Security: The Ultimate Linux Password Management Guide Part 1
Posted on Friday, February 01 @ 01:00:00 CST by maysvill

Linux Computer & Network Security

This is part 1 of a multi-part article. Part 2 is scheduled for publication on 02-02-2008. Links to additional parts will be created as they are published.

Everybody knows that you shouldn't use a single password for EVERYTHING, yet most people do. Why? Because remembering a single complex password is hard enough, and remembering multiple complex passwords is even harder. However, as more and more services go "online" (banking, lending institutions, payment methods, email, etc.), the use of unique complex passwords becomes CRITICAL, because computers can now crack passwords much more quickly. When you use a single password for all accounts, if any one account is compromised, they are all compromised!

To look at that last statement in more depth: almost anything that requires a password these days also needs some way to identify you, and practically everyone knows that the single identifier used online is an email address. If someone compromises a database of accounts, they will likely have your password and your email address. Finding your accounts on other web sites is then just a matter of searching for your email address with a search engine. But why waste time looking for accounts when they probably own your email account too (since it probably uses the same password)? All they have to do is log in to your email account and search for emails that may contain account information (we all know we never delete those). And if a web site doesn't have an account under your email address, creating one is just as simple, since they now "OWN" the email account and can intercept the confirmation emails that usually accompany new accounts.

This article looks at several utilities, programs, and commands to make password management on Linux easy. If you don't like these methods, you can also follow some guidelines that are here or here.



CREATING RELATIVELY COMPLEX PASSWORDS

There are utilities in Linux that can help you create relatively complex passwords. Why do I say relatively complex? Because as technology moves forward, a password that is secure today may not be secure tomorrow. There is no perfect solution for creating secure passwords or for password management, only ways to help us create unique passwords that may or may not be secure or complex against tomorrow's methods of cracking passwords.

The makepasswd program accepts the option --char=XX, where XX is the number of characters in the password. For example, makepasswd --char=10 will generate a 10-character password similar to:

  1. dB9vMmBYSe
  2. IpKLrWzntU
  3. fDxwXAjz97

Although the above passwords are relatively complex, they do not contain special characters. This makes them very weak when using technologies such as rainbow tables to crack passwords. I recently did an article on brute-forcing passwords using John the Ripper, and even the passwords above can be cracked relatively easily using that method.

Another method for creating relatively good passwords is the program pwgen, available from SourceForge. pwgen accepts several options; however, you can also just issue the command pwgen and get results similar to:

[code]
$ pwgen
ThoChaV6 BeeZei2i gohQu5wa Ahji7yau Hae9moov Iejie9ie Jah8Eng9 ohFu7Moo
paeF0Bou Gie8kaop ohth8PoS kei2BiZo iejoh1Zu Itei2pei Ohsoph4e po0aiVa5
dou9fa0V Ti7yah5w thiQu7fe eisiey5L Xoh3Ahyu gees1Thi Quai3ohj HeeluT1e
Eemo5kee shi9Zeex Chee8rae lafaiJ1A xaThiG9a ou9ieRei oCo7dai5 Chighii3
Bequ4Bor eashooH7 Jueh7fia aes9Coht shu4PooK quoh0uDa Ael0nooR AiJah7ae
QuaiHe0e eefap3Ee eithoo4W Yeej2aed gimu9Wib tae0ohSh Uequaer4 thaeFa8u
eish0Ee9 aijaGhe7 aa5fie9U Phohn8pu hu8OuY0x aeshohH7 ungohR0r ooCee1Oa
Eishash5 eiko9Eiy Miyee9Fu PeiphaF3 oofeZei1 NauQu7ae Uha7ahph iemo3ohW
Ohphoh5a Koop0ua2 Ex1neopu ishoh8Sh ooDaey4G hoh7Ahng nazaeNg4 eeYie2ai
uVoh5lai Phoog9uj aifeo6Mu phaeB6at fieXuth6 Eesa0cha Voh9uowo zae9aeNg
ieb3Ohdu Ahv5nien eeghooB4 Rahz1mei iziuD3yi eichohK2 yir7eiQu Pae0kahw
thaeL7ai uu1Shooj pai1LaoG oof6EeF9 Givae5si Ik4wieri bee1Yai1 phoh3ahP
daeVo6zi fae9Eng3 cie7Nooj oKoo6Ciu bai4yahH ahs9yu4M thaesh0E xi3aiBa4
ahgahw4C jiep0Ub2 iLi1iez0 Ieco3ek1 uThaeye4 as1Aeb0i jeeyoo4X Oong4ooD
ooghe9Ou chaPae1s puas2uTh ohSh6aab yahr5eiM Eep8oowu MahF5aeb ho9Fia7N
seuW1coh Quang0ta ohvei1Ne zohf8Oz7 quo0Ohpi eeWuum1R Uosh1imi rae1Aes6
iepaij1O je9Elait eeph2aiN Heimaev8 ooZahy9x feish6Yu Xohch0ho UK0shie2
ILei9Zo1 Sach3teD Air0kama aJer6iel Chee3Pho Eigah6wa em7ooPh6 aKaex1xu
ahshu0Ah UCh3cho3 kee2EiLe aefei1Ie goh1eiZe eeC6shew ieNgeim2 Aeweem0I
vee7Aebe Aethae0O iShahsi9 Ahph3ma0 Pei6mi9a ag6aa9Oo aeP2phae Abuekah5
[/code]

For longer passwords with pwgen, use the -s (secure) option followed by a number XX giving the length:

[code]
$ pwgen -s 10
n4dcqIzTZz 7lkU6PMuwl rIssPZCT1f S3OVa5XyBv Krwqw1IW9v wTOGWI5Iem JZzpuFF24P
CZXgU9gxFP vE4y0m9sve MiweA4VJpa gwQSKh0OzK fSNzIi6RDu 098dIuOP3B BTB6YkwnS0
KRas4G1Bex 9iG96fZ1ZD ysJ8m9ko1h J36kZjcIGg jWPgg1jadN PwXfPACl1k 8Qi2us5yVX
tKRNWQ86Ue qJUJjfH8Xw I6tENLAHdR xWhukOxvd9 iTo0p0rbfv f3odY0cnMD msZCZDJC9c
RSEOUWY6SX mdUokYT8Sn JULrwbcv0C r30QMJ5u1G wTi3ZvBclV NUns9AXgb7 ZzkALTTmq8
AOEERu1B0h RywOs2a89w iJTEn5d9RG 17eA203YRR bFn4yeE8K7 7WVAptojGu tCYf3aphhY
ABrlZYL8T2 NwF811L17V onhw6t8a0J I99MHe2Jgk NCVI2eV6Lz MvKX9ofckq XwMcD9CW44
cPxuhhIg7H 7pV8DX5RCE TO81OTUkPb JHhMT8WClg DMifbF4QaC v1qvNjmofb TcQHCrUW1t
Bbv2K3IzF6 jYc6u3dOds 9H3sG7MHYC yNQ97m372W ExD63vw579 x1IdwutJIa CWIaz6eAFI
bERKaYrMO8 2qiAa0WF4d 0CcWDjmzlA BmFYLmg7fO AQkOoWItv0 Tdw3IoS78f v5qUURh4xs
o15yTGluG9 ltIQK0CuXw giIDLF1sG2 5eyJfFhGhh RLyf0Otxem 16QHkAwVvf c1fVsOleUu
7iB7EwB196 S6vSrDSMlE G7y9pFgX0d Ue9nYbwxxe puolOhKL5n Ordzbb92XV HAgS4gyOPL
jK2O80kyQn NYjkcN86nf SwbuaqK3ZO HTza7pfKq5 dpfzhwyx7J rCu8nezEam fWm02SJs0J
8pIqM5zj5R IeNJ7uzWpc RJJd5398RE Pt4gEANj0h blTWit3M4J edYR6NhN95 HaKo6GCCja
Pu3GM3nJZf xkp3WdUhHS H3WhrSRrrB FnQDia3zqk 1VNhcknvME 4GIAfer65O k14QjLVfuZ
9C7w6BN8H1 i21J26XpaC 7MxiaCnaZn t69Qvzagee SF5DlIwTlX IMqej0rjb4 3rvTU3wb1v
rPZ53PVJlK uqYHL97MJN Axx0Schycw RMG9nn3k3W 4GlzXiMMev bU90GqGpqQ thx5FM1Vp0
l6jTLxZOG5 jDXLHd7pxK 4l0Xu0JbRC n77aIo0tCC vTj1xcgmAw FLO2I2Qm49 V4BrhFP7Ld
nxV55INIhp QM7kGo8XfW a4RhASru2b U14OtJDGsq tvCANufn7S Kw9q1Z6wjB krWu6WwBHL
nTPu4bduXW f9VwhXpgPU HAutLn2KqZ 2D9E90oAEb 2g0Y0XZgfx sFv2tLJCsw nuQQSF4VGL
[/code]

In the previous two examples of pwgen there were no special characters. To generate passwords that contain special characters, use the -y option. For example, a secure password 15 characters long with at least one special character would be generated by this command:

[code]
$ pwgen -s -y 15
=>]JIgw^7I1.p:E j-.vDr1Gcl&GCi; c[5MTHZcY2oIfyl ^@2?M=wa'R_DX>9 ^(i!2(TQF"}Itom
T_Jsjc:GIB6bL6_ BhI#T7HMzp<3To' (CXT+T%x?bMN8:k 1g&}~qsJF79h>04 >d,."gO[&0
[/code]

See the man page for additional options to pwgen.

There are also ways to create random passwords in Linux using only a few standard commands. Here are two examples:

This first one does not include uppercase letters or special characters, therefore, it is intended only as an example and should not be used:

[code]
# /dev/random may block until the kernel has gathered enough entropy; dd's byte count goes to stderr.
dd if=/dev/random count=10 bs=1 2>/dev/null | hexdump | cut -d ' ' -f 2- | head -n 1 | tr -d " "
[/code]

It creates passwords similar to this:

  1. f2945d2c092637e4ed17
  2. d0c9536a3b9853fc29ef
  3. dfb1e5b1ae809b0b433a

The second one reads from /dev/urandom, keeps only printable non-space characters, and takes the first 8:

[code]
head -c 200 /dev/urandom | tr -cd '[:graph:]' | head -c 8
[/code]

Which generates passwords similar to:

  1. EFu4V?`)
  2. fydO,K(S
  3. <@VRt/E'
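The two one-liners above each show one idea (hex digits from /dev/random, printable bytes from /dev/urandom); the following added example, which is not part of the original article, generalizes the second into a small generator that keeps drawing until the result contains lowercase, uppercase, digit and special characters, plus a checker you can run on any password (including makepasswd or pwgen output). It assumes a POSIX shell with tr, head and wc and a /dev/urandom device, as on any modern Linux system.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes a POSIX shell,
# the standard tr/head/wc utilities and /dev/urandom.

# count_class CLASS PASSWORD: print how many characters of CLASS (a tr
# character class such as '[:digit:]') PASSWORD contains. LC_ALL=C keeps the
# classes to ASCII so the counts do not depend on the caller's locale.
count_class() {
    printf '%s' "$2" | LC_ALL=C tr -cd "$1" | wc -c | tr -d ' '
}

# has_all_classes PASSWORD: succeed only if PASSWORD has at least one
# lowercase letter, one uppercase letter, one digit and one special
# ([:punct:]) character. The makepasswd/pwgen samples above fail this test
# because they carry no special character.
has_all_classes() {
    for class in '[:lower:]' '[:upper:]' '[:digit:]' '[:punct:]'; do
        [ "$(count_class "$class" "$1")" -gt 0 ] || return 1
    done
    return 0
}

# gen_password LEN: same idea as the /dev/urandom one-liner, but draw a
# larger buffer (512 bytes leave roughly 180 printable characters after the
# tr filter) and retry until the password is exactly LEN characters and
# covers all four classes. Default length is 16.
gen_password() {
    len=${1:-16}
    while :; do
        pw=$(head -c 512 /dev/urandom | LC_ALL=C tr -cd '[:graph:]' | head -c "$len")
        [ "${#pw}" -eq "$len" ] && has_all_classes "$pw" && break
    done
    printf '%s\n' "$pw"
}

# Usage: generate a 20-character password and confirm it passes the check.
if [ -z "$NO_DEMO" ]; then
    candidate=$(gen_password 20)
    has_all_classes "$candidate" && printf 'OK: %s\n' "$candidate"
fi
```

Set NO_DEMO=1 in the environment to source the file for its functions without printing a password.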

I already know what you are thinking: how will I ever remember passwords like these? That is easy too, using a few programs for managing passwords in Linux.

REMEMBERING RELATIVELY COMPLEX PASSWORDS

There are many terminal and GUI programs to help us manage passwords in Linux after they are created. A short list includes keepassx, mypasswordsafe, revelation, kedpm, gringotts, ccrypt, pwsafe, cpm (console password manager), and even gnupg.

On a Gentoo or Sabayon Linux system, installation is done via a simple emerge (which will also add the makepasswd and pwgen utilities for creating passwords). Other distributions may have these programs available in their native package formats, such as deb, rpm, etc.; you should use your distribution's methods of installing these programs. You can also compile from source code. Because I am doing a review, I am installing multiple password managers and utilities for creating passwords. Once I determine which ones I like best, I can then uninstall those I am not using. In a multi-user environment, however, remember that what you like may not be what others like, so having multiple managers and utilities handy may increase the security of your systems (nobody will use software they hate, so give your users a choice).

[code]
emerge -vD keepassx mypasswordsafe revelation kedpm gringotts ccrypt makepasswd pwsafe pwgen
[/code]

To get cpm installed, you need to first download the ebuild (this will be covered in much better detail in a later article during the cpm review).

There is also zsafe for Linux and Zaurus, which is compatible with a few Windows password managers; see my previous article. (The link opens my personal home page in a new window. However, I have been unable to get zsafe to compile on a 64-bit system, and it has not been developed in some time.)

There are also a few programs not in Gentoo Portage that may or may not be covered in later articles, such as Password Gorilla and Password Safe (Java based, from which several of the Linux versions are derived. NOTE: most Linux programs based on Password Safe use the pre-2.0 database format and are not compatible with the 3.x versions of the database). This only matters if you are choosing a password management program that is cross-platform (Windows, Linux, Mac).

Those programs based on Password Safe that are not compatible with the 3.x database version include:

  1. pwsafe
  2. mypasswordsafe

In part 2 of this article we will begin an in-depth review of keepassx (GUI based).

In part 3 of this article we will take a look at gpass (GUI based).

In part 4 we take a look at pwsafe (console based).

In part 5 we take a look at cpm (console password manager, ncurses based).

Additional articles and reviews are currently being written.



Note: Ed Wiget, http://www.edwiget.name, has been a Linux/Unix system administrator since 1995. He holds many certifications and is currently working on a degree in computer engineering, with an emphasis on computer/network security and forensics.

 
Related Websites

Related Links
· More about Linux Computer & Network Security
· News by maysvill


Most read story about Linux Computer & Network Security:
Secure Your Boot Loader


 
Article Rating
Average Score: 0
Votes: 0

Please take a second and vote for this article:

Excellent
Very Good
Good
Regular
Bad


 
Options
 
Associated Topics

Commands You Should Know How to UseLinux Computer & Network SecuritySoftwareTips & Tricks

The comments are owned by the poster. We aren't responsible for their content.

No Comments Allowed for Anonymous, please register

 
All content Copyright 2000 - 2008, Maysville Linux Users Group unless otherwise credited.
All Rights Reserved!
The opinions expressed by visitors to this web site are their own and not necessarily the opinions of the MLUG!


Web site powered by PHP-Nuke Web site powered by PHP-Nuke-NIP-76.0

You can syndicate our news using the file backend.php or ultramode.txt