#1 (permalink)
10-12-2005, 04:22 PM
Nospam
Re: Security

[snip]

> Are there any free WPA-PSK generators available?


I found this https://www.winguides.com/security/password.php. Any
opinions on whether this generator can be trusted?

#2 (permalink)
10-12-2005, 05:20 PM
Jeff Liebermann
Re: Security

On Wed, 12 Oct 2005 11:22:22 -0500, Nospam <nospam@nospam.com> wrote:

>[snip]
>
>> Are there any free WPA-PSK generators available?

>
>I found this https://www.winguides.com/security/password.php. Any
>opinions on whether this generator can be trusted?


Well, they're in Australia so I don't think they'll be sniffing your
wireless traffic from that far away. There's always the danger that
they're capturing the generated keys and posting them to hacker web
sites or perhaps building dictionary lookup lists. It's also possible
that the generated keys are not truly random and have some type of
hidden pattern that makes them easy to detect and decode. You
evaluate the risks based on your potential exposure.

Incidentally, Winguides is PcTools.com. I've used various PC Tools
products for many years and highly recommend both the products and the
company.

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

#3 (permalink)
10-12-2005, 05:42 PM
John Navas
Re: Security

[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In <434D383E.1060305@nospam.com> on Wed, 12 Oct 2005 11:22:22 -0500, Nospam
<nospam@nospam.com> wrote:

>[snip]
>
>> Are there any free WPA-PSK generators available?

>
>I found this https://www.winguides.com/security/password.php. Any
>opinions on whether this generator can be trusted?



The password generator I use and recommend is Password Safe*
<http://passwordsafe.sourceforge.net/>
Originally created by noted cryptographer Bruce Schneier of Counterpane Labs,
it's open source and free, and has been subjected to extensive peer review.


* NOT!!! <http://www.passwordsafe.com/>

--
Best regards, HELP FOR CINGULAR GSM & SONY ERICSSON PHONES:
John Navas <http://navasgrp.home.att.net/#Cingular>

#4 (permalink)
10-12-2005, 05:44 PM
John Navas
FAQ: How can I generate good strong passwords?

Q: How can I generate good strong passwords?

A: Password Safe* <http://passwordsafe.sourceforge.net/>
Originally created by noted cryptographer Bruce Schneier of Counterpane Labs,
it's open source and free, and has been subjected to extensive peer review.


* NOT <http://www.passwordsafe.com/>

--
Best regards, HELP FOR CINGULAR GSM & SONY ERICSSON PHONES:
John Navas <http://navasgrp.home.att.net/#Cingular>

#5 (permalink)
10-12-2005, 06:50 PM
John Navas
Re: Security

[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In <6tgqk1d2mus3gg7qe56vcllerbf0l7o3k2@4ax.com> on Wed, 12 Oct 2005 10:20:14
-0700, Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:

>On Wed, 12 Oct 2005 11:22:22 -0500, Nospam <nospam@nospam.com> wrote:
>
>>[snip]
>>
>>> Are there any free WPA-PSK generators available?

>>
>>I found this https://www.winguides.com/security/password.php. Any
>>opinions on whether this generator can be trusted?

>
>Well, they're in Australia so I don't think they'll be sniffing your
>wireless traffic from that far away. There's always the danger that
>they're capturing the generated keys and posting them to hacker web
>sites or perhaps building dictionary lookup lists. It's also possible
>that the generated keys are not truly random and have some type of
>hidden pattern that makes them easy to detect and decode. You
>evaluate the risks based on your potential exposure.
>
>Incidentally, Winguides is PcTools.com. I've used various PC Tools
>products for many years and highly recommend both the products and the
>company.


Firefox reports that the issuer of the certificate for that site cannot be
verified, a matter of concern, especially when the objective is security.

--
Best regards, HELP FOR CINGULAR GSM & SONY ERICSSON PHONES:
John Navas <http://navasgrp.home.att.net/#Cingular>

#6 (permalink)
10-12-2005, 07:33 PM
Nospam
Re: Security

On 10/12/2005 1:50 PM, John Navas wrote:
> [POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
>
> In <6tgqk1d2mus3gg7qe56vcllerbf0l7o3k2@4ax.com> on Wed, 12 Oct 2005 10:20:14
> -0700, Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>
>> On Wed, 12 Oct 2005 11:22:22 -0500, Nospam <nospam@nospam.com> wrote:
>>
>>> [snip]
>>>
>>>> Are there any free WPA-PSK generators available?
>>> I found this https://www.winguides.com/security/password.php. Any
>>> opinions on whether this generator can be trusted?

>> Well, they're in Australia so I don't think they'll be sniffing your
>> wireless traffic from that far away. There's always the danger that
>> they're capturing the generated keys and posting them to hacker web
>> sites or perhaps building dictionary lookup lists. It's also possible
>> that the generated keys are not truly random and have some type of
>> hidden pattern that makes them easy to detect and decode. You
>> evaluate the risks based on your potential exposure.
>>
>> Incidentally, Winguides is PcTools.com. I've used various PC Tools
>> products for many years and highly recommend both the products and the
>> company.

>
> Firefox reports that the issuer of the certificate for that site cannot be
> verified, a matter of concern, especially when the objective is security.
>


That's one of the reasons I asked about trust (I use Firefox too).

#7 (permalink)
10-12-2005, 09:19 PM
Volker Birk
Re: Security

Nospam <nospam@nospam.com> wrote:
> > Are there any free WPA-PSK generators available?

> I found this https://www.winguides.com/security/password.php. Any
> opinions on whether this generator can be trusted?


An online secret generator is an oxymoron.

Yours,
VB.
--
"I am a free man and will now make use of my civil liberties
- extensively, in fact - though of course only within the limits that
Otto Schily still leaves available to me."
Wolfgang Clement on 10.10.05, while still "superminister"

#8 (permalink)
10-13-2005, 01:39 AM
William P. N. Smith
Re: FAQ: How can I generate good strong passwords?

John Navas <spamfilter0@navasgroup.com> wrote:
>Q: How can I generate good strong passwords?


>A: Password Safe* <http://passwordsafe.sourceforge.net/>


Why is this a typical "security question non-answer"? The answer is a
great way (I suppose) to store your passwords, but has nothing
whatsoever to do with generating them in the first place.

Personally I roll a set of hex dice. 8*)

#9 (permalink)
10-13-2005, 08:36 AM
Harry
Re: FAQ: How can I generate good strong passwords?

On Wed, 12 Oct 2005 21:39:21 -0400, William P. N. Smith <> wrote:

>John Navas <spamfilter0@navasgroup.com> wrote:
>>Q: How can I generate good strong passwords?

>
>>A: Password Safe* <http://passwordsafe.sourceforge.net/>

>
>Why is this a typical "security question non-answer"? The answer is a
>great way (I suppose) to store your passwords, but has nothing
>whatsoever to do with generating them in the first place.
>
>Personally I roll a set of hex dice. 8*)


I think you'll find it IS relevant. Passwordsafe can generate
passwords for you.

Say you are registering for a website. You create a new entry in
Passwordsafe and click the 'Generate' button. Hey presto a new password
(also you can generate passwords again and again before you select the
best one)

There are options to configure how the password is generated too.

Set Password default length
Use Lowercase
Use Uppercase
Use Digits
Use Symbols
Use only easy-to-read chars (ie 0 and O)

I use passwordsafe and it's great. I know I have secure passwords plus
I don't have to resort to passwords that could be cracked easily.

Harry

#10 (permalink)
10-13-2005, 09:26 AM
Mike Preston
Re: FAQ: How can I generate good strong passwords?

On Thu, 13 Oct 2005 09:36:49 +0100, Harry
<Harry@WiseWebs.co.nospam.uk> wrote:

>On Wed, 12 Oct 2005 21:39:21 -0400, William P. N. Smith <> wrote:
>
>>John Navas <spamfilter0@navasgroup.com> wrote:
>>>Q: How can I generate good strong passwords?

>>
>>>A: Password Safe* <http://passwordsafe.sourceforge.net/>

>>
>>Why is this a typical "security question non-answer"? The answer is a
>>great way (I suppose) to store your passwords, but has nothing
>>whatsoever to do with generating them in the first place.
>>
>>Personally I roll a set of hex dice. 8*)

>
>I think you'll find it IS relevant. Passwordsafe can generate
>passwords for you.
>
>Say you are registering for a website. You create a new entry in
>Passwordsafe and click the 'Generate' button. Hey presto a new password
>(also you can generate passwords again and again before you select the
>best one)
>
>There are options to configure how the password is generated too.
>
>Set Password default length
>Use Lowercase
>Use Uppercase
>Use Digits
>Use Symbols
>Use only easy-to-read chars (ie 0 and O)
>
>I use passwordsafe and it's great. I know I have secure passwords plus
>I don't have to resort to passwords that could be cracked easily.


And the next time you want to access a website from an internet cafe
you will do what?

mike

#11 (permalink)
10-13-2005, 10:35 AM
Harry
Re: FAQ: How can I generate good strong passwords?

On Thu, 13 Oct 2005 09:26:58 GMT, mbpatpas@pacbell.net.invalid (Mike
Preston) wrote:

>On Thu, 13 Oct 2005 09:36:49 +0100, Harry
><Harry@WiseWebs.co.nospam.uk> wrote:
>
>>On Wed, 12 Oct 2005 21:39:21 -0400, William P. N. Smith <> wrote:
>>
>>>John Navas <spamfilter0@navasgroup.com> wrote:
>>>>Q: How can I generate good strong passwords?
>>>
>>>>A: Password Safe* <http://passwordsafe.sourceforge.net/>
>>>
>>>Why is this a typical "security question non-answer"? The answer is a
>>>great way (I suppose) to store your passwords, but has nothing
>>>whatsoever to do with generating them in the first place.
>>>
>>>Personally I roll a set of hex dice. 8*)

>>
>>I think you'll find it IS relevant. Passwordsafe can generate
>>passwords for you.
>>
>>Say you are registering for a website. You create a new entry in
>>Passwordsafe and click the 'Generate' button. Hey presto a new password
>>(also you can generate passwords again and again before you select the
>>best one)
>>
>>There are options to configure how the password is generated too.
>>
>>Set Password default length
>>Use Lowercase
>>Use Uppercase
>>Use Digits
>>Use Symbols
>>Use only easy-to-read chars (ie 0 and O)
>>
>>I use passwordsafe and it's great. I know I have secure passwords plus
>>I don't have to resort to passwords that could be cracked easily.

>
>And the next time you want to access a website from an internet cafe
>you will do what?

Use your USB drive. Better to have a secure password than see all your
accounts get hacked and stolen!
>
>mike


#12 (permalink)
10-13-2005, 11:07 AM
david20@alpha2.mdx.ac.uk
Re: Security

In article <oWb3f.134436$qY1.11603@bgtnsc04-news.ops.worldnet.att.net>, John Navas <spamfilter0@navasgroup.com> writes:
>[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
>
>In <434D383E.1060305@nospam.com> on Wed, 12 Oct 2005 11:22:22 -0500, Nospam
><nospam@nospam.com> wrote:
>
>>[snip]
>>
>>> Are there any free WPA-PSK generators available?

>>
>>I found this https://www.winguides.com/security/password.php. Any
>>opinions on whether this generator can be trusted?

>
>
>The password generator I use and recommend is Password Safe*
><http://passwordsafe.sourceforge.net/>
>Originally created by noted cryptographer Bruce Schneier of Counterpane Labs,
>it's open source and free, and has been subjected to extensive peer review.
>
>

Since you are looking at making the WPA-PSK more difficult to crack you are
probably already aware of this.

The WiFi alliance recommends a pass phrase of more than 20 characters.

See http://www.tinypeap.com/docs/WPA_Pas...k_Overview.pdf

(the tinypeap site also has a link to download the WPA Cracker program so
once you've set up your network you could test out how secure it is).




David Webb
Security team leader
CCSS
Middlesex University




>* NOT!!! <http://www.passwordsafe.com/>
>
>--
>Best regards, HELP FOR CINGULAR GSM & SONY ERICSSON PHONES:
>John Navas <http://navasgrp.home.att.net/#Cingular>


#13 (permalink)
10-13-2005, 11:22 AM
david20@alpha2.mdx.ac.uk
Re: FAQ: How can I generate good strong passwords?

In article <4ierk15n4t1ei0m9uu41dn41p5j4fu962b@4ax.com>, William P. N. Smith <> writes:
>John Navas <spamfilter0@navasgroup.com> wrote:
>>Q: How can I generate good strong passwords?

>
>>A: Password Safe* <http://passwordsafe.sourceforge.net/>

>
>Why is this a typical "security question non-answer"? The answer is a
>great way (I suppose) to store your passwords, but has nothing
>whatsoever to do with generating them in the first place.
>
>Personally I roll a set of hex dice. 8*)



For a WPA-PSK passphrase ?

David Webb
Security team leader
CCSS
Middlesex University

#14 (permalink)
10-13-2005, 12:19 PM
John Navas
Re: Security

[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In <dilf4o$p6h$2@news.mdx.ac.uk> on Thu, 13 Oct 2005 11:07:04 +0000 (UTC),
david20@alpha2.mdx.ac.uk wrote:

>In article <oWb3f.134436$qY1.11603@bgtnsc04-news.ops.worldnet.att.net>, John Navas <spamfilter0@navasgroup.com> writes:


>>The password generator I use and recommend is Password Safe*
>><http://passwordsafe.sourceforge.net/>
>>Originally created by noted cryptographer Bruce Schneier of Counterpane Labs,
>>it's open source and free, and has been subjected to extensive peer review.
>>

>Since you are looking at making the WPA-PSK more difficult to crack you are
>probably already aware of this.
>
>The WiFi alliance recommends a pass phrase of more than 20 characters.


This has been covered in some detail in this thread previously. (It's a good
idea to read the entire context before jumping in.)

--
Best regards, HELP FOR CINGULAR GSM & SONY ERICSSON PHONES:
John Navas <http://navasgrp.home.att.net/#Cingular>

#15 (permalink)
10-13-2005, 12:34 PM
John Navas
Re: FAQ: How can I generate good strong passwords?

[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In <434e284c.4114496@news.INDIVIDUAL.NET> on Thu, 13 Oct 2005 09:26:58 GMT,
mbpatpas@pacbell.net.invalid (Mike Preston) wrote:

>On Thu, 13 Oct 2005 09:36:49 +0100, Harry
><Harry@WiseWebs.co.nospam.uk> wrote:
>
>>On Wed, 12 Oct 2005 21:39:21 -0400, William P. N. Smith <> wrote:
>>
>>>John Navas <spamfilter0@navasgroup.com> wrote:
>>>>Q: How can I generate good strong passwords?
>>>
>>>>A: Password Safe* <http://passwordsafe.sourceforge.net/>
>>>
>>>Why is this a typical "security question non-answer"? The answer is a
>>>great way (I suppose) to store your passwords, but has nothing
>>>whatsoever to do with generating them in the first place.
>>>
>>>Personally I roll a set of hex dice. 8*)

>>
>>I think you'll find it IS relevant. Passwordsafe can generate
>>passwords for you.
>>
>>Say you are registering for a website. You create a new entry in
>>Passwordsafe and click the 'Generate' button. Hey presto a new password
>>(also you can generate passwords again and again before you select the
>>best one)
>>
>>There are options to configure how the password is generated too.
>>
>>Set Password default length
>>Use Lowercase
>>Use Uppercase
>>Use Digits
>>Use Symbols
>>Use only easy-to-read chars (ie 0 and O)
>>
>>I use passwordsafe and it's great. I know I have secure passwords plus
>>I don't have to resort to passwords that could be cracked easily.

>
>And the next time you want to access a website from an internet cafe
>you will do what?


*Never ever* use passwords on a public computer!

--
Best regards, HELP FOR CINGULAR GSM & SONY ERICSSON PHONES:
John Navas <http://navasgrp.home.att.net/#Cingular>

#16 (permalink)
10-13-2005, 12:41 PM
John Navas
Re: FAQ: How can I generate good strong passwords?

[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In <dilg27$p6h$3@news.mdx.ac.uk> on Thu, 13 Oct 2005 11:22:47 +0000 (UTC),
david20@alpha2.mdx.ac.uk wrote:

>In article <4ierk15n4t1ei0m9uu41dn41p5j4fu962b@4ax.com>, William P. N. Smith <> writes:
>>John Navas <spamfilter0@navasgroup.com> wrote:
>>>Q: How can I generate good strong passwords?

>>
>>>A: Password Safe* <http://passwordsafe.sourceforge.net/>

>>
>>Why is this a typical "security question non-answer"? The answer is a
>>great way (I suppose) to store your passwords, but has nothing
>>whatsoever to do with generating them in the first place.
>>
>>Personally I roll a set of hex dice. 8*)

>
>For a WPA-PSK passphrase ?


Why not (assuming you could get them)? The only downside is that you would
have to enter even more hex digits than letters -- for a secure WPA key, at
least 24, ideally 32.

--
Best regards, HELP FOR CINGULAR GSM & SONY ERICSSON PHONES:
John Navas <http://navasgrp.home.att.net/#Cingular>

#17 (permalink)
10-13-2005, 01:05 PM
david20@alpha2.mdx.ac.uk
Re: FAQ: How can I generate good strong passwords?

In article <nCs3f.136984$qY1.87617@bgtnsc04-news.ops.worldnet.att.net>, John Navas <spamfilter0@navasgroup.com> writes:
>[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
>
>In <dilg27$p6h$3@news.mdx.ac.uk> on Thu, 13 Oct 2005 11:22:47 +0000 (UTC),
>david20@alpha2.mdx.ac.uk wrote:
>
>>In article <4ierk15n4t1ei0m9uu41dn41p5j4fu962b@4ax.com>, William P. N. Smith <> writes:
>>>John Navas <spamfilter0@navasgroup.com> wrote:
>>>>Q: How can I generate good strong passwords?
>>>
>>>>A: Password Safe* <http://passwordsafe.sourceforge.net/>
>>>
>>>Why is this a typical "security question non-answer"? The answer is a
>>>great way (I suppose) to store your passwords, but has nothing
>>>whatsoever to do with generating them in the first place.
>>>
>>>Personally I roll a set of hex dice. 8*)

>>
>>For a WPA-PSK passphrase ?

>
>Why not (assuming you could get them)? The only downside is that you would
>have to enter even more hex digits than letters -- for a secure WPA key, at
>least 24, ideally 32.
>


Precisely.


David Webb
Security team leader
CCSS
Middlesex University


>--
>Best regards, HELP FOR CINGULAR GSM & SONY ERICSSON PHONES:
>John Navas <http://navasgrp.home.att.net/#Cingular>


#18 (permalink)
10-13-2005, 01:35 PM
david20@alpha2.mdx.ac.uk
Re: Security

In article <Ghs3f.136934$qY1.99937@bgtnsc04-news.ops.worldnet.att.net>, John Navas <spamfilter0@navasgroup.com> writes:
>[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
>
>In <dilf4o$p6h$2@news.mdx.ac.uk> on Thu, 13 Oct 2005 11:07:04 +0000 (UTC),
>david20@alpha2.mdx.ac.uk wrote:
>
>>In article <oWb3f.134436$qY1.11603@bgtnsc04-news.ops.worldnet.att.net>, John Navas <spamfilter0@navasgroup.com> writes:

>
>>>The password generator I use and recommend is Password Safe*
>>><http://passwordsafe.sourceforge.net/>
>>>Originally created by noted cryptographer Bruce Schneier of Counterpane Labs,
>>>it's open source and free, and has been subjected to extensive peer review.
>>>

>>Since you are looking at making the WPA-PSK more difficult to crack you are
>>probably already aware of this.
>>
>>The WiFi alliance recommends a pass phrase of more than 20 characters.

>
>This has been covered in some detail in this thread previously. (It's a good
>idea to read the entire context before jumping in.)
>


I'll accept your word for it but I don't see any mention of it in previous
posts in this thread on comp.security.misc either through my newsreader or
through google groups.



David Webb
Security team leader
CCSS
Middlesex University


>--
>Best regards, HELP FOR CINGULAR GSM & SONY ERICSSON PHONES:
>John Navas <http://navasgrp.home.att.net/#Cingular>


#19 (permalink)
10-13-2005, 03:17 PM
John Navas
Re: Security

[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In <dilnr8$s2d$1@news.mdx.ac.uk> on Thu, 13 Oct 2005 13:35:36 +0000 (UTC),
david20@alpha2.mdx.ac.uk wrote:

>In article <Ghs3f.136934$qY1.99937@bgtnsc04-news.ops.worldnet.att.net>, John Navas <spamfilter0@navasgroup.com> writes:
>>
>>In <dilf4o$p6h$2@news.mdx.ac.uk> on Thu, 13 Oct 2005 11:07:04 +0000 (UTC),
>>david20@alpha2.mdx.ac.uk wrote:


>>>The WiFi alliance recommends a pass phrase of more than 20 characters.

>>
>>This has been covered in some detail in this thread previously. (It's a good
>>idea to read the entire context before jumping in.)

>
>I'll accept your word for it but I don't see any mention of it in previous
>posts in this thread on comp.security.misc either through my newsreader or
>through google groups.


I didn't realize that only part of this thread was cross-posted to
comp.security.misc -- sorry.

--
Best regards, HELP FOR CINGULAR GSM & SONY ERICSSON PHONES:
John Navas <http://navasgrp.home.att.net/#Cingular>

#20 (permalink)
10-13-2005, 03:27 PM
William P. N. Smith
Re: FAQ: How can I generate good strong passwords?

John Navas <spamfilter0@navasgroup.com> wrote:
>david20@alpha2.mdx.ac.uk wrote:
>>William P. N. Smith <> writes:


My apologies, BTW, for not realizing that this password store also
generates passwords. I'm still a bit reluctant to let a program (even
an open-source one) generate passwords for me, and in the end it still
comes down to the security of the password to the vault.

>>>Personally I roll a set of hex dice. 8*)


>>For a WPA-PSK passphrase ?


>Why not (assuming you could get them)?


http://www.gamestation.net/prodinfo.asp?number=QPI0001

> The only downside is that you would
>have to enter even more hex digits than letters -- for a secure WPA key, at
>least 24, ideally 32.


The WinDoze widget wants 8-63 ascii or 64 hex, FWIW. Anyone actually
done this?

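The two key formats named in the post above (8-63 ASCII characters or 64 hex digits) and the hex-dice idea, as an added Python example that is not part of any post in this thread: it generates both formats locally from the OS CSPRNG, turns ordinary six-sided dice rolls into unbiased hex digits, and derives the 256-bit PSK from a passphrase the way WPA-Personal does (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations). All function names, the sample SSID and the sample rolls are constructed for illustration; using six-sided dice instead of hex dice is an assumption of this example.

```python
import hashlib
import secrets
import string

# Characters used when generating: printable ASCII without the space, so a key
# never starts or ends with an invisible character. Validation accepts 32-126.
GEN_ALPHABET = "".join(chr(c) for c in range(33, 127))


def random_hex_psk() -> str:
    """64 hex digits (256 bits) from the OS CSPRNG, entered directly as the PSK."""
    return secrets.token_hex(32)


def random_passphrase(length: int = 63) -> str:
    """Random passphrase of 8-63 printable ASCII characters from the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase length must be 8-63 characters")
    return "".join(secrets.choice(GEN_ALPHABET) for _ in range(length))


def classify_key(key: str) -> str:
    """Return 'hex-psk' or 'passphrase'; raise ValueError for anything else."""
    if len(key) == 64 and all(c in string.hexdigits for c in key):
        return "hex-psk"
    if 8 <= len(key) <= 63 and all(32 <= ord(c) <= 126 for c in key):
        return "passphrase"
    raise ValueError("need 8-63 printable ASCII characters or exactly 64 hex digits")


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Passphrase -> 256-bit PSK. The SSID is the only salt, so all of the
    secrecy has to come from the passphrase itself."""
    if classify_key(passphrase) != "passphrase":
        raise ValueError("expected an 8-63 character passphrase")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def hex_from_d6(rolls) -> str:
    """Convert fair six-sided dice rolls (values 1-6) into unbiased hex digits.

    Two rolls give 36 equally likely values; 32-35 are discarded (rejection
    sampling) so every accepted pair contributes exactly 5 uniform bits.
    Leftover bits that do not fill a hex digit are dropped.
    """
    bits = ""
    it = iter(rolls)
    for a, b in zip(it, it):          # consume the rolls two at a time
        if not (1 <= a <= 6 and 1 <= b <= 6):
            raise ValueError("dice rolls must be in 1..6")
        value = (a - 1) * 6 + (b - 1)
        if value < 32:
            bits += format(value, "05b")
    usable = len(bits) - len(bits) % 4
    return "".join(format(int(bits[i:i + 4], 2), "x") for i in range(0, usable, 4))


if __name__ == "__main__":
    print("hex PSK     :", random_hex_psk())
    phrase = random_passphrase(24)
    print("passphrase  :", phrase)
    # "ExampleSSID" is a made-up network name.
    print("derived PSK :", derive_psk(phrase, "ExampleSSID").hex())
    # Constructed rolls: the pair (6, 6) maps to 35 and is rejected.
    print("dice -> hex :", hex_from_d6([1, 1, 6, 6, 2, 3, 1, 2]))
```

About 26 accepted pairs of rolls are needed for 32 hex digits, and roughly one pair in nine is rejected.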
#21 (permalink)
10-13-2005, 03:30 PM
david20@alpha2.mdx.ac.uk
Re: Security

In article <YTu3f.424085$5N3.409151@bgtnsc05-news.ops.worldnet.att.net>, John Navas <spamfilter0@navasgroup.com> writes:
>[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
>
>In <dilnr8$s2d$1@news.mdx.ac.uk> on Thu, 13 Oct 2005 13:35:36 +0000 (UTC),
>david20@alpha2.mdx.ac.uk wrote:
>
>>In article <Ghs3f.136934$qY1.99937@bgtnsc04-news.ops.worldnet.att.net>, John Navas <spamfilter0@navasgroup.com> writes:
>>>
>>>In <dilf4o$p6h$2@news.mdx.ac.uk> on Thu, 13 Oct 2005 11:07:04 +0000 (UTC),
>>>david20@alpha2.mdx.ac.uk wrote:

>
>>>>The WiFi alliance recommends a pass phrase of more than 20 characters.
>>>
>>>This has been covered in some detail in this thread previously. (It's a good
>>>idea to read the entire context before jumping in.)

>>
>>I'll accept your word for it but I don't see any mention of it in previous
>>posts in this thread on comp.security.misc either through my newsreader or
>>through google groups.

>
>I didn't realize that only part of this thread was cross-posted to
>comp.security.misc -- sorry.
>


OK.

David Webb
Security team leader
CCSS
Middlesex University


>--
>Best regards, HELP FOR CINGULAR GSM & SONY ERICSSON PHONES:
>John Navas <http://navasgrp.home.att.net/#Cingular>


#22 (permalink)
10-13-2005, 04:00 PM
Alun Jones
Re: FAQ: How can I generate good strong passwords?

"John Navas" <spamfilter0@navasgroup.com> wrote in message
news:nCs3f.136984$qY1.87617@bgtnsc04-news.ops.worldnet.att.net...
>
> In <dilg27$p6h$3@news.mdx.ac.uk> on Thu, 13 Oct 2005 11:22:47 +0000 (UTC),
> david20@alpha2.mdx.ac.uk wrote:
>
>>In article <4ierk15n4t1ei0m9uu41dn41p5j4fu962b@4ax.com>, William P. N.
>>Smith <> writes:
>>>John Navas <spamfilter0@navasgroup.com> wrote:
>>>>Q: How can I generate good strong passwords?
>>>
>>>>A: Password Safe* <http://passwordsafe.sourceforge.net/>
>>>
>>>Why is this a typical "security question non-answer"? The answer is a
>>>great way (I suppose) to store your passwords, but has nothing
>>>whatsoever to do with generating them in the first place.
>>>
>>>Personally I roll a set of hex dice. 8*)

>>
>>For a WPA-PSK passphrase ?

>
> Why not (assuming you could get them)? The only downside is that you
> would
> have to enter even more hex digits than letters -- for a secure WPA key,
> at
> least 24, ideally 32.


Assuming that the attack against the key is a "try random values until you
get it" attack.

If it's a "try common words in the English language" attack, many
letter-based passphrases will be broken before a relatively short hex-based
passphrase will.

[Assuming you aren't unlikely enough to get "FEEDDEADBEEFC0FFEE" as your
random hex string]

I'm waiting for the time that someone comes out with a passphrase cracker
that demonstrates the lack of entropy in the English language.

Alun.
~~~~



#23 (permalink)
10-13-2005, 04:27 PM
John Navas
Re: FAQ: How can I generate good strong passwords?

[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In <bsWdnS0fF7QOGdPenZ2dnUVZ_sydnZ2d@comcast.com> on Thu, 13 Oct 2005 09:00:39
-0700, "Alun Jones" <alun@texis.invalid> wrote:

>"John Navas" <spamfilter0@navasgroup.com> wrote in message
>news:nCs3f.136984$qY1.87617@bgtnsc04-news.ops.worldnet.att.net...


>> Why not (assuming you could get them)? The only downside is that you
>> would
>> have to enter even more hex digits than letters -- for a secure WPA key,
>> at
>> least 24, ideally 32.

>
>Assuming that the attack against the key is a "try random values until you
>get it" attack.
>
>If it's a "try common words in the English language" attack, many
>letter-based passphrases will be broken before a relatively short hex-based
>passphrase will.


Only if the letter-based passphrases are short -- see
<http://groups.google.com/group/alt.internet.wireless/msg/2fd501974faf9ae4?hl=en>
for thorough background. The recommendation for letter-based passphrases is
that they be over 20 characters.

--
Best regards, HELP FOR CINGULAR GSM & SONY ERICSSON PHONES:
John Navas <http://navasgrp.home.att.net/#Cingular>

#24 (permalink)
10-13-2005, 05:21 PM
William P. N. Smith
Re: FAQ: How can I generate good strong passwords?

John Navas <spamfilter0@navasgroup.com> wrote:
>-0700, "Alun Jones" <alun@texis.invalid> wrote:
>>If it's a "try common words in the English language" attack, many
>>letter-based passphrases will be broken before a relatively short hex-based
>>passphrase will.


>Only if the letter-based passphrases are short -- see
><http://groups.google.com/group/alt.internet.wireless/msg/2fd501974faf9ae4?hl=en>
>for thorough background. The recommendation for letter-based passphrases is
>that they be over 20 characters.


But then we come full circle. Passphrases not in the dictionary take
a really long time to break, even if they are only 8 characters long.
Made-up words, deleborateily miespeeelehd werdes, acronyms, and
<word><symbol><word> conglomerations are pretty secure, though not as
secure as random letter combinations, which in turn are not as secure
as truly random hex keys.

#25 (permalink)
10-13-2005, 05:22 PM
dold@XReXXFAQXX.usenet.us.com
Re: FAQ: How can I generate good strong passwords?

In alt.internet.wireless William P. N. Smith <> wrote:
> My apologies, BTW, for not realizing that this password store also
> generates passwords.


Easy enough to miss the "generation" portion, it isn't an obvious
"feature", just part of the product.

>>>>Personally I roll a set of hex dice. 8*)


I have also been using a javascript that I saved to my PC.
http://www.warewolflabs.com/portfoli...g/wlanskg.html
There is no access to the web.

> I'm still a bit reluctant to let a program (even an open-source one)
> generate passwords for me,


I put in a couple of alpha characters at random here and there
to make up my own key that was not generated by the web form.

> and in the end it still comes down to the security of the password to the
> vault.


I have been using an encrypted zip of plaintext hints on a flash drive.
Sometimes I forget what the hint was supposed to mean, though, so that's
kind of annoying. ;-)

I'd like to convert to the safe. I haven't explored how to import an ASCII
list, but I see there's a unix command line tool to the same database, so I
suppose I'll get there, even if it's copy-paste.

--
---
Clarence A Dold - Hidden Valley (Lake County) CA USA 38.8,-122.5


#26 (permalink)
10-13-2005, 05:59 PM
John Navas
Re: FAQ: How can I generate good strong passwords?

[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In <dim553$ne0$1@blue.rahul.net> on Thu, 13 Oct 2005 17:22:43 +0000 (UTC),
dold@XReXXFAQXX.usenet.us.com wrote:

>I have also been using a javascript that I saved to my PC.
>http://www.warewolflabs.com/portfoli...g/wlanskg.html
>There is no access to the web.


Based only on simple iteration of the Javascript random number generator,
so digit sequencing is predictable, and no better than the real randomness of
the generator in any event.

>I have been using an encrypted zip of plaintext hints on a flash drive.
>...


Standard ZIP encryption can often be cracked with a known plaintext attack.
<http://www.elcomsoft.com/help/archpr/index.html?page=known_plaintext_attack_(zip).html>
This can even work when the start of the encrypted ZIP file is simply guessed;
e.g., "Password ...". As a result, I don't recommend it.

>I'd like to convert to the safe. ...


Password Safe* <http://passwordsafe.sourceforge.net/> (open source freeware
originally created by noted cryptographer Bruce Schneier of Counterpane Labs)
can import a plain text file with user-specified field separators.

* NOT <http://www.passwordsafe.com/>

--
Best regards, HELP FOR CINGULAR GSM & SONY ERICSSON PHONES:
John Navas <http://navasgrp.home.att.net/#Cingular>

#27 (permalink)
10-13-2005, 06:11 PM
John Navas
Re: FAQ: How can I generate good strong passwords?

[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In <o55tk1pr1hs7slalpjqvu2lc8k5kpvnsao@4ax.com> on Thu, 13 Oct 2005 13:21:29
-0400, William P. N. Smith <> wrote:

>John Navas <spamfilter0@navasgroup.com> wrote:
>>-0700, "Alun Jones" <alun@texis.invalid> wrote:
>>>If it's a "try common words in the English language" attack, many
>>>letter-based passphrases will be broken before a relatively short hex-based
>>>passphrase will.

>
>>Only if the letter-based passphrases are short -- see
>><http://groups.google.com/group/alt.internet.wireless/msg/2fd501974faf9ae4?hl=en>
>>for thorough background. The recommendation for letter-based passphrases is
>>that they be over 20 characters.

>
>But then we come full circle. Passphrases not in the dictionary take
>a really long time to break, even if they are only 8 characters long.
>Made-up words, deleborateily miespeeelehd werdes, acronyms, and
><word><symbol><word> conglomerations are pretty secure,


Another false sense of security: There's no way to know in advance and thus
avoid what is or is not in the dictionary, so what you propose is thus just a
guess. Worse, since the attack can be mounted offline, a brute force attack
might well succeed. There's no good reason to take any unnecessary risk,
since a good passphrase is so easy to generate.

>though not as
>secure as random letter combinations, which in turn are not as secure
>as truly random hex keys.


The drawback to those approaches is that the resulting keys are hard to
remember and to use, which tends to encourage the kind of sloppiness that can
compromise any system, no matter how robust. Better to use something secure
that is still relatively easy to remember. Hence the recommendation to use
word-based passphrases of more than 20 characters; e.g., "floor hiking dirt
ocean", which is much easier to memorize than a "random" string yet still very
robust.

--
Best regards, HELP FOR CINGULAR GSM & SONY ERICSSON PHONES:
John Navas <http://navasgrp.home.att.net/#Cingular>

Reply With Quote
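An added example, not part of the original posts: generating the two kinds of WPA-PSK secret discussed above (a word-based passphrase and a random hex key) from the operating system's CSPRNG, and comparing the entropy of each. The 16-word list is a constructed sample, the 7776-word figure is the size of a Diceware-style list, and all function names are hypothetical.

```python
import math
import secrets

# Constructed sample list for illustration only; a usable list holds
# thousands of words (a Diceware-style list has 7776).
SAMPLE_WORDS = ["floor", "hiking", "dirt", "ocean", "candle", "violet",
                "magnet", "harbor", "pepper", "tunnel", "sketch", "walnut",
                "breeze", "copper", "lantern", "meadow"]

def word_passphrase(words, count):
    """Pick `count` words independently and uniformly with the OS CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(count))

def word_entropy_bits(list_size, count):
    """Entropy when the attacker knows the word list and the word count."""
    return count * math.log2(list_size)

def words_needed(list_size, target_bits):
    """Smallest word count whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))

def hex_key(digits):
    """Random hex string of `digits` characters; each digit carries 4 bits."""
    return secrets.token_hex((digits + 1) // 2)[:digits]

def valid_wpa_passphrase(text):
    """WPA-PSK passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(text) <= 63 and all(32 <= ord(c) <= 126 for c in text)

if __name__ == "__main__":
    phrase = word_passphrase(SAMPLE_WORDS, 4)
    print(phrase, "| valid WPA passphrase:", valid_wpa_passphrase(phrase))
    print("4 words, 16-word sample list :", word_entropy_bits(16, 4), "bits")
    print("4 words, 7776-word list      :", round(word_entropy_bits(7776, 4), 1), "bits")
    print("24 hex digits                :", 24 * 4, "bits")
    print("32 hex digits                :", 32 * 4, "bits ->", hex_key(32))
    print("words from a 7776-word list to match 24 hex digits:",
          words_needed(7776, 96))
```

The entropy of a word-based passphrase comes from the size of the list and the number of words drawn, not from its character count, so the same 20-plus characters can be weak or strong depending on how the words were chosen.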
  #28 (permalink)  
Old 10-13-2005, 08:22 PM
John Hyde
Guest
 
Posts: n/a
Default Re: FAQ: How can I generate good strong passwords?

on 10/13/2005 6:05 AM david20@alpha2.mdx.ac.uk said the following:
> In article <nCs3f.136984$qY1.87617@bgtnsc04-news.ops.worldnet.att.net>, John Navas <spamfilter0@navasgroup.com> writes:
>
>>[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
>>
>>In <dilg27$p6h$3@news.mdx.ac.uk> on Thu, 13 Oct 2005 11:22:47 +0000 (UTC),
>>david20@alpha2.mdx.ac.uk wrote:
>>
>>
>>>In article <4ierk15n4t1ei0m9uu41dn41p5j4fu962b@4ax.com>, William P. N. Smith <> writes:
>>>
>>>>John Navas <spamfilter0@navasgroup.com> wrote:
>>>>
>>>>>Q: How can I generate good strong passwords?
>>>>
>>>>>A: Password Safe* <http://passwordsafe.sourceforge.net/>
>>>>
>>>>Why is this a typical "security question non-answer"? The answer is a
>>>>great way (I suppose) to store your passwords, but has nothing
>>>>whatsoever to do with generating them in the first place.
>>>>
>>>>Personally I roll a set of hex dice. 8*)
>>>
>>>For a WPA-PSK passphrase ?

>>
>>Why not (assuming you could get them)? The only downside is that you would
>>have to enter even more hex digits than letters -- for a secure WPA key, at
>>least 24, ideally 32.
>>

>
>
> Precisely.
>
>


Hmmm, I missed the beginning of the thread, but why not make a hard key
to remember? After all, your laptop or whatever will remember it for
you. You need to change it periodically, but it's not like it's every
time you log in. Or am I missing something about the attack modality?

JH

Reply With Quote
  #29 (permalink)  
Old 10-13-2005, 08:52 PM
John Navas
Guest
 
Posts: n/a
Default Re: FAQ: How can I generate good strong passwords?

[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In <11ktgd5i5kb8pcb@corp.supernews.com> on Thu, 13 Oct 2005 13:22:58 -0700,
John Hyde <EJhyd@netscape.net> wrote:

>Hmmm, I missed the beginning of the thread, but why not make a hard key
>to remember? After all, your laptop or whatever will remember it for
>you. You need to change it periodically, but it's not like it's every
>time you log in. Or am I missing something about the attack modality?


The primary issue is that it's harder to enter all the keys when they are hard
to remember, which also discourages changing them periodically. So why not
just use easy to remember and enter passphrases?

<RANT> The problem with storing passwords on computers is that such
passwords, unless given robust protection, are only as secure as the computers
themselves, and Windows itself isn't terribly secure. Thus Windows shouldn't
always be storing network passwords automatically -- it should at least be a
user option. </RANT>

(In one case I know of, a "guest" at a party helped himself to confidential
information on a computer in a bedroom.)

--
Best regards, HELP FOR CINGULAR GSM & SONY ERICSSON PHONES:
John Navas <http://navasgrp.home.att.net/#Cingular>

Reply With Quote
  #30 (permalink)  
Old 10-13-2005, 09:16 PM
Rico
Guest
 
Posts: n/a
Default Re: FAQ: How can I generate good strong passwords?

In article <11ktgd5i5kb8pcb@corp.supernews.com>, John Hyde <EJhyd@netscape.net> wrote:
>on 10/13/2005 6:05 AM david20@alpha2.mdx.ac.uk said the following:
>> In article <nCs3f.136984$qY1.87617@bgtnsc04-news.ops.worldnet.att.net>, John Navas <spamfilter0@navasgroup.com> writes:
>>
>>>[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
>>>
>>>In <dilg27$p6h$3@news.mdx.ac.uk> on Thu, 13 Oct 2005 11:22:47 +0000 (UTC),
>>>david20@alpha2.mdx.ac.uk wrote:
>>>
>>>
>>>>In article <4ierk15n4t1ei0m9uu41dn41p5j4fu962b@4ax.com>, William P. N. Smith <> writes:
>>>>
>>>>>John Navas <spamfilter0@navasgroup.com> wrote:
>>>>>
>>>>>>Q: How can I generate good strong passwords?
>>>>>
>>>>>>A: Password Safe* <http://passwordsafe.sourceforge.net/>
>>>>>
>>>>>Why is this a typical "security question non-answer"? The answer is a
>>>>>great way (I suppose) to store your passwords, but has nothing
>>>>>whatsoever to do with generating them in the first place.
>>>>>
>>>>>Personally I roll a set of hex dice. 8*)
>>>>
>>>>For a WPA-PSK passphrase ?
>>>
>>>Why not (assuming you could get them)? The only downside is that you would
>>>have to enter even more hex digits than letters -- for a secure WPA key, at
>>>least 24, ideally 32.
>>>

>>
>>
>> Precisely.
>>
>>

>
>Hmmm, I missed the beginning of the thread, but why not make a hard key
>to remember? After all, your laptop or whatever will remember it for
>you. You need to change it periodically, but it's not like it's every
>time you log in. Or am I missing something about the attack modality?
>
>JH


One could always generate a GUID and use that. Very very difficult to
reproduce and I would suspect fairly resistant to a brute force attack.
Assuming Windows and IE 6 or greater.
Save this as GUID.vbs in a folder in your path.

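' Generate a GUID through the Scriptlet.TypeLib COM object and display it.
GUID = createGuid
MsgBox GUID

Function createGuid()
    Set TypeLib = CreateObject("Scriptlet.TypeLib")
    tg = TypeLib.Guid
    ' Drop the last two characters of the returned string.
    createGuid = Left(tg, Len(tg) - 2)
    Set TypeLib = Nothing
End Function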

Naturally, in place of the message box one could, if so disposed, create a
FileSystemObject and write it to a text file. Regardless, I think
PasswordSafe is as good a way to go as any I've seen.
Give the above a try though, it might be what you are looking for, but
store this somewhere; the number generated here is not reproducible.

fundamentalism, fundamentally wrong.

Reply With Quote
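An added example, not part of the original post: a check to run on a GUID before using it as a key, since its version field says how much of it came from a random source. Which version `Scriptlet.TypeLib` produces is not stated in the thread, so nothing is assumed about it; the function name and sample values are constructed for illustration.

```python
import uuid
from datetime import datetime, timedelta

GREGORIAN_EPOCH = datetime(1582, 10, 15)   # origin of the version 1 timestamp

def guid_key_report(text):
    """Report, conservatively, how many bits of a GUID are random.

    Only RFC 4122 version 4 GUIDs are credited with randomness (122 bits).
    For version 1 the embedded creation time and node address are decoded,
    because both can be read back by anyone who sees the value.
    """
    g = uuid.UUID(text.strip())            # accepts {braces} and hyphens
    report = {"version": g.version, "random_bits": 0,
              "passphrase_length": len(str(g))}
    if g.variant != uuid.RFC_4122:
        return report                      # unknown layout: credit nothing
    if g.version == 4:
        report["random_bits"] = 122        # 128 minus 6 fixed version/variant bits
    elif g.version == 1:
        # g.time counts 100 ns ticks since the Gregorian epoch.
        report["created"] = GREGORIAN_EPOCH + timedelta(microseconds=g.time // 10)
        report["node"] = "%012x" % g.node
    return report

if __name__ == "__main__":
    # Constructed samples: a fresh version 4 GUID, and the version 1 GUID
    # that RFC 4122 publishes as its DNS namespace identifier.
    for sample in ("{%s}" % uuid.uuid4(),
                   "{6ba7b810-9dad-11d1-80b4-00c04fd430c8}"):
        print(guid_key_report(sample))
```

A 36-character GUID fits the 8 to 63 character WPA passphrase range either way; what differs between versions is how many of those characters an attacker has to guess.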