PWs are a near religious conversation on the web now, due to the
famous cracks being made.

In terms of PWs, there are really two issues in terms of ease of
cracking them algorithmically:
- Their length
- Unique per site.

Believe it or not, the pw cracker software is way smart.  Yes it does
have combinatorics.  But it also includes a huge number of heuristics
like dictionary names, paired with numeric/character substitution.
Well I knew that but the big surprise yesterday for me while searching
was keyboard geometry has been added.

I doubt yours would be caught but many simple shapes are.

The fact is that passwords are approaching being obsolete.  And all
the crazy stunts are useless.  Only length and unique matter, and
adding in separators (spaces, dashes and so on).  This got a lot of
press:
    http://www.baekdal.com/insights/the-usability-of-passwords-faq
and naturally the daddy of them all, xkcd's
    http://xkcd.com/936/
(which did not include unique, just length)

To be fair, the brute force methods require having the hash/salted pw
file to begin with, which is no simple feat.  And social hacks are
pretty successful ... Apple and Amazon gave up account information in
the Mat Honan case:
  http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/
  http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
On the other hand, the LinkedIn hack was successful because LinkedIn
apparently did not salt the password files!  Unbelievable.

But really, we should at least move on from our current logins.  Two
factor is good but annoying, but some interesting social solutions are
sprouting.  Toopher uses your phone and GPS:
  http://venturebeat.com/2012/04/18/toopher-demo/

   -- Owen
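The "keyboard geometry" heuristic Owen mentions can be turned around and used on the defender's side: a registration form or password-policy check can look for keyboard shapes the same way a cracker's ruleset would, so that a candidate whose bulk is a shape rather than length gets flagged. The following is an added example, not code from Owen, Grant or any tool named in the thread. It places the keys of a US QWERTY board on a staggered grid and reports runs of characters whose keys sit physically close together. The key coordinates, the "two key widths" locality threshold, the minimum run length of four and the effective-length model are all assumptions of this example; the sample inputs are the five monthly passwords from Grant's message and the xkcd-style passphrase, used here as constructed test data.

```python
"""Flag keyboard-geometry runs in a candidate password (US QWERTY layout).

Added example for the thread above, not code from Owen, Grant or any tool
they mention. It models, from the defender's side, the "keyboard geometry"
heuristic the message says cracking software now includes, so that a
password-policy check can see a keyboard shape the way a cracker would.
The key coordinates, the locality threshold, the minimum run length and the
effective-length model are all assumptions of this example.
"""

# Physical rows of a US QWERTY board, top to bottom. Each row sits a little
# to the right of the one above it; the stagger is expressed in quarter-key
# units (0, 0.5, 0.75 and 1.25 keys) so that all arithmetic stays integer.
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
ROW_STAGGER_QUARTERS = [0, 2, 3, 5]

# Shifted symbols map back to the physical key they share.
SHIFTED = dict(zip('!@#$%^&*()_+{}:"<>?', "1234567890-=[];',./"))


def key_position(ch):
    """Return (x in quarter keys, row index) of the key that produces ch,
    or None for characters with no position here (space, non-ASCII, ...)."""
    ch = SHIFTED.get(ch, ch.lower())
    for row, keys in enumerate(ROWS):
        col = keys.find(ch)
        if col != -1:
            return (4 * col + ROW_STAGGER_QUARTERS[row], row)
    return None


def keys_are_local(a, b, max_sq_quarters=64):
    """True when two keys lie within about two key widths of each other
    (squared Euclidean distance in quarter-key units, rows being 4 apart).
    Two key widths is loose enough to catch shapes that skip a key, such
    as the Z-C side of the AZCD parallelogram."""
    dx = a[0] - b[0]
    dy = 4 * (a[1] - b[1])
    return dx * dx + dy * dy <= max_sq_quarters


def keyboard_runs(password, min_len=4):
    """Return (start_index, substring) for every maximal run of at least
    min_len characters in which each consecutive pair of keys is local."""
    positions = [key_position(ch) for ch in password]
    runs, start = [], 0
    for i in range(1, len(password) + 1):
        local = (i < len(password)
                 and positions[i - 1] is not None
                 and positions[i] is not None
                 and keys_are_local(positions[i - 1], positions[i]))
        if not local:
            if i - start >= min_len:
                runs.append((start, password[start:i]))
            start = i
    return runs


def effective_length(password):
    """Crude strength model (an assumption of this example): a keyboard run
    costs an attacker about one guess unit, like a single dictionary word,
    so each run counts as one character instead of its full length."""
    return len(password) - sum(len(run) - 1 for _, run in keyboard_runs(password))


if __name__ == "__main__":
    # Constructed inputs: the five monthly passwords from Grant's message,
    # plus the xkcd-style passphrase Owen points at, for contrast.
    samples = [
        "AZCDfr!am3.14159", "WSFRfr!am3.14159", "3ET5fr!am3.14159",
        "EDGTfr!am3.14159", "DCBGfr!am3.14159", "correct horse battery staple",
    ]
    for pw in samples:
        print(f"{pw!r}: runs={keyboard_runs(pw)} "
              f"effective_length={effective_length(pw)}")
```

Every one of the five monthly roots comes back as a run, even though each month's root is a fresh set of keys: the shift rule preserves the shape, and the shape is exactly what a geometry-aware ruleset enumerates. The check is deliberately coarse. It also swallows the "fr" that starts the base, and it flags "ttery" inside the passphrase, because natural English words sometimes sit on neighbouring keys too. That is the reason to treat this as one signal in a policy rather than a verdict, and it is consistent with the thread's point: after the shape is discounted, what is left of the password's length is what the attacker still has to search.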

On Wed, Jan 30, 2013 at 8:57 AM, Grant Holland
<[email protected]> wrote:
> Owen,
>
> Here's a gimmick I came up with last year. Seems to work - but who knows...
>
> I use a combination of two patterns - one for consistency (the "static"),
> the other for change (the "dynamic").
>
> The key is that both are physical, geometric concepts relative to the keys
> on qwerty keyboard - rather than semantically-oriented patterns that
> everyone uses.
>
> Using physical, geometric keyboard shapes - like squares, triangles, etc. -
> makes the system easy to remember and use, but hard to explain in text. But
> here goes:
>
> I base the "static" pattern on some simple geometric shape - such as
> triangle or parallelogram. For example, the keys AZCD form a parallelogram. I
> use this pattern as the "root" of my password. The remainder of my password,
> the "base", is something that I can remember easily, but with a capital and
> a special symbol - such as "fr!am3.14159". To generate my initial password I
> simply join the root and the base in some consistent way, such as
> AZCDfr!am3.14159. Of course, I can scramble this, but I would only do the
> scramble initially.
>
> Then, every month, or other period, I change this password in a consistent
> way. This is where the "dynamic" pattern comes in. The dynamic pattern is a
> rule for how I transform the "root" each month in a geometric way. For
> example, I may use the transform rule "move the 'root' up and to the right."
> This means that the "A" of the root becomes a "W", and all of the other root
> keys change accordingly. So, the second month, the root becomes "WSFR". So,
> the second month's pword is "WSFRfr!am3.14159". Month 3's password would be
> "3ET5fr!am3.14159". For the fourth month, I "bounce" off of the top of the
> keyboard and head back down. After 16 months, I get to the right end of the
> keyboard. I usually develop a new root then and start all over again.
>
> Anyway, using these example patterns and base, the first five months of this
> set of passwords would be:
> AZCDfr!am3.14159
> WSFRfr!am3.14159
> 3ET5fr!am3.14159
> EDGTfr!am3.14159
> DCBGfr!am3.14159
>
> Of course, the permutations of this scheme are very large. And, you can
> change the base, the root and the dynamics at any time. And of course, you
> can use site-specific symbols like "AN" for Amazon. Also, you can get creative
> with how you "slide" the dynamic pattern to make it harder to guess.
>
> The basic idea, though, is to use "keyboard geometry" for your root, rather
> than semantics.
>
> Anybody see any holes in this?
>
> Grant
>
>
> On 1/29/13 9:26 AM, Owen Densmore wrote:
>
> Well, yet another scare today ... an email to me from the name of
> someone I know but from a bogus email address.  You know: "best
> friend" <[email protected]>.
>
> So I've looked into cranking up the password security a bit.
>
> It seems that the two most important ideas are:
> 1 - Long passwords
> 2 - Unique passwords, different for each site
>
> I realize password managers (KeePass, 1Password, ...) can generate
> gibberish passwords, any length you'd like.  But it'd be nice to be
> able to remember them yourself.  Besides, password managers don't work
> everywhere in these days of the "app" because they are browser
> centric.
>
> So looking into common pw formulas, like http://healthypasswords.com/
> & lifehacker http://goo.gl/hZ5rB propose, the site specific stunt is
> something like: az@xxxxx
> !yyy "sandwich" where I have a core xxxx or
> set of them, with prefix/postfix identifiers.  In this case, az for
> amazon, and yyy for something else like b00ks.  And yes you can
> scramble where az goes etc, but once a formula is seen, it's not going
> to be that hard to figure it out for google etc.
>
> Thus, even though long and unique, it still could be fragile.
>
> So the choice does appear to be either a password manager and
> gibberish, or a nifty, human rememberable system that may be fragile.
>
> Has anyone tried the two-factor stunt? Google uses sms & your phone.
> I don't know what it would be like to use, but many sites lately allow
> you to login via google, facebook and others, so if the google login
> is 2-factor secure, maybe that's a good solution? Seems like it might
> be a pain and fail if your phone isn't working.
>
>    -- Owen
>

============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
