Passwords

Password policies

What's new - NIST Password Guidelines September 2024:

Additionally, the complexity requirements have changed from requiring complexity to just focus on length. This is because of common practices like capitalising the first letter or adding a “1” or “!” to the end.

Password policy recommendations for Microsoft 365 passwords:

Forcing your users to choose a combination of upper, lower, digits, special characters has a negative effect. Some complexity requirements even prevent users from using secure and memorable passwords, and force them into coming up with less secure and less memorable passwords.

Generate passwords

With basic shell utils

• 10 Ways to Generate a Random Password from the Linux Command Line

Easy, but beware this will raise a SIGPIPE error which can break a shell script using set -euo pipefail:

< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c6

Safe way without running into a SIGPIPE error:

dd if=/dev/urandom bs=1 count=1000 2>/dev/null | tr -dc '[:alnum:]' | head -c32

Password Strength Estimation

• dropbox/zxcvbn: Original project, abandonned
• dwolfhub/zxcvbn-python, Active python port of zxcvbn

Install:

sudo apt install python3-zxcvbn

shell

❯ pwgen -1 24 | zxcvbn
{
  "password": "eiquausu0paerumaewahx4Oo", # gitleaks:allow
  "guesses": "1000000000000000000000001",
  "guesses_log10": 23.999999999999996,
  "sequence": [
    {
      "pattern": "bruteforce",
      "token": "eiquausu0paerumaewahx4Oo", # gitleaks:allow
      "i": 0,
      "j": 23,
      "guesses": 1000000000000000000000000,
      "guesses_log10": 23.999999999999996
    }
  ],
  "calc_time": "0:00:00.002316",
  "crack_times_seconds": {
    "online_throttling_100_per_hour": "36000000000000001998401480.33",
    "online_no_throttling_10_per_second": "100000000000000000000000.1",
    "offline_slow_hashing_1e4_per_second": "100000000000000000000.0001",
    "offline_fast_hashing_1e10_per_second": "100000000000000.0000000001"
  },
  "crack_times_display": {
    "online_throttling_100_per_hour": "centuries",
    "online_no_throttling_10_per_second": "centuries",
    "offline_slow_hashing_1e4_per_second": "centuries",
    "offline_fast_hashing_1e10_per_second": "centuries"
  },
  "score": 4,
  "feedback": {
    "warning": "",
    "suggestions": []
  }
}

Python

import zxcvbn
>>> zxcvbn.zxcvbn('1234')
  {'password': '1234', ...