[colug-432] Memorizing Unique Passwords

michael at yanovich.net michael at yanovich.net
Thu Sep 10 15:01:23 EDT 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I once tried to use that algorithm method for generating passwords on various
sites, but the problem I kept running into (and why I don't use it anymore)
is that password requirements for different sites can widely vary.

For example:
 * minimum length
 * maximum length
 * have at least 1 of each 'set' of characters (1 capital, 1 lower, 1 special
    char, or 1 special char from this limited list that is different from
    another site.)


If password requirements were standardized across most sites, I could easily
see this method catching on, otherwise I'm going to keep using KeePassX.



On 09/10/2015 02:38 PM, Scott Merrill wrote:
> 
>>> "Amazon," for instance, becomes "5FHX7E" for a password using this scheme, but you don't have to memorize it --
>>> only the scheme itself.
>>
>> I realize that's an example, but it's also a very weak password - short, all uppercase, and no symbols.
> 
> That’s true, but passwords do not exist in a vacuum.  A password like the above might be easy to brute force from a hash downloaded from a database dump, but is less easy to brute force at the login screen at Amazon.com.
> 
> As with most things, one must perform some level of risk analysis.  Do you want an arbitrarily complex password that is resistant to offline attack, as in the case of the Ashley Madison data dump?  Or do you want a password that makes it sufficiently hard for someone to log in as you?  If you’re mostly concerned about the latter, then I’d wager that the above password is “good enough”, and it looks relatively secure against guesses based on public data about you.
> 
> How much security / safety does one gain by adding mixed case letters or special characters?  Sure, you get some, but that comes with the added complexity of the mental burden to remember the algorithm.
> 
> If you use a different password at most sites, then a compromise of one is less likely to jeopardize your other passwords.  Unless someone is specifically targeting *you*, and therefore analyzing *your* passwords across multiple compromised services, your password algorithm is vanishingly unlikely to be noticed.  So even a weak algorithm offers increased overall security.
> 
> 
> While we’re sharing password generation algorithms, consider also the diceware solution:
>    http://world.std.com/~reinhold/diceware.html
>    http://rumkin.com/tools/password/diceware.php
> 
> 
> Also don’t forget about two factor authentication.  I enable two factor authentication for every site that offers it.  I was really happy to see that sixxs.net offers 2fa for their ipv6 tunnel service!
> 
> Cheers,
> Scott
> 

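An added example, not code from either message in this thread: the Python below shows both points being argued. It implements the Diceware key-to-index mapping and a CSPRNG-based passphrase picker for Scott's suggestion, computes the entropy of a passphrase versus a six-character scheme output like "5FHX7E", and runs candidates through a few per-site policies of the kind Michael lists (min/max length, mandatory character sets). The word list and the site policies are constructed samples, not the real 7776-word Diceware list or any real site's rules.

```python
import math
import secrets
import string

# Constructed stand-in for the Diceware word list. The real list (linked in the
# thread) has 7776 entries, one per five-dice roll "11111".."66666"; a dozen
# words are enough to show the mechanics.
SAMPLE_WORDS = [
    "cleft", "cam", "synod", "lacy", "yr", "wok",
    "aloof", "amber", "bison", "cobra", "delta", "ember",
]
DICEWARE_LIST_SIZE = 7776

# Constructed example policies of the kind Michael describes: different
# minimum/maximum lengths and different mandatory character sets per site.
SITE_POLICIES = {
    "site-a": {"min_len": 8,
               "required_sets": {"upper": string.ascii_uppercase,
                                 "lower": string.ascii_lowercase,
                                 "digit": string.digits}},
    "site-b": {"min_len": 12, "max_len": 16,
               "required_sets": {"special": "!@#$%"}},
    "site-c": {"min_len": 6, "max_len": 20,
               "required_sets": {"special": "-_."}},
}


def dice_key_to_index(key):
    """Map a Diceware key such as "12345" (five digits 1-6) to a 0-based list index."""
    if len(key) != 5 or any(d not in "123456" for d in key):
        raise ValueError("Diceware key must be five digits in the range 1-6")
    index = 0
    for d in key:
        index = index * 6 + (int(d) - 1)
    return index


def roll_dice_key(n_dice=5):
    """Roll n dice with the OS CSPRNG (secrets), returning a key like "41263"."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def diceware_passphrase(n_words, wordlist=SAMPLE_WORDS, sep=" "):
    """Build a passphrase of n_words words chosen uniformly from wordlist.

    Physical dice index the 7776-word list directly; with the short constructed
    list we use secrets.choice, which is uniform over any list length.
    """
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_choices, pool_size):
    """Entropy of n independent uniform picks from a pool of pool_size, in bits."""
    return n_choices * math.log2(pool_size)


def check_policy(password, policy):
    """Return the names of the rules in policy that password violates."""
    failures = []
    if len(password) < policy.get("min_len", 0):
        failures.append("min_len")
    if "max_len" in policy and len(password) > policy["max_len"]:
        failures.append("max_len")
    for name, charset in policy.get("required_sets", {}).items():
        if not any(ch in charset for ch in password):
            failures.append("needs_" + name)
    return failures


def sites_accepting(password, policies=SITE_POLICIES):
    """Names of the sites whose policy the password satisfies."""
    return [site for site, policy in policies.items()
            if not check_policy(password, policy)]


if __name__ == "__main__":
    # "5FHX7E" is the scheme output quoted in the thread: 6 symbols drawn from
    # a 36-symbol pool (uppercase letters + digits).
    print("5FHX7E:", round(entropy_bits(6, 36), 1), "bits,",
          "accepted by", sites_accepting("5FHX7E"))
    phrase = diceware_passphrase(4)
    print(phrase, ":", round(entropy_bits(4, len(SAMPLE_WORDS)), 1),
          "bits with the sample list,",
          round(entropy_bits(4, DICEWARE_LIST_SIZE), 1), "with the real list,",
          "accepted by", sites_accepting(phrase))
    key = roll_dice_key()
    print("rolled key", key, "-> list index", dice_key_to_index(key))
```

Running it shows the trade-off both posters are describing: four real Diceware words carry about 52 bits against roughly 31 for "5FHX7E", yet the same passphrase is rejected by one sample site for exceeding its maximum length and by another for lacking a symbol from its particular list, while a hyphen separator satisfies only the site whose symbol list happens to contain "-". The fix for that mismatch lives in the policy table, not in the generation scheme, which is exactly why a password manager stores per-site values instead of deriving them.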

