Today I launched a new service called Random.pw (taking advantage of the new .pw domains). It’s a random password generator, with lots of customization options to help you find a memorable but secure password, and it even has a password strength checker.
I would love to see something like this integrated into the Drupal registration and “change password” forms. It would solve lots of security problems, just by having folks use strong passwords.
The kicker is, it doesn’t take much to make a strong password. Computationally, it’s very difficult to crack a password that’s long (say, 12 characters), contains letters and numbers (including at least one uppercase letter), and contains a special character or two. Reading “How I became a password cracker” was alarming for how easy it is to crack a common password, but it was reassuring that a healthy diversity of characters is much, much more difficult to crack.
However, remembering a purely random password is very difficult, so much so that you might find yourself saving it somewhere so you can copy and paste it. That raises the question: how secure is it, if it’s stored somewhere?
I attempted to solve this by integrating with Wordnik, a third-party API I’m using to get random nouns and adjectives on the fly. The words are further obfuscated by randomly capitalizing the first letter and by replacing one letter per word with a special-character equivalent (e.g., “a” becomes “@”). The result is easier to remember and, when stuffed with a few numbers, is computationally very secure.
The built-in, client-side password strength checker is powered by the good folks at How Secure Is My Password, and provides a nice interface with helpful explanations to nudge you toward creating stronger passwords.
So, head on over to Random.pw and spin yourself up a new password. It’s all client-side, so you don’t have to worry about your password being sent over the wire. There are plenty of options (and even a theme song) to help you find the right password.