If you can't remember where all your accounts are, why bother to have
memorable passwords for them?

There was a consolidated stolen password file going around at some point in
the last year -- that or a clever password harvester: you type your
password into a web page and it tells you if the password appears in the
consolidated file.  I believe I believed that the web page was computing
the hash and sending that to a server.  The point being that it doesn't
matter much whether the villains know your password or not: if anything close
to your memorable password appears in the consolidated file, then they will
find your password by a simple random walk away from the examples in the
file.  Ditto if you're going to use a pattern involving the target host and
user name: you're just making life easy for the villains for reasons which
don't hold up.

The other problem here is that you end up using the same user identifier
everywhere.  You should be generating 64-character random user names for
every web site account, too, along with the 64-character random passwords.
You're trading off your personal convenience against your security, and
you're only winning so far because the villains have been too stupid and
too slow to take advantage of you, yet.

Then again, maybe that web site is using this security auditor:
http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants
in which case you're totally screwed.

-- rec --
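As an added illustration of two points in this thread (not code from rec, Owen or Jon), the script below puts Jon's "entropy isn't the best metric" observation next to rec's "random walk away from the examples in the file". It computes the naive keyspace-over-rate figure that a web strength meter reports, then runs a small rule-based search that mangles words from a leaked list (stem, case, leet, suffixes, padding runs), a toy stand-in for a hashcat or John the Ripper rule set. It also shows how one per-site password seen in the clear lets an attacker recover a "formula" of the kind Owen describes and predict the password for another site. The LEAKED list, the FORMULAS table and the function names are all mine and constructed for the example; no real breach data is involved.

```python
"""Why "0wen............" is cheaper to guess than its keyspace suggests.

Two estimates of the same password: a naive keyspace/rate figure (what a web
strength meter reports) and a rule-based search that walks outward from words
in a leaked list.  LEAKED is constructed sample data, not a real breach file,
and the rule set is a small stand-in for a hashcat/John-the-Ripper ruleset.
"""
import string

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600

# Constructed stand-in for a consolidated stolen-password file.
LEAKED = ["owen2012", "Summer2012", "password1", "letmein"]

# Letter-to-symbol substitutions that rule-based crackers try first.
LEET = {"o": "0", "a": "@", "e": "3", "i": "1", "s": "$", "l": "1", "t": "7"}


def naive_bruteforce_centuries(pw, guesses_per_second=1e11):
    """Keyspace divided by rate: assumes the attacker knows nothing and
    enumerates every string of len(pw) over the 95 printable ASCII chars."""
    return 95 ** len(pw) / guesses_per_second / SECONDS_PER_CENTURY


def _unique(seq):
    # dict keeps insertion order, so the candidate order is reproducible
    return list(dict.fromkeys(seq))


def mangle(word):
    """Yield near-neighbours of one leaked word: the stem with trailing
    digits/punctuation removed, case variants, leet substitutions, common
    suffixes, and runs of a single padding character."""
    stem = word.rstrip(string.digits + string.punctuation) or word
    bases = _unique([word, stem, stem.lower(), stem.capitalize(), stem.upper()])
    leeted = []
    for b in bases:
        leeted.append("".join(LEET.get(c, c) for c in b))      # every letter
        leeted.append(LEET.get(b[0].lower(), b[0]) + b[1:])      # first letter only
    bases = _unique(bases + leeted)
    suffixes = ([""] + [str(n) for n in range(100)]
                + [str(y) for y in range(1990, 2014)] + list("!?.$"))
    for b in bases:
        for s in suffixes:
            yield b + s
    for b in bases:
        for ch in ".!*-_":
            for n in range(1, 17):
                yield b + ch * n


def guesses_until_found(target, leaked=LEAKED):
    """Walk outward from every leaked word in turn; return the number of
    candidates tried before `target` turned up, or None if never reached."""
    tried = 0
    for word in leaked:
        for cand in mangle(word):
            tried += 1
            if cand == target:
                return tried
    return None


# Hypothetical per-site "formulas" of the kind Owen describes.
FORMULAS = {
    "base+site": lambda base, site: base + site,
    "site+base": lambda base, site: site + base,
    "base+site3": lambda base, site: base + site[:3],
    "base+Site!": lambda base, site: base + site.capitalize() + "!",
}


def predict_from_one_leak(leaked_site, leaked_pw, target_site):
    """Given one (site, password) pair seen in the clear, find every formula
    consistent with it and return the password each predicts for another site."""
    predictions = {}
    for name, f in FORMULAS.items():
        for i in range(len(leaked_pw) + 1):
            for base in (leaked_pw[:i], leaked_pw[i:]):
                if f(base, leaked_site) == leaked_pw:
                    predictions[name] = f(base, target_site)
    return predictions


if __name__ == "__main__":
    for pw in ("0wen............", "B&ITu6rv^BF"):
        print(f"{pw!r}: naive {naive_bruteforce_centuries(pw):.3g} centuries, "
              f"rule-based guesses {guesses_until_found(pw)}")
    print(predict_from_one_leak("amazon", "hunter2amazon", "ebay"))
```

Run as a script it reports the 16-character padded password at well over ten billion centuries by the naive estimate yet reached in under two thousand rule-based guesses, while the 11-character random string sits around eighteen centuries naively and is never reached by the rules at all. The point is that the naive figure only measures the attacker who knows nothing; once the base word is in a leaked file, the search space is the neighbourhood of that word, not the whole keyspace.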


On Thu, Jan 31, 2013 at 9:48 AM, Owen Densmore <[email protected]> wrote:

> On Wed, Jan 30, 2013 at 8:59 AM, Jon Bringhurst <[email protected]> wrote:
>
>> For my home server I use a yubikey to connect via ssh.
>
>
> Way cool.  I had heard of YubiKey and a possible acquisition/partnering with
> Google.  It was in the "Google declares war on passwords" article:
>     http://www.wired.com/wiredenterprise/2013/01/google-password/all/
> I'll give it a try.
>
>> For everything else, I use LastPass. You can also use a YubiKey for
>> two-factor with LastPass.
>>
>
> LastPass, 1Password, KeePass et al. make sense. I've used one of them for a
> little over a year simply to remember *where* I have accounts.  I don't yet
> trust the idea of a unique random string for all my logins.  I really want
> a human-rememberable password, again unique but with a formula.  The
> problem is making sure that if one pw is seen in the clear, the rest can't be
> generated by discovering the formula.
>
> Do you use long random strings, non-human memorable?
>
>
>> I'd also like to point out that the entropy of a password isn't exactly
>> the best metric. For example, it would take about 8.52 hundred-million
>> centuries to guess the password "0wen............", but only 18.62
>> centuries to guess "B&ITu6rv^BF" (at about one-hundred billion guesses per
>> second).
>>
>
> Agreed; certainly the idea of obscurity with letters etc. is becoming less
> effective.  But alas, the heuristics now being used would certainly
> discover 0wen............ in less than combinatoric time.
>
>
>> You might want to consider picking a longer password, but one that's much
>> easier to remember.
>
>
> Yup, I'm doing that.
>
> Thanks for the details, nice to know.
>
>    -- Owen
>
> ============================================================
> FRIAM Applied Complexity Group listserv
> Meets Fridays 9a-11:30 at cafe at St. John's College
> to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
>