For many years now I have been running a tight ship with regard to passwords, but one point has always made me uneasy: where do my passwords come from?
Human beings are no good at deliberately introducing entropy; we’re just terrible at thinking randomly, which is why we need to rely on machines to do this for us. A cleverly constructed piece of software will create legitimate chaos, which is exactly what we need in a secure password.
My password system is pretty robust. I have unique passwords for every single application or service; these passwords are cryptographically secured on my private computer, and backed up in various private places.
Generating these passwords has always been a sticking point; historically I’ve used several password generation websites, but this has always left me feeling uneasy. What if these websites are malicious? What if I am being tracked via some random cookie, and the password generator site knows that I’m making a password just when I’m registering for a particular other service? What if these generator sites are simply not very good at making truly random passwords and I don’t notice? What if they simply go away one day, leaving me without a source of passwords?
The only thing I could think of to resolve these concerns was to make my own password generator. OK, so that’s not strictly true, since there are plenty of open-source generators I could have inspected and adopted, but where is the fun in that?
Cue a rainy Saturday and some free time, and now I have my own cryptographically secure strong password generator, implemented in Golang.
pwgen is currently functional and secure, but depending on how popular it gets I plan to evolve it to do more things.
We’ll see. For now, my sticking point is removed. :-)
$ pwgen -length 20 -charset alpha
FPxvdWzfhPAmsCnKSGAd
Or in its most simple form, defaulting to 16 alphanumeric characters, you can just:
$ pwgen
Nl80Biu8IusKKJgS
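To show what "cryptographically secure" means in practice for a generator like this, here is an added example written for this page; it is not pwgen's own source code. It reads the OS entropy source through Go's crypto/rand rather than the seedable math/rand, and it picks each character with rand.Int so that no character is favoured by the modulo bias a naive `randomByte % len(charset)` would introduce. The charset names (alpha, alnum, digit), the flag names and the default length are assumptions modelled on the command lines shown above.

```go
package main

import (
	"crypto/rand"
	"errors"
	"flag"
	"fmt"
	"math"
	"math/big"
	"os"
)

// Character sets keyed by the name given on the command line.
// The names and membership are assumptions for this example; all sets are ASCII,
// so indexing the string by byte selects whole characters.
var charsets = map[string]string{
	"alpha": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ",
	"alnum": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
	"digit": "0123456789",
}

// Generate returns a password of n characters drawn uniformly from charset.
// Every index comes from crypto/rand via rand.Int, which rejection-samples
// internally, so the distribution over charset is uniform, not merely "random".
func Generate(n int, charset string) (string, error) {
	if n <= 0 {
		return "", errors.New("length must be positive")
	}
	if len(charset) == 0 {
		return "", errors.New("charset must not be empty")
	}
	out := make([]byte, n)
	limit := big.NewInt(int64(len(charset)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			// The OS entropy source failed; report it rather than fall back
			// to a weaker generator, which would silently undermine the password.
			return "", err
		}
		out[i] = charset[idx.Int64()]
	}
	return string(out), nil
}

// EntropyBits reports the strength of an n-character password drawn
// uniformly from charset: log2(|charset|) bits per character.
func EntropyBits(n int, charset string) float64 {
	return float64(n) * math.Log2(float64(len(charset)))
}

func main() {
	length := flag.Int("length", 16, "number of characters to generate")
	name := flag.String("charset", "alnum", "character set: alpha, alnum or digit")
	flag.Parse()

	cs, ok := charsets[*name]
	if !ok {
		fmt.Fprintf(os.Stderr, "unknown charset %q\n", *name)
		os.Exit(2)
	}
	pw, err := Generate(*length, cs)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Println(pw)
	fmt.Fprintf(os.Stderr, "(%.1f bits of entropy)\n", EntropyBits(*length, cs))
}
```

Run as `go run main.go -length 20 -charset alpha`; with no flags it emits 16 alphanumeric characters, which at log2(62) bits each is roughly 95 bits of entropy. The entropy figure goes to stderr so that the password alone can be piped into another tool.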