otp

Readers of thrillers may remember that one time pads are used for coded messages intended to be used only once. The sender uses the top password or encryption, then discards it, and the receiver discards their copy after receiving a message. otp [4] has no direct connection to actual one time pads, except that the name adds drama to security. Contrary to what the name seems to imply, there is no limit to how often you can use the passwords produced by otp. Nor should this little script from the Debian repositories be confused with the similarly named Red Hat tool.

What otp does offer is a number of simple controls for generating passwords. Its options consist of a format, followed by the number of characters in the generated password. The default is all uppercase passwords, but more options are easily added to modify results. For example, -c14 produces a password consisting only of letters that is 14 characters long. Similarly, users can opt for a password consisting of numbers (dCHARS) or letter groups that are easy to pronounce (eCHARS). For ease of use, -sCHARS can also be used to specify the spacing of hyphens throughout the password. If no options are specified, the default is passwords of eight characters with a hyphen every four characters.

Also, otp includes an option to specify the number of keys generated (-nNUMBER). In addition, it can also create an output file that can be used to verify incoming passwords (Figure 4).

Figure 4: Despite the name, otp-generated passwords can be used more than once.

Diceware

Diceware [5] gets its name from a method of generating results by rolling dice. The numbers on the dice are assembled as a number that is used to look up a word in a dictionary or word list that corresponds to that number. A number of words – five by default – are run together to produce the password. By default, each word begins with a capital letter unless the --no-caps option is used. The number of words that comprise the password can be set with --num 'NUMBER', and special characters added with --specials 'NUMBER'. A delimiter between words can be set with -d'CHARACTER'. The Diceware application is unique in that its option --dice-side NUMBER can be used so that results are not necessarily based on six-sided dice. As well, --randomsource SOURCE can be set, so that the randomness is generated by your operating system (Figure 5).

Figure 5: Diceware includes an option to add delimiters between words.

Diceware's original dictionaries have inspired a number of refinements (see xkcdpass). Diceware itself includes en (English), en_eff (based on Electronic Frontier Foundation modifications), en_orig (the original Diceware dictionary), and en_securedrop (English designed for security), which is the default. Each dictionary lists one word per line, prefaced with a sequential number, making the creation of a custom list an easy task.

xkcdpass

xkcdpass [6] is a Python script inspired by a comic strip from the geekily popular xkcd comic (Figure 6). Instead of the usual mixture of characters, the strip advocates strings of words, maintaining that these strings are just as secure as a traditional password, and much easier to remember. xkcdpass is designed to generate these strings [7].

Figure 6: The comic strip that inspired xkcdpass.

xkcdpass works by default with a word list called eff-long [8], which was released by the Electronic Frontier Foundation under a Creative Commons Attribution license for the specific purpose of generating passwords. eff-long, in turn, was originally a modification of Alan Beale's 12Dicts package for Aspell [9], which itself was based on the standard word list for Diceware. 12Dicts consists of common English words of varying lengths originally derived from 12 different dictionaries, with outdated works, jargon, and scientific terms excluded. eff-long consists of 7,776 words, listed one per line, with the first line numbered 1111 and the rest continuing in sequence. Generally, eff-long is all that anyone needs, but other dictionaries are also installed: eff-special, which contains 1,296 memorable words that are easier to remember but provide less security, and eff-short, in which each word begins with a unique three-letter prefix that could be used one day for autocompletion. Dictionaries for Finnish, French, Italian, German, Norwegian, Portuguese, and Spanish are also available. Those who want greater security can also produce longer, more specialized lists if desired. All word lists are stored in /usr/lib/python3/dist-packages/xkcdpass/static/.

The number of words in a password is five by default. However, --numwords=NUMBER can be used to change the default, and --min=NUMBER or --max=NUMBER can be specified to control the length of each word. Still another way to customize the resulting password is to specify a regular expression with --var-char=REGEX. For ease of memory, --acrostic=WORD can be set, so that the first letter of each word spells out another word. For example, if the word supplied is "chaos," xkcdpass might supply the password Church Hermann Auvergne Orthodox Sculptor (Figure 7).

Figure 7: Based on a popular comic, xkcdpass can use acrostics to make passwords easier to remember.

Those who are security-conscious can include --verbose to read the level of security supplied by a specific password. Yet another convenience is --interactive, which continues to generate passwords until you accept one.