HACKER Q&A
📣 Pooge

What's the best way to generate strong passwords?


I've just read a recent article by BleepingComputer[1] and the article says that "Password Length Does Not Guarantee Password Safety". I think we all know the XKCD about the very same issue[2].

So now I'm wondering: what even is the strongest way?

Currently, I'm using KeePassXC to generate all my passwords - and I always try to have as many characters as possible with special and uppercase characters, but my laptop and password database decryption keys are generated using EFF's Dice[3].

[1]: https://www.bleepingcomputer.com/news/security/the-top-5-things-the-2022-weak-password-report-means-for-it-security/

[2]: https://xkcd.com/936/

[3]: https://www.eff.org/dice

  👤 efortis Accepted Answer ✓
The article mentions rainbow tables which imply unsalted-stored password hashes. I think that's a pretty rare development practice these days.

That only partially answers your question because the server-side algorithm for the key deriver function and its computing cost config parameters, in addition to the quality of the random data sources, the PRNG (e.g. fortuna), and the salt length, also play a role in the strength.

See: https://owasp.deteact.com/cheat/cheatsheets/Password_Storage...

At any rate, I agree that a long and easy-to-remember phrase is fine, but that's impractical (due to being invalid for most logins) so you can also generate passwords like this (99 = pick your length):

    cat /dev/urandom | LC_CTYPE=C tr -cd [:graph:] | head -c 99