[colug-432] Memorizing Unique Passwords
thomas.w.cranston at gmail.com
Thu Sep 10 15:53:09 EDT 2015
On 09/10/2015 02:01 PM, michael at yanovich.net wrote:
> I once tried to use that algorithm method for generating passwords on various
> sites, but the problem I kept running into (and why I don't use it anymore)
> is that password requirements for different sites can widely vary.
> For example:
> * minimum length
> * maximum length
> * have at least 1 of each 'set' of characters (1 capital, 1 lower, 1 special
> char, or 1 special char from this limited list that is different from
> another site.)
> If password requirements were standardized across most sites, I could easily
> see this method catching on, otherwise I'm going to keep using KeePassX.
> On 09/10/2015 02:38 PM, Scott Merrill wrote:
>>>> "Amazon," for instance, becomes "5FHX7E" for a password using this scheme, but you don't have to memorize it --
>>>> only the scheme itself.
>>> I realize that's an example, but it's also a very weak password - short, all uppercase, and no symbols.
>> That’s true, but passwords do not exist in a vacuum. A password like the above might be easy to brute force from a hash downloaded from a database dump, but is less easy to brute force at the login screen at Amazon.com.
>> As with most things, one must perform some level of risk analysis. Do you want an arbitrarily complex password that is resistant to offline attack, as in the case of the Ashley Madison data dump? Or do you want a password that makes it sufficiently hard for someone to log in as you? If you’re mostly concerned about the latter, then I’d wager that the above password is “good enough”, and it looks relatively secure against guesses based on public data about you.
>> How much security / safety does one gain by adding mixed case letters or special characters? Sure, you get some, but that comes with the added complexity of the mental burden to remember the algorithm.
>> If you use a different password at most sites, then a compromise of one is less likely to jeopardize your other passwords. Unless someone is specifically targeting *you*, and therefore analyzing *your* passwords across multiple compromised services, your password algorithm is vanishingly unlikely to be noticed. So even a weak algorithm offers increased overall security.
>> While we’re sharing password generation algorithms, consider also the diceware solution:
>> Also don’t forget about two factor authentication. I enable two factor authentication for every site that offers it. I was really happy to see that sixxs.net offers 2fa for their ipv6 tunnel service!
I don't see the need to have a unique password for most of the sites I
need to log into. I am not concerned about places like bobistheoilguy
forum or ford escort owners forum. There are too many of those places to
have a unique password for. Anything identity or financial related I use
the strongest and unique password for each. I also do a bare minimum of
such transactions, and no banking at all.
Sent by LinuxMint
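The policy mismatch Michael describes above (min/max length, required character classes, site-specific special-character lists) can be made concrete. The following is an added example, not code from anyone in this thread: it assumes a hypothetical HMAC-based per-site scheme that, like the "5FHX7E" example, emits only uppercase letters and digits, and checks its output against a few constructed site policies.

```python
import hmac
import hashlib
import string
from dataclasses import dataclass
from typing import Dict, List

# Constructed site policies, modelled on the kinds of rules Michael lists.
@dataclass(frozen=True)
class Policy:
    min_len: int
    max_len: int
    need_lower: bool = False
    need_upper: bool = False
    need_digit: bool = False
    specials: str = ""   # allowed special characters; "" means none required

POLICIES: Dict[str, Policy] = {
    "lax-forum":   Policy(6, 64),
    "bank":        Policy(12, 20, True, True, True, "!@#$%"),
    "legacy-site": Policy(8, 12, True, True, True, "_-."),  # a different special-char list
}

def violations(password: str, policy: Policy) -> List[str]:
    """Return every rule of `policy` that `password` breaks (empty list = accepted)."""
    problems = []
    if len(password) < policy.min_len:
        problems.append("too short")
    if len(password) > policy.max_len:
        problems.append("too long")
    if policy.need_lower and not any(c.islower() for c in password):
        problems.append("no lowercase")
    if policy.need_upper and not any(c.isupper() for c in password):
        problems.append("no uppercase")
    if policy.need_digit and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if policy.specials and not any(c in policy.specials for c in password):
        problems.append("no allowed special")
    return problems

ALPHABET = string.ascii_uppercase + string.digits  # same character set as "5FHX7E"

def derive(master: str, site: str, length: int = 6) -> str:
    """Hypothetical scheme: HMAC-SHA256(master, site) mapped onto ALPHABET.
    The 256-bit digest is treated as an integer and split base-36, so the
    bias from the modulo step is negligible for short outputs."""
    n = int.from_bytes(hmac.new(master.encode(), site.encode(), hashlib.sha256).digest(), "big")
    out = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)

def report(password: str) -> Dict[str, List[str]]:
    """Which of the constructed policies reject a given derived password, and why."""
    return {name: violations(password, p) for name, p in POLICIES.items()}
```

Running `report(derive("master-secret", "amazon"))` shows the same six-character output accepted by the lax forum and rejected by the other two for different reasons, which is the standardisation problem the quoted message points at.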