Dear Editor,
A long tome ago, I looked at diceware as Michael Z. Williamson mentioned (love that XKCD cartoon), and I don’t find it quite as robust as I would like for password generating (I have one diceware-ish password I use for convenience, but used a couple of foreign words and specific capitals as well). Creating a series of simple words that forces the attackers to use a brute force attack on it anyway, made me want to go out and find out a better way to find brute-force-resistant passwords.
I found one (essentially, only one) really good password generator at the Foutmilab web site.
What makes it a really good password generator (relative to most others) are the following features:
First, It just doesn’t randomly generate passwords (though, it can), it gives you the ability to input an alpha-numeric seed, so that using the seed “cat” will always generate the same groupings of passwords/keys.
The benefit to this is that if you share a specific seed key with someone else (um … in person that you can easily remember and associate with them) like CrazyTimeInVegas, then you have created a an easy way for each of you to generate one-time-use pads.
It allows you to choose how long of key, and other characteristics about the passwords generated.
So, you encrypt a file, send it to them through e-mail, and in your subject line you write, “62,394 more reasons Nancy Pelosi is awesome” …. which codes to your receiver to use 62 digit key and choose the 394th key generated. (or, come up with an agreed upon way to alter it even more … i.e., drop the 6 in the header but know that you’ll always use a 60 digit length key). Or better, snail mail them a memory card with the information you want to send, with the NSA storing all e-mail, you can be sure that as they get faster and faster (and get into quantum computing encryption breakers, that all forms of encryption will be broken at some point).
Combine that with sending your information in triple-cascading 1 mb Truecrypt drive, or other encryption routine, and you’ll be one step up. At least until quantum processing starts annihilating all forms of simple encryption.
2nd Benefit: It stores on your local computer and can run in any browser (you aren’t using a web site to run it through the Internet, you can be offline whenever it runs). One can also add a couple of default numbers (don’t do the seed), so you don’t need to type a couple of the less useful features (like the number of digits between separators and which separator to use … answer: none). It’s a simple javascript and the code is open source so you don’t have to worry about backdoors/it sending out extra data, etc. The code is wide open for everyone to see.
3rd: It’s free. Go to the web site, save the page to your computer, and never run it off the web site again. (The author of the site suggests doing this.) Keep a copy of the script in your e-mail drafts as a backup and forward to your friends who need it.
It fills a nice gap, there are still important things to consider like physical security of your device (i.e., if they install monitoring software on your machine, or a keyboard tracker, or a webcam that can view your keyboard, it doesn’t matter how good your encryption is), and finding an easy-for-you-impossible-for-them way of keeping track of your password generating keys. – C.S. in the Midwest