Sysadmins who use password managers: what’s your actual password generation strategy these days?

[-]

ExceptionEX@reddit

I personally use phrased based passwords, I don't go overboard with the length as there are many systems that for various reasons place limits on it, and the number of times I've been in a situation where I have to end up manually entering the password out of the vault will make you regret something more than 40 characters.

I use bitwarden, and one of the reasons I do is I like they natively support in their generator phrase based.

[-]

Kreiger81@reddit

Question: Is this for our own passwords for important systems, or is this general advice for users?

I dont know if I want to give my users "Help-The-Guy-And-Expect-The-Fact1" as a password. We've been using the fairly standard NounNounNumberSpecialCharacter. ( Gnomefox34% ) and its been easy enough to remember for them and they dont bitch.

[-]

ExceptionEX@reddit

You should run that pattern through some strength testers it's is pretty weak by today's standards

[-]

Kreiger81@reddit

Which brings me to repeat my question: Your passphrases, are these for users or for admin accounts and other tools?

If its Bob Smith's first day on the job as a Data Clerk and you're giving him his credentials, you're giving him "Spend-The-Hand-And-Create-The-Guy1" as his password?

[-]

ExceptionEX@reddit

We use password vaults and we use passwordless with MFA for most system logins. So I'm most situations passwords are for backup purposes.

But yes we require long passwords, and people adapt to the security needs, we aren't going to use weak passwords because a user has a hard time with it.

[-]

WaywardSachem@reddit

This is the answer right here. Bitwarden 3 or 4 word passphrase, with hyphen separators and a number in there. Hits all 4 character categories, easy to remember (or manually type if you're not in a position to copy/paste), nearly impossible to brute force.

[-]

smb3something@reddit

I used to, but then saw the brute force / dicitonary attack really brings down the entropy for such things and went against it. My PW manager unlock is like that though.

[-]

OCAU07@reddit

I fail to see how a 4 phrase word, with hyphens and a number could fall prey to a dictionary attack easily.

4 x 5 character words, plus hyphens and a number brings the total to 24 characters. As an attacker, there is no way to guess how many characters are being used so the possibilities are endless unless the site caps it.

[-]

smb3something@reddit

Because you can set a brute force program to generate random passwords as words, instead of trying each character randomly.

[-]

ExceptionEX@reddit

unless you can show some demonstrable documentation on this, I'm just going to chalk it up to opinion without fact.

[-]

smb3something@reddit

Have a read - https://blog.syss.com/posts/passphrases/

[-]

ExceptionEX@reddit

huge flaw early in the article is assuming world selection is done using 5-dice, that is something used in academic assignments and not in most phrase based password generators.

Additionally, the cracking methods listed here are largely impractically for 90% of passwords out there, you aren't going to run that many iterations that fast, on anything but a compromised password file, you won't compromise any active system with it.

Basically this article is constructing a very narrow limited word set (7700 words, as opposed to a standard dictionary of 300,000+ words) that reduces randomness of phrase set, a very academic method of word selection, and a cracking method that is only remotely feasible in a very limited subset of possible compromises.

Additionally as acknowledge by the author of the article.

For perspective, the vocabulary of an average-educated native English speaker ranges from 20,000 to 35,000 words, while comprehensive unabridged English dictionaries contain 200,000 to 300,000 words. This means that a seven-word passphrase drawn from a sufficiently rich and well-structured wordlist could offer the same cryptographic strength as a highly random and complex password.

Although random strings remain the most compact way to achieve high entropy, passphrases offer a compelling alternative — as long as they are generated with true randomness from a well-designed, sufficiently large wordlist.

So yes, done poorly in perfect conditions in a vary narrow subset of use cases, but none of those are the reality of a situation.

[-]

smb3something@reddit

Yeah that's 7 words and im seeing people here are thinking 4-5 are good. I'm all for a 20-30 random character password in a manager. I gave up trying to remember them long ago. I agree for most use cases even the lower worded phrases are secure enough as most platforms have rate limits / lockouts.

[-]

ExceptionEX@reddit

in reality 4 words separated by special characters is centuries to crack on realistic hardware, There are apply sites where you can test this

Dog.horse.moon.rabbit is =\~ 130 bits

[-]

bageloid@reddit

A 5 word paraphrase from a list of 7777 words with no separators all lowercase hashed with bcrypt would take a single rtx 5090 2.957 million years to crack, assuming you knew ahead of time it was a pass phrase using that wordlist.

Google is estimated to have 1.3 million GPUs, assuming they are all 5090s(which they most certainly aren’t), it would take the second most valuable company in the world over two years to crack it.

Put in one number after one word in a random position and you are safe from even that scenario.

[-]

smb3something@reddit

bcrypt yes, NTHash or SHA1 with \~60 bits of entropy you'd get from 5 words off that list you're looking more like 2 months with a GPU cluster and optimised tools.

[-]

bageloid@reddit

SHA-1 hasn’t been considered secure against well funded adversaries for 20 years and NIST deprecated for like 15, so I’m not sure what the point of that comparison is. If whatever site/application you use has shit security then the strength of your password is of little consequence.

Your specific scenario is a site with woefully outdated security and a hacker that knows has enough intel to know that you use exactly four words from the diceware list with no other embellishments.

[-]

OCAU07@reddit

But you are also assuming you have known information about the password to crack.

If the password structure is unknown, you have to burn compute on trying a password dictionary, random characters as well as a passphrase building up to........ An unknown number of words/characters

[-]

Zatetics@reddit

No, that's not how that works.

[-]

ExceptionEX@reddit

Where did you see that, because it shouldn't make a difference because if you are using multiple words, and at least one number interlaced, plus the special character separator there is no way it does anything.

[-]

smb3something@reddit

It's just less random (though usually considered good enough if you make it long enough).

[-]

ExceptionEX@reddit

it isn't less random because you can't partially confirm passwords, so the random sequence has to be all characters in the exact position, the dictionary has no use here because you don't know the length of words, you don't know the position of special characters.

[-]

autogyrophilia@reddit

Funniest systems are the ones that just truncate the password without telling you.

"Trust me, I know users, nobody is using a password longer than 6 characters without being forced to".

[-]

conlmaggot@reddit

Dinopass.com

[-]

Kreiger81@reddit

I used to use Dinopass but it started getting weird with its strong passwords. I use ninjapass now or whatever it is for users.

[-]

biddyboyma@reddit

I default to 32 chars alphanumeric, just enough entropy to be overkill but short enough that I'm not fighting some ancient form that silently chops it at 20.

[-]

paperdragon99@reddit

Diceware passphrases for anything I might need to type manually, full 64 char random for everything else, mixing the two has saved me a lot of pain.

[-]

AdSalt6805@reddit

Started maxing everything out years ago, switched to 25 chars alphanumeric after the third time a vendor portal accepted my password then quietly broke on login.

[-]

Deep-Lie-7428@reddit

Honestly past 20 random chars it's all theater, the attack vector is always phishing or a database leak, not someone brute forcing your Netflix password.

[-]

Top-Perspective-4069@reddit

correcthorsebatterystaple.net

[-]

Moscc@reddit

Ain’t NOBODY got time to manually type out a 128 character password manually if your manager of choice is not installed/logged in.

20-30 characters with a mix of alphabetical, numeric, and special. Painful to type manually but not impossible. Unique for every service and a master password of similar complexity committed to memory and stored cold in a secure place just incase ;)

[-]

mike9874@reddit

We have two options in the password manager:

Long = 100 random alphanumeric characters with symbols.
Short = two words with some random bits to bring it up to 20ish characters

They both have their uses and are good

[-]

BloodFeastMan@reddit

That is significantly longer than the keystream that it'll be hashed to.

[-]

stackjr@reddit

Really? In Bitwarden, we can set the exact amount of characters we want, up to 128, as well as turn on/off special characters, numbers, and capital letters. We can also switch between passwords and passphrases.

[-]

SupraCollider@reddit

Wait till you hear about passkeys

[-]

Moscc@reddit

Use them when I can but not exclusively. Always as an alternate method

[-]

SupraCollider@reddit

Just my opinion, but I would suggest making them a primary method. You can have and store multiple fido2 keys that are phishing and brute force secure. A 20-30 character password doesn’t hit it for me. the last password I remembered was about 54 characters. Even then fido2 has a whole other dimension to it that a password can never match.

[-]

Moscc@reddit

You are quite possibly right but also on the topic of time, migrating my life to that solution right now sounds exhausting lol. Perhaps one day but today is not that day.

[-]

SupraCollider@reddit

It does indeed take a well-thought plan and a weekend to execute

[-]

JwCS8pjrh3QBWfL@reddit

Eh, it's more of an "as you go" kind of thing. I add them when I see it available. There are also databases like Passkeys.directory that have lists of sites that support it. The one thing I miss from 1password was automatic tagging of your entries where the site had passkeys available but you did not have one set up. Made it real easy to just go down the list and set them up.

[-]

SupraCollider@reddit

Well, I specifically am referring to switching your robust password manager failsafe plan to a passkey model if you don’t already have that. The core identity and front door stuff for accessing other systems and platforms, on a personal level. Gotta make plans for your primary and backup keys and test them and then remove passwords if you can. Takes some though to baseline if you already have a plan in place based on something else

[-]

itskdog@reddit

You can have and store multiple fido2 keys

Not if you're at a school in the UK using CPOMS - only one of each 2FA method (FIDO2 or TOTP) can be set up per account.

[-]

SupraCollider@reddit

Is that some kind of school password manager? Using a fido2 passkey is not quite the same as using them for MfA. It isn’t a secondary prompt, it is the primary and only.

[-]

itskdog@reddit

CPOMS is a safeguarding platform. To log an incident you only need email + password (but still let's you see children's names to select the name from the database), but to manage the system you need MFA.

They recently moved to Auth0 for their account system, requiring everyone who needs it to register MFA again, but now you can only have one of each type of MFA.

Their FIDO2 implementation is labelled "Security Key", but it requires a PIN on a YubiKey, just like a passkey.

[-]

bjc1960@reddit

Bitlocker keys are bad enough

[-]

shikkonin@reddit

Something like 20 random characters lower/upper/digits/symbols but excluding ambiguous characters (homoglyphs).

And then there are the stupid fucks who write software that doesn't let you do that...

[-]

trev2234@reddit

I do wonder how the password is being handled if it can’t deal with a special character. I know passing strings around with special characters can cause problems, but who is passing a password around as a simple string?!

[-]

Hebrewhammer8d8@reddit

Some government websites or affiliated programs don't allow special characters for passwords.

[-]

shikkonin@reddit

Client-side checking tells you that you're not allowed to use the string you want.

[-]

chuckmilam@reddit

Ansible/python/LDAP module authors, apparently.

[-]

OctoNezd@reddit

One of banks I used limits password to 12 characters and doesnt allow you to use special characters... (at least that was a case year ago, dropped that idiotic bank)

[-]

itskdog@reddit

Recently had to make an account for a shopping website, they had an upper bound of 16 characters (which makes me concerned about how they store the password if they need an upper bound)

[-]

anonymousITCoward@reddit

I just use the same 16 character, mixed case, with numbers and special character, password for everything... that way i don't need a password manager...

/s if you need it

TBH i press the random button in bitwarden a lot

[-]

ancientstephanie@reddit

I keep 1password on "smart" 99% of the time, meaning that it will try to automatically detect the site's password rules and try to create a suitably complex password that fits within them, preferring 20-30 character passwords that incorporate all the letters, numbers, and symbols on the keyboard.

When I need a password that can be reliably read off my screen and entered into another device without a password manager, I'll select the "memorable password" option, to generate "xkcd-style" passphrases with added numbers and symbols. Same thing if it's one of the passwords I actually have to remember, like my password manager passphrase or screen lock.

[-]

xxdcmast@reddit

Two methods I use.

Totally password manager generated never expected to have to be typed. 32 character random gibberish. Upper lower number special.
Manually generated, vaulted, but may need to be typed manually. Correct horse battery staple style. Including upper lower number special.

[-]

fdeyso@reddit

1st is lastpass generator.

2nd xkpasswd.net

[-]

xxdcmast@reddit

There are a bunch of sites that do correct horse style generation. But yea basically.

[-]

PowerShellGenius@reddit

Random highly complex for web based things where "needing to enter manually" is not a real concern.

Randomly generated 5 word passphrase + a number or two, for things where some possible circumstance (e.g. disaster recovery on a hypervisor host or DSRM password on a DC) may require manual entry.

[-]

chaosphere_mk@reddit

I do 24 chars and randomly generate it in the password manager.

No reason to overthink it. As long as they are randomly generated and youre using MFA, you shouldn't have to think about it too much.

[-]

Anxious-Community-65@reddit

Saw this the other dayy!

[-]

peldor@reddit

I avoid alphabet soup passwords. Complete random gibberish is a huge PITA whenever you’re in a position that you cannot copy/paste the password.

I lean towards long pass phrases instead. Just as secure but a lot easier when you have manually type it in

[-]

rankinrez@reddit

I tend not to go beyond 30-40 characters.

Beware that many sites have an upper limit on length though, that’s tripped me up a few times.

I generally use all the symbols, sites seem to insist on it (even the ones with a maximum length limit of 5 characters lol). But if not for the sites insisting I’d probably just use letters and numbers, and up the length a little.

[-]

OctoNezd@reddit

Oh yeah, synology iscsi screwed me once over lol, it doesnt warn you when you paste a password thats too long, my dumb ass couldnt figure out why iscsiadm said login failed

[-]

poro_8015@reddit

32 char random, no symbols for legacy stuff

[-]

bobwinters@reddit

Dinopass, set to simple

[-]

SevaraB@reddit

Most of my passwords go into web forms that already limit you far below the password gen’s max, so I’ve settled on 4-word passphrases with a digit and a separator char that’s unlikely to be stripped out.

But it’s depressing how many places even that has been too much and I still had to drop it down to 12/16 random alphanumerics instead.

I do also accept a little trade off and use 1password’s browser extension at work and Bitwarden’s extension at home.

[-]

xXNorthXx@reddit

64, lol …..how many crap software packages are limited to sub 20 and no specials?

As for the ones that support longer depends on the admin but all meeting internal standards until crap software walks in.

[-]

Floh4ever@reddit

This is my exclusion List:
IlO0|,.;:'`´\^"
Just stuff I can't differentiate easily enough or is painful to type. Apart from that. Everything goes.

[-]

KripaaK@reddit

For sysadmin use, I would not blindly max out complexity everywhere. A strong 24 to 32 character random password is usually more than enough, and it avoids breakage with legacy apps or weird password rules.

My usual approach would be: use the longest random password the system reliably accepts, include special characters where supported, and avoid patterns humans can guess. For shared/admin accounts, use an enterprise vault like Password Vault so passwords can be generated, stored, rotated, accessed with approval, and audited without exposing them unnecessarily.

[-]

longmountain@reddit

I pick out a few random words, misspell one of them in an easy to type way and add some numbers and symbols. 20+ characters.

[-]

FixDouble1405@reddit

I don’t blindly max password settings.

My default:

24–32 random characters
upper/lowercase + numbers
special characters only if supported well

For most accounts, that’s already extremely strong. Longer passwords often create more compatibility issues than security benefits.

For critical accounts, I may go longer — but I still test login, rotation, and recovery.

The real strategy:

Use unique random passwords.
Prefer length over “clever” complexity.
Use MFA/passkeys when possible.
Make sure the password actually works.

A reliable 30-character password is better than a 128-character one that breaks tooling.

[-]

Alexandre_Man@reddit

18 characters. Just letters and digits.

[-]

nuttertools@reddit

At the time policy is created I check current NIST guidelines and select the maximal complexity, there are maximums you should not exceed. Every compliance standard references these guidelines or even directly incorporates them as external requirements.

[-]

Morkai@reddit

Passphrases, three words, capitaletter for each, separated by a special character, and a number on the end.

[-]

InfiltraitorX@reddit

Correct Horse Battery Staple

I will sometimes do movie quotes but they can end up being short.. then i will mix it up and mash two quotes together

[-]

Morkai@reddit

Yeah my personal passwords are phrases made of short song lyrics.

[-]

ExceptionEX@reddit

secretly this threat is about gathering our patterns to brute force our passwords 😉

[-]

ChangeWindowZombie@reddit

I currently aim for passphrases that are 25 characters or longer where possible, increasing the character count over time. I want it long enough that it can't be cracked by a farm of GPUs quickly and short enough that it isn't a chore to type manually.

[-]

Bob_Spud@reddit

Roughly 24+ chars, a good mixture of the printable ASCII char set. To make my life easy a password is divided into the three chunk. A big chunk that is the same for all passwords + a chunk that is associated with app/system type + plus chunk that is unique to the app/device. Password manager is a piece of paper under my desk mat. At work similar but DR copies kept in a secure places that can be easily accessed 24x7

[-]

Strassi007@reddit

We generate random passwords inside our password manager. Usually full complexity with 20-40 chars. This depends on the system. Some weird switches sometime limit it to 18-24 characters.

[-]

gixo89@reddit

No because from time to time you need to write that shit down…!

My policy is:

min 20 char
at least 1 uppercase letter
at least 1 lowercase letter
at least 1 number

[-]

ExceptionEX@reddit

like with your hands on paper, or a cave wall?

[-]

hihcadore@reddit

I used to write them down as a backup and stick them in a “PowerShell in action” book. Pretty safe there, no one ever took up my offer to use it to get better at PowerShell.

[-]

gixo89@reddit

Just air gapped networks, no need to be so exotic!

[-]

ExceptionEX@reddit

I was just poking fun, Actually we joke about it at work all the time, that the only password vault that isn't hackable is the notepad locked in the desk of the old lady in accounting.

[-]

FartInTheLocker@reddit

I used to do 20 char totally random like “jU7-) 81ajHB” etc.

Moved away from this as when doing a mass restore the last thing you want to do is type those passwords 100s of times. Mainly using long pass phrases, just as secure, way easier to type

[-]

MedicatedDeveloper@reddit

pwgen -y -s 24

[-]

moonwork@reddit

It depends on the attack vector, the payoff for hacking it, how often I'm likely to have to type it, and such.

Mostly I random generate 20-30 characters, but if I have to type it often it's a passphrase. But most importantly, regardless of what I do, I store it in my manager.

[-]

27Purple@reddit

Passphrases that meet general complexity requirements (upper-/lowercase, numbers, special characters) because most devs seem to still live in the 90s. Easy to remember if needed but hard to crack (length > complexity).

[-]

WayneH_nz@reddit

Dinopass for the win....

Get the password manager to pick a password, then do that again. So twice as long and all good so far.

[-]

ExceptionEX@reddit

Or just turn up your complexity of generated password

[-]

unJust-Newspapers@reddit

64 random alphanumeric characters, no symbols

Because sometimes we need to copy/paste (or even enter manually) into console sessions where the keyboard mappings are completely fucked, and special characters can be literally impossible to enter or paste

[-]

psynrg@reddit

Take a bow &£#@" and most annoying of all \

[-]

smb3something@reddit

I work multtinattional and the backslash is my bane between different keyboard layouts.

[-]

AnythingEastern3964@reddit

34 characters average, random every single time, if it’s my personal account password or work-related and associated with sensitive / client data, I’ll ensure it uses all variations of characters supported by the system (some systems don’t support a few of the special characters still) - and if it’s just for a OTS sent to an internal colleague or something, I’ll make it a little more palatable by excluding special characters.

I haven’t written, come up with, or created an account using an “old-school” password for many, many years at this stage. By that I mean “the first letter from a long sentence that you can remember easily” or “a variation of your name and birthday” - that kind of crap.

The master password to my password manager has sufficient enough entropy and to this date has never appeared on any dark web or other password leak (that I’ve been made aware of) and is only used for that one account. I don’t use it anywhere else. Combined with using MFA everywhere that supports it - touch wood, I have yet to have a problems.

I have actually have some really old accounts that are no longer used but were added to my password manager ‘just in case’, that way before my time as an IT professional and extremely insecure allegedly “compromised” as reported by some of the automated scans. Oddly enough, I’ve never seen any negative come from those either 🤷‍♂️ I’m talking about hotmail accounts and the such that I made when I was 13-15 😅

[-]

SVD_NL@reddit

I always limit the length to about 20-30. Long passwords sometimes aren't accepted, and what's especially painful is when there's a hidden limit to the web field, so the end is cut off, which means there's a mismatch between what you entered and what's saved.

[-]

lelkekhoe@reddit

I change my master password every quarter and I've been doing the "color of my shirt today/last thing i ate/day of the month+random special character" and let Bitwarden handle the rest. LOL

[-]

vogelke@reddit

I use a script based on an entropy recommendation I found on Stack Overflow.

The script assumes you have GNU base64 installed. Examples:

me% mkpass
hO+ez6tsnvmApOoTJaP380

me% mkpass 12
J4E6xDhJRcHt

I stick it in a really simple password safe based on age, written by Filippo Valsorda.

[-]

KaptainSaki@reddit

8 characters and only numbers and letters since some ancient cobol systems cant handle anything else

[-]

Godr0b@reddit

Random passwords are awful, legible passphrases should be the standard and I'll die on this hill.

We have a PW manager with autofill and everything else, but there's still far too many occasions where it doesnt work, or I'm unable to copy-paste and have to type by hand, with potentially mismatched keymaps.

3+ decently long words with capitals and symbols in reasonable places

[-]

Godr0b@reddit

Also mfa, obviously

[-]

NellovsVape@reddit

mid lenght and complexity and when I can I enable MFA. I keep a mid complexity so that if I have to type it out it's a bit easier, without sacrificing security.