4. Password Generation

Overview of Passenger passwords

Good passwords should be secure and easy to remember. Passwords can be concatenated from portions of usernames, user IDs, groups, and first and last names, just like username concatenation.

Passwords by algorithm using internal word list

For generation by algorithm, Passenger generates words-and-numbers or two-word passwords. The words are easy to remember, and when combined with numbers or other words they are difficult to guess. By default, the word list Passenger uses is encrypted inside Passenger and unavailable. Passwords are generated by an algorithm based on two components: (username or short name) + (master password, known only to the administrator) = password.

A fair analogy is lockers at a school. Whether combination or key, the students all have separate locker keys or combinations, but the principal may have a single key to open all locks. Passenger similarly uses the master password in combination with the username to create a unique password, so the passwords can be regenerated easily by the administrator. Users can't use Passenger to create the matching passwords without the master password. Additionally, having the username and password cannot get someone the master password.

Passwords by algorithm using custom word list

As of version 3.2.1, it is possible to supply your own word list. Look in Passenger's Preferences folder for a file named "Passenger Word List". When words are found in the file, Passenger will use your words to create passwords by algorithm. The usage will appear statistically random for both words and numbers but is always reproducible given the same word list, master password, and username or short name.

Security of passwords by algorithm

Probably nothing is impossible to crack, but certain measures have been taken to ensure some level of security against discovering a master password.
A long list of the usernames or short names and the resultant passwords would be necessary to try to figure out the master password that was used to create them, although in five years of use I have no proof that such a technique would work. Also, to deter this possibility, the default word list is encrypted in Passenger.

Probably an even higher level of security can be obtained using your own word list. In this case you should protect both your word list and your master password as if they are two keys. A different algorithm is used for custom word lists than for internal word lists to help protect the original algorithm.

If security is extremely critical, consider not using an algorithm, except perhaps for initial passwords.

Formulas for passwords

Press the Password Formulation button on the main Passenger window and the Password Formulation dialog appears.

Here you have the ability to assemble the formulation yourself from the tags referenced in the top of the window.

Like the Username and Short Name formulas, multiple components and constants can be used. Try selecting one of the preset password formulations to see some of the ways these tags are used. The sample will help determine if your tags are working as you intend.

The "Passwords based on" menu allows you to determine whether the username or the short name is used in the algorithm. Short names are only used for Mac OS X and Delimited Text exports. Other exports will always use usernames.

There are thousands of words that Passenger draws from to create passwords. All the words should be fairly safe, but because there are so many combinations possible, there is a chance that two-word passwords might give an unanticipated meaning or message. It might be a good idea to glance over the passwords before issuing them, and in particular, the one for your boss.
Any resemblance between your users and their passwords is coincidental; remember, you choose the master password that creates their passwords.

For added security, the list of words that Passenger uses for passwords is encrypted within the Passenger application. You can't see them or change them.
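
The reproducible derivation described under "Passwords by algorithm" (same word list, master password, and username always give the same password), sketched as an added example that is not Passenger's code. Passenger's algorithm and internal word list are not published, so the HMAC-SHA256 construction, the function names, the sample word list, and the usernames here are all assumptions.

```python
import hashlib
import hmac
import math

# Constructed sample list (assumption): Passenger's internal list is not public.
SAMPLE_WORDS = ["maple", "river", "candle", "orbit",
                "pepper", "saddle", "timber", "violet"]


def derive_password(master, username, words=SAMPLE_WORDS, digits=2):
    """Return a reproducible word+number password for one user."""
    # Bind the word list into the MAC input so swapping lists changes every result.
    list_tag = hashlib.sha256("\n".join(words).encode("utf-8")).digest()
    # Key the MAC with the master password; the username is the per-user message.
    mac = hmac.new(master.encode("utf-8"),
                   list_tag + username.encode("utf-8"),
                   hashlib.sha256).digest()
    n = int.from_bytes(mac, "big")
    word = words[n % len(words)]                 # choose the word
    number = (n // len(words)) % (10 ** digits)  # choose the number from the rest
    return f"{word}{number:0{digits}d}"


def output_bits(words=SAMPLE_WORDS, digits=2):
    """Upper bound, in bits, on how hard one issued password is to guess."""
    return math.log2(len(words) * 10 ** digits)


if __name__ == "__main__":
    for user in ("asmith", "bjones"):  # hypothetical usernames
        print(user, derive_password("example master phrase", user))
    print(f"{output_bits():.1f} bits per password with the sample list")
```

With a list of a few thousand words and two digits, `output_bits` stays under 20 bits for word-plus-number passwords, which is why treating generated passwords as initial passwords only, as suggested above, is the safer deployment.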