The following text is an excerpt from the user manual:
The use of a password is still the simplest way to control access to a specific resource. Although many other authentication factors have been developed (examples include identification cards, fingerprint or retinal patterns, voice recognition and other biometric identifiers), password authentication systems are easier to implement for most applications, are relatively hard to break (note the term “relatively”!) and can thus provide adequate security, if used carefully. However, it is essential for security that the password is kept strictly secret, and that it is chosen in a way that makes it hard for an attacker to guess it or to find it by trial and error (also called “brute force”). Both conditions are closely connected, but in a rather fatal way: passwords which are easy for humans to memorize are for the most part disastrous in terms of security! Among these bad examples we find personal data (names of family members, pets, meaningful places, etc.), names and characters from favourite books, films or video games, simple words or character sequences (such as the famous “qwerty”), and so on. These passwords are certainly easy to memorize—but can often be guessed without much effort. How can we solve this dilemma?
There are many ways to choose good (that is, secure) passwords—but the best way is to let a random generator choose a password. If these passwords are long enough, it will take years, if not centuries, to find them by brute force attacks. Computer programs like PWGen can assist you in generating random passwords, as humans are not very good at making up random sequences themselves. Unfortunately, random character sequences like zio5FcV7J are fairly hard to memorize (although this is possible and probably not as difficult as you might imagine), so you may want to try passphrases composed of words from a word list instead: five words from a word list with 8000 words or more are sufficient in most cases to create a high-quality passphrase; the security can easily be increased by adding some random characters.
There’s an interesting article on CNET regarding passwords commonly chosen by humans.
The need for secure passwords has grown since the advent of the Internet and its many websites where the access to a certain resource (message board, user account, and so on) is controlled by a user name/password pair. Fortunately, since the invention of so-called password safes, you don’t have to remember all these passwords any more—you just store them in the password safe which is protected by a “master password” (that must be remembered, of course). As this master password is used to protect highly sensitive data, it should conform to the highest security level possible. The security level, which grows with increasing password length, is only limited by the user’s ability to memorize random characters or words. With some effort, most people are certainly able to memorize a 90-bit password.
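The entropy figures quoted above (five words from an 8000-word list, a 90-bit master password) follow from one formula: a password of `length` symbols drawn uniformly from an alphabet of `alphabet_size` symbols carries `length * log2(alphabet_size)` bits. The following is an added example, not PWGen's own code, that evaluates this for the cases in the text and generates passwords and passphrases with the operating system's CSPRNG (Python's `secrets` module); the word list in it is a small constructed stand-in for a real list of 8000 or more words.

```python
import math
import secrets
import string

# Constructed stand-in word list; a real list needs 8000+ words for the
# entropy figures below to hold.
SAMPLE_WORDLIST = ["apple", "bridge", "cactus", "dolphin", "ember",
                   "falcon", "granite", "harbor", "island", "juniper"]

# Letters and digits: the 62-symbol alphabet of a password like zio5FcV7J.
ALNUM = string.ascii_letters + string.digits


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly and independently from
    `alphabet_size` symbols, i.e. log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest number of symbols from the alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int, alphabet: str = ALNUM) -> str:
    """Random character password. secrets.choice uses the OS CSPRNG; the
    random module's PRNG is predictable and must not be used here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(wordlist, n_words: int, extra_chars: int = 0,
                        sep: str = " ") -> str:
    """n_words words chosen uniformly from wordlist, optionally followed by
    extra random characters to raise the entropy of the passphrase."""
    phrase = sep.join(secrets.choice(wordlist) for _ in range(n_words))
    if extra_chars:
        phrase += sep + generate_password(extra_chars)
    return phrase


def passphrase_bits(wordlist_size: int, n_words: int, extra_chars: int = 0,
                    alphabet_size: int = len(ALNUM)) -> float:
    """Entropy of a passphrase built by generate_passphrase."""
    return entropy_bits(wordlist_size, n_words) + entropy_bits(alphabet_size, extra_chars)


if __name__ == "__main__":
    print(f"zio5FcV7J (9 alnum chars): {entropy_bits(62, 9):.1f} bits")
    print(f"5 words from 8000:        {entropy_bits(8000, 5):.1f} bits")
    print(f"5 words + 4 chars:        {passphrase_bits(8000, 5, 4):.1f} bits")
    print(f"alnum chars for 90 bits:  {length_for_bits(62, 90)}")
    print(f"words (8000) for 90 bits: {length_for_bits(8000, 90)}")
    print("sample:", generate_passphrase(SAMPLE_WORDLIST, 5, extra_chars=4))
```

Five words from an 8000-word list give about 65 bits; reaching the 90 bits the manual mentions takes 7 such words, or 16 letters and digits.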
PWGen is capable of generating cryptographically secure random passwords and passphrases conforming to the highest security levels. It can be used to generate master passwords, account passwords and generally all sorts of random sequences. It also offers the option to create many passwords at once. Just give it a try!