On Thu, Jan 31, 2013 at 10:08 AM, Roger Critchlow <[email protected]> wrote:

> If you can't remember where all your accounts are, why bother to have
> memorable passwords for them?
>

So you might as well use a password manager or hash generator with
random, long strings, right?

But in terms of the accounts .. I haven't a list kept from The Beginning.
 I often beam into forums that I try a login and if it works, add it to my
growing 1P list.  I'm over 125 now .. after also including google's
"remember this password" keychain.

> There was a consolidated stolen password file going around at some point in
> the last year -- that or a clever password harvester -- you type your
> password into a web page and it tells you if the password appears in the
> consolidated file.  I believe I believed that the web page was computing
> the hash and sending that to a server.  The point being that it doesn't
> matter much if the villains know your password or not, if anything close to
> your memorable password appears in the consolidated file then they will
> find your password by a simple random walk away from the examples in the
> file.  Ditto if you're going to use a pattern involving the target host and
> user name, you're just making life easy for the villains for reasons which
> don't hold up.
>

I liked that they made the hashes available so that you could get them,
compute your hash, and find it in the file (251.9MB).  Spooky.  But the
site itself seemed secure .. using a local hash generator.  That there was
no salt was a surprise.


> The other problem here is that you end up using the same user identifier
> everywhere.  You should be generating 64 character random user names for
> every web site account, too, along with the 64 character random passwords.
>  You're trading off your personal convenience against your security, and
> you're only winning so far because the villains have been too stupid and
> too slow to take advantage of you, yet.
>

Can you reset your "username" on sites once you create it?  I think not, in
general.


> Then, again, maybe that web site is using this security auditor:
> http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants
> in which case you're totally screwed.
>

Err.. but it *was* impossible.  I'm glad the author persevered.


> -- rec --
>
>
> On Thu, Jan 31, 2013 at 9:48 AM, Owen Densmore <[email protected]>wrote:
>
>> On Wed, Jan 30, 2013 at 8:59 AM, Jon Bringhurst <[email protected]> wrote:
>>
>>> For my home server I use a yubikey to connect via ssh.
>>
>>
>> Way cool, I had heard of yubikey and possible acquisition/partnering with
>> google.  It was in the "google declares war on passwords" article:
>>     http://www.wired.com/wiredenterprise/2013/01/google-password/all/
>> I'll give it a try.
>>
>>> For everything else, I use lastpass. You can also use a yubikey for
>>> two-factor with lastpass.
>>>
>>
>> Lastpass, 1password, keepass et al make sense. I've used one of them for
>> a little over a year simply to remember *where* I have accounts.  I don't
>> yet trust the idea of a unique random string for all my logins.  I really
>> want a human rememberable password, again unique but with a formula.  The
>> problem is making sure if one pw is seen in the clear, all can't be
>> generated by discovering the formula.
>>
>> Do you use long random strings, non-human memorable?
>>
>>
>>> I'd also like to point out that the entropy of a password isn't exactly
>>> the best metric. For example, it would take about 8.52 hundred-million
>>> centuries to guess the password "0wen............", but only 18.62
>>> centuries to guess "B&ITu6rv^BF" (at about one-hundred billion guesses per
>>> second).
>>>
>>
>> Agreed, certainly the idea of obscurity with letters etc is becoming less
>> effective.  But alas, the heuristics now being used would certainly
>> discover 0wen............ in less than combinatoric time.
>>
>>
>>> You might want to consider picking a longer password, but one that's
>>> much easier to remember.
>>
>>
>>  Yup, I'm doing that.
>>
>> Thanks for the details, nice to know.
>>
>>    -- Owen
>>
>
============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
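Jon's comparison above contrasts the exhaustive search space of the two passwords, and Owen's reply is that rule-based guessing would find `0wen............` long before that. The following is an added example, not code from the thread: it estimates both models at the thread's one-hundred-billion-guesses-per-second rate, the way a password-strength check run at account enrollment would, and the wordlist size, leet character set and padding cap are assumed values.

```python
import re
import string

# Figure from the thread: one hundred billion guesses per second.
GUESSES_PER_SECOND = 1e11
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600

# Assumptions for the rule-based estimate (not from the thread).
ASSUMED_WORDLIST_SIZE = 100_000   # names + common words in a guessing list
LEET = set("0134578@$")           # digits/symbols commonly swapped for letters
MAX_PAD_LENGTH = 32               # padding-run lengths a rule set would try

CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " "]

def alphabet_size(password: str) -> int:
    """Union of the character classes the password actually draws from."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))

def exhaustive_search_space(password: str) -> int:
    """Worst-case candidates when every string up to this length is tried."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))

def exhaustive_centuries(password: str) -> float:
    return exhaustive_search_space(password) / GUESSES_PER_SECOND / SECONDS_PER_CENTURY

def pattern_guesses(password: str):
    """Guesses for 'mangled word + run of one padding character', else None."""
    m = re.fullmatch(r"([A-Za-z0-9@$]{3,})((.)\3+)", password)
    if not m:
        return None
    core, pad = m.group(1), m.group(2)
    substitutions = sum(1 for c in core if c in LEET)
    # wordlist * each subset of substitutions * padding char * padding length
    return ASSUMED_WORDLIST_SIZE * 2 ** substitutions * alphabet_size(pad) * MAX_PAD_LENGTH

def effective_seconds(password: str) -> float:
    """Time at the assumed rate under the cheaper of the two attack models."""
    guesses = exhaustive_search_space(password)
    patterned = pattern_guesses(password)
    if patterned is not None:
        guesses = min(guesses, patterned)
    return guesses / GUESSES_PER_SECOND

if __name__ == "__main__":
    for pw in ("0wen............", "B&ITu6rv^BF"):
        print(f"{pw!r}: exhaustive {exhaustive_centuries(pw):.3g} centuries, "
              f"effective {effective_seconds(pw):.3g} s")
```

The exhaustive figures land within the same order of magnitude as the ones Jon quotes, while the padded name collapses to milliseconds once the word-plus-padding rule is applied.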
