Author Topic: Looking for password "scheme" suggestions  (Read 4544 times)
Josh
« on: January 25, 2012, 11:37:12 AM »

OK all, I am working on securing my passwords in a manner which would hinder most "passer-by" style hack attempts. What techniques do you use, or have you used, to set up a password system which is easy to remember and adapt to various sites and services? I have broken this down into three basic categories.

First, would be the majority of sites which do not arbitrarily limit you to "6-8 characters" and permit all special characters.

Second, those sites which limit which special characters you can use. This is fairly easy to adapt to the first item above.

Third, those sites which limit you to the number of characters.

So, with that said, what types of systems do you use or have you seen used? Please, feel free to be general so as to not give away personal info. I am just looking for ideas.
wr975
« Reply #1 on: January 25, 2012, 01:19:32 PM »

I'm using KeePass to store my passwords... for quite some years now. Right now there are 839 entries in my database. ;-)

The KeePass password generator (a lot of options) creates random passwords, so each site has a different 8-char password (examples: exoI5uAG, pUdgy8Mh, 39_8rm1E). For very important sites I'm using 18-char passwords.

Many sites have problems with too long passwords, or special chars (! $ % & [ ] < >). For KeePass it's easy to generate passwords like "Õ¼1êyûq "äÔÐlAW" or "Ò³Îu¾øfÍ", but I can't use them. ;-)

I also like using "LastPass" to log into my accounts.

FWIW... already seen Gibson's "Haystack" site?

https://www.grc.com/haystack.htm

He claims the password "D0g....................." is stronger than "PrXyc.N(n4k77#L!eVdAfp9".
« Last Edit: January 25, 2012, 01:25:56 PM by wr975 »
Josh
« Reply #2 on: January 25, 2012, 01:25:57 PM »

wr, I have used KeePass, and use LastPass currently. What I want is something that eliminates the need for "random password generators" and provides a simple mechanism I can use, on the fly, to generate my passwords. Perhaps something which incorporates the name of a site or system I am using. This way, I do not have to remember J@Bv8Hnk149*&&1j4^%^$#* as my password but could remember "Saffrazon like$ t0fu!" instead.
Deozaan
« Reply #3 on: January 25, 2012, 01:38:38 PM »

I haven't put much thought into this (which should be obvious) but for sites that don't limit you, you could just do something simple like:

donationcoderisthesiteiamlogginginto

Of course, to increase security you'd want to use mixed case and symbols and numbers. That could lead to something like this:

DonationCoderIsThe$ite!AmLoggingInto2Day

Easy to remember, long, and different for every site.

But the problem is that the pattern is too easy to see, so if anyone ever gets your password for any other site they will know it for every site.
40hz
« Reply #4 on: January 25, 2012, 03:10:13 PM »

Unless you're using a true random and complex password for each different site (i.e. impossible to memorize) it's all pretty much moot according to one security specialist I asked. I showed her this (which has been posted on DC before):

She said it was at least as secure as 90% of what else is out there. And a lot easier to use.

I've since switched over to this, and added a little additional complexity by adding a few arbitrary number/punctuation mark strings to the above using a simple scheme I've come up with. It's not worth sharing since the internal logic only means something to me.

If somebody succeeds in guessing my passwords after that, all I can say is, "Oh well."
Stoic Joker
« Reply #5 on: January 25, 2012, 04:27:31 PM »

What ^he^ said.

However I have used a base mnemonic with special characters and a site specific code successfully in the past.
Edvard
« Reply #6 on: January 26, 2012, 06:47:08 AM »

OK, here's something similar to my scheme:

For a 9-character password with upper/lowercase and numbers/special chars:
Take first 5 letters of the site you're signing up at.
Pick a 4-number combo that you can remember (last 4 digits of phone #, SSN, etc.)
  • first letter - first number
  • hold down shift key
  • second letter - second number
  • let go of shift key
  • third letter - third number
  • hold down shift key
  • fourth letter - fourth number
  • let go shift key
  • fifth letter

That makes it easy to remember and complex at the same time.

Like I've said before, a password is only as secure as the server it's stored on.
If somebody gets in, it doesn't matter if your password is d1O@n3A$t or mickey mouse.
$0.02
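Edvard's keyboard scheme above, written out as an added example (this is not the poster's code). It assumes a US QWERTY layout, which the post does not state, so Shift turns 1234567890 into !@#$%^&*() and letters into upper case, and it uses only the letters of the site name.

```python
# What the number row produces while Shift is held (US layout; an assumption)
SHIFTED_DIGITS = dict(zip("1234567890", "!@#$%^&*()"))


def edvard_password(site_name: str, four_digits: str) -> str:
    """Interleave the first five letters of the site with four memorised digits.

    Letter/digit pairs 1 and 3 are typed with Shift released, pairs 2 and 4 with
    Shift held, then the fifth letter with Shift released again, exactly as the
    bullet list in the post describes.
    """
    letters = [c for c in site_name.lower() if c.isalpha()][:5]
    if len(letters) < 5:
        raise ValueError("site name needs at least five letters")
    if len(four_digits) != 4 or not four_digits.isdigit():
        raise ValueError("the memorised part must be exactly four digits")

    out = []
    shift_held = False
    for letter, digit in zip(letters[:4], four_digits):
        if shift_held:
            out.append(letter.upper() + SHIFTED_DIGITS[digit])
        else:
            out.append(letter + digit)
        shift_held = not shift_held   # "hold down shift key" / "let go of shift key"
    out.append(letters[4])             # fifth letter, Shift released
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs: the site from this thread and a placeholder PIN.
    print(edvard_password("donationcoder", "1234"))
```

With the site donationcoder and the digits 1234 it yields d1O@n3A$t, the example password in the post. Because the site name is public, the four digits are the only secret and they repeat across every site, which is the "pattern is too easy to see" weakness Deozaan raised earlier in the thread.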
4wd
« Reply #7 on: January 26, 2012, 06:20:14 PM »

For anything that can be >20 characters I use easily remembered sentences complete with punctuation/capitalisation/etc.

e.g. Not one I use but a question I was asked that has stuck in my head for >30 years

Passphrase: Does cam low profile alter valve train component acceleration?

For anything <20 characters, I use Password Card as mentioned here, kudos to joby_toss btw.
I have a pair of these laminated back to back, after using a password, (selected off them), a few times, I no longer need the card to look it up but it is there if I need it.

If I need something ridiculously complex, (i.e. hard to remember), I'll take something easy to remember and ROT13 or ROT47 it, (or ROTxx).
Stoic Joker
« Reply #8 on: January 26, 2012, 06:49:00 PM »

Quote: Passphrase: Does cam low profile alter valve train component acceleration?

(Sorry about the sidetrack, but...(this is gonna bug me)) I'd have to go with yes. Acceleration of the reciprocal mass is controlled by the ramp contour of the lobe. So a low profile cam would have a smoother transition and therefore open the valves more slowly. IIRC (It's been a while). Maybe best to PM me so we don't sidetrack the thread.
AndyM
« Reply #9 on: January 26, 2012, 07:01:44 PM »

Quote: Does cam low profile alter valve train component acceleration?

Yes.
4wd
« Reply #10 on: January 26, 2012, 08:57:56 PM »

Quote: Passphrase: Does cam low profile alter valve train component acceleration?

Quote: I'd have to go with yes.

Back OT, like I said, it's just one of a number of phrases/questions/etc that just stuck in my head over the last 30-40 years.  Another good source is taglines, god knows having spent a considerable number of hours on Usenet over the years there's tons floating around in my head.

Keyboards at the KGB have no 'Escape' key...
« Last Edit: January 26, 2012, 09:04:40 PM by 4wd »
J-Mac
« Reply #11 on: January 27, 2012, 09:01:38 AM »

Slightly OT, but I use LastPass for my logins, and I also use Keepass to store a database of all my known logins, passwords, passphrases, etc. A big problem, though, is trying to keep the data somewhat synchronized!

Not all the data in KeePass is needed in LastPass, but I do want all of the LastPass data stored in KeePass. However I haven't found a way to automate this. At first I tried to get all my LP data nice and correct after the initial import of Roboform data. Then I exported that and imported it into KeePass. (First I exported the existing KeePass data to a CSV file). Then I added the passphrase and other unique data back into KeePass. So at that point LP had all my web logins and KeePass had all of that plus all my other non-web data. Of course it all started crumbling from there! Mostly, as new and/or changed logins that occur in LP don't always get changed in KeePass also. I could just wipe my KeePass data regularly and replace it with the latest export from LP, but that doesn't cover my other KeePass data.

Anyone else find a way around this?

Thanks!

Jim
40hz
« Reply #12 on: January 27, 2012, 09:47:33 AM »


Quote: For anything <20 characters, I use Password Card as mentioned here, kudos to joby_toss btw. I have a pair of these laminated back to back, after using a password, (selected off them), a few times, I no longer need the card to look it up but it is there if I need it.

The card idea is a good one. We used to do a variant of that by creating a card using data generated using tools over at www.random.org

We'd then post it in the locked server room and pass out smaller pocket cards for the local server admins to use. All they needed to remember was a letter and two numbers for row, start position, and # of characters (ex: M-20-22).

It worked great until some idiots started highlighting their sequences so they'd be "easier to find."

And like a dummy, I always wondered why they'd ask us for fresh copies every other month when password changes were mandatory. Call me DUH!

Which further goes to show any security system is only as good as the dumbest moron using it.
« Last Edit: January 27, 2012, 09:56:32 AM by 40hz »
MerleOne
« Reply #13 on: January 27, 2012, 10:16:38 AM »

Hi,
I had a small software developed by a colleague named Passwd (the app, not the colleague!), which does the following:

Enter a master key (hidden or not),

or

Enter a name, typically the name of the service/website you want to create a password for, and you get an 8-symbol password, symbols being chosen within a-z and 0 to 9 (32m option); within A-Z and 0-9 (32M option), and a mix of all printable chars (64 option). Then you can copy/paste it.

It's basically a hash function, deterministic and non-reversible.

This colleague, David, unfortunately, lost the Visual Basic source, so it's difficult to improve it...

I still use it 10 years or so after it was done ...
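A deterministic, non-reversible generator in the spirit of the Passwd tool described above, added here as an example; it is not David's program (whose Visual Basic source is lost), and it also answers Josh's wish for something that folds the site name into the password. Assumptions: HMAC-SHA256 as the one-way function, the three alphabets read off the post's 32m / 32M / 64 options, and an extra version number so a single site's password can be rotated without changing the master key.

```python
import hashlib
import hmac
import string

ALPHABETS = {
    "32m": string.ascii_lowercase + string.digits,  # a-z and 0-9
    "32M": string.ascii_uppercase + string.digits,  # A-Z and 0-9
    "64": string.printable.strip(),                 # the 94 printable ASCII chars, no whitespace
}


def derive_password(master_key: str, service: str, mode: str = "32m",
                    length: int = 8, version: int = 1) -> str:
    """Return the password for `service` under `master_key`.

    Same inputs always give the same output (deterministic); getting the master
    key back from an output means breaking HMAC-SHA256 (non-reversible).
    """
    alphabet = ALPHABETS[mode]
    # Accept only bytes below the largest multiple of len(alphabet) so every
    # symbol is equally likely; a plain `byte % len(alphabet)` would favour the
    # first few symbols of the alphabet.
    limit = 256 - (256 % len(alphabet))
    # Newline-separated fields keep service/version pairs from colliding
    # (service names do not contain newlines).
    label = f"{service}\n{version}\n".encode("utf-8")
    key = master_key.encode("utf-8")

    out = []
    counter = 0
    while len(out) < length:
        # A fresh 32-byte block per counter value; one block is usually enough.
        block = hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for byte in block:
            if byte < limit:
                out.append(alphabet[byte % len(alphabet)])
                if len(out) == length:
                    break
        counter += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed demonstration inputs; "example-master-key" is a placeholder.
    for mode in ALPHABETS:
        print(mode, derive_password("example-master-key", "donationcoder", mode))
```

Two caveats a derived scheme carries that a vault of random passwords does not: one leaked master key exposes every site at once, and the 32m/32M modes give no guarantee that a site's composition rule (say, "must contain a symbol") is met.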
MerleOne
« Reply #14 on: January 27, 2012, 10:17:53 AM »

BTW, alpha is *NOT* my master key....
40hz
« Reply #15 on: January 27, 2012, 10:18:41 AM »


Quote: Like I've said before, a password is only as secure as the server it's stored on. If somebody gets in, it doesn't matter if your password is d1O@n3A$t or mickey mouse. $0.02

Excellent point, and very true.

Also don't leave out "as secure as the device it's entered on" (and the network it's connected to) since keyloggers and network sniffers also have their place in a blackhat's toolkit.

Not so much an issue for home users. But it's definitely a very real concern in business IT environments.
tranglos
« Reply #16 on: January 27, 2012, 02:00:04 PM »

Quote: Like I've said before, a password is only as secure as the server it's stored on. If somebody gets in, it doesn't matter if your password is d1O@n3A$t or mickey mouse. $0.02

This is rule number one for me. It used to be that we were supposed to make passwords "easy to remember but hard to guess". Yeah, make it so that your family or your boss or your pals won't guess it (if that's who you want privacy from), but beyond that, the complexity, bits of randomness or key length don't matter much anymore. Once a server gets hacked into, there's no telling what happens next.

For the really important stuff (where I could lose money or critical access, like banking or my domain control panel) I use long, complex passwords; other than that I don't even bother any more.

What happens in the end is that someone hacks into your ISP and they can't even tell exactly what was accessed. Or one day you find unauthorized charges to your credit card, because you paid with this card online once and some idiot thought it was a good idea to store your cc number on their badly secured server "for your convenience". (I was lucky and got every penny refunded by VISA within a week; the charges were obviously fraudulent, like $20 every hour from some UK gambling joint until the account was empty.)

But, FWIW, to me the most useful method for generating a fairly secure (in the outdated sense) password is to start with a quote or a line from a book or a song that you know well and take the first (second, third, take your pick) letter of each. Make some of them numbers or add punctuation if you want, but the important thing is to use a fairly long quote, and not something obvious like "to be or not to be".

Another way that I've used a few times: just type nonsense on the keyboard but in such a way as to let your fingers do the work for you. Type keys that feel natural to press one after another, so that the typing itself has a "flow". For example, if you use only the left hand, typing "wjzu" on a QWERTY keyboard is hard and slow, but typing "wdax" is quick and feels natural. Extend this to 10 or 12 characters and learn this flow, then your muscle memory will do the rest. I sometimes forget my PIN, but I remember the pattern of buttons to push, that's just as good.
tranglos
« Reply #17 on: January 27, 2012, 02:04:47 PM »

...and just for your amusement, I should add that here in Poland Anonymous and other hacking "collectives" have been DDoS-ing and hacking into various government sites in response to the government's signing of ACTA. Apparently the prime minister's computer was secured with username 'admin' and password 'admin1'. Our PM has a new nickname now :-)


Stoic Joker
« Reply #18 on: January 27, 2012, 02:31:51 PM »

I was just at a new client this morning that was using password as the password for the administrator account. They thought it was just fine because they'd renamed the Administrator account to something "clever"... *Sigh* ...Apparently they've also never heard of (the built-in account) GUIDs.
40hz
« Reply #19 on: January 27, 2012, 03:09:49 PM »

Seen similar stupidity here. I had a client's server compromised because the owner of the company insisted on using Administrator as his login name coupled with a password so obvious it was laughable.

When I asked the local admin why she didn't follow the recommended practice of disabling or renaming that account, she said she did. But the owner insisted she put it back - and give it to him.

He seemed to think having Administrator (as an ID) conferred some über-Ninja powers not held by any other domain admin account. He figured if he had that, he could never get locked out of HIS server by someone else.

He had done some "reading up" on Windows 2003 Server don't you know?

Amazing! In this day and age...a guy running a successful multimillion dollar marketing operation, who's that technically clueless.

And he's younger than me!

I didn't think there were any of those left.

Shades
« Reply #20 on: January 27, 2012, 05:10:05 PM »

@40hz:
It could be me, but I have the impression that most of the kids from today only know when "internet doesn't work" and that they (gladly) look to the previous generation to fix the problem they experience.

Besides that, I overheard some conversations between CS students (at a LAN party) about how they solve networking issues and I was amazed about the bullcrap that came out of their (Microsoft-orientated) mouths. How they could come to their interpretation of the study material baffles me. Actually one of them is responsible for the IT in his father's (fancy lawyer) office and already makes more than me. But he asked me to help out setting up the LAN for his LAN party, because he was not able to set it up properly.

It is really 'who you know, not what you know' that gets you ahead over here in these parts of the world.
[/off-topic]

[on-topic]
Personally I use a set of difficult passwords and mix-and-match them how I see fit, adding a random number and/or symbol. No-one that knows me is able to guess or deduce what the (complete) base set of my passwords is and adding mix-and-match....well, good luck! The numbers and/or symbols are there to comply with security definitions.

Not the best of schemes (by far!) but it is one I have no trouble remembering, makes for quite "messy" passwords and soothes my paranoia sufficiently.

And I agree wholeheartedly with the earlier statement which says where your password is stored is just as important as its difficulty.

Hence I trust my mind and ability to not communicate passwords best as those are under my control, while storage on servers isn't.
Besides, there is not much to keep secret and being (happily) without credit card I don't have an on-line access point to my money anyway.
40hz
« Reply #21 on: January 27, 2012, 06:34:48 PM »

O.T. ALERT !!! Feel free to skip the following post. You have been WARNED!!!


Quote: @40hz: It could be me, but I have the impression that most of the kids from today only know when "internet doesn't work" and that they (gladly) look to the previous generation to fix the problem they experience.

Quote: Besides that, I overheard some conversations between CS students (at a LAN party) how they solve networking issues and I was amazed about the bullcrap that came out of their (Microsoft-orientated) mouths. How they could come to their interpretation of the study material baffles me. Actually one of them is responsible for the IT in his fathers (fancy lawyer) office and already makes more than me. But he asked me to help out setting up the LAN for his LAN party, because he was not able to set it up properly.

That's been my impression more often than not.

But in the world of tech, the "digital plumbers" (as I like to think of myself) are fairly rare. You either love it and "get it" or you don't. If it's not for you, I won't fault you. But please don't come bothering me because you're simply too lazy to learn something about basic networking. It's not particle physics. I can teach a chimpanzee everything it needs to know in a few hours. And that includes having the chimp set up a basic secure network and a file/print server for itself. (Maybe even glom down some pizza and get in a quick few rounds of Snood while we're at it!) And then get chimp-boy/girl to repeat doing it two more times just so we're sure it wasn't luck.

Network and server technology isn't hard. Video and graphic applications are ten times harder to get good at. And most kids are great at those. So I'm skeptical of excuses about not being able to learn basic data network skills because "it's too hard."

It isn't. So grow up.

Quote: It is really 'who you know, not what you know' that gets you ahead over here in these parts of the world.

Pretty true most places I would guess.

In the USA there's enough of the shadow of a hint of a whisper of a meritocracy that it's kept its people from generally taking up arms for about the last 150 years. Or at least in most places. A stable economy and a high standard of living covers a multitude of sins.

What the future will bring, however, is anybody's guess.

kyrathaba
« Reply #22 on: January 27, 2012, 09:16:22 PM »

You're all a bit paranoid. I just use the word "password" for all my passwords. It's never failed me yet...
Stoic Joker
« Reply #23 on: January 27, 2012, 09:21:13 PM »

Quote: You're all a bit paranoid. I just use the word "password" for all my passwords. It's never failed me yet...

What? I thought Open Sesame was the universal password...
rgdot
« Reply #24 on: January 28, 2012, 12:37:44 AM »

I use justtryandguessmypassword everywhere ;)