mailing list archives
Choosing unique passwords - how paranoid is too paranoid?
From: Johann MacDonagh <johann () macdonaghs com>
Date: Tue, 24 Jun 2008 23:27:37 -0400
I've recently began a full on password change process where I'm
increasing the security of passwords I use for various systems I use
(computer systems, websites, etc...). In the past I've only used a few
different passwords and hoped for the best. I'd like to start working
on a new system that allows me to create easy to remember passwords
for each unique system. I don't want to create completely random ones
and rely on a password manager, because I use these systems at home,
at work, and on my iPhone. They need to be something I can easily type.
So my first scheme involved coming up with a rather long base
password, choosing a 4 character acronym for each system, mixing it up
in a certain way, and inputting those jumbled characters in predefined
locations. This solved one issue:
1. If someone where to compromise one password, it's unlikely they
would be able to deduce the same pattern for other systems.
Then, I got paranoid. What if they had two passwords? The differences
could be found, and analyzing the 24 different permutations (4!) of
the differences could quickly find a pattern.
So, I modified it a little. I took the name of each system, padded and
mixed in yet *another* master password (this time much shorter), and
ran it through this (on OS X):
echo -n mypaddedstring | openssl dgst -md5 -binary | openssl enc -base64
and took the first few characters. I put that in a certain location of
my master password. The reason to use a hash function is pretty
obvious, and base64 allows me to add in additional bits to brute force
with the same number of keys.
This has worked out better. I've started using mnemonics to remember
each system's unique part. Muscle memory!
Now, I'm up against a wall. I can't possibly remember a different
password for *each* system. So I came up with the (final) idea of
classifying systems as high or low, depending on the problems a
compromise would create. For example, my registration on some random
forum is low, whereas my PGP passphrase is high.
I know this is looking like there will never be a question, but there
is. What does everyone think of this system? Would you classify sites
that hold somewhat private information (such as Amazon.com without any
saved payment methods) as high or low? Is there another way?
Let me close by saying that the day I can use a smarcard for 3 factor
authentication (PIN, physical access to card, and biometrics) to
access ALL systems (hey, web developers, you can ask for x.509 certs
you know!) is the day that I stop worrying about all this. Or should I
be worried about that too? :)
- Choosing unique passwords - how paranoid is too paranoid? Johann MacDonagh (Jun 25)