Announcement

**Snowhog** · Jan 18, 2011, 06:28 PM

Re: How to choose passwords

People are the weakest component of any password.

The problem with strong/very strong password 'schemas' is that they are difficult, if not impossible for many people to remember. Thus, they get recorded - written down - and therefore become subject to compromize, and so, the systems they purport to protect, become 'less protected/secure.' I know, as I do this at work, because I can't remember all the passwords to all the systems I have accounts on. Each system has it's own requirements, so each ones password has unique requirements.

**Ole Juul** · Jan 18, 2011, 06:36 PM

Re: How to choose passwords

I find your criteria a bit demanding, but nevertheless follow a related strategy. I've got a lot of passwords and some of them are quite long. However, I seem to remember them because they are a kind of personal alphanumeric poetry which has evolved over the years. My memory is otherwise very bad so I do keep a book with stuff like that, but it would not be available to anybody else as it stays at home.

It is important to write this stuff down because sometimes a year or two can go by between needing it. I've also learnt the lesson of writing down what name I use as well as the e-mail address. Although I try to use my real name, some sites don't allow that, for example by not allowing a space. If you're like me the e-mail address could be anything, but I have started narrowing it down to types. Sometimes a separate account it suitable. A recent funny one is "facebook@mydomain". lol

Has anybody ever experienced their login being compromised anywhere? Nobody ever mentions it. It hasn't happened to me. I think it is not an issue. That said, I do take root passwords on servers quite seriously. The reason is that there would actually be a payoff to getting that. The root password to my home computer is sufficiently secure, but still someone accessing my personal stuff wouldn't really matter to me.

**pwabrahams** · Jan 18, 2011, 06:40 PM

Remembering passwords

Originally posted by Snowhog

The problem with strong/very strong password 'schemas' is that they are difficult, if not impossible for many people to remember.

That' my criterion 3. There are ways to make single secure passwords memorable -- but making 30 of them memorable is a far more difficult problem.

I guess you also are flummoxed by this problem, which is why you, like me, write your passwords down.

**pwabrahams** · Jan 18, 2011, 06:45 PM

Writiing them down

It's interesting that both of the folks who've responded to my post so far have adopted the same strategy that I do: writing the passwords down. It's the best I can do, but I'm not satisfied with it.

If my criteria are too demanding, how would you relax them?

As to logins being stolen: isn't that what happens when banking sites get compromised?

**vinnywright** · Jan 18, 2011, 06:55 PM

Re: Remembering passwords

Originally posted by pwabrahams

Originally posted by Snowhog

The problem with strong/very strong password 'schemas' is that they are difficult, if not impossible for many people to remember.

That' my criterion 3. There are ways to make single secure passwords memorable -- but making 30 of them memorable is a far more difficult problem.

I guess you also are flummoxed by this problem, which is why you, like me, write your passwords down.

or you could keep them in a password protected .rar archive .................ya a nuther password

as far as brute force attack the length of the password and using upper and lower case along with some special caricatures #$%^& is the key .........IF say using something like john the riper once you get to 13 caricatures it takes a vary strong box years to go through all the posable combos .........or at leas it did .

VINNY

**doctordruidphd** · Jan 18, 2011, 08:18 PM

Re: How to choose passwords

A compromise might be a password program like keepassx or fpm2, which stores passwords together with their relevant links in a password (and keyfile) protected database. That way, you really only have to remember one password -- and hope you don't lose that keyfile.

My feeling about passwords is that any password protection scheme can be cracked. The question is, how important is it to the cracker to do so? If it is someone fishing for website passwords, for example, who has no specific knowledge of individual users, my guess is they are not going to spend a lot of time and effort on any particular account. Probably won't go much beyond a basic lexical attack. On the other hand, if it's the NSA trying to crack an encrypted file on your hard disk, unless you have been very careful about using gpg properly (including not having your secret key on the disk), it's only a blink of an eye for a Cray to crack any password protection, no matter how long or convoluted it may be.

**pwabrahams** · Jan 18, 2011, 09:40 PM

Password vaults and password security

Originally posted by doctordruidphd

A compromise might be a password program like keepassx or fpm2, which stores passwords together with their relevant links in a password (and keyfile) protected database.

Isn't that what kwallet does?

My feeling about passwords is that any password protection scheme can be cracked.

With a quantum computer, perhaps -- but a long enough password with no internal structure and no foreknowledge on the part of the attacker is going to be uncrackable. Each character you add, even just assuming upper/lowercase alphabetics and digits, multiplies the cracking difficulty by 62. And 62**n can exceed the number of atoms in the universe if n is large enough.

The problem I have with password vaults is how to make them practicable when you're using multiple computers, and in particular computers you have no control over.

**toad** · Jan 19, 2011, 01:36 AM

Re: How to choose passwords

kwallet is nice, the firefox addition lastpass is another and there are countless others. I use lastpass for most websites, forums, what-have-you.

As for passwords that I don't trust a third party with I just pick lyrics or a book title or a music score or series of prime numbers, exchange letters and digits and vice versa, clonk the occasional exceptional character in there and find there is no need to write down the password.

While I only use seven of those I dare say that with training and frequent use thirty or more shouldn't be a problem. However, what is the point of Alcatraz security for something like this (or any other) forum?

**toad** · Jan 24, 2011, 04:38 AM

Re: How to choose passwords

Originally posted by aldabright

thanks for your tips, it's helpful. whenver I choose a password, I choose the same one all along, for better memorization.

sasaz is right. I recently got an email from mozilla saying their data had been hacked and that all passwords had been reset. Plus they could not guarantee who might have had access to it all...

In the olden days I used to have one password for them all, but this incident just goes to show that _any_ organisation can be compromised and once the bad guys have your password you might as well kiss good-bye to your online identity (or worse, current accounts!).

**Ole Juul** · Jan 24, 2011, 04:39 AM

Re: How to choose passwords

Nice poetry sasaz.

I like to have a number or two in there. So instead of using birth dates or addresses and stuff like that, I use parts numbers. If you're an old fart like me you'll properly have a few tube numbers and transistors that keep going through your head - whether you want it or not. (Hmm, perhaps that what's getting in the way of remembering new stuff - ... anyway.)

Numbers like 2N170 and 2N107 transistors make great inserts. Since they are pnp and npn you can play with that too. I don't use those by the way - I'm much older than that.

PS: I see you just answered aldabright's post. He's just pulling your leg - that's link spam. lol

**toad** · Jan 24, 2011, 05:15 AM

Re: How to choose passwords

yep, and he pulled it right and proper

**Detonate** · Jan 24, 2011, 07:56 AM

Re: How to choose passwords

I let the extension Lastpass remember my passwords. I also keep a list of my passwords in an encrypted file. So I only have to remember two passwords. The one for Lastpass and the one for the encrypted file. Make that three. My login password. I have never had a problem with my passwords being compromised. The most difficult password I have to come up with is the one for my .mil email address, which requires uppercase+lowercase+number+symbol and must be at least 10 characters and has to be changed every 60 days.

**oshunluvr** · Jan 24, 2011, 10:04 AM

Re: How to choose passwords

Ah! Finally, a good topic

Originally posted by pwabrahams

Here' what I see as the criteria for a good password-invention strategy:

1. It should work for creating a large set of passwords, not for just one. I'm not unusual in having perhaps 30 sites I use where I care about the security of the passwords, and many more where I don't care much about it. (For the ones where security doesn't matter, a single password probably suffices -- not to worry if it's stolen.)

2. If one password in the set is compromised, the others should remain invulnerable. Passwords can be and often have been compromised through no fault of the user, e.g., stolen.

3. It should not require a good memory but should not depend on writing anything down.

4. It should account for the fact that different website have different criteria for valid passwords. For instance, some sites require a password to contain at least one non-alphabetic, non-numeric character, while other sites reject passwords with such characters. Minimum and maximum valid password lengths also vary.

5. It should work on multiple machines, including ones only temporarily accessible.

6. It should somehow be able to cope with periodic changes to the passwords, though it should not require changing all of them at once.

I imagine there are as many ideas on this as there are users on this forum. Keep in mind that I'm not paranoid: sorry, I don't buy that everyone is out to get me or that there's an organized secret government scheme designed to keep me "down" so my ideas are not going to be as strong as some others. Here's my take:

In my world, I have three password "sets": Social, Personal/Critical, Work

I have one password for what I deem to be "social" sites that change infrequently. I use the same one for all of them so I don't have to think too hard to remember this one. If the need arises to change this one - I change them all in one sitting. If this password gets compromised, I will only have some apologizing to do but no serious damage.

For the others: I come up with a word that has some meaning only to me so I can remember it but others wouldn't know it unless the were very close to me. For example: my wife's nickname for our dog. I then use variations on this name using caps and number/symbol substitutions for letters. I also will sometimes add a significant number to this word that has meaning related to the word. In this way I can easily remember the "base" word and need only work out the substitutions to "remember" the password. I use this scheme for two different password sets, one for financial one for work related.

Example:
My dog's name is Dorothy. She was born in 2008. My wife frequently calls her Dorky and sometimes BooBoo but never outside the house. So I would start with dorkyboo08. Then I might substitute an @ or an * for an o or an ! for a 1 or i and so on.

Since the substitutions somewhat follow a theme and I can easily remember the base word; on the occasion I can't exactly recall what combination I used for a particular site, I can usually work it out after a bit. IMO, this method fills all the criteria set forth in the OP.

For the record, I have had one password cracked (my gmail account) but they didn't get too far with it. It was just before xmas and the source was a chinese IP. Google detected the unusual activity, locked my account and sent me an email. I have since moved my email passwords from the Social category to the Personal/Critical level

I periodically do a password purge when I encounter a new good base-word.

**pwabrahams** · Jan 24, 2011, 07:19 PM

Passwords for several banks

Originally posted by oshunluvr

In my world, I have three password "sets": Social, Personal/Critical, Work

What category do you use for websites like the Kubuntu Forum, or Amazon.com (assuming you have an account there)?

Example:
My dog's name is Dorothy. She was born in 2008. My wife frequently calls her Dorky and sometimes BooBoo but never outside the house. So I would start with dorkyboo08. Then I might substitute an @ or an * for an o or an ! for a 1 or i and so on.

Since the substitutions somewhat follow a theme and I can easily remember the base word; on the occasion I can't exactly recall what combination I used for a particular site, I can usually work it out after a bit. IMO, this method fills all the criteria set forth in the OP.

So suppose you have accounts at three banks Bank1, Bank2, and Bank3. How would you create different memorable passwords for all three?

Announcement

How to choose passwords

How to choose passwords

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment