Looking for password "scheme" suggestions

[Josh]

OK all, I am working on securing my passwords in a manner which would hinder most "passer-by" style hack attempts. What techniques do you use, or have you used, to setup a password system which is easy to remember and adapt to various sites and services. I have broken this down into three basic categories.

First, would be the majority of sites which do not arbitrarily limit you to "6-8 characters" and permit all special characters.

Second, those sites which limit which special characters you can use. This is fairly easy to adapt to the first item above.

Third, those sites which limit you to the number of characters.

So, with that said, what types of systems do you use or have you seen used? Please, feel free to be general so as to not give away personal info. I am just looking for ideas.

[wr975]

I'm using KeePass to store my passwords... since quite some years. Right now there're 839 entries in my database. ;-)

The KeePass password generator (a lot of options) creates random passwords, so each site has a different 8 chars password (examples: exoI5uAG, pUdgy8Mh, 39_8rm1E). For very important sites I'm using 18 chars passwords.

Many sites have problems with too long passwords, or special chars (! $ % & [ ] < >). For KeePass it's easy to generate passwords like "Õ¼1êyûq "äÔÐlAW" or "Ò³Îu¾øfÍ", but I can't use them. ;-)

I also like using "LastPass" to log into my accounts.


FWIW... already seen Gibson's "Haystack" site?

https://www.grc.com/haystack.htm

He claims the password "D0g....................." is stronger than "PrXyc.N(n4k77#L!eVdAfp9"

[Josh]

wr, I have used keepass, and use lastpass currently. What I want is something that eliminates the need for "Random password generators" and provides a simple mechanism I can use, on the fly, to generate my passwords. Perhaps something which incorporates the name of a site or system I am using. This way, I do not have to remember J@Bv8Hnk149*&&1j4^%^$#* as my password but could remember "Saffrazon like$ t0fu!" instead.

[Deozaan]

I haven't put much thought into this (which should be obvious) but for sites that don't limit you, you could just do something simple like:

donationcoderisthesiteiamlogginginto

Of course, to increase security you'd want to use mixed case and symbols and numbers. That could lead to something like this:

DonationCoderIsThe$ite!AmLoggingInto2Day

Easy to remember, long, and different for every site.

But the problem is that the pattern is too easy to see, so if anyone ever gets your password for any other site they will know it for every site.

[40hz]

Unless you're using a true random and complex password for each different site (i.e. impossible to memorize) it's all pretty much moot according to one security specialist I asked. I showed her this (which has been posted on DC before):



She said it was at least as secure as 90% of what else is out there. And a lot easier to use.

I've since switched over to this, and added a little additional complexity by adding a few arbitrary number/punctuation mark strings to the above using a simple scheme I've come up with. It's not worth sharing since the internal logic only means something to me.

If somebody succeeds in guessing my passwords after that, all I can say is, "Oh well."

[Stoic Joker]

What ^he^ said 

However I have used a base mnemonic with special characters and a site specific code successfully in the past.

[Edvard]

ok, here's something similar to my scheme:

For a 9-character password with upper/lowercase and numbers/special chars:
Take first 5 letters of the site you're signing up at.
Pick a 4-number combo that you can remember (last 4 digits of phone #, SSN, etc.)

• first letter - first number
• hold down shift key
• second letter - second number
• let go of shift key
• third letter - third number
• hold down shift key
• fourth letter - fourth number
• let go shift key
• fifth letter

That makes it easy to remember and complex at the same time.  

Like I've said before, a password is only as secure as the server it's stored on.
If somebody gets in, it doesn't matter if your password is d1O@n3A$t or mickey mouse.
$0.02

[4wd]

For anything that can be >20 characters I use easily remembered sentences complete with punctuation/capitalisation/etc.

eg. Not one I use but a question I was asked that has stuck in my head for >30 years

Passphrase: Does cam low profile alter valve train component acceleration?

For anything <20 characters, I use Password Card as mentioned here, kudos to joby_toss btw.
I have a pair of these laminated back to back, after using a password, (selected off them), a few times, I no longer need the card to look it up but it is there if I need it.

If I need something ridiculously complex, (ie. hard to remember), I'll take something easy to remember and ROT13 or ROT47 it, (or ROTxx).

[Stoic Joker]

Passphrase: Does cam low profile alter valve train component acceleration?

-4wd (January 26, 2012, 06:20 PM)

(Sorry about the side track, but...(this is gonna bug me)) I'd have to go with yes. Acceleration of the reciprocal mass is controlled by the ramp contour of the lobe. So a low profile cam would have a smoother transition and therefore open the valves more slowly. IIRC (It's been a while). Maybe best to PM me so we don't side track the thread.

[AndyM]

Does cam low profile alter valve train component acceleration?

-4wd (January 26, 2012, 06:20 PM)

yes

[4wd]

Passphrase: Does cam low profile alter valve train component acceleration?

-4wd (January 26, 2012, 06:20 PM)

I'd have to go with yes.

-Stoic Joker (January 26, 2012, 06:49 PM)

 

Back OT, like I said, it's just one of a number of phrases/questions/etc that just stuck in my head over the last 30-40 years.  Another good source is taglines, god knows having spent a considerable number of hours on Usenet over the years there's tons floating around in my head 

Keyboards at the KGB have no 'Escape' key...

[J-Mac]

Slightly OT, but I use LastPass for my logins, and I also use Keepass to store a database of all my known logins, passwords, passphrases, etc. A big problem, though, is trying to keep the data somewhat synchronized!

Not all the data in Keepass is needed in LastPass, but I do want all of the LastPass data stored in Keepass. However I haven't found a way to automate this. At first I tried to gt all my LP data nice and correct after the initial import of Roboform data. Then I exported tht and imported it into Keepass. (First I exported the existing Keepass data to a csv file). Then I added the passphrase and other unique data back into Keepass. So at thqt point LP had all my web logins and Keepass had all of that plus all my other non-web data. Of course it all started crumbling from there! Mostly, as new and/or changed logins that occur in LP don't always get changed in Keepass also. I could just wipe my Keepass data regularly and replace it with the latest export from LP, but that doesn't cover my other Keepass data.

Ayone else find a way around this?

Thanks!

Jim

[40hz]

For anything <20 characters, I use Password Card as mentioned here, kudos to joby_toss btw.
I have a pair of these laminated back to back, after using a password, (selected off them), a few times, I no longer need the card to look it up but it is there if I need it.

-4wd (January 26, 2012, 06:20 PM)

The card idea is a good one. We used to do a variant of that by creating a card using data generated using tools over at www.random.org  

We'd then post it in the locked server room and pass out smaller pocket cards for the local server admins to use. All they neede to remember was a letter and two numbers for row, start position, and # of characters (ex: M-20-22).

It worked great until some idiots started highlighting their sequences so they'd be "easier to find."

And like a dummy, I always wondered why they'd ask us for fresh copies every other month when password changes were mandatory. Call me DUH!  

Which further goes to show any security system is only as good as dumbest moron using it.

[MerleOne]

Hi,
I had a small software developed by a colleague named Passwd (the app, not the colleague!), which does the following :



Enter a master key (hidden or not),


or


Enter a name, typically the name of the service/website you want to create a password for and you get a 8 symbols password



symbols being chosen within a-z and 0 to 9 (32m option); within A-Z  and 0-9 (32M option), and a mix of all printable chars (64 option)



then you can copy/paste it.

It's basically a hash function, deterministic and non-reversible.

This colleague, David, unfortunetaly, lost the visual basic source, so it's difficult to improve it...

I still use it 10 years or so after it was done ...

[MerleOne]

BTW, alpha is *NOT* my master key....

[40hz]

Like I've said before, a password is only as secure as the server it's stored on.
If somebody gets in, it doesn't matter if your password is d1O@n3A$t or mickey mouse.
$0.02

-Edvard (January 26, 2012, 06:47 AM)

Excellent point, and very true.

Also don't leave out "as secure as the device it's entered on" (and the network it's connect to) since keyloggers and network sniffers also have their place in a blackhat's toolkit.

Not so much an issue for home users. But it's definitely a very real concern in business IT environments.
 

 

[tranglos]

Like I've said before, a password is only as secure as the server it's stored on.
If somebody gets in, it doesn't matter if your password is d1O@n3A$t or mickey mouse.
$0.02

-Edvard (January 26, 2012, 06:47 AM)

This is rule number one for me. It used to be that we were supposed to make passwords "easy to remember but hard to guess". Yeah, make it so that your family or your boss or your pals won't guess it (if that's who you want privacy from), but beyond that, the complexity, bits of randomness or key length don't matter much anymore. Once a server gets hacked into, there's no telling what happens next.

For the really important stuff (where I could lose money or critical access, like banking or my domain control panel) I use long, complex passwords; other than that I don't even bother any more.

What happens in the end that someone hacks into your ISP and they can't even tell exactly what was accessed. Or one day you find unauthorized charges to your credit card, because you paid with this card online once and some idiot thought it was a good idea to store your cc number on their badly secured server "for your convenience". (I was lucky and got every penny refunded by VISA within a week; the charges were obviously fraudulent, like $20 every hour from some UK gambling joint until the account was empty.)

But, FWIW, to me the most useful method for generating a fairly secure (in the outdated sense) password is to start with a quote or a line from a book or a song that you know well and take the first (second, third, take your pick) letter of each. Make some of them numbers or add punctuation if you want, but the important thing is to use a fairly long quite, and not something obvious like "to be or not to be".

Another way that I've used a few times: just type nonsense on the keyboard but in such a way as to let your fingers do the work for you. Type keys that feel natural to press one after another, so that the typing itself has a "flow". For example, if you use only the left hand, typing "wjzu" on a QWERTY keyboard is hard and slow, but typing "wdax" is quick and feels natural. Extend this to 10 or 12 characters and learn this flow, then your muscle memory will do the rest. I sometimes forget my PIN, but I remember the pattern of buttons to push, that's just as good.

[tranglos]

...and just for your amusement, I should add that here in Poland the Anonymous and other hacking "collectives" have been ddos-ing and hacking into various government sites in response to the government's signing of ACTA. Apparently the prime minister's computer was secured with username 'admin' and password 'admin1'. Our PM has a new nickname now :-)

[Stoic Joker]

I was Just at a new client this morning that was using password as the password for the administrator account. They thought it was just fine because they'd renamed the Administrator account to something "clever"... *Sigh* ...Apparently they've also never heard of (the built-in account) GUIDs.

[40hz]

Seen similar stupidity here. I had a client's server compromised because the owner of the company insisted on using Administrator as his login name coupled with a password so obvious it was laughable.

When I asked the local admin why she didn't follow the recommended practice of disabling or renaming that account, she said she did. But the owner insisted she put it back - and give it to him.

He seemed to think having Administrator (as an ID) conferred some über-Ninja powers not held by any other domain admin account. He figured if he had that, he could never get locked out of HIS server by someone else.

He had done some "reading up" on Windows 2003 Server don't you know?

Amazing! In this day and age...a guy running a successful multimillion dollar marketing operation, who's that technically clueless.

And he's younger than me!

I didn't think there were any of those left.

[Shades]

@40hz:
It could be me, but I have the impression that most of the kids from today only know when "internet doesn't work" and that they (gladly) look to the previous generation to fix the problem they experience.

Besides that, I overheard some conversations between CS students (at a LAN party) how they solve networking issues and I was amazed about the bullcrap that came out of their (Microsoft-orientated) mouths. How they could come to their interpretation of the study material baffles me. Actually one of them is responsible for the IT in his fathers (fancy lawyer) office and already makes more than me. But he asked me to help out setting up the LAN for his LAN party, because he was not able to set it up properly.

It is really 'who you know, not what you know' that gets you ahead over here in these parts of the world.
[/off-topic]

[on-topic]
Personally I use a set of difficult passwords and mix-and-match them how I see fit, adding a random number and/or symbol. No-one that knows me is able to guess or deduce what the (complete) base set of my passwords is and adding mix-and-match....well, good luck! The numbers and/or symbols are there to comply with security definitions.

Not the best of schemes (by far!) but it is one I have no trouble remembering, makes for quite "messy" passwords and soothes my paranoia sufficiently.

And I agree wholeheartedly with the earlier statement which says where your password is stored is just as important as its difficulty.

Hence I trust my mind and ability to not communicate passwords best as those are under my control, while storage on servers isn't.
Besides, there is not much to keep secret and being (happily) without credit card I don't have an on-line access point to my money anyway.

[40hz]

O.T. ALERT !!! Feel free to skip the following post. You have been WARNED!!!

@40hz:
It could be me, but I have the impression that most of the kids from today only know when "internet doesn't work" and that they (gladly) look to the previous generation to fix the problem they experience.

Besides that, I overheard some conversations between CS students (at a LAN party) how they solve networking issues and I was amazed about the bullcrap that came out of their (Microsoft-orientated) mouths. How they could come to their interpretation of the study material baffles me. Actually one of them is responsible for the IT in his fathers (fancy lawyer) office and already makes more than me. But he asked me to help out setting up the LAN for his LAN party, because he was not able to set it up properly.

-Shades (January 27, 2012, 05:10 PM)

That's been my impression more often than not.

But in the world of tech, the "digital plumbers" (as I like to think of myself) are fairly rare. You either love it and "get it" or you don't. If it's not for you, I won't fault you. But please don't come bothering me because you're simply too lazy to learn something about basic networking. It's not particle physics. I can teach a chimpanzee everything it needs to know in a few hours. And that includes having the chimp set up a basic secure network and a file/print server for itself. (Maybe even glom down some pizza and get in a quick few rounds of Snood while we're at it!) And then get chimp-boy/girl to repeat doing it two more times just so we're sure it wasn't luck.

Network and server technology isn't hard. Video and graphic applications are ten times harder to get good at. And most kids are great at those. So I'm skeptical of excuses about not being able to learn basic data network skills because "it's too hard."

It isn't. So grow up.

It is really 'who you know, not what you know' that gets you ahead over here in these parts of the world.

Pretty true most places I would guess.

In the USA there's enough of the shadow of a hint of a whisper of a meritocracy that it's kept its people from generally taking up arms for about the last 150 years. Or at least in most places. A stable economy and a high standard of living covers a multitude of sins.

What the future will bring, however, is anybody's guess.

[kyrathaba]

You're all a bit paranoid. I just use the word "password" for all my passwords. It's never failed me yet...

[Stoic Joker]

You're all a bit paranoid. I just use the word "password" for all my passwords. It's never failed me yet...

-kyrathaba (January 27, 2012, 09:16 PM)

What? I thought Open Sesame was the universal password... 

[rgdot]

I use justtryandguessmypassword everywhere