Security Basics mailing list archives
Re: Choosing unique passwords - how paranoid is too paranoid?
From: "Eric Furman" <ericfurman () fastmail net>
Date: Wed, 25 Jun 2008 11:22:38 -0400
On Tue, 24 Jun 2008 23:27:37 -0400, "Johann MacDonagh" <johann () macdonaghs com> said:
Hi all,

I've recently begun a full-on password change process where I'm increasing the security of passwords I use for various systems I use (computer systems, websites, etc...). In the past I've only used a few different passwords and hoped for the best. I'd like to start working on a new system that allows me to create easy to remember passwords for each unique system. I don't want to create completely random ones and rely on a password manager, because I use these systems at home, at work, and on my iPhone. They need to be something I can easily type.

So my first scheme involved coming up with a rather long base password, choosing a 4 character acronym for each system, mixing it up in a certain way, and inputting those jumbled characters in predefined locations. This solved one issue:

1. If someone were to compromise one password, it's unlikely they would be able to deduce the same pattern for other systems.

Then, I got paranoid. What if they had two passwords? The differences could be found, and analyzing the 24 different permutations (4!) of the differences could quickly find a pattern.

So, I modified it a little. I took the name of each system, padded and mixed in yet *another* master password (this time much shorter), and ran it through this (on OS X):

echo -n mypaddedstring | openssl dgst -md5 -binary | openssl enc -base64

and took the first few characters. I put that in a certain location of my master password. The reason to use a hash function is pretty obvious, and base64 allows me to add in additional bits to brute force with the same number of keys. This has worked out better. I've started using mnemonics to remember each system's unique part. Muscle memory!

Now, I'm up against a wall. I can't possibly remember a different password for *each* system. So I came up with the (final) idea of classifying systems as high or low, depending on the problems a compromise would create. For example, my registration on some random forum is low, whereas my PGP passphrase is high.

I know this is looking like there will never be a question, but there is. What does everyone think of this system? Would you classify sites that hold somewhat private information (such as Amazon.com without any saved payment methods) as high or low? Is there another way?
Anything with saved confidential personal info I consider High. I consider my address and phone number confidential.

I know this doesn't really answer your question, but... What I did for (non critical) passwords where I had to change my passwords fairly frequently was I wrote them down. :-) This was my system. I wrote a list of passwds like:

Ab25dQ9kQ5
s6tRM972Zw
l8RW2sx9Wj
o0pdF43Wv
etc...

Then one time I would use b25dQ9kQ, then 6tRM972Z then RW2sx9W... When done I would use 25dQ9kQ5 then tRM972Zw and so on. Given enough passwds on this list, even if this list was compromised and they even realized what it was, I believe it would provide more than enough security. Especially with 3 strikes and you're locked out systems.

For non critical systems (critical would be any admin passwd or your online banking passwd) I don't think you need separate passwds. Just one really good one.
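Both schemes in this message, worked through as an added example that is not part of either poster's text. The first half reproduces Johann's derivation (MD5 of the padded system name, base64, first few characters, spliced into a master password at a fixed offset) with Python's hashlib instead of the openssl pipeline; MASTER, PADDING, TOKEN_LEN, INSERT_AT and the concatenation order are all assumptions, since the post gives none of them. It also includes the two-password comparison Johann worries about, to show what such a comparison reveals. The second half implements Eric's rotating-window list over the four strings he quotes; starting at shift 1 is taken from his own example, which begins with b25dQ9kQ rather than Ab25dQ9k.

```python
import base64
import hashlib
from typing import Iterator, List

# --- Johann's per-system token scheme -------------------------------------
# The values below are placeholders for this example; the post gives none of them.
MASTER = "CorrectHorseBattery"     # hypothetical long base password
PADDING = "xy7!"                    # hypothetical shorter second master password
TOKEN_LEN = 4                       # "the first few characters" of the base64 output
INSERT_AT = 7                       # fixed position at which the token is spliced in


def site_token(system: str, padding: str = PADDING, n: int = TOKEN_LEN) -> str:
    """Reproduce  echo -n "$system$padding" | openssl dgst -md5 -binary | openssl enc -base64
    and keep the first n characters. Concatenation order (system, then padding) is
    an assumption; the post only says the name was "padded and mixed in"."""
    digest = hashlib.md5((system + padding).encode("utf-8")).digest()
    # Base64 carries 6 bits per character and hex only 4, so n characters of
    # the base64 form cover 6*n bits of the digest instead of 4*n.
    return base64.b64encode(digest).decode("ascii")[:n]


def site_password(system: str, master: str = MASTER, at: int = INSERT_AT) -> str:
    """Splice the system's token into the master password at a fixed offset."""
    token = site_token(system)
    return master[:at] + token + master[at:]


def differing_positions(a: str, b: str) -> List[int]:
    """Positions at which two same-length passwords differ. This is the
    comparison Johann describes an attacker holding two passwords doing:
    with a fixed-offset splice every difference falls inside the token slot,
    which tells the attacker where the per-system part lives and that the
    rest is a shared master string."""
    if len(a) != len(b):
        raise ValueError("passwords built by site_password always share a length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


# --- Eric's rotating-window list scheme ------------------------------------
# The pool is the list quoted in Eric's reply (the last entry is 9 characters
# long, so it drops out one round earlier than the others).
POOL = ["Ab25dQ9kQ5", "s6tRM972Zw", "l8RW2sx9Wj", "o0pdF43Wv"]


def rotating_passwords(pool: List[str], width: int = 8, start: int = 1) -> Iterator[str]:
    """Walk the list once per round, yielding a `width`-character window of
    each entry; each new round slides the window one character further.
    Entries too short for the current shift are skipped, and the generator
    ends when no entry has a window left."""
    shift = start
    while True:
        produced = False
        for entry in pool:
            if shift + width <= len(entry):
                yield entry[shift:shift + width]
                produced = True
        if not produced:
            return
        shift += 1


def all_distinct(values: List[str]) -> bool:
    """Check that the rotation never hands out the same password twice."""
    return len(set(values)) == len(values)


if __name__ == "__main__":
    for name in ("amazon", "forum"):
        print(f"{name:8s} token={site_token(name)} password={site_password(name)}")
    print("differ at", differing_positions(site_password("amazon"), site_password("forum")))
    print("rotation:", list(rotating_passwords(POOL)))
```

Running it prints two derived passwords that differ only at positions 7 through 10, which is the point of differing_positions: the hash stops an attacker from reversing a token back to a system name, but two leaked passwords still expose the offset of the token and the master string around it. The rotation yields seven distinct eight-character windows from Eric's four entries before the list is exhausted.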
Current thread:
- Choosing unique passwords - how paranoid is too paranoid? Johann MacDonagh (Jun 25)
- Re: Choosing unique passwords - how paranoid is too paranoid? Eric Furman (Jun 25)
- RE: Choosing unique passwords - how paranoid is too paranoid? Rivest, Philippe (Jun 25)
- Re: Choosing unique passwords - how paranoid is too paranoid? Orlin Gueorguiev (Jun 25)
- Re: Choosing unique passwords - how paranoid is too paranoid? Ansgar -59cobalt- Wiechers (Jun 26)
- Re: Choosing unique passwords - how paranoid is too paranoid? Kurt Buff (Jun 26)
- RE: Choosing unique passwords - how paranoid is too paranoid? Chris LoVerme (Jun 27)