, click the + button, then the Key button on the very right. This gives you a dialog window which will generate strong passwords in various configurations, such as memorable ones.

* The pwgen utility is available on several Linux distributions and on Macports. It too can generate memorable passwords. Check out the -s and -y command line options and note that you can give the desired password length on the command line.

Any other recommendations?

~~~
mrud
* apg <http://www.adel.nursat.kz/apg/download.shtml> generates pronounceable/memorable passwords by default. From the Debian package description:

APG (Automated Password Generator) is the tool set for random password
generation. It generates some random words of required type and prints them to
standard output. Advantages:

  * Built-in ANSI X9.17 RNG (Random Number Generator)(CAST/SHA1)
  * Built-in password quality checking system (now it has support for Bloom
    filter for faster access)
  * Two Password Generation Algorithms:
     1. Pronounceable Password Generation Algorithm (according to NIST
        FIPS 181)
     2. Random Character Password Generation Algorithm with 35
        configurable modes of operation
  * Configurable password length parameters
  * Configurable amount of generated passwords
  * Ability to initialize RNG with user string
  * Support for /dev/random
  * Ability to crypt() generated passwords and print them as additional output.
  * Special parameters to use APG in script

------
ique
I would be more interested in generating pass-phrases like the "4 common word
password" of XKCD.

~~~
jesseendahl
<http://passphra.se> does exactly that =) Although it's sadly not https.

~~~
preshing
True, but there are two reasons for that! One is because I'm too cheap to pay
the premium my web host demands for https. The other is because most of the
entropy is calculated in your browser via Javascript (even borrowing a JS
implementation of SHA-1). It's extremely unlikely that either I (the server),
or a third party sniffing packets, could guess the passphrase you generated
using passphra.se.
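Both styles of local generation raised in this thread (julian37's "generate it on your own box" and ique's XKCD-style "4 common words"), as one added example that is not code from passphra.se, pwgen, apg, or any poster. It draws every choice from the OS CSPRNG via `secrets`, never `random`. The `WORDS` list is a constructed 16-entry stand-in so the block runs offline; a real generator loads a list of a few thousand common words, and the entropy figure makes the difference plain:

```python
import math
import secrets
import string

# Constructed, deliberately tiny word list so the example runs offline.
# 16 words give only 4 bits per word; the XKCD figure (about 44 bits for
# four words) assumes a list of roughly 2048 common words.
WORDS = ["correct", "horse", "battery", "staple", "apple", "river", "stone",
         "cloud", "window", "garden", "silver", "market", "forest", "candle",
         "pencil", "rocket"]

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def random_passphrase(n_words: int = 4, words=WORDS, sep: str = " ") -> str:
    """Diceware-style passphrase: n independent uniform picks from the word list.
    secrets.choice uses the OS CSPRNG; random.choice is predictable and must not be used."""
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates; entropy would be overstated")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Random-character password from the given alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(pool_size: int, n_symbols: int) -> float:
    """Entropy of n independent uniform picks from a pool of pool_size items,
    i.e. log2 of the number of possible outputs."""
    return n_symbols * math.log2(pool_size)


if __name__ == "__main__":
    print(random_passphrase(4), f"({entropy_bits(len(WORDS), 4):.1f} bits with this toy list)")
    print(f"four words from a 2048-word list: {entropy_bits(2048, 4):.1f} bits")
    print(random_password(16), f"({entropy_bits(len(PRINTABLE), 16):.1f} bits)")
```

The entropy function only holds when the picks really are uniform and independent; a passphrase you composed yourself, or one trimmed to "words I can remember", has less entropy than the formula reports.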

------
lensflare
I've been using PasswordMaker for a long time. It creates new passwords for
each site based on a master password and the url of the site. It has many
other options as well. The advantage of PasswordMaker is that if you know the
master password you can recreate the password for any site. If you lose your
password with Wolfram you'll have to do some kind of reset/recovery.
<http://passwordmaker.org/>
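The idea lensflare describes, a per-site password recreated from a master password plus the site, as an added example. This is not PasswordMaker's own algorithm (that project has its own hash and character-set options); it is my illustration of the same scheme using PBKDF2-HMAC-SHA256 with the normalised host name as salt, so that http://Example.com/login and https://example.com/ derive the same password, and rejection sampling to map key bytes onto the output alphabet without modulo bias. The alphabet, iteration count and 16-character default are assumptions:

```python
import hashlib
import string
from urllib.parse import urlsplit

# Assumptions for this added example, not PasswordMaker's settings.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"   # 70 symbols
ITERATIONS = 100_000


def site_key(url: str) -> str:
    """Reduce a URL to its lower-cased host so path, scheme and case do not change the result."""
    host = urlsplit(url).hostname          # None when no scheme was given
    return (host or url).lower()


def derive_site_password(master: str, url: str, length: int = 16) -> str:
    """Deterministic password for (master, site). PBKDF2 makes recovering the master
    from one leaked site password expensive; the host name is the per-site salt."""
    salt = site_key(url).encode("utf-8")
    limit = 256 - 256 % len(ALPHABET)      # reject bytes >= 210 to keep picks uniform
    out = []
    counter = 0
    while len(out) < length:
        # A counter in the salt lets us draw more key material if too many bytes were rejected.
        dk = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                                 salt + counter.to_bytes(4, "big"), ITERATIONS, dklen=64)
        for b in dk:
            if b < limit:
                out.append(ALPHABET[b % len(ALPHABET)])
                if len(out) == length:
                    break
        counter += 1
    return "".join(out)


if __name__ == "__main__":
    for site in ("https://example.com/login", "http://EXAMPLE.com/", "https://example.org/"):
        print(f"{site:30s} {derive_site_password('correct horse battery staple', site)}")
```

The trade-off is the one lensflare points at from the other side: nothing needs to be stored, so nothing can be lost, but the master password is the single secret behind every site, and rotating one site's password means changing the master or adding a per-site counter to the salt.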

------
pguzmang
mmmm ... You have a strong password, but how will you remember it, with a
sticky note?

Some people say that a passphrase is a safer password, and it is indeed
mathematically true. However, currently most systems have captchas or lockouts,
and brute force or dictionary attacks are no longer used.

One of the more effective methods is, for example: you create a user on a weak
page like a blog or something, and then someone breaks in and obtains an email
account and the password for the blog.

Maybe if the hacker is smart enough he could try the email account with the
same password found, and they've got you. So, different passwords is the safest
method; you can use LastPass, 1Password, or KeePass to remember your passwords.
They also allow multi-step security using OTP devices like a YubiKey or RSA
token.

------
beaumartinez
"Siri, generate me a strong password."

~~~
jkeel
GLaDOSiri: "I've created a strong password, but you'll just write it on a
sticky note left on your computer anyway."

~~~
pavel_lishin
"You monster."

------
rshm
[http://www.wolframalpha.com/input/?i=sha+simplepassword+site...](http://www.wolframalpha.com/input/?i=sha+simplepassword+sitename.com)

------
AlexCP
I normally use <https://www.grc.com/passwords.htm> when I need a random
password

------
jimmar
Does anybody know how the entropy is calculated?

~~~
tedunangst
ln(number of possible passwords)
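tedunangst's formula carried through to the time-to-crack question stevelosh raises at the top of the thread, as an added example that is not Wolfram Alpha's calculation. It takes the number of possible passwords, reports its natural log (as above) alongside the same figure in bits, and estimates expected offline cracking time at the two guess rates quoted in the thread: the 100,000/s that Wolfram Alpha assumes and the SHA-1 challenge winner's roughly 7,000 times that. The policies compared are constructed for illustration:

```python
import math

# Guess rates quoted in the thread; the second is stevelosh's "seven thousand times" figure.
WA_RATE = 1e5
SHA1_CHALLENGE_RATE = 7_000 * WA_RATE
SECONDS_PER_YEAR = 365.25 * 86_400

# Constructed policies to compare: (pool size, number of picks).
# "4 common words" follows the XKCD comic's 2048-word list mentioned above.
POLICIES = {
    "8 lowercase letters": (26, 8),
    "8 printable ASCII": (95, 8),
    "12 printable ASCII": (95, 12),
    "4 common words (2048-word list)": (2048, 4),
}


def search_space(pool_size: int, length: int) -> int:
    """Number of possible passwords for uniform independent picks."""
    return pool_size ** length


def entropy(n_possible: int) -> dict:
    """tedunangst's ln(number of possible passwords), plus the same in bits (log2)."""
    return {"nats": math.log(n_possible), "bits": math.log2(n_possible)}


def expected_crack_seconds(n_possible: int, guesses_per_second: float) -> float:
    """Expected time for an exhaustive offline search: half the space on average."""
    return n_possible / 2 / guesses_per_second


def human_time(seconds: float) -> str:
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < 86_400:
        return f"{seconds / 3600:.1f} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86_400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.1f} years"


def crack_table(policies=POLICIES, rates=(WA_RATE, SHA1_CHALLENGE_RATE)) -> dict:
    """Per policy: entropy in bits and expected crack time (seconds) at each rate."""
    rows = {}
    for name, (pool, length) in policies.items():
        n = search_space(pool, length)
        rows[name] = {"bits": entropy(n)["bits"],
                      "seconds": [expected_crack_seconds(n, r) for r in rates]}
    return rows


if __name__ == "__main__":
    print(f"{'policy':34s} {'bits':>5s} {'at 1e5/s':>12s} {'at 7e8/s':>12s}")
    for name, row in crack_table().items():
        cells = "  ".join(f"{human_time(s):>12s}" for s in row["seconds"])
        print(f"{name:34s} {row['bits']:5.1f} {cells}")
```

Two caveats the numbers do not carry: they assume a uniformly random password, so a human-chosen one falls to a dictionary or rule-based attack long before the exhaustive figure, and they describe an offline attack on a stolen hash, which is exactly the scenario where a fast unsalted hash makes the 7,000x rate available to the attacker.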

