May 27th, 2003 04:02 AM
a nifty little gadget to keep track of your passwords:http://www.thinkgeek.com/gadgets/electronic/5a60/
-the hour has begun, your eyes are now opened-
May 27th, 2003 07:07 AM
First, choose a favorite poem or song (by favorite i mean you can memorize it by heart). Let's take this poem as a test case (the only reason i choose it is because it has 6 or more words in each line, which makes good 6-or-more-character passwords):
I was thinking about a problem with creating the best password. I know it should be a combination of upper/lowercase letters, digits and non-alphabetic characters. Another approach is to pick a favorite sentence (i.e I love Big Mac and Fries), take the first letter of each word (I, l, B, M, a, F) and make up a word of them (ilbmaf) maybe alternating an uppercase and a lowercase letter and ending it with a digit (IlBmAf4). The problem with this...
It's Been So Good to Have You as a Friend
It's been so good to have you as a friend:
As sweet and rich as honey-colored sun
Slanting steep across a summer lawn,
Gilding life with all that love can lend.
And now that you yourself have griefs to tend,
I want to be the strong and caring one
To count to you the lovely things you've done
Until these troubles pass and sorrows end.
You are so beautiful in form and soul
That you bring happiness to all you're near:
Just as a sea rose, flowering in mist,
Makes a paradise of some bleak shoal,
Turning truth to something far more clear,
No pain unsoothed or rain-swept cheek unkissed.
Copyright by Nicholas Gordon (nick[at]poemsforfree[dot]com - http://www.poemsforfree.com/itsbee.html)
Then, derive your favorite password from each line of the poem (excluding the title) like this (be creative):
Last, keep a readme file in the account:line# format like this (or other format, again be creative):
primary e-mail: 1
database app: 2
What a geeky list, isn't it? Anyway, do you understand what this list is for? Assuming that your ID is vercetti on all those accounts, by looking at the list you know that your primary e-mail password is 1b59thyaf, your database app password is a5arahcs, and so on...
See also the posts I made last year on this subject:
Always listen to experts. They\'ll tell you what can\'t be done and why. Then go and do it. -- Robert Heinlein
I\'m basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds
May 27th, 2003 10:53 AM
hereby an excellent paper about password based encryption.
The conclusion is:
As indiana said: choose but choose wisely ....
The unfortunate truth is that if the users pass phrase is weak, it will still be possible to break it using a dictionary attack. When building encryption software it is always a good idea to prevent users from choosing weak passwords.
It is a good idea to quickly search trough a small dictionary of English words for the users pass phrase, and if found suggest that they change it. Since at this point we have the original pass phrase and we do not have to derive it through the S2K function, this search can be fairly quick.
Another good idea is to include a random number generator in the software so that a user
has the ability to select a random pass-phrase. This has its own problems since it’s
extremely hard for users to memorize such pass phrases.
The last and most important advice is not to make it easy for an attacker to retrieve the
encrypted data. Without having local access to the file there is no way to mount a dictionary
attack in the first place.
[shadow] SHARING KNOWLEDGE[/shadow]
May 27th, 2003 11:51 AM
Ubuntu-: Means in African : "Im too dumb to use Slackware"
May 27th, 2003 02:04 PM
Ahem..... I have to say that all these methods are fine for the likes of us.... BUT..... The users are _generally_ too lazy or too unimaginative to keep up that level of security.
You must also realize that the password for a user should be directly proportional to their rights - the important part there is "their rights". Users that have access to extremely sensitive data usually understand that and come up with appropriate passwords. Users with extensive rights are the same...... It's the little buggers at the bottom of the pile that generally do little or nothing to assist the admin in keeping the system secure. But if admin tries to enforce a draconian password policy he gets, either, the wrath of the users, or, squashed by his superiors....... So, a creative solution is required such that a lowly user can change their password every 60 days for example, but also be able to remember it or even write it down if they want..... Heck.... Let's go all the way..... Keep the same "password", write it down _and_ put it on a sticky on their monitor........
Tell the user to pick a secret word that is at least 5 letters and no longer than 7 letters...... Lets use "Tropics"..... I like the tropics....... wish I was there......<s>. Now they should add a special character of their choice to the front and a number of their choice to the back.... We'll use "$" and "2" making their secret word "$Tropics2"...... Notice we also make them uppercase the first letter......
Now here comes the fun..... They must jumble that sequence up any way they please but they must use all the characters..... We'll do it this way "piT$2rocs"....... Now that's a nice little password that would be hard to crack and very difficult to remember......
But I can write a little sticky saying "My password is 562193478" and put it right in the middle of my monitor because each character has a numeric position in that sequence, ($=1, T=2, r=3 etc.).. Anyone trying that as the password will get a big fat "access denied". Anyone who knows this system and guesses that dear old Millie chose her dog's name "spotty" will still be 2 characters short which are harder to guess at and a brute force tool is still going to take a while before it comes up with the credentials to access this user's _properly_ limited permissions. Not worth it really......
Now comes 60 days later...... Dear old Millie doesn't have to change that secret character sequence..... She just re-jumbles the sequence, writes a new sticky and she is "off to the races".........
If you enforce a minimum password length of 7 characters then the user can't cheat and you can enforce a "no re-use of password" policy for say 2 years to prevent repitition but you have given them an opportunity to be more secure without the horrendous task of coming up with new passwords that are hard for them to remember all the time.
NOTE: You won't get all of them to use this system..... There are always the "whiners" who say it is too difficult..... IME, they are the ones that have the least rights anyway..... Just enforce the 7 characters and live with it......
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
May 27th, 2003 02:36 PM
You know, while it's true that in some cases using non-displayable characters can be more secure (for example, I believe l0ftcrack doesn't (or at least didn't in the past) show these characters in cracked passwords), it's however relevent to point out that having to type 4 keys to get only one character could be spent better by choosing 4 regular characters:
Originally posted here by Simo
alt+32 and alt+255 are characters that windows cant recognize. i use them
that alt+255 gives you only 256 more possibilites to test,
while adding 4 regular characters would give you (26*2+10)^4=14776336 more possibilites...
(26 chars * 2 for caps + 10 numbers)
This might not convince everyone or anyone but it's still worth considering...
Credit travels up, blame travels down -- The Boss
May 27th, 2003 02:38 PM
no offense to anyone, but for the most part, I can remember even all of my complex usernames and passwords. A lot of people overlook this, but you can always create complex passwords, and work on improving how well you remember things as opposed to trying to remember your workarounds. (I'm sure "MemorY" will love this post)
also, using a similar password and changing one character is a good one.
for instance, if your password is b4sketball for espn.com, you can easily make it b4sketb9ll for something else. but in an 8 letter password, and having 36+ possible substitutes, they have a .34% (not 34%, but .34%)chance in figuring it out, once they know your other password. most people don't put forth this much effort to track down multiple sites, usernames, etc. if you switch your username in a similar fashion, it makes it even harder (.0042%) to figure it out.
just my two cents.
i\'m starting to think that i\'m bound to always be the first guy on the second page of the thread.
May 27th, 2003 03:56 PM
First off; Simo, Alt+32 is a Space... and if I'm not mistaken, 255 is NULL....I'm not sure...
If you want a good password..theres a way of doing it..
First...Find a line or moto that you can remember...some thing like Confusius (or what ever that persons name was) Let's take the Password from Entrapment as an Example:
Don't use cannon to kill Mosquito
Step one; Make it one word with Capital on every word: Don'tUseCannonToKillMosquito
Step two; Replace atleast one word or letter with a number: Don'tUseCannon2KillMosquito
Step three; REMEMBER THE PASSWORD..
Passwords like this have the advantage that their long, easy to remember and hard to crack....just make sure you can type it fast enough
With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!
Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag Då landet her kvilte i heilag fred og alle hadde kjærleik å elske med.
May 27th, 2003 11:02 PM
Or you could just go with ditching the use of passwords all together, they have always been one of the weakest links in security, a much better option would be to make use of biometrics and there are some decent devices now available which can actually make this practical. Smartcrards/ tokens are also useful. Get away from just going with what someone knows and make use of something they have or something they are.
In practice the majority of users will choose a simple to remeber password or think that they have increased the security greatly by subsitiuting a letter for a number, e.g. password becomes passw0rd, its still easy to crack and actually creates a false sense of security that does more bad then good.
Single sign on systems can help get around the need to remeber lots of username/password combinations, but if you use a password for those you still have a very weak protection mechanism in place.
Quis custodiet ipsos custodes