Scott Hanselman

I'm not sure the "leet" rules are that much harder to break than a regular dictionary word, particularly since there are well-understood rules for "leet"-ing stuff (e=3, i=1, etc).

I wish more users would adopt passphrases:

http://www.codinghorror.com/blog/archives/000360.html

Perhaps you can code an example of powershell building a much more secure *AND* easier to remember passphrase from that same dictionary?

Jeff, I was getting ready to make the same comment regarding lee7 algorithms.

A great suggestion that Jeff Gibson made in the Security Now! podcast is to invent your own personal password algorithm that can be applied to a variety of sources. Something like "1" + [the first three letters of the site in reverse order] + "24! + [capitalized last letter of the site]. You won't have to remember every different password, just the algorithm, and its invulnerable to dictionary attacks.

I adopted this type of strategy about 6 months ago, and my passwords are not only much stronger, but I don't need to store them.

Seeing the original script, three things jumped out at me.

1) If the stars aligned and a character was being replaced with its 1337 equivilent, it was replaced throughout the entire password. While probably easier to remember, it's a level of predictability that I'm not comfortable with in a password generator.

2) A number of words in the dictionary are shorter than 8 characters. Many systems require 8 characters minimum.

3) Even though I'm a 1337 633|< myself, it sometimes takes me a second to realize what the 1337 word is supposed to be.

So I took the liberty of addressing these issues.

$leet = @{e=3;o=0;l=1;a=4;i='!';t=7}
$paddingchars = "abcdefghijklmnopqrstuvwxyz01234567890".ToCharArray()
$rand = new-object System.Random
$words = import-csv dict.csv
$word = ($words[$rand.Next(0,$words.Count)]).Word
if ($args[0]) { $word = $args[0] }
$outputchars = $word.ToCharArray()
$outputchars | foreach-object { $i=0 }{ $skip = $rand.Next(0,3); if ( $skip -ne 0 -AND $leet.ContainsKey([string]$_) ) { $outputchars[$i] = [char][string]$leet[[string]$_]}; $i+=1 }
while ($outputchars.Length -lt 8) { $outputchars += $paddingchars[$rand.Next(0,$paddingchars.Length)]}
$OFS = ""
$originalword = $word
$word = [string]$outputchars
"Generated password: $word (based on '$originalword')"

(gee, I hope that displays okay as a dasBlog comment)

A couple of other things I would have done if I didn't actually have to get some work done today:

- random capitalization
- passing of minimum length as a parameter (rather than hard-coded as 8)

Of course, I'm a day late and a dollar short, since Jeff correctly pointed out that passphrases are a better solution.

I should have realized line 8 was too long. Either concantenate lines 8 and 9 or add a line continuation character to 8 and it should be fine.

A little off topic, but every looked at RoboForm (a la Pass2Go) ??? Excellent password manager that generates random passwords for you, and the bets thing, remembers and enteres them for you.

Awesome tool, maybe you'll add it to your Must Have tools list. Check it out. No, I don't work for them, just a happy user. It's free for up to 10 passwords too!

BOb

Passphrases may be where it's at, but I'm not sure I want anyone to foible my finesse.