For user security, passphrases beat passwords every time. They are easy to remember and can be long enough to resist guessing attacks. To encourage our staff to use passphrases, each new account's initial password is set to a generated passphrase, and staff are encouraged to pick a new passphrase of their own when they change their password.
You can use this PowerShell script as a starter to generate your passphrases:
```powershell
# System.Random is a general-purpose PRNG, not a cryptographically secure one;
# it is fine for a starter script but use RandomNumberGenerator for real accounts
$rand = New-Object System.Random
# words.csv is expected to have a header row with a "Word" column
$words = @(Import-Csv ".\words.csv")
$word1 = ($words[$rand.Next(0, $words.Count)]).Word
$word2 = ($words[$rand.Next(0, $words.Count)]).Word
$Passphrase = $word1 + $word2
# Keep appending random words until the passphrase is at least 12 characters
while ($Passphrase.Length -lt 12) {
    $word3 = ($words[$rand.Next(0, $words.Count)]).Word
    $Passphrase = $Passphrase + $word3
}
return $Passphrase
```
To adjust the minimum length of the passphrase, change the number 12 on the while line to a higher or lower number. The loop keeps appending random words until the passphrase reaches that many characters, so the result is always at least that long, but the number of words varies from run to run. You will also need the words CSV file (one word per row under a Word column), since the script draws from it until the passphrase is long enough. You can download that CSV here.
If you want to get fancier, you can also add in numbers or symbols between words by importing additional character lists as CSVs. You could also change the casing of randomly selected words to increase your available character set or import additional word lists into the words.csv file.
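A fuller version of the generator along the lines suggested above. This is an added example, not the script from the post or the one the author's organization actually uses. It assumes a words.csv with a Word column header like the starter script, replaces System.Random with .NET's RandomNumberGenerator (the OS CSPRNG) and rejection sampling so word picks are uniform, and takes its word list as a parameter so the sample call at the bottom runs offline with a constructed list. The function and parameter names (New-Passphrase, WordCount, MinLength, Capitalize, Separators) are my own.

```powershell
# Added example: CSPRNG-backed passphrase generator with optional casing and
# digit/symbol separators. Not the original post's script.

# One OS-backed generator for the whole script
$Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-SecureRandomInt {
    # Uniform integer in [0, Max) drawn from the CSPRNG.
    # Draws above $limit are rejected so that "% Max" introduces no bias.
    param([int]$Max)
    if ($Max -lt 1) { throw "Max must be at least 1" }
    $bytes = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    do {
        $Rng.GetBytes($bytes)
        $value = [BitConverter]::ToUInt32($bytes, 0)
    } while ($value -ge $limit)
    return [int]($value % [uint32]$Max)
}

function New-Passphrase {
    param(
        [string[]]$Words,            # word list, e.g. (Import-Csv .\words.csv).Word
        [int]$WordCount = 3,         # at least this many words ...
        [int]$MinLength = 12,        # ... and at least this many characters
        [switch]$Capitalize,         # randomly capitalise each word (one extra bit per word)
        [string]$Separators = '0123456789!@#$%'   # pool for the character between words; '' for none
    )
    if ($Words.Count -lt 2) { throw "Word list is too small to build a passphrase" }

    $parts = @()
    do {
        $w = $Words[(Get-SecureRandomInt -Max $Words.Count)]
        if ($Capitalize -and (Get-SecureRandomInt -Max 2) -eq 1) {
            $w = $w.Substring(0, 1).ToUpper() + $w.Substring(1)
        }
        $parts += $w
    } while ($parts.Count -lt $WordCount -or ($parts -join '').Length -lt $MinLength)

    # Join the words, inserting one randomly chosen separator between each pair
    $sb = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $parts.Count; $i++) {
        if ($i -gt 0 -and $Separators.Length -gt 0) {
            [void]$sb.Append($Separators[(Get-SecureRandomInt -Max $Separators.Length)])
        }
        [void]$sb.Append($parts[$i])
    }
    return $sb.ToString()
}

# Constructed sample list so this runs offline; in real use load the CSV:
#   $list = (Import-Csv .\words.csv).Word
$list = 'apple', 'river', 'cloud', 'pencil', 'garden', 'silver', 'orbit', 'maple'
New-Passphrase -Words $list -WordCount 3 -Capitalize          # e.g. Maple7river!Orbit
New-Passphrase -Words $list -MinLength 16 -Separators ''      # plain words, 16+ characters
```

The rejection loop in Get-SecureRandomInt matters more than it looks: taking a raw 32-bit value modulo the list size slightly favours the first few words whenever the list size does not divide 2^32, which is exactly the kind of skew a cracker's wordlist ordering would exploit. Decide on casing and separators up front and document them in the account notification, since users who do not know a separator was inserted will type the passphrase wrong.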
This brings us to the title of this post. The words.csv file should generate appropriate passphrases for all ages. The list is built from the most common English words plus a few custom word lists. Curse words and questionable words (drugs, slurs, etc.) have been removed. One small warning though: word combinations can lead to ... interesting outcomes in your passphrases.
For example, a new teacher received the passphrase penciltramp when her account was automatically created. HR was not too happy about that selection. I now include a disclaimer that passphrases are randomly generated in the new account notifications that they receive. If you do start generating passphrases, learn from me and add that disclaimer in advance.
And when you generate a questionable or humorous passphrase, leave a comment so that we can all get a good laugh, I mean, learn from it.
While on the one hand I love this idea, doesn’t creating and sharing the database of words used immediately eliminate the value of a longer password? Now someone attempting to crack passwords from your company just needs to use this as their dictionary for the attack.
I could be misunderstanding? I love the idea of working in ways to make it easier for users, but I am trying to figure out how this doesn’t significantly reduce the overall security of your organization?
That is a good point, Alex, and certainly something for people to consider when adopting this. A few things made me comfortable with sharing this idea with regard to my organization.
First, this isn’t the whole database of words that we use.
Second, the sample script is not actually how we generate passwords. It is a very trimmed down function. I do encourage anyone to flesh this out a bit – maybe play with the length, change casing, add numbers/special characters, etc.
Third, after getting logged in – our users change their passwords from the generated value.
Fourth, account lockouts.
Finally, MFA.
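The exchange above is about how much a public word list costs you. As an added example that is not part of the post or of either commenter's words, the script below estimates the guess space of a word-list passphrase on the assumption that the attacker already holds the exact list, which is the conservative baseline to design for, and compares the two-word case the starter script can produce against longer and decorated passphrases. The function names (Get-PassphraseEntropy, Get-ExpectedCrackTime) and the attacker guess rates in the usage lines are my own assumptions.

```powershell
# Added example: entropy of a passphrase built from a known word list.
# Assumes every word is chosen uniformly (as a CSPRNG-backed generator does)
# and that the attacker has the full list, so no secrecy of the list is counted.

function Get-PassphraseEntropy {
    param(
        [int]$ListSize,              # number of distinct words in the list
        [int]$WordCount,             # words per passphrase
        [int]$SeparatorChoices = 1,  # size of the separator pool between words (1 = none)
        [switch]$RandomCase          # a coin flip on capitalisation per word
    )
    $bitsPerWord = [math]::Log($ListSize, 2)
    if ($RandomCase) { $bitsPerWord += 1 }
    $bits = $WordCount * $bitsPerWord
    if ($SeparatorChoices -gt 1) {
        $bits += ($WordCount - 1) * [math]::Log($SeparatorChoices, 2)
    }
    return [math]::Round($bits, 1)
}

function Get-ExpectedCrackTime {
    # Expected seconds to hit one passphrase: on average half the space is searched
    param([double]$Bits, [double]$GuessesPerSecond)
    return [math]::Pow(2, $Bits - 1) / $GuessesPerSecond
}

# Assumed attacker rates (constructed for illustration):
#   offline against a fast unsalted hash, ~1e9 guesses/s
#   online with account lockout, ~10 guesses per 30 minutes
$offline = 1e9
$online  = 10 / 1800
$secondsPerYear = 31557600

$cases = @(
    @{ Name = '2 words, 3000-word list (starter script minimum)'; Bits = (Get-PassphraseEntropy -ListSize 3000 -WordCount 2) },
    @{ Name = '3 words + case + separators, 3000-word list';      Bits = (Get-PassphraseEntropy -ListSize 3000 -WordCount 3 -SeparatorChoices 15 -RandomCase) },
    @{ Name = '4 words, 7776-word (Diceware-size) list';          Bits = (Get-PassphraseEntropy -ListSize 7776 -WordCount 4) }
)
foreach ($c in $cases) {
    $off = Get-ExpectedCrackTime -Bits $c.Bits -GuessesPerSecond $offline
    $on  = (Get-ExpectedCrackTime -Bits $c.Bits -GuessesPerSecond $online) / $secondsPerYear
    '{0}: {1} bits; offline ~{2:N1} s; online with lockout ~{3:N0} years' -f $c.Name, $c.Bits, $off, $on
}
```

The two-word case comes out near 23 bits: a few milliseconds for an offline attacker who has the list and a fast hash, but decades for one held to lockout rates, which is why account lockout and MFA carry the initial-password phase and why users should change the generated value once they are in. Adding a third word, random casing and a separator pool more than doubles the bit count without making the phrase much harder to type.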
Nice idea, I may well start using this, though I don't tend to generate a lot of 'grown-up' passwords.
For child accounts (we have individual accounts from age ~6 so need something simple) I like to recommend https://www.dinopass.com/ which gives similar results, but from a kid-friendly database so most passwords come out fairly innocent. Best to check them though – I’ve had to regenerate a few questionable ‘PencilTramps’! It also has an API page (under the ‘About’ page) so you can pull out hundreds of passwords at a time with a little scripting.
Very cool website for students! I’ve used a character limit on that words.csv file to get easier passwords but I think that API link will work better!