I use the one and a half factor authentication mechanism for gmail. I say 1 and 1/2 because it really isn't two-factor. A cell phone is not sufficiently unique and protected to actually be "something you have" in the sense of two-factor authentication. Since gmail and other sites are aware of my cell-phone I would have to presume an adversary would be aware of it and, if they didn't target it first, they would target it along with my on-line identities.
I use a formulaic mechanism that involves the site name (always the same) and leet-speak filler. The filler varies - sometimes I derive it from an on-line identity, sometimes I derive it from a vehicle that I used to own, and frequently it involves non-English words. The primary goal is to have a password that uses the full ASCII character set and exceeds 15 characters in length. The biggest problem is that many sites have stupid rules that prevent me from doing exactly that. Sometimes they have length limits, sometimes they have character set limits, and sometimes they have limits they don't tell me (I have to derive what is acceptable through a repeated process of trial and error - I still don't know what is acceptable on my mortgage company's web-site). I'm not terribly worried that someone will derive my formula from a hacked site that stores passwords in poorly encrypted form - if the site uses poor encryption it's probably one of the ones that won't let me use my full formula. Thus, an adversary who gets my password on one of those sites will not be able to derive the full formula. My eleven-character password on LinkedIn was compromised but probably not cracked - but I changed it to a 16-character password with a differently derived filler.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024 M: 505-238-9359 P: 505-951-6084
NIPR: [email protected]
SIPR: [email protected] (send NIPR reminder)
JWICS: [email protected] (send NIPR reminder)

On Jan 29, 2013, at 9:26 AM, Owen Densmore wrote:

> Well, yet another scare today ... an email to me from the name of someone I know but from a bogus email address. You know: "best friend" <[email protected]>. So I've looked into cranking up the password security a bit.
>
> It seems that the two most important ideas are:
> 1 - Long passwords
> 2 - Unique passwords, different for each site
>
> I realize password managers (keepass, 1password, ...) can generate gibberish passwords, any length you'd like. But it'd be nice to be able to remember them yourself. Besides, password managers don't work everywhere in these days of the "app" because they are browser centric.
>
> So looking into common password formulas, like http://healthypasswords.com/ & lifehacker http://goo.gl/hZ5rB propose, the site-specific stunt is something like:
>
> az@xxxxx!yyy "sandwich"
>
> where I have a core xxxx or set of them, with prefix/postfix identifiers. In this case, az for amazon, and yyy for something else like b00ks. And yes you can scramble where az goes etc., but once a formula is seen, it's not going to be that hard to figure it out for google etc. Thus, even though long and unique, it still could be fragile.
>
> So the choice does appear to be either a password manager and gibberish, or a nifty, human-rememberable system that may be fragile.
>
> Has anyone tried the two-factor stunt? Google uses SMS & your phone. I don't know what it would be like to use, but many sites lately allow you to login via google, facebook and others, so if the google login is 2-factor secure, maybe that's a good solution? Seems like it might be a pain and fail if your phone isn't working.
>
> -- Owen
>
> ============================================================
> FRIAM Applied Complexity Group listserv
> Meets Fridays 9a-11:30 at cafe at St. John's College
> to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
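Both posts describe a human-memorable per-site formula and its weakness: once one site's password is seen, the pattern gives away the rest. The derivation below is an added example, not code from either poster, showing the same "one memorised phrase, one password per site" convenience built on a slow KDF so that a leaked password reveals neither the master phrase nor any other site's password, and with a charset/length/counter knob for the site rules Ray complains about; the site names, master phrase and policies used are constructed placeholders.

```python
import hashlib
import hmac
import string

FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation


def derive_site_password(master: str, site: str, length: int = 16,
                         charset: str = FULL_CHARSET, counter: int = 0) -> str:
    """Derive a per-site password from one memorised master phrase.

    Unlike the "az@xxxxx!yyy" sandwich, seeing the amazon password does
    not expose the google one: the site name is only a salt to a slow
    KDF, so outputs for different sites are unrelated without the master.
    `counter` rotates one site's password without touching the master;
    `charset`/`length` absorb a site's character-set and length rules
    (that costs entropy, so use the longest length the site allows).
    """
    if length < 1 or len(charset) < 2:
        raise ValueError("need length >= 1 and at least two characters")
    salt = f"{site.strip().lower()}/{counter}".encode()
    # 200k PBKDF2 rounds make offline guessing of the master phrase
    # expensive if one derived password leaks from a poorly run site.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000)
    # Rejection sampling: only bytes below `limit` are used, so every
    # character of `charset` is equally likely (no modulo bias).
    limit = 256 - (256 % len(charset))
    chars, block = [], 0
    while len(chars) < length:
        stream = hmac.new(key, block.to_bytes(4, "big"), "sha256").digest()
        block += 1
        for b in stream:
            if b < limit and len(chars) < length:
                chars.append(charset[b % len(charset)])
    return "".join(chars)


def derive_compliant_password(master: str, site: str, length: int,
                              charset: str, required: tuple = ()) -> str:
    """Bump the counter until the output meets a site's "at least one
    from each class" rule; the result stays deterministic, so it can be
    re-derived on any device without a stored vault."""
    for counter in range(64):
        pw = derive_site_password(master, site, length, charset, counter)
        if all(any(c in group for c in pw) for group in required):
            return pw
    raise RuntimeError("policy not satisfiable with this charset/length")
```

The master phrase remains a single point of failure, exactly as a password-manager vault key is, so its strength and secrecy still decide everything.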
