How to choose passwords

This topic is closed.

    How to choose passwords

    There's no shortage of advice around on how to choose passwords, but just about all of it I've seen is inadequate. It tells you what not to do, but there are often problems in following the suggestions on what you should do. My apologies if this topic seems a bit afield for a Kubuntu forum, but this seems like a good place to ask the question.

    I'm no security expert, but it seems to me that password attacks have to follow one of two strategies: exhaustive search or sophisticated limited search. Dictionary attacks and attacks based on knowledge of the user, like her birthday, are sophisticated limited search. It's hard to see how the two strategies can be combined, although they certainly can both be used independently and possibly interleaved. Any password-invention strategy has to consider what it's defending against.

    Here's what I see as the criteria for a good password-invention strategy:

    1. It should work for creating a large set of passwords, not for just one. I'm not unusual in having perhaps 30 sites I use where I care about the security of the passwords, and many more where I don't care much about it. (For the ones where security doesn't matter, a single password probably suffices -- not to worry if it's stolen.)

    2. If one password in the set is compromised, the others should remain invulnerable. Passwords can be and often have been compromised through no fault of the user, e.g., stolen.

    3. It should not require a good memory but should not depend on writing anything down.

    4. It should account for the fact that different websites have different criteria for valid passwords. For instance, some sites require a password to contain at least one non-alphabetic, non-numeric character, while other sites reject passwords with such characters. Minimum and maximum valid password lengths also vary.

    5. It should work on multiple machines, including ones only temporarily accessible.

    6. It should somehow be able to cope with periodic changes to the passwords, though it should not require changing all of them at once.

    Algorithmic password generators are not adequate because of criterion 1. The most promising strategies seem to use some kind of mental generating strategy, like partly basing each password on the URL of the website to which it applies. An example of such a strategy would be to create passwords consisting of word 1 followed by the first three letters of the URL in reverse order followed by word 2, probably with some fixed leavening of digits and special characters. I'm unsure, however, of how secure such passwords would be in the face of an attack based on knowledge of another one of the user's passwords. If the relationship of the middle component to the URL can be inferred, then the other passwords become insecure.

    My own strategy has been to create a written list, but that has several disadvantages. I'm not so concerned about the list being stolen, since it's unlikely that a housebreaker would be interested in it.
    But the portability problem is significant; it's quite inconvenient always to have it on my person.

    Are my criteria too demanding? Not demanding enough? Some combination of these? And what strategy might meet the criteria? I'd be interested in the thoughts of others on this topic.
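The site-derived scheme described in the post above, worked through in code as an added example (this is not part of the original post and not anyone's actual scheme): the naive variant is word 1, then the first three letters of the site reversed, then word 2, and `infer_from_leak` shows what an attacker who knows only that shape plus one leaked (site, password) pair can do with it. Beside it is a keyed derivation, HMAC-SHA256 of the site name and a version counter under a master secret, mapped onto whatever alphabet and length the site's policy allows, which addresses criteria 2, 4 and 6 from the list. The master secret, the two words, the site names and the `Policy` class are assumptions chosen for the example.

```python
import hashlib
import hmac
import string
from dataclasses import dataclass

LETTERS_DIGITS = string.ascii_letters + string.digits
SYMBOLS = "!@#$%^&*"


def naive_site_password(word1, word2, site):
    """The scheme from the post: word1 + first three letters of the site reversed + word2."""
    return word1 + site[:3][::-1] + word2


def infer_from_leak(leaked_pw, leaked_site, target_site):
    """Attacker who knows the shape of the naive scheme and one leaked (site, password) pair.

    Locates the reversed site prefix inside the leaked password, splits out the two
    fixed words, and rebuilds the password for another site. Returns None if the
    leaked password does not fit the shape.
    """
    token = leaked_site[:3][::-1]
    idx = leaked_pw.find(token)
    if idx < 0:
        return None
    word1, word2 = leaked_pw[:idx], leaked_pw[idx + len(token):]
    return word1 + target_site[:3][::-1] + word2


@dataclass(frozen=True)
class Policy:
    """Per-site password rules (criterion 4). Assumed shape for the example."""
    length: int = 16
    allow_symbols: bool = True
    require_symbol: bool = False


def keyed_site_password(master, site, policy=Policy(), version=0):
    """Derive a per-site password from a master secret with HMAC-SHA256.

    A leaked output reveals nothing about the master secret or other sites'
    passwords (criterion 2); bumping `version` rotates one site only (criterion 6).
    """
    if policy.require_symbol and not policy.allow_symbols:
        raise ValueError("policy requires a symbol but forbids symbols")
    if policy.length > 40:
        raise ValueError("a single SHA-256 digest only covers about 40 characters")
    alphabet = LETTERS_DIGITS + (SYMBOLS if policy.allow_symbols else "")
    label = f"{site}\x00{version}".encode()
    digest = hmac.new(master.encode(), label, hashlib.sha256).digest()
    # Treat the digest as one big integer and peel off base-len(alphabet) digits.
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(policy.length):
        n, r = divmod(n, len(alphabet))
        chars.append(alphabet[r])
    if policy.require_symbol and not any(c in SYMBOLS for c in chars):
        # Force one symbol at a digest-chosen position so the result is still deterministic.
        pos = digest[0] % policy.length
        chars[pos] = SYMBOLS[digest[1] % len(SYMBOLS)]
    return "".join(chars)


if __name__ == "__main__":
    leaked = naive_site_password("maple", "anvil", "kubuntuforums.net")
    print("naive, leaked:", leaked)
    print("naive, inferred for paypal.com:", infer_from_leak(leaked, "kubuntuforums.net", "paypal.com"))
    kp = keyed_site_password("correct horse", "kubuntuforums.net")
    print("keyed, forum:", kp)
    print("keyed, inferred for paypal.com:", infer_from_leak(kp, "kubuntuforums.net", "paypal.com"))
    print("keyed, paypal.com actual:", keyed_site_password("correct horse", "paypal.com"))
```

The keyed derivation still depends on one memorised secret and a way to run the function on each machine you sit at (criterion 5), which is the same trade-off a password vault makes; what it removes is the link between one leaked password and the rest.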

    #2
    Re: How to choose passwords

    People are the weakest component of any password.

    The problem with strong/very strong password 'schemas' is that they are difficult, if not impossible for many people to remember. Thus, they get recorded - written down - and therefore become subject to compromise, and so, the systems they purport to protect, become 'less protected/secure.' I know, as I do this at work, because I can't remember all the passwords to all the systems I have accounts on. Each system has its own requirements, so each one's password has unique requirements.
    Windows no longer obstructs my view.
    Using Kubuntu Linux since March 23, 2007.
    "It is a capital mistake to theorize before one has data." - Sherlock Holmes



      #3
      Re: How to choose passwords

      I find your criteria a bit demanding, but nevertheless follow a related strategy. I've got a lot of passwords and some of them are quite long. However, I seem to remember them because they are a kind of personal alphanumeric poetry which has evolved over the years. My memory is otherwise very bad so I do keep a book with stuff like that, but it would not be available to anybody else as it stays at home.

      It is important to write this stuff down because sometimes a year or two can go by between needing it. I've also learnt the lesson of writing down what name I use as well as the e-mail address. Although I try to use my real name, some sites don't allow that, for example by not allowing a space. If you're like me the e-mail address could be anything, but I have started narrowing it down to types. Sometimes a separate account is suitable. A recent funny one is "facebook@mydomain". lol

      Has anybody ever experienced their login being compromised anywhere? Nobody ever mentions it. It hasn't happened to me. I think it is not an issue. That said, I do take root passwords on servers quite seriously. The reason is that there would actually be a payoff to getting that. The root password to my home computer is sufficiently secure, but still someone accessing my personal stuff wouldn't really matter to me.



        #4
        Remembering passwords

        Originally posted by Snowhog
        The problem with strong/very strong password 'schemas' is that they are difficult, if not impossible for many people to remember.
        That's my criterion 3. There are ways to make single secure passwords memorable -- but making 30 of them memorable is a far more difficult problem.

        I guess you also are flummoxed by this problem, which is why you, like me, write your passwords down.



          #5
          Writing them down

          It's interesting that both of the folks who've responded to my post so far have adopted the same strategy that I do: writing the passwords down. It's the best I can do, but I'm not satisfied with it.

          If my criteria are too demanding, how would you relax them?

          As to logins being stolen: isn't that what happens when banking sites get compromised?



            #6
            Re: Remembering passwords

            Originally posted by pwabrahams
            Originally posted by Snowhog
            The problem with strong/very strong password 'schemas' is that they are difficult, if not impossible for many people to remember.
            That's my criterion 3. There are ways to make single secure passwords memorable -- but making 30 of them memorable is a far more difficult problem.

            I guess you also are flummoxed by this problem, which is why you, like me, write your passwords down.
            Or you could keep them in a password-protected .rar archive ... yeah, another password.

            As far as brute-force attacks go, the length of the password and using upper and lower case along with some special characters #$%^& is the key ... if, say, using something like John the Ripper, once you get to 13 characters it takes a very strong box years to go through all the possible combos ... or at least it did.

            VINNY
            i7 4core HT 8MB L3 2.9GHz
            16GB RAM
            Nvidia GTX 860M 4GB RAM 1152 cuda cores



              #7
              Re: How to choose passwords

              A compromise might be a password program like keepassx or fpm2, which stores passwords together with their relevant links in a password (and keyfile) protected database. That way, you really only have to remember one password -- and hope you don't lose that keyfile.

              My feeling about passwords is that any password protection scheme can be cracked. The question is, how important is it to the cracker to do so? If it is someone fishing for website passwords, for example, who has no specific knowledge of individual users, my guess is they are not going to spend a lot of time and effort on any particular account. Probably won't go much beyond a basic lexical attack. On the other hand, if it's the NSA trying to crack an encrypted file on your hard disk, unless you have been very careful about using gpg properly (including not having your secret key on the disk), it's only a blink of an eye for a Cray to crack any password protection, no matter how long or convoluted it may be.


              We only have to look at ourselves to see how intelligent life might develop into something we wouldn't want to meet. -- Stephen Hawking



                #8
                Password vaults and password security

                Originally posted by doctordruidphd
                A compromise might be a password program like keepassx or fpm2, which stores passwords together with their relevant links in a password (and keyfile) protected database.
                Isn't that what kwallet does?

                My feeling about passwords is that any password protection scheme can be cracked.
                With a quantum computer, perhaps -- but a long enough password with no internal structure and no foreknowledge on the part of the attacker is going to be uncrackable. Each character you add, even just assuming upper/lowercase alphabetics and digits, multiplies the cracking difficulty by 62. And 62**n can exceed the number of atoms in the universe if n is large enough.

                The problem I have with password vaults is how to make them practicable when you're using multiple computers, and in particular computers you have no control over.



                  #9
                  Re: How to choose passwords

                  kwallet is nice, the Firefox add-on LastPass is another and there are countless others. I use LastPass for most websites, forums, what-have-you.

                  As for passwords that I don't trust a third party with I just pick lyrics or a book title or a music score or series of prime numbers, exchange letters and digits and vice versa, clonk the occasional exceptional character in there and find there is no need to write down the password.

                  While I only use seven of those I dare say that with training and frequent use thirty or more shouldn't be a problem. However, what is the point of Alcatraz security for something like this (or any other) forum?
                  Once your problem is solved please mark the topic of the first post as SOLVED so others know and can benefit from your experience! / FAQ



                    #10
                    Re: How to choose passwords

                    Originally posted by aldabright
                    thanks for your tips, it's helpful. whenever I choose a password, I choose the same one all along, for better memorization.
                    sasaz is right. I recently got an email from mozilla saying their data had been hacked and that all passwords had been reset. Plus they could not guarantee who might have had access to it all...

                    In the olden days I used to have one password for them all, but this incident just goes to show that _any_ organisation can be compromised and once the bad guys have your password you might as well kiss good-bye to your online identity (or worse, current accounts!).



                      #11
                      Re: How to choose passwords

                      Nice poetry sasaz.

                      I like to have a number or two in there. So instead of using birth dates or addresses and stuff like that, I use part numbers. If you're an old fart like me you'll probably have a few tube numbers and transistors that keep going through your head - whether you want it or not. (Hmm, perhaps that's what's getting in the way of remembering new stuff - ... anyway.) Numbers like 2N170 and 2N107 transistors make great inserts. Since they are pnp and npn you can play with that too. I don't use those by the way - I'm much older than that.

                      PS: I see you just answered aldabright's post. He's just pulling your leg - that's link spam. lol



                        #12
                        Re: How to choose passwords

                        yep, and he pulled it right and proper



                          #13
                          Re: How to choose passwords

                          I let the extension Lastpass remember my passwords. I also keep a list of my passwords in an encrypted file. So I only have to remember two passwords. The one for Lastpass and the one for the encrypted file. Make that three. My login password. I have never had a problem with my passwords being compromised. The most difficult password I have to come up with is the one for my .mil email address, which requires uppercase+lowercase+number+symbol and must be at least 10 characters and has to be changed every 60 days.



                            #14
                            Re: How to choose passwords

                            Ah! Finally, a good topic

                            Originally posted by pwabrahams
                            Here' what I see as the criteria for a good password-invention strategy:

                            1. It should work for creating a large set of passwords, not for just one. I'm not unusual in having perhaps 30 sites I use where I care about the security of the passwords, and many more where I don't care much about it. (For the ones where security doesn't matter, a single password probably suffices -- not to worry if it's stolen.)

                            2. If one password in the set is compromised, the others should remain invulnerable. Passwords can be and often have been compromised through no fault of the user, e.g., stolen.

                            3. It should not require a good memory but should not depend on writing anything down.

                            4. It should account for the fact that different website have different criteria for valid passwords. For instance, some sites require a password to contain at least one non-alphabetic, non-numeric character, while other sites reject passwords with such characters. Minimum and maximum valid password lengths also vary.

                            5. It should work on multiple machines, including ones only temporarily accessible.

                            6. It should somehow be able to cope with periodic changes to the passwords, though it should not require changing all of them at once.
                            I imagine there are as many ideas on this as there are users on this forum. Keep in mind that I'm not paranoid: sorry, I don't buy that everyone is out to get me or that there's an organized secret government scheme designed to keep me "down" so my ideas are not going to be as strong as some others. Here's my take:

                            In my world, I have three password "sets": Social, Personal/Critical, Work

                            I have one password for what I deem to be "social" sites that change infrequently. I use the same one for all of them so I don't have to think too hard to remember this one. If the need arises to change this one - I change them all in one sitting. If this password gets compromised, I will only have some apologizing to do but no serious damage.

                            For the others: I come up with a word that has some meaning only to me so I can remember it but others wouldn't know it unless they were very close to me. For example: my wife's nickname for our dog. I then use variations on this name using caps and number/symbol substitutions for letters. I also will sometimes add a significant number to this word that has meaning related to the word. In this way I can easily remember the "base" word and need only work out the substitutions to "remember" the password. I use this scheme for two different password sets, one for financial, one for work-related.

                            Example:
                            My dog's name is Dorothy. She was born in 2008. My wife frequently calls her Dorky and sometimes BooBoo but never outside the house. So I would start with dorkyboo08. Then I might substitute an @ or an * for an o or an ! for a 1 or i and so on.

                            Since the substitutions somewhat follow a theme and I can easily remember the base word, on the occasion I can't exactly recall what combination I used for a particular site, I can usually work it out after a bit. IMO, this method fills all the criteria set forth in the OP.

                            For the record, I have had one password cracked (my gmail account) but they didn't get too far with it. It was just before xmas and the source was a Chinese IP. Google detected the unusual activity, locked my account and sent me an email. I have since moved my email passwords from the Social category to the Personal/Critical level.

                            I periodically do a password purge when I encounter a new good base-word.


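An added example, not from any post in this thread, that puts numbers on the two search strategies the opening post names, using the base word from post #14 as input. `variants` enumerates a base word under case changes and the substitutions the post mentions (@ or * for o, ! for 1 or i); the `LEET` table extends those with a few other common swaps and is an assumption. `count_variants` sizes that limited search, `guess_index` reports where a given final password falls in it, and `keyspace` gives the exhaustive count from post #8's 62**n for comparison. The base word, the target password and the guess rate are made up for the example.

```python
import itertools

# Assumed substitution rules. The post mentions @/* for o and ! for 1 or i;
# the other rows are common swaps an attacker's rule set would also include.
LEET = {"o": "@*0", "i": "!1", "l": "!1", "a": "@4", "s": "$5", "e": "3"}


def char_options(c):
    """Every form one character of the base word can take under the scheme."""
    opts = {c}
    if c.isalpha():
        opts.add(c.lower())
        opts.add(c.upper())
    opts.update(LEET.get(c.lower(), ""))
    return sorted(opts)


def count_variants(base):
    """Size of the limited search: product of the per-character option counts."""
    n = 1
    for c in base:
        n *= len(char_options(c))
    return n


def variants(base):
    """Yield every candidate the rule-based attacker would try for this base word."""
    for combo in itertools.product(*(char_options(c) for c in base)):
        yield "".join(combo)


def guess_index(base, target):
    """Guesses spent before `target` is hit, or -1 if it is outside the rule set."""
    for i, candidate in enumerate(variants(base)):
        if candidate == target:
            return i
    return -1


def keyspace(alphabet_size, length):
    """Candidates an exhaustive search must cover (post #8's 62**n)."""
    return alphabet_size ** length


def seconds_to_exhaust(candidates, guesses_per_second):
    return candidates / guesses_per_second


if __name__ == "__main__":
    base = "dorkyboo08"          # base word from post #14
    target = "d@rkyB*o08"        # an assumed final password built from it
    limited = count_variants(base)
    print(f"rule-based candidates for {base!r}: {limited}")
    print(f"{target!r} found after {guess_index(base, target)} guesses")
    print(f"exhaustive 62**{len(base)}: {keyspace(62, len(base))}")
    print(f"time at 1e6 guesses/s: limited {seconds_to_exhaust(limited, 1e6):.3f}s, "
          f"exhaustive {seconds_to_exhaust(keyspace(62, len(base)), 1e6) / 31_557_600:.0f} years")
```

The contrast is the point of the opening post's two strategies: the exhaustive count grows with length, while the rule-based count grows only with the number of characters that have more than one option, so knowing the base word collapses the search regardless of how many substitutions were applied.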


                              #15
                              Passwords for several banks

                              Originally posted by oshunluvr
                              In my world, I have three password "sets": Social, Personal/Critical, Work
                              What category do you use for websites like the Kubuntu Forum, or Amazon.com (assuming you have an account there)?

                              Example:
                              My dog's name is Dorothy. She was born in 2008. My wife frequently calls her Dorky and sometimes BooBoo but never outside the house. So I would start with dorkyboo08. Then I might substitute an @ or an * for an o or an ! for a 1 or i and so on.

                              Since the substitutions somewhat follow a theme and I can easily remember the base word; on the occasion I can't exactly recall what combination I used for a particular site, I can usually work it out after a bit. IMO, this method fills all the criteria set forth in the OP.
                              So suppose you have accounts at three banks Bank1, Bank2, and Bank3. How would you create different memorable passwords for all three?
