[colug-432] Memorizing Unique Passwords

Scott Merrill skippy at skippy.net
Thu Sep 10 14:38:46 EDT 2015


>> "Amazon," for instance, becomes "5FHX7E" for a password using this scheme, but you don't have to memorize it --
>> only the scheme itself.
> 
> I realize that's an example, but it's also a very weak password - short, all uppercase, and no symbols.

That’s true, but passwords do not exist in a vacuum.  A password like the above might be easy to brute force from a hash downloaded from a database dump, but is less easy to brute force at the login screen at Amazon.com.

As with most things, one must perform some level of risk analysis.  Do you want an arbitrarily complex password that is resistant to offline attack, as in the case of the Ashley Madison data dump?  Or do you want a password that makes it sufficiently hard for someone to log in as you?  If you’re mostly concerned about the latter, then I’d wager that the above password is “good enough”, and it looks relatively secure against guesses based on public data about you.

How much security / safety does one gain by adding mixed case letters or special characters?  Sure, you get some, but that comes with the added mental burden of remembering the algorithm.

If you use a different password at most sites, then a compromise of one is less likely to jeopardize your other passwords.  Unless someone is specifically targeting *you*, and therefore analyzing *your* passwords across multiple compromised services, your password algorithm is vanishingly unlikely to be noticed.  So even a weak algorithm offers increased overall security.


While we’re sharing password generation algorithms, consider also the diceware solution:
   http://world.std.com/~reinhold/diceware.html
   http://rumkin.com/tools/password/diceware.php


Also don’t forget about two factor authentication.  I enable two factor authentication for every site that offers it.  I was really happy to see that sixxs.net offers 2FA for their IPv6 tunnel service!

Cheers,
Scott
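The offline-versus-online comparison and the diceware pointer above can be put into numbers.  The following is an added example, not code from the post or from the diceware project: it parses a diceware-format word list (the six-line fragment embedded here is constructed; a real list has 7776 entries from 11111 to 66666), generates a passphrase from CSPRNG-backed dice rolls, and estimates how long exhausting the keyspace of a password like "5FHX7E" takes at two assumed attacker rates (an offline GPU rig against a fast unsalted hash at 10^10 guesses/s, and a throttled login form at 10 guesses/s).  Both rates are assumptions chosen for illustration, and the entropy figure treats the password as uniformly random, which it is not if the attacker knows the generating scheme.

```python
import math
import secrets
import string

# Constructed fragment in diceware list format ("five-digit roll<whitespace>word").
# A real diceware list has 7776 entries (11111 through 66666); these six words
# are placeholders for the example, not entries from the actual list.
SAMPLE_DICEWARE = """\
11111\tabacus
11112\tabate
11113\tabbey
11114\tabbot
11115\tabdomen
11116\tabide
"""


def parse_diceware(text):
    """Parse a diceware-format list into {roll: word}; blank and '#' lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, word = line.split(None, 1)
        if len(key) != 5 or any(c not in "123456" for c in key):
            raise ValueError(f"bad diceware key: {key!r}")
        table[key] = word
    return table


def roll_five_dice():
    """Five d6 rolls from the OS CSPRNG, the software stand-in for physical dice."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def diceware_passphrase(table, n_words, roll=roll_five_dice, sep=" "):
    """Look up n_words rolls in the table.  With a complete 7776-entry list every
    roll hits a word; with a partial table a missing key raises KeyError."""
    return sep.join(table[roll()] for _ in range(n_words))


def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` independent uniform picks from the alphabet."""
    return length * math.log2(alphabet_size)


def charset_size(password):
    """Size of the smallest obvious alphabet an attacker would brute-force for this password."""
    size = 0
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try the whole keyspace at the given rate."""
    return 2.0 ** bits / guesses_per_second


# Assumed attacker rates, not measurements: a fast unsalted hash on a GPU rig
# versus a login endpoint that throttles to ten attempts per second.
OFFLINE_RATE = 1e10
ONLINE_RATE = 10
SECONDS_PER_YEAR = 365.25 * 86400

if __name__ == "__main__":
    pw = "5FHX7E"
    bits = entropy_bits(charset_size(pw), len(pw))
    print(f"{pw}: {bits:.1f} bits; offline {seconds_to_exhaust(bits, OFFLINE_RATE):.2f} s, "
          f"online {seconds_to_exhaust(bits, ONLINE_RATE) / SECONDS_PER_YEAR:.1f} years")
    print(f"5 diceware words from a full list: {entropy_bits(7776, 5):.1f} bits")
    table = parse_diceware(SAMPLE_DICEWARE)
    # The sample table is incomplete, so a fixed roll is used here; with a full
    # list, pass the default roll_five_dice.
    print(diceware_passphrase(table, 3, roll=lambda: "11113"))
```

Run as a script it prints roughly 31 bits for the six-character example, a fraction of a second offline at the assumed rate and several years online, against about 65 bits for five diceware words; feed `parse_diceware` a real list file and drop the fixed `roll` to generate passphrases for use.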



