Automate Memorable Password Generation

Part of the document bsd hacks - 100 industrial-strength tips & tools (2004) (Pages 167 - 172)

Make it easier for your users to choose good passwords.

It doesn't matter whether you're an administrator responsible for enforcing a password policy or an end user trying to comply with said policy. You're struggling against human nature when you ask users to choose—and remember—hard-to-guess passwords.

Passwords that aren't random are easy to guess, and passwords that are too random tend to manifest themselves on sticky notes under users' keyboards or in their top drawers.

Wouldn't it be great if you could somehow offer users random but memorable password choices? There's a standard designed for just this purpose: APG, the Automated Password Generator.

3.10.1 Installing and Using apg

If you're running FreeBSD, you can install apg from the ports collection:

# cd /usr/ports/security/apg

# make install clean

Once the port is installed, any user can run apg to generate a list of random, but pronounceable and memorable, passwords:

% apg -q -m 10 -x 10 -M NC -n 10
plerOcGot5 (pler-Oc-Got-FIVE)
fobEbpigh6 (fob-Eb-pigh-SIX)
Ekjigyerj7 (Ek-jig-yerj-SEVEN)
CaujIvOwk8 (Cauj-Iv-Owk-EIGHT)
yenViapag0 (yen-Viap-ag-ZERO)
Fiwioshev3 (Fi-wi-osh-ev-THREE)
Twomitvac4 (Twom-it-vac-FOUR)
varbidCyd2 (varb-id-Cyd-TWO)
KlepezHap0 (Klep-ez-Hap-ZERO)
Naccudhav8 (Nac-cud-hav-EIGHT)

Notice that each password comes with a pronunciation guide, since it's easier to remember something you can pronounce.

Also, note that syntax. We're definitely going to have to do something about all of those switches! But first, let's take a look at Table 3-2 and make sure we understand them.

Table 3-2. apg switches

Option   Explanation
-q       Suppresses warnings (think quiet), which will be useful when we write a script
-m 10    Sets the minimum password length to 10 characters
-x 10    Sets the maximum password length to 10 characters
-M NC    Requires numerals and capitals
-n 10    Generates 10 password choices

While this utility is very handy, we can definitely hack in our own improvements. For starters, users aren't going to use a utility that requires a line's worth of switches. Second, we don't want to install this utility on every system in our network. Instead, let's work out a CGI script. That way users can access the script from their web browsers.

3.10.2 Improving apg

First, let's sort out all of the switches we'll use in the script. We need something to add a punctuation character in the middle, or we won't meet Air Force password regulations. The simplest fix is to run apg twice with smaller password requirements, concatenating the results. The first run, without punctuation characters, looks like this:

% apg -q -m 4 -x 4 -M NC -E Ol -n 10
Dij6 (Dij-SIX)
Voj6 (Voj-SIX)
Pam0 (Pam-ZERO)
Dev9 (Dev-NINE)
Non6 (Non-SIX)
Eyd7 (Eyd-SEVEN)
Vig9 (Vig-NINE)
Not8 (Not-EIGHT)
Nog2 (Nog-TWO)
Von9 (Von-NINE)

Here I've reduced the minimum and maximum password length to four characters. I've also added the option -E Ol to exclude capital "oh" and small "ell" from passwords, because they're easily confused with the digits zero and one.

The second run includes the -S option, which makes the password generator use special characters:

% apg -q -m 4 -x 4 -M S -E Ol -n 10
orc) (orc-RIGHT_PARENTHESIS)
tof| (tof-VERTICAL_BAR)
fed^ (fed-CIRCUMFLEX)
gos@ (gos-AT_SIGN)
sig& (sig-AMPERSAND)
eif) (eif-RIGHT_PARENTHESIS)
eds{ (eds-LEFT_BRACE)
lek> (lek-GREATER_THAN)
tij: (tij-COLON)
rot] (rot-RIGHT_BRACKET)

Now for a CGI script to paste the results together. I've numbered each line of the script for explanation purposes. Don't include line numbers when you create your own script.

This script is written in the Korn shell, but can be modified for any shell. To run as is, install the Korn shell from /usr/ports/shells/ksh93.

1 #!/bin/ksh
2 # run apg twice, concatenate results.
3 # exclude most special characters requiring shift key,
4 # capital "oh" (looks like zero),
5 # lowercase "ell" (looks like digit "one")
6 PATH=/bin:/usr/bin:/usr/local/bin; export PATH
7 umask 077
8 a=/tmp/apg.$RANDOM
9 b=/tmp/apg.$RANDOM
10 cat << EOF
11 Content-type: text/html

12 <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN">
13 <html>
14 <head>
15 <title>Help generating a new password</title>
16 </head>
17 <body>
18 <h3>Help generating a new password</h3>
19 <blockquote>
20 These passwords should be reasonably safe.
21 Feel free to use one, or reload the page
22 for a new batch.</p>
23 <blockquote> <pre> <font size="+1">
24 EOF
25 apg -q -m 4 -x 4 -M NC -E '!@#$%^&*( )\\' -n 10 > $a
26 apg -q -m 4 -x 4 -M S -E '!@#$%^&*( )\\' -n 10 > $b
27 # tr command is for bug workaround; apg is not supposed to
28 # include characters specified after -E option.
29 paste $a $b |
30 tr 'l' 'L' |
31 awk '
32 BEGIN {
33 printf "Password\tRough guess at pronunciation\n<hr />"
34 }
35 {
36 printf "%s%s\t%s %s\n", $1, $3, $2, $4
37 }'
38 cat << EOF
39 </font>
40 </pre>
41 </blockquote>
42 </blockquote>
43 <hr />
44 </body>
45 </html>
46 EOF
47 rm $a $b
48 exit 0

3.10.3 Script Walkthrough

Line 6 sets the PATH to a known safe value. This lessens the possibility that an attacker can cause this program to execute a hazardous binary. Make sure apg is in this path.

Line 7 sets the umask so that only this user can read the temporary files to be generated later.

Lines 8 and 9 work because the Korn shell provides a $RANDOM variable automatically. Since $RANDOM yields only 32,768 possible values, the resulting file names are predictable; if /bin/ksh is not on your system, use mktemp to generate temporary files safely.

Lines 10-24 print the page header; the empty line after the Content-type line is required, because CGI separates the headers from the document body with a blank line. I usually make a sample page and then run it through /usr/ports/www/tidy to get a decent DOCTYPE header and indentation.

Lines 25 and 26 issue apg commands to generate two separate files containing four-character passwords.

Lines 31-37 use an awk script to print the password plus its pronunciation. The BEGIN section prints only once, before any lines are read. The printf section expects lines with four fields: two pairs of password and pronunciation strings from the temporary files. The first and third fields are printed together to form the password, and the second and fourth fields are printed together to form the pronunciation guess.

Lines 38-46 finish the page.

Lines 47 and 48 clean up the temporary files.
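The two-run concatenation and the paste/tr/awk step of the CGI script, as an added POSIX sh example that is not the book's script: it uses mktemp and a cleanup trap instead of /tmp/apg.$RANDOM, feeds constructed stand-ins for the two apg runs (values copied from the runs shown above, since apg is not invoked here), and adds an assumed policy check (functions combine_lists and meets_policy are my names) for the digit, capital and punctuation requirement the concatenation is meant to satisfy.

```shell
#!/bin/sh
# Added example, not the book's script: portable sh version of the
# combine step with safer temp files and a policy check. apg itself is
# not run; the two heredocs are constructed stand-ins for its output.
set -eu
PATH=/bin:/usr/bin:/usr/local/bin; export PATH
umask 077

# mktemp picks an unpredictable name and creates the file atomically,
# unlike /tmp/apg.$RANDOM; the trap removes both files on any exit.
a=$(mktemp /tmp/apg.XXXXXX)
b=$(mktemp /tmp/apg.XXXXXX)
trap 'rm -f "$a" "$b"' EXIT INT TERM

# Stand-ins for "apg -q -m 4 -x 4 -M NC -E Ol -n 10" and the "-M S" run
# (values copied from the runs shown above; note the "l" in lek>).
cat > "$a" <<'EOF'
Dij6 (Dij-SIX)
Voj6 (Voj-SIX)
Pam0 (Pam-ZERO)
EOF
cat > "$b" <<'EOF'
orc) (orc-RIGHT_PARENTHESIS)
lek> (lek-GREATER_THAN)
tij: (tij-COLON)
EOF

# Same paste | tr | awk pipeline as the CGI script, minus the HTML:
# fields 1 and 3 form the password, 2 and 4 the pronunciation guide.
combine_lists() {
    paste "$1" "$2" | tr 'l' 'L' |
        awk '{ printf "%s%s\t%s %s\n", $1, $3, $2, $4 }'
}

# Assumed policy: at least 8 characters with a digit, a capital and a
# punctuation character, and no confusable O or l. Returns 0 on pass.
meets_policy() {
    pw=$1
    [ "${#pw}" -ge 8 ] || return 1
    case $pw in *[0-9]*) ;; *) return 1 ;; esac
    case $pw in *[A-Z]*) ;; *) return 1 ;; esac
    case $pw in *[[:punct:]]*) ;; *) return 1 ;; esac
    case $pw in *[Ol]*) return 1 ;; esac
    return 0
}

combine_lists "$a" "$b" | while IFS="$(printf '\t')" read -r pw guide; do
    if meets_policy "$pw"; then printf '%s\t%s\n' "$pw" "$guide"; fi
done
```

Run it with apg installed by replacing the two heredocs with the real apg invocations from lines 25 and 26.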

3.10.4 See Also

• man apg

• man mktemp

• The APG web site (http://www.adel.nursat.kz/apg/)

• FIPS 181, the APG Standard (http://www.itl.nist.gov/fipspubs/fip181.htm)
