New Terms provide potentially significant
financial penalties for those who have copied,
and License. See below for additional information.
This page will always describe any additions and
meaningful changes to GeodSoft.com. Visit this page first, and bookmark
it, and not the "home" page, which almost never changes. What's New is the
only page that should ever be retrieved on a periodic basis and that should
be at most once a week. The most recent changes are always at the top.
June 10, 2012:
The Automated Password Generators
page has been greatly expanded and updated. It includes 5 new sections: PWGen;
Password Universe Size Versus Strength; Top 10,000 Passwords; More Programmed
Dictionary Thoughts; and Which Accounts Can Cause Significant Damage. The
State Department Passwords and First password.pl were extensively revised.
U.S. Government Automated Password Generator received minor revisions.
May 30, 2012: Source for a Web based Password Generator:
For the first time ever, we are making available the source code for a web based password
generator with a liberal, BSD style, open source license. This is the older and simpler
generator, but still moderately flexible as is. This is the same one that has
been available since we went public with the GeodSoft web site.
It's not identical. I have removed all traces of GeodSoft website style, format and navigation aids.
It should be ready to drop into any web site and be customized to visually blend right in. It has a
copyright notice and a statement that this version may be modified in accordance with the license
in the source code. These 3 lines must remain visible and a block of comments including the very
short license must be kept in the source, but otherwise you can do anything you want.
The most important difference between the BSD style license I included and the GNU GPL that
applies to Linux and most open source software projects is that you never have to share your
code modifications or working product with anyone else. With the GNU GPL you always need to
give back to the open source community any enhancements you've made. With BSD style licenses
what you make is yours. With a password generator, it lets you keep your intrinsic password
policies derived from the generator a trade or family secret. You may share if you wish,
but there is no requirement that you do so.
It has several small functional enhancements. It has two additional, predefined combinations of
user controllable options, not in the older one which still runs on GeodSoft.com. The default
settings, the state department style, better, and easy are identical to the settings at
GeodSoft.com. Still better, and 2 new combinations, strong and stronger, plus hard, each get
progressively a little stronger to at least partially deal with the increase in computer speeds
over 12 years and the advances in cracking passwords that have occurred, especially in the past
5 or so years.
In addition there is one documented logic upgrade to show how easy it is to start making changes
beyond what can be done with configuration variables. This changes the 2 value switch,
$addConsonants, into a three value variable that instead of just turning an option on or off,
switches between adding no letters, adding only consonants,
or adding letters from the full alphabet. This adds
a little diversity, and at the same time often makes the password easier to pronounce. There are not
many times that you get a password related change that makes a stronger password AND makes it
easier to remember. I never thought of this when I was using this as my only online password
generator because I was still heavily influenced by the State Department style passwords, and
did not see the need for this strength at that time, over a decade ago.
There is currently a control constant that only allows 2 of possible 4 letters to be added
to the password. It is documented how to change this to 1, 3 or 4, or to turn it into a user
controlled web variable. The code needed to make a web variable and where it needs to go are
I suggest paying particular attention to the strong, stronger, and hard variations as these
are the passwords that have the length and character diversity to still be strong in today's
more hostile cracking world. See below about the new password cracking calculations and the
comments that I make on that page on recent developments in cracking tools. At least one of the
cracking tools now has a programmed dictionary generator that feeds the cracker passwords
made by another popular password generator. This one does not create passwords that look
like those from my generator. With some study I think my current password.pl could mimic
these. Once the crackers can mimic one password generator,
others will follow. The crackers will need to know who they are targeting
and what password standards and tools they use. Of course if they can get the
password hash file, they can likely get the rest of this. A generator that creates passwords
over a huge universe of possible passwords is very much advantageous, as is the ability
to easily and significantly change password styles with simple configuration changes.
I don't believe any other password generator is as versatile as my pattern based generator.
Also look at the current pattern based password generator to get ideas for different password
structures. As I discuss on my
Cracking "Good" Passwords With Custom Programmed Dictionaries page, the
most commonly suggested places to locate symbols almost invariably miss three perfectly
good options. Once passwords get into the 11 - 14 character range there is nothing wrong
with putting numeric strings of 3 to 5 characters at the end, middle, or even
beginning of passwords. The digit strings might start with one or two symbols or punctuation.
Long numeric strings in short to medium length passwords are a bad idea. There is less
character diversity among digits than any other character type except vowels,
and if you include upper and lower case vowels, digits and vowels tie. If a cracker suspects
long numeric strings in short passwords this can easily be put to use. The digits' small character
set greatly reduces the total number of possible passwords to look at. With longer passwords
3 - 5 digits do not significantly weaken a password.
Perhaps the best characteristic of hashes is that they tell a cracker nothing about a password
until he has the entire password. Even if somehow he knows the passwords at the site or on the
targeted machine have only one digit and one symbol or punctuation mark, until he finds the
first password he probably does not know where these two characters may be.
He may then focus his efforts
on passwords of similar structure after finding the first. If this is not productive, he is
back to brute force methods. He either has bad information, or the passwords at the site have
varying structures. When working with two alpha strings and non letters, three locations are
normally recommended. By far the most common is the middle, separating the letters. Also one at
the front and middle or middle and back are suggested. There seems to be a need to keep the
words or alpha strings separate.
There is not. Running the alpha strings together may make them easier or harder to pronounce
and remember and that will vary widely with the specific password and
who is looking at them. Accept that two logically
independent alpha strings, when created by generator logic can be just as useful together as
apart, and you have three new ways to distribute non letters. All front, all end, or front
and end. The number of possible structures just doubled.
Personally I tend to prefer two relatively short pronounceable pieces, or a longer pseudo
word, with or without a second short pronounceable piece. Of course there should be mixed case
included. I also want at least one and maybe several digits plus at least one punctuation
and/or symbol. I don't care if two alpha strings run together. What have I told you about
my passwords? Nothing usable. I like pronounceable non dictionary alpha strings, of
varying length, arranged to take advantage of all possible non letter locations.
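Here is an added Python sketch of the pattern based approach the entries above describe. It is not code from GeodSoft's password.pl, whose source is not on this page. It shows pronounceable pieces that are run together, the three value letter switch (none, consonants only, full alphabet) with the two letter cap, and the six non letter placements including the front, end, and front-and-end forms argued for above. The character tables, the rule that extra letters go at random positions, the single upper-cased letter, and the rule that symbols take the first spot and digits the second in a two location placement are all my assumptions. universe_size counts the passwords a cracker who already knows the pattern must try, which is the number the digit string discussion turns on.

```python
import math
import secrets

# Character tables for this example (assumptions; password.pl's own tables are not on the page).
CONSONANTS = "bcdfghjklmnpqrstvwxyz"
VOWELS = "aeiou"
LETTERS = CONSONANTS + VOWELS
DIGITS = "0123456789"
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"
MAX_EXTRA_LETTERS = 2   # the control constant: at most 2 of the possible 4 letters are added

# The three commonly recommended spots plus the three "run the alpha strings together"
# placements. In a two location form the symbols take the first spot and the digits
# the second (assumption).
PLACEMENTS = ("front", "middle", "end", "front+middle", "middle+end", "front+end")


def pronounceable(length, rng=secrets):
    """Alternate consonants and vowels so the piece can be pronounced; either class may start."""
    start_vowel = rng.choice((True, False))
    return "".join(rng.choice(VOWELS if (i % 2 == 0) == start_vowel else CONSONANTS)
                   for i in range(length))


def add_letters(alpha, mode, count, rng=secrets):
    """The three value switch: 'none' adds nothing, 'consonants' inserts consonants only,
    'full' draws from the whole alphabet. Letters go at random positions (assumption)."""
    if mode == "none":
        return alpha
    if mode not in ("consonants", "full"):
        raise ValueError("mode must be 'none', 'consonants' or 'full'")
    pool = CONSONANTS if mode == "consonants" else LETTERS
    chars = list(alpha)
    for _ in range(min(count, MAX_EXTRA_LETTERS)):
        chars.insert(rng.choice(range(len(chars) + 1)), rng.choice(pool))
    return "".join(chars)


def mix_case(alpha, rng=secrets):
    """Upper-case exactly one letter so the result is mixed case."""
    i = rng.choice(range(len(alpha)))
    return alpha[:i] + alpha[i].upper() + alpha[i + 1:]


def generate(pieces=(4, 4), letters="consonants", extra=2, digits=4, symbols=1,
             placement="front+end", rng=secrets):
    """Build one password from a fixed pattern. The alpha pieces are run together;
    'middle' means the midpoint of the combined alpha string."""
    if placement not in PLACEMENTS:
        raise ValueError("placement must be one of %s" % (PLACEMENTS,))
    alpha = "".join(pronounceable(n, rng) for n in pieces)
    alpha = mix_case(add_letters(alpha, letters, extra, rng), rng)
    sym = "".join(rng.choice(SYMBOLS) for _ in range(symbols))
    num = "".join(rng.choice(DIGITS) for _ in range(digits))
    slots = {"front": "", "middle": "", "end": ""}
    if "+" in placement:
        first, second = placement.split("+")
        slots[first], slots[second] = sym, num
    else:
        slots[placement] = sym + num
    mid = len(alpha) // 2
    return slots["front"] + alpha[:mid] + slots["middle"] + alpha[mid:] + slots["end"]


def universe_size(pieces=(4, 4), letters="consonants", extra=2, digits=4, symbols=1):
    """Distinct passwords a cracker who knows the pattern must try. Position choices for
    the extra letters and the placement choice are not counted, so this is a lower bound."""
    total = 1
    for n in pieces:
        a, b = (n + 1) // 2, n // 2     # slots for the starting class and the other class
        total *= (len(CONSONANTS) ** a * len(VOWELS) ** b
                  + len(VOWELS) ** a * len(CONSONANTS) ** b)
    n_extra = 0 if letters == "none" else min(extra, MAX_EXTRA_LETTERS)
    pool = {"none": 1, "consonants": len(CONSONANTS), "full": len(LETTERS)}[letters]
    total *= pool ** n_extra
    total *= sum(pieces) + n_extra          # which single letter is upper-cased
    return total * len(DIGITS) ** digits * len(SYMBOLS) ** symbols


def bits(**pattern):
    """Key space of a pattern in bits, for comparing structures of the same length."""
    return math.log2(universe_size(**pattern))


if __name__ == "__main__":
    print(generate(), "%.1f bits" % bits())
    # The warning about long digit strings in short passwords, in numbers:
    print("3 letters + 5 digits:", universe_size(pieces=(3,), letters="none", extra=0, digits=5, symbols=0))
    print("8 letters           :", universe_size(pieces=(8,), letters="none", extra=0, digits=0, symbols=0))
```

With these tables an 8 character all-letter pronounceable string has a larger universe than 3 letters followed by 5 digits of the same total length, which is the point made above about digit strings in short passwords; the 15 character default pattern comes out near 59 bits even when the cracker knows the structure.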
One of the reasons I've always used gets rather than posts on my web password generators is
that you can find any combination of web selectable options, then bookmark that selection,
so the next time you retrieve that page, you get your custom pattern. For most of GeodSoft.com's
existence, there has not been an SSL option on the password generator. I, however, have always
had a personal copy that I could run in complete security on my development site, normally
on my desktop. As long as I've had GeodSoft.com, I don't believe I have ever used a
password that came from one of the displayed sample patterns. Each year or so I change
to an entirely different password structure.
Some of this is not documented in the comments or elsewhere (unless you want to pick
through my entire Good and Bad passwords section which is about 80 printed pages),
so you may want to bookmark this
particular section. To make this simple, this section has been given the internal page
anchor name of "webpassgen". Just click on this link
http://geodsoft.com/whatsnew.htm#webpassgen, then bookmark this page and you will always
come right back to this section, no matter how many entries are added above. If this page
becomes whatwas4.htm, then you will need to update your bookmark, but hopefully by then you will
be past needing to reference any documentation on GeodSoft.com.
Anyone who has ever copied, distributed, or published material
from GeodSoft.com or is thinking about doing so needs to read the
GeodSoft Publication License very carefully, multiple times.
For the VERY MANY of you who have stolen GeodSoft content over the years
or have borrowed with some minimal casual reference where it came from, my
suggestion is that you run and hide as fast as you can. By that I mean take my
content off your site as fast as you can. I've been following copyright law since
1971. Unless you are an intellectual property lawyer, you probably don't know as
much about copyright law as I do. I've worked with many lawyers; none have known
as much about copyright law as I do. I've also followed contract law as it pertains
shrinkwrap license around GeodSoft.com. If you used the site, you agreed to
agree fully to the GeodSoft Publication License. By looking at a web page,
can the site authors hold you to something unreasonable? Probably not. By
copying and putting on your website copyrighted material, can you be held
to a contract you never read? Absolutely.
My publication license has always had a slightly tricky set of clauses. First
it could be updated at any time. Second if you did not abide by the letter of
the license at the time you used my content, you agreed to whatever the most
recent license says. Guess what the new license says. You agree to pay me one
dollar per day per word ($2 if you have ads on your site), from the time you
violated my license until we sign a binding contract that you will never again
use my content. I'm hoping to get rich.
You also have agreed to pay all my legal, court and any other related expenses.
Actually I think I have everyone from late 2001. Pretty much the same reasoning
applies but only to pages that I allowed to be copied, but that is just about
everything but the CGI scripts (which cannot be copied). Unfortunately (for me)
there is a small ambiguity in the pre 2007 license. Because of one word it's possible
to read it as meaning something other than the current license but I don't know
what, and in the context of the full sentence, despite the unnecessary word, I see
no other plausible reading. Lawyers and judges can be awfully picky. Still, I
hope to get even richer.
Why bother to take my stuff down now? Duh? Once a page is down, after a few weeks
to months it will disappear from the search engines. When that happens how am I
supposed to find you? Like I said, hide. I'll be much more interested in anyone
who thinks they can keep getting away with this with impunity. I've had pirated
pages taken down, and a few years later they are back up. Not appreciated.
Now I want blood. Green blood. Money. I never made anything off this site. Now I
think I can.
For those of you who are honest and have a desire to use any GeodSoft.com
content on your site, my license is complex but far from impossible. The main
thing is you have to save a copy of the Terms of Use page and digitally sign
it as well as put the right copyright notice on any material from my site.
You have to understand the difference between mirroring a page as it looks
on GeodSoft.com, and using its unique contents in a different style.
You also should read the
"Password Generator has gotten a few tweaks." You especially need to read
this section if it's not entirely clear what I mean when I talk about digital
find, install, and use GnuPG (it's available for Windows, Macs, and all Unix
variants) you can never legally copy a GeodSoft page for use on another site.
Actually that's not true. You can put the right copyright notice on and
exist at the time you first use my content, you are agreeing to be bound by
whatever Terms of Use and GeodSoft Publication License changes I may make in
the future. As I've just shown, I could again, at some time in the future
add a very unpleasant surprise. There is nothing that says it must be limited
to people who have cheated me. I hope I'm a decent enough person I never do
anything like that, but is that a risk you wish to take?
Actually a better command than the suggested gpg --clearsign is
"gpg -b" or "gpg --detach-sign" which mean the same thing on most systems.
The --clearsign will work since an HTML document is text, but since the
--clearsign wraps the HTML in its own headers, the page will no longer display
as an HTML page and it will only be possible to read it as HTML source. The
-b or --detach-sign option creates a completely separate signature file without touching
the original "signed" file. It verifies just as easily but still works as an HTML document.
I knew less about digital signatures in 2007. Neither file can be modified in
any way. Save both to a CD or DVD, and verify on the optical media after
it's made. AND WINDOWS USERS don't worry, there is a nice little GUI application
with the Windows version so you never need to see a command line.
What are the other changes? Too many and not important enough to talk about.
send me any emails asking if you can use this or that from my site. Read the Terms.
If after 3 tries there is something you don't understand, then write me and
be sure your questions are very specific and let me know you are very familiar
May 28, 2012:
Updated copyright notice on all pages:
I finally got around to updating all pages with
finishing I found a "lost" page I'd written, but never quite finished or posted. As this
will go in the Opinion section that has few subdirectories, it means the navigation
aids will need to be updated on every page of the site. I groaned. I realized, even
though I have a script that can standardize all ".htm" pages on the site in a single
operation, it is still tedious to upload all the pages directory by directory. I
thought about it and decided that I could write a script that would update all ".htm"
pages and upload them as a single operation, in about the same amount of time as
another site wide update. I have not written this yet, but will before I upload
the recently found, "lost" page. In the future this should help avoid
on the individual pages.
May 25, 2012: New Password Cracking Times Calculator:
This new calculator allows you to enter cracks
or encryptions per second, one or more character set sizes, and lower and upper lengths
of passwords to be calculated. The most useful part is being able to set the cracks
per second. You can say I'm crazy and have way overestimated what a fast desktop
can do, and this talk about hacker controlled networks is all fantasy and no one
can really access more than 10 computers. You can then see what kind of password
you need based on your assumptions.
If you are only interested in strong passwords
you might eliminate all the lengths but 95, and if you know you will never use a
space in a password, might change the 95 to 94. On the other hand, you may like
pronounceable all lower case passwords and want to see what it will take to get
the level of protection you think you need with such passwords. In this case you would
enter 26 as the only character set size. You may think no
password less than 8 or 9 characters is even worth considering and up the lower
limit so you don't see a bunch of irrelevant data.
You might be very cautious and want no one, even NSA, to be able to crack your
passwords. You can do some research into the power of the fastest computers available
as well as distributed networks. I think it is a pretty good bet that whatever
computer is fastest, NSA has several, or the equivalent of several. The USA spends
more on defense than the next 20 some countries combined. NSA occupies a special
place in our defense and security system. Unlike the CIA they are not prevented
from operating domestically. Unlike the FBI they are super high tech and very much
into everything related to computers, networks, and electronic technology. It's
quite reasonable to assume they have more computing power than any other agency,
institution, or organization in the world, and they are not about to tell anyone
what that capacity is, and that probably includes the Congress and the President.
Is it 4 orders of magnitude over my number? That is probably way low. How about
6 or 8 or 10?
What are the best estimates as to how much computing power can be
assembled by a single institution? If there is such an estimate, NSA is probably
close. You can crank up the cracks per second until you reach something like the
total estimated world wide computing power, at which point you finally have a
number that is almost certainly way too high. I made a wild guestimate of
world wide computing resources and came up with a number that is almost
exactly 10 orders of magnitude over my single desktop number.
If this number is at all close to reality, then we can probably cap NSA somewhere around
8 orders of magnitude, which would give them about 1% of all the world's
computing power. Somewhere between 7 and 8?
I used the calculator with an 8 order of magnitude cracking speed increase
and a 94 character set and came up with 5.67 centuries for a 13 character
password and 53.3 millennia for a 14 character password. So I think 13 or
14 characters from the full 94 visible
and typeable ASCII characters should be safe for the next few years. I'd
be pretty comfortable with 12 at 6 years. Besides avoiding anything that
might resemble a dictionary or programmable dictionary (the crackers would
need a fair idea of what structure you might be using) attacks, I'd avoid
passwords that started with an "!" (exclamation mark) or "e" (lower case e),
which are respectively the first visible character in the ASCII collating
sequence and by far the most used character in the English language.
(t, a, and o are the next three, assuming my analysis of 6 classic English
novels is relevant; certainly examining contemporary non fiction would dramatically
affect symbol and some punctuation frequency, but I'd bet the comma still wins
by a large margin. It would probably change uppercase frequency, especially the over
representation of "I" due to dialog. Important changes to lower case?).
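As an added example, not the page's calculator (whose source is not shown), here is a Python version of the same arithmetic: cracks per second, one or more character set sizes and a length range go in, exhaustive search times come out, and a machine count applies the "reduce the listed times by 1000 or more" adjustment for a cracker with a network of computers. The page gives only relative rates, so the single desktop figure of 2.5e7 cracks per second is my assumption; it was chosen because it reproduces the 5.67 centuries, 53.3 millennia and roughly 6 year figures quoted above for 94 character passwords of 13, 14 and 12 characters at an 8 order of magnitude speed-up.

```python
SECONDS_PER_YEAR = 365.25 * 86400

# Single fast desktop rate. Assumption: not stated on the page, chosen so that the
# figures quoted above (5.67 centuries for 13 characters at a 10**8 speed-up) come out.
DESKTOP_CRACKS_PER_SECOND = 2.5e7


def exhaustive_seconds(charset, length, cracks_per_second, machines=1):
    """Seconds to try every password of exactly `length` characters drawn from a
    `charset`-character alphabet, spread over `machines` equally fast computers."""
    if charset < 1 or length < 1 or cracks_per_second <= 0 or machines < 1:
        raise ValueError("character set, length, rate and machine count must be positive")
    return charset ** length / (cracks_per_second * machines)


def humanize(seconds):
    """Express a duration in the largest sensible unit, millennia down to seconds."""
    units = (("millennia", 1000 * SECONDS_PER_YEAR), ("centuries", 100 * SECONDS_PER_YEAR),
             ("years", SECONDS_PER_YEAR), ("days", 86400.0), ("hours", 3600.0),
             ("minutes", 60.0))
    for name, size in units:
        if seconds >= size:
            return "%.3g %s" % (seconds / size, name)
    return "%.3g seconds" % seconds


def cracking_table(charsets, min_len, max_len, cracks_per_second, machines=1):
    """The calculator's output: one row per (character set size, length)."""
    return [(c, n, humanize(exhaustive_seconds(c, n, cracks_per_second, machines)))
            for c in charsets for n in range(min_len, max_len + 1)]


def years_at_speedup(charset, length, orders_of_magnitude, machines=1):
    """Years to exhaust the key space at the desktop rate times 10**orders_of_magnitude."""
    rate = DESKTOP_CRACKS_PER_SECOND * 10 ** orders_of_magnitude
    return exhaustive_seconds(charset, length, rate, machines) / SECONDS_PER_YEAR


if __name__ == "__main__":
    # 94 visible, typeable characters, 8 orders of magnitude over one desktop
    for n in (12, 13, 14):
        print(n, "chars:", humanize(years_at_speedup(94, n, 8) * SECONDS_PER_YEAR))
    # All lower case versus the full keyboard set on a single desktop
    for row in cracking_table([26, 95], 8, 16, DESKTOP_CRACKS_PER_SECOND):
        print(*row)
```

The times are for exhausting the whole key space of one exact length; a cracker who knows the structure of the passwords (the programmed dictionary case discussed above) searches a far smaller space, so these figures are an upper bound, not a guarantee.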
The point of the calculator is you can enter any number(s) which seems plausible
to you to see what kind of passwords you need. Of course if you use a very high
cracks per second number
you will need a lot of long. It has recently been brought to my attention that
long passwords, 15 characters and up, do not need to be complicated. I've been
convinced. Accordingly I've been working on my password evaluator. Hopefully
more on that soon. Then I hope to focus on the password generator. I've already
made some big changes there that I've not yet posted. Back to long passwords.
Unless you have some extraordinary
memory power, you cannot remember all your passwords, including the infrequently used
ones. I don't even know how many active passwords I have, but I'd estimate
well over 50 and maybe 100. So how do you securely record all your passwords?
I started to try to answer that and realized I was heading into an area
where there would be passionate supporters of very different approaches.
I will say this, any password stored on a network connected computer is
at best, approximately
as vulnerable as the system's password file which may be quite
vulnerable or pretty secure. Nearly everyone says never write a password
on a piece of paper. I've said it elsewhere and will repeat it here, that is BS.
No network hacker will ever get near that piece of paper. Now I fully agree
that post-its or similar storage near your computer is very dangerous,
especially in an office. On the other hand, an unlabeled piece of paper in
a filing cabinet, in a book on a bookshelf, in a local safe, or in your
purse or wallet is a different matter. I think the last two are among
the safest places in an office, a high quality physical safe is relatively
safe anywhere (depending on who has access) and the others are pretty good in a home.
Someone has to get into your house and have time to search it. If they
are in your house illegally they are probably grabbing your computer
and other electronic goodies as well as any jewelry or silver or
other physical valuables lying around. Passwords may not be
your biggest concern when you get home and learn what's happened.
As long as you think it through, you are probably the best judge whether
you can protect your passwords better on your PC (certainly more convenient
with a variety of products) or in a physical location. Do you work in a
cubicle or an office you can lock securely? If so does a cleaning crew
have access at night? At home, do you have a large family with lots of
friends who are constantly in and out, almost as if they lived there,
or do you live quietly alone with few guests? If you honestly think
about it, only you are likely to understand what kind of physical threats
you face and how this might compare with the risks of a network
May 24, 2012: Recalculated the Cracking Times Table
on the Password Cracking Basics page: It's been 5 years since I last recalculated
password cracking times. Computers have come a long way in 5 years. I don't believe you
can buy a new computer with a single core processor anymore. When I started writing about
passwords, multi-processor systems were limited to high end servers. Now I have a laptop
with a fast Intel i7 processor that would be comparable to a supercomputer from I'm
not sure when. It doesn't even get warm normally because I rarely push
it to more than 5 - 10% of its processing capability for more than a few seconds
at a time.
When I last recalculated in 2007, I relied on information that was already dated.
I increased my cracks per second on which all calculations depend by only 10 times
for 7 years. That's well under the increase predicted by Moore's law. This time I
used only Moore's law, processor speeds double every 18 months. The figure I came
up with was a 256 times increase since 2000. I rounded this to 250. The new table
uses a cracking rate 25 times higher than the one I published in 2007.
On the cracking front much more has changed since 2007 than processor speed. In
2007 I surveyed the cracking tools and saw nothing that appeared significantly
different than 2001. Some tools were network ready but I think that was already
true in 2001. This means a cracker can distribute the cracking calculations to
every computer over which they have control. This means if they are using unused
computers at night in a library, college computer lab, or business (which are often
left on 24 hours a day) they can run them at full speed. If they are hacked
computers which may be in use, they will want to use only part of the processor
capability so as not to alert a potential user on the machine. There are few
problems that are better suited to distributed computing than cracking passwords.
The times I provided are for a single fast desktop. There is no way I can estimate
how many computers any potential cracker may have available. If the cracker is good
and serious 100 is quite likely and 1000 or more not unlikely. If you want to be
safe think about reducing my listed cracking times by 1000 times or more. Of course
there is a big difference for the password used on an infrequently used, throwaway
email account and on a bank or other financial institution.
I don't think the introduction of multi core computers has in any way invalidated
Moore's law but there has been an effect. Homes and businesses have upgraded to mid
range computers that are now generally faster than they really need. There has
been a huge increase in computing power in environments that have traditionally
had very weak network security. I believe Microsoft has done a generally pretty
good job on improving the security of its software, so home and small business
computers are better protected than they were several years ago. On the other
hand the attackers' tools, techniques, and processing power have also increased.
There is little reason to think the average home or small business computer cannot
be cracked by any knowledgeable and determined cracker.
On the cracking tool's side, of course they take full advantage of multi core machines now
as well as networking. Perhaps the most important development on the cracking tool
side is the introduction of programmed dictionaries which I first described in
2001. In 2007 I was surprised not to find any cracking tools using them. I figured
users' password sophistication had not increased and the crackers saw no reason
to spend time on these. Now at least one cracking tool is using a programmed dictionary
to create passwords like those created by a popular password generator (not mine).
Now that the cracking side has seen the benefit of programmed dictionaries, any
password structure that can be described, can now be fed to a cracking tool.
What have traditionally been very good, but not random passwords, are now coming
into the sights of crackers.
Probably the biggest development on the cracking side is that it has changed from the
province of dedicated hobbyists seeking recognition of peers to a mainstream
criminal activity. Virtually all financial transactions that were once done by
physical interaction or phone, are now networked. It's inevitable that organized
crime would follow where the money is, and it is often easier to get than in the physical
world and certainly with less risk. Criminals can operate out of Eastern Europe,
Asia, Africa, or South America, or anywhere where they might find lax computer
laws and no extradition treaties with North America or Western Europe.
They can hack networks of home and business computers to obtain massive computing
resources, and attack any web site in the world that looks like a good target.
There is a good chance if they are successful, their identities will not be
learned and they will not be pursued by legal authorities in the jurisdictions
where the crimes were committed.
When creating passwords for various sites remember no one is really looking for
your password (unless you are someone very special) but they are looking for all
the passwords, or as many as they can get in a reasonable time. Someone who has
gotten far enough to get the password file for a large financial institution
is going to spend a lot of time on that file. I mean months with lots of
computing resources, such as 1000 or more networked computers. If you want
to keep people out of your account, masquerading as you, you need a really
strong password. I'm talking about at least 12 characters from the entire 95 character
keyboard set or 17 lowercase letters. I've been convinced that
15 character and longer passwords should be seriously considered, because they
are so much stronger than 12 character passwords, the rules for forming them
can be much more relaxed, that they can be made easier to remember and type.
With access to steal the password
file, the intruders could probably do much without any passwords, but whatever
vulnerability let them in may not remain open. Getting valid passwords gives them
continued access. From your perspective, it looks a lot different if $10,000
disappears from your account, and your bank has no record of the
transaction, versus them having a record of "you" logging in, answering a
security question (because "you" logged in from an IP that is not your
normal login IP), and transferring $10,000 to someone else. Until it is proven
to be their security breach that was the cause of the problem, you're
likely to find you are on the hook for the $10,000, because the bank's terms of
use will almost surely say that you are responsible for anything that is
done with your account and password.
February 28, 2012:
I recently received a request to include the Computer Time Synchronization section
When I wrote that section no computer that I knew of came with network time synchronization
software installed and active. Getting Windows and a mixture of Unix and Open source
computers to synchronize time was not trivial. Today nearly all computers sold have
time synchronization software installed and most have it on by default. Today there
is little need for such a section. Products have come and gone. The options available
to ntpd on my primary Linux desktop are unrecognizable from those I described. As a
result I have quickly reviewed the pages in that section and placed a warning or note at
the top of each page indicating that I believed the page had or might have obsolete information
or still be up-to-date.
I have also rearranged the home page How-To sections based on what I think are most
likely to be still relevant and up-to-date. Very dated sections like Time Synchronization
February 28, 2012:
I've removed the obsolete short section I posted in early Jan. 2010 on
figure skating and Kim Yu Na.
- What Was New: Early 2007
- What Was New: Jan. 2001 - Nov. 2003
- What Was New: July - Dec. 2000
- What Was New: April - June 2000
Copyright © 2000 - 2012 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or terms.pl) from the time of the distribution.
Distribution of substantively modified versions of GeodSoft content is
prohibited without the explicit written permission of George Shaffer.
Distribution of the work or derivatives of the work, in whole
or in part, for commercial purposes is prohibited unless prior
written permission is obtained from George Shaffer. Distribution in
accordance with these terms, for unrestricted and
uncompensated public access, non profit, or
internal company use is allowed.