mailing list archives
Re: Choosing unique passwords - how paranoid is too paranoid?
From: "Kurt Buff" <kurt.buff () gmail com>
Date: Wed, 25 Jun 2008 18:08:28 -0700
On Tue, Jun 24, 2008 at 8:27 PM, Johann MacDonagh <johann () macdonaghs com> wrote:
I've recently began a full on password change process where I'm increasing
the security of passwords I use for various systems I use (computer systems,
websites, etc...). In the past I've only used a few different passwords and
hoped for the best. I'd like to start working on a new system that allows me
to create easy to remember passwords for each unique system. I don't want to
create completely random ones and rely on a password manager, because I use
these systems at home, at work, and on my iPhone. They need to be something
I can easily type.
So my first scheme involved coming up with a rather long base password,
choosing a 4 character acronym for each system, mixing it up in a certain
way, and inputting those jumbled characters in predefined locations. This
solved one issue:
1. If someone where to compromise one password, it's unlikely they would be
able to deduce the same pattern for other systems.
Then, I got paranoid. What if they had two passwords? The differences could
be found, and analyzing the 24 different permutations (4!) of the
differences could quickly find a pattern.
So, I modified it a little. I took the name of each system, padded and mixed
in yet *another* master password (this time much shorter), and ran it
through this (on OS X):
echo -n mypaddedstring | openssl dgst -md5 -binary | openssl enc -base64
and took the first few characters. I put that in a certain location of my
master password. The reason to use a hash function is pretty obvious, and
base64 allows me to add in additional bits to brute force with the same
number of keys.
This has worked out better. I've started using mnemonics to remember each
system's unique part. Muscle memory!
Now, I'm up against a wall. I can't possibly remember a different password
for *each* system. So I came up with the (final) idea of classifying systems
as high or low, depending on the problems a compromise would create. For
example, my registration on some random forum is low, whereas my PGP
passphrase is high.
I know this is looking like there will never be a question, but there is.
What does everyone think of this system? Would you classify sites that hold
somewhat private information (such as Amazon.com without any saved payment
methods) as high or low? Is there another way?
Let me close by saying that the day I can use a smarcard for 3 factor
authentication (PIN, physical access to card, and biometrics) to access ALL
systems (hey, web developers, you can ask for x.509 certs you know!) is the
day that I stop worrying about all this. Or should I be worried about that
Way too complex
Get a USB key or PDA, and put your favorite password manager on it. I
like PasswordSafe, but Keepass is derived from it and many like it,
though I haven't tried it. I'm sure there are commercial alternatives
as well, but these are OSS - and available on sourceforge.
I like my passwords to be pass sentences. 20+ characters, with all of
the punctuation and other non-alpha characters they deserve. Much
easier to remember and to type. Think up a sentence, commit it to your
password management application, have it ready. One site, one pass
sentence. Very easy.
Even if the site/server/application doesn't take passwords that long,
having it in your password management database is better than trying
to remember it, and your password management software will generate
passwords if your brain is non-functional for whatever reason.
Back up your password management database, too.