Are GUIDs good passwords? [closed]

Answer 1

If you want a secure password that you wish to leave to a password manager on a UNIX-like system, you're much better just pulling one from /dev/random and encoding it into something readable. for 128 bits of entropy you can use something simple like

head -c 16 /dev/random | openssl enc -a -e

which gives a password like 5eqIviKu4pFTqSPnYosVKg==

not unreasonably long, secure, random, suicide to try to remember.

Edit: added benefits of this method over UUID include extra security in the PRNG (/dev/random) and shorter passwords, similar shortfalls

Answer 2

I recently wrote code to convert the first 64 bits of a checksum into a sequence of four English words. This makes a good checksum (much easier to remember than a hex mess), but I'm not sure I'd trust it as a password. If you're protecting something secure, you should use a strong password that you memorize and don't write down. If not, then any old password will do.

Answer 3

Cons:

1. You will write them down somewhere.
2. You will probably email them, or write them down again if you need to tell anyone else.
3. They may be too long for certain systems.
4. They're practically impossible to memorize, so you might change them more frequently then desired.

So unless they're system passwords which change rarely, I doubt they are good passwords.

Answer 4

One major con is that you don't necessarily have "128 bits of entropy" as stated in the original question.

Many GUID Algorithms have information embedded in them in predictable patterns, for example the MAC address of the computer, the date/time, or an incrementing sequence. Cryptanalysis of the WinAPI GUID has shown given the initial state one can predict up to next 250,000 GUIDs returned by the function UuidCreate

For example, I have about a 50% chance of guessing the first digit in the first position of the third group of digits since it will be either 1 (for V1 guids) or 4 (for V4 guids)

Source: http://en.wikipedia.org/wiki/Globally_Unique_Identifier

Answer 5

Technically they would be good passwords In real life, they would be horrible passwords

You would end up having to write down the passwords, use a password manager, or some other form to actually use the password... in a way moving the failure point from the password to another aspect.

Consider using passphrases. Sentences with substitutions for certain letters or other characters, and for numbers, typing them with the SHIFT, converting easy to remember numbers in to well defined character sequences.

For example bcs19850101bcs would be bcs!(*%)!)!bcs

Answer 6

If you really want a secure password, consider a passphrase instead. A long passphrase is easily remembered, and very difficult to brute force.