A tool that I wrote last year to generate random passwords, and have since found unbelievably useful. Save it in a shell script and use at will. It takes one optional parameter, which is the password length (it defaults to 12 chars), and produces a typable password without problematic characters (such as quotes) that some badly-configured websites choke on.
#!/bin/bash
# Optional first argument: password length (defaults to 12)
if [[ -n $1 ]]; then
    len=$1
else
    len=12
fi
# Keep only the listed characters (letters, digits and symbols, no quotes)
# from /dev/urandom and take the first $len of them
< /dev/urandom tr -dc \
_\!\@\#\$\%\^\&\*\(\)\<\>,.:\;+\-=\[\]\\/\?\|\~A-Za-z0-9 \
    | head -c$len
echo
That’s good for generating a random password but you still have the problem of remembering it. I think something that translates from a half-decent but memorable password to a better random one would be more useful. Obviously the translation must use a repeatable (pseudo-)random number generator(s). md5sum etc could be a useful starting point, e.g.
echo "correcthorsebatterystaple" | md5sum
7e2bb7bb87300ff83c657b04b07b8261
OK, you’d probably want to translate that to randomly have some upper case letters and symbols as well, but you get the general idea. Everyone makes their own script. Beats the idiotic idea of using a commercial (esp. online) password manager.
If the remote site makes you change your password frequently, just add a number to your memorable password, e.g.
echo "correcthorsebatterystaple2" | md5sum
8e49d664a5501eb7129ef7c072619775
echo "correcthorsebatterystaple3" | md5sum
3ae6d0fb78915e79fddd4a86590273f1
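As an added example (not code from the thread), here are the two approaches above side by side in Python: a uniform generator over a character set like the script's, the md5sum derivation (including the newline that echo appends), and the entropy in bits each one yields. The character set, function names and the 12-character default are assumptions of this example.

```python
import hashlib
import math
import secrets
import string

# Same spirit as the tr -dc set in the script above: letters, digits and
# symbols with no quotes, spaces or backslashes (constructed for this example,
# not byte-for-byte the original set).
SYMBOLS = "_!@#$%^&*()<>,.:;+-=[]/?|~"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def random_password(length: int = 12, alphabet: str = ALPHABET) -> str:
    """Draw each character uniformly from `alphabet` with the OS CSPRNG.

    secrets.choice rejects out-of-range random values rather than reducing
    them modulo len(alphabet), so every symbol is equally likely; tr -dc on
    /dev/urandom has the same property because it discards unwanted bytes.
    """
    if length < 1:
        raise ValueError("length must be a positive integer")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derived_password(phrase: str, suffix: str = "") -> str:
    """Reproduce `echo "<phrase><suffix>" | md5sum` from the thread.

    echo appends a newline, so the digest covers phrase + suffix + "\n";
    hashing the bare phrase gives a different value.
    """
    return hashlib.md5((phrase + suffix + "\n").encode()).hexdigest()


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` uniform, independent draws from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def compare(length: int = 12) -> dict:
    """Entropy in bits of each password source at the given length.

    md5 output is hexadecimal, so a 12-character slice of it carries 48 bits,
    and a derived password never holds more entropy than the phrase it came from.
    """
    return {
        "random_full_alphabet": entropy_bits(length, len(ALPHABET)),
        "md5_hex_truncated": entropy_bits(length, 16),
        "md5_hex_full_32": entropy_bits(32, 16),
    }
```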
No, password managers are a great idea. Not online, but a local one with a good, hard but memorable master password. Everything else is randomised. Particularly if you’re doing it in a commercial environment where other people need to be able to recover your passwords.
The problem with password managers is trust. How can you be sure that they are competent and are not a front for crooks looking to harvest all our passwords?
“need to be able to recover your passwords.”
Recover? Or reset?
Yes, but the same criterion of trust applies to all the software on your computer, any of which could be a key logger in disguise. Password managers don’t increase that threat surface significantly. And yes, I mean recover. Ideally, all your passwords would be unique, user-based and memorable but that just doesn’t happen. Without universal deployment of federated ID services the management overhead would be enormous. And password recovery systems are generally dreadful – in many cases they’re orders of magnitude easier to break than passwords themselves (which we know are crap). Apple have been pretty bad at it, for example.
Federated ID across multiple organisations or websites (e.g. “social login”) or federated ID across different websites within the same organisation? Former is far worse security wise than password managers, so OK, use managers, but at least insist that everyone uses a different one with a different master password for each site they log on to 🙂
“And yes, I mean recover”
Yes, password recovery systems (i.e. verifying that this is the correct person and we should help them get back into their account) are often vulnerable, but to clarify, do you mean that the sysadmins should be able to tell me what my old password was? I was just about to email a webstore to chide them for being able to do so for me.
No, I mean that if I get run over by a bus, someone else knows the root passwords.