managing passwords

SimonAH
SimonAH Posts: 3,730
edited June 2012 in Commuting chat
I found out today that LinkedIn has apparently been hacked and that six million passwords are now in the public domain.

Now this got me thinking......

I have online passwords for about 20 regularly used sites, and every non-fiscal one is exactly the same - I use ******** for all of them. :-D

Seriously though, how in seven holy hells are you supposed to remember twenty odd secure cryptic passwords? Anyone got a cunning system?
FCN 5 belt driven fixie for city bits
CAADX 105 beastie for bumpy bits
Litespeed L3 for Strava bits

Smoke me a kipper, I'll be back for breakfast.

Comments

  • rick_chasey
    rick_chasey Posts: 75,661
    Fiddle with the numbers and capital letters.
  • rubertoe
    rubertoe Posts: 3,994
    I don't use the internet.
    "If you always do what you've always done, you'll always get what you've always got."

    PX Kaffenback 2 = Work Horse
    B-Twin Alur 700 = Sundays and Hills
  • essex-commuter
    essex-commuter Posts: 2,188
    Keep a list in Excel and password protect the file?
  • daviesee
    daviesee Posts: 6,386
    rubertoe wrote:
    I don't use the internet.
    :lol:
    None of the above should be taken seriously, and certainly not personally.
  • the_fuggler
    the_fuggler Posts: 1,228
    I have an app on my phone secured by a master password to store that stuff. Brain can't cope with the number of different passwords I have...
    FCN 3 / 4
  • Kieran_Burns
    Kieran_Burns Posts: 9,757
    There are multiple password manager applications available out there; I use Password Corral personally.

    However if you are looking for a 'good' way to create an easy to remember but difficult to hack password, try the following process:

    1. Stop saying password and start saying pass phrase
    2. Make up an easy to remember pass phrase: My house is detached (for example)
    3. Merge and Capitalise: MyHouseIsDetached
    4. Alpha numeric swap around (a=4, e=3, i=1, o=0, s=5) MyH0u5315D3t4ch3d

    That'll do for most but if you want to go one step further, hit the SHIFT key whenever you type a number

    5. Shift numeric: MyH)u%£!%D£t$ch£d

    Guess that one!

    It makes perfect sense and you have the private key and encryption method in your head. Your private key is the original pass phrase which as you can see is VERY easy to remember and you just need to remember to use the SAME encryption method whenever you create a new password.
    Chunky Cyclists need your love too! :-)
    2009 Specialized Tricross Sport
    2011 Trek Madone 4.5
    2012 Felt F65X
    Proud CX Pervert and quiet roadie. 12 mile commuter
  • daviesee
    daviesee Posts: 6,386
    Kieran_Burns wrote:
    There are multiple password manager applications available out there; I use Password Corral personally.

    However if you are looking for a 'good' way to create an easy to remember but difficult to hack password, try the following process:

    1. Stop saying password and start saying pass phrase
    2. Make up an easy to remember pass phrase: My house is detached (for example)
    3. Merge and Capitalise: MyHouseIsDetached
    4. Alpha numeric swap around (a=4, e=3, i=1, o=0, s=5) MyH0u5315D3t4ch3d

    That'll do for most but if you want to go one step further, hit the SHIFT key whenever you type a number

    5. Shift numeric: MyH)u%£!%D£t$ch£d

    Guess that one!

    It makes perfect sense and you have the private key and encryption method in your head. Your private key is the original pass phrase which as you can see is VERY easy to remember and you just need to remember to use the SAME encryption method whenever you create a new password.

    Very clever.
    But what about the ones that ask you to update your password on a regular basis - and you can't use one similar to one used previously?
    Seriously asking as my head is getting wasted with passwords.
    None of the above should be taken seriously, and certainly not personally.
  • CiB
    CiB Posts: 6,098
    There are a bazillion password managers out there; it's the sort of thing aspiring programmers like to have a go at as everyone thinks they can come up with a better solution. Whisper32 is my preferred choice just because I've been using it for years and it works, even though it's not as good as the one wot I wrote but never finished.

    KB has it right (again; botheration) - pick a simple phrase and replace some characters with other characters that you can remember without effort. Avoid the obvious - password --> p455w0rd or monkey --> m0nk3y - these are top of the list when it comes to password hacking.

    My favorite for a while was based on Leicester stuffing Derby C live on TV one Sunday afternoon, when the score was 0-4 after 12 minutes and the derby fans were starting to leave. Happy days. sh33p0-L31c35t3rC1ty4 - no password hacker will get that. Add a prefix or a suffix for each place that uses it - BRsh33p0-L31c35t3rC1ty4 here, sh33p0-L31c35t3rC1ty4AN etc etc. Clearly I've moved on from that pwd strategy these days, in case you fancy having a go.
  • CiB
    CiB Posts: 6,098
    daviesee wrote:
    Very clever.
    But what about the ones that ask you to update your password on a regular basis - and you can't use one similar to one used previously?
    Seriously asking as my head is getting wasted with passwords.
    Add a character on the end and increment it by one each time. Don't start at A.
  • Mr Sworld
    Mr Sworld Posts: 703
    Use a common password but tailor it to each site by including the site name

    Common password: Example2010

    Password for this site: BikeRadarExample2010

    Easy to remember and each site gets a unique password. 8)
  • CiB
    CiB Posts: 6,098
    Weren't the LinkedIn pwds hashed though, and the posted list was an invitation for hackers to attempt to reverse hash them? It should give people time to change them where necessary.
  • SimonAH
    SimonAH Posts: 3,730
    CiB wrote:
    There are a bazillion password managers out there; it's the sort of thing aspiring programmers like to have a go at as everyone thinks they can come up with a better solution. Whisper32 is my preferred choice just because I've been using it for years and it works, even though it's not as good as the one wot I wrote but never finished.

    KB has it right (again; botheration) - pick a simple phrase and replace some characters with other characters that you can remember without effort. Avoid the obvious - password --> p455w0rd or monkey --> m0nk3y - these are top of the list when it comes to password hacking.

    My favorite for a while was based on Leicester stuffing Derby C live on TV one Sunday afternoon, when the score was 0-4 after 12 minutes and the derby fans were starting to leave. Happy days. sh33p0-L31c35t3rC1ty4 - no password hacker will get that. Add a prefix or a suffix for each place that uses it - BRsh33p0-L31c35t3rC1ty4 here, sh33p0-L31c35t3rC1ty4AN etc etc. Clearly I've moved on from that pwd strategy these days, in case you fancy having a go.

    That's a neat one, like that concept.

    The only problem is that - say - having got into my LinkedIn account and finding that my password is LIbeazlebubf4rt I guess it wouldn't take a genius to come on to here using BRbeazlebubf4rt. Still, I suppose it would be rather more secure than the "All for one, one for all" password strategy that I currently use! :oops: And also I guess that encrypting the suffix would really confuse matters.

    Yes, yes I like that. Thanks CiB, thanks KB.
    FCN 5 belt driven fixie for city bits
    CAADX 105 beastie for bumpy bits
    Litespeed L3 for Strava bits

    Smoke me a kipper, I'll be back for breakfast.
  • Headhuunter
    Headhuunter Posts: 6,494
    Just write them down, perhaps in some kind of code... I read somewhere that writing passwords is in reality of little risk to security. You're more at risk from your password being hacked online or your details being leaked which is out of your control anyway. I write all mine down in a code that I understand. I write numerical passwords like PINs down within a fake phone number, I know that I can look up a certain fake name in my phone or address book and find the PIN number hidden within what looks like a phone number...
    Do not write below this line. Office use only.
  • veronese68
    veronese68 Posts: 27,770
    I use part numbers or registration numbers as passwords and have a file with cryptic clues to the passwords. Thankfully, I have a very good memory for part numbers and such like.
  • jonnyboy77
    jonnyboy77 Posts: 547
    I use KeePass and typically include uppercase, lowercase, numbers and symbols, e.g. K0na%2009. For annoying sites/apps that make me cycle passwords every 15-30 days I either increment numbers or use the built-in password generator in KeePass.

    - Jon
    Commuting between Twickenham <---> Barbican on my trusty Ridgeback Hybrid - strava: http://strava.com/athletes/125938/badge
  • bompington
    bompington Posts: 7,674
    My personal technique is to use an easy to remember phrase or sentence, then take the first letter:
    bike radar is my favourite site -> brimfs -> br1Mfs

    Secure enough for most uses
  • londonlivvy
    londonlivvy Posts: 644
    One of my friends uses old car registrations (of cars he used to own). You could then use the car reg that's closest to the colour of the site on which you're registering. You'd be stuffed if they changed their branding, of course, but I quite like that idea but have only owned three cars so that probably doesn't provide enough options.

    In any case, this geeky cartoon would seem to imply that we shouldn't make insanely hard passwords (like all the above that I would never remember in a billion years) but instead use a phrase. http://xkcd.com/936/
    I have no idea whether the maths in this makes sense or not (my GCSE maths was a LONG time ago) so what do you folks make of it?
  • Kieran_Burns
    Kieran_Burns Posts: 9,757
    londonlivvy wrote:
    One of my friends uses old car registrations (of cars he used to own). You could then use the car reg that's closest to the colour of the site on which you're registering. You'd be stuffed if they changed their branding, of course, but I quite like that idea but have only owned three cars so that probably doesn't provide enough options.

    In any case, this geeky cartoon would seem to imply that we shouldn't make insanely hard passwords (like all the above that I would never remember in a billion years) but instead use a phrase. http://xkcd.com/936/
    I have no idea whether the maths in this makes sense or not (my GCSE maths was a LONG time ago) so what do you folks make of it?

    I think you didn't bother reading my post :wink::lol:
    Chunky Cyclists need your love too! :-)
    2009 Specialized Tricross Sport
    2011 Trek Madone 4.5
    2012 Felt F65X
    Proud CX Pervert and quiet roadie. 12 mile commuter
  • bompington
    bompington Posts: 7,674
    Who's calling XKCD a geeky website? I always thought that was just how normal people think, with some simple maths thrown in ;-)
  • londonlivvy
    londonlivvy Posts: 644
    Kieran_Burns wrote:
    londonlivvy wrote:
    One of my friends uses old car registrations (of cars he used to own). You could then use the car reg that's closest to the colour of the site on which you're registering. You'd be stuffed if they changed their branding, of course, but I quite like that idea but have only owned three cars so that probably doesn't provide enough options.

    In any case, this geeky cartoon would seem to imply that we shouldn't make insanely hard passwords (like all the above that I would never remember in a billion years) but instead use a phrase. http://xkcd.com/936/
    I have no idea whether the maths in this makes sense or not (my GCSE maths was a LONG time ago) so what do you folks make of it?

    I think you didn't bother reading my post :wink::lol:

    Oh Kieran I did read your post. And realised that I would never remember all that switching x to y or e to 3 or whatever. Christ, you lot could all get a job at SOE!
  • CiB
    CiB Posts: 6,098
    Easy enough surely?
    A=4
    E=3
    I=1
    O=0
    U=U. It just does. :)

    Car reg is another good one. You never forget your first so my old Mk1 Cortina sufficed for a while. It doesn't exist now and I left home years ago so is effectively untraceable as a character set that relates to me but is unforgettable.
  • greg66_tri_v2.0
    greg66_tri_v2.0 Posts: 7,172
    londonlivvy wrote:
    One of my friends uses old car registrations (of cars he used to own). You could then use the car reg that's closest to the colour of the site on which you're registering. You'd be stuffed if they changed their branding, of course, but I quite like that idea but have only owned three cars so that probably doesn't provide enough options.

    In any case, this geeky cartoon would seem to imply that we shouldn't make insanely hard passwords (like all the above that I would never remember in a billion years) but instead use a phrase. http://xkcd.com/936/
    I have no idea whether the maths in this makes sense or not (my GCSE maths was a LONG time ago) so what do you folks make of it?

    My keyboard has 48 character keys, plus shift, plus spacebar, giving 97 possible characters.

    Option 1: If I choose an 11 character password randomly from those keys (allowing for repeat keys), the chances of guessing it are 1 in 97^11. Or 1 in 7,153,014,030,880,800,000,000

    Option 2: Take four random English words. I am choosing from a pool of about 170,000 words. So the chances of guessing are 1 in 170,000^4. Or 1 in 835,210,000,000,000,000,000.

    Option 3: If you take a 9 character word and make "semi-obvious" substitutions (eg 0 for o), then assume each character has at most 3 substitutes. Your chances of guessing it are 1 in 170,000*(3^9). Add two random characters on the end and you get 170,000*(3^9)*(97^2). Bigger than option 2, but much smaller than option 1. 1 in 31,483,548,990,000.

    So they are right in that Option 2 is better than option 3, but neither is as secure as a totally random set of 11 characters. Although 11 totally random characters will be much harder to remember.
    Swim. Bike. Run. Yeah. That's what I used to do.

    Bike 1
    Bike 2-A
  • rick_chasey
    rick_chasey Posts: 75,661
    Greg66 wrote:
    One of my friends uses old car registrations (of cars he used to own). You could then use the car reg that's closest to the colour of the site on which you're registering. You'd be stuffed if they changed their branding, of course, but I quite like that idea but have only owned three cars so that probably doesn't provide enough options.

    In any case, this geeky cartoon would seem to imply that we shouldn't make insanely hard passwords (like all the above that I would never remember in a billion years) but instead use a phrase. http://xkcd.com/936/
    I have no idea whether the maths in this makes sense or not (my GCSE maths was a LONG time ago) so what do you folks make of it?

    My keyboard has 48 character keys, plus shift, plus spacebar, giving 97 possible characters.

    Option 1: If I choose an 11 character password randomly from those keys (allowing for repeat keys), the chances of guessing it are 1 in 97^11. Or 1 in 7,153,014,030,880,800,000,000

    Option 2: Take four random English words. I am choosing from a pool of about 170,000 words. So the chances of guessing are 1 in 170,000^4. Or 1 in 835,210,000,000,000,000,000.

    Option 3: If you take a 9 character word and make "semi-obvious" substitutions (eg 0 for o), then assume each character has at most 3 substitutes. Your chances of guessing it are 1 in 170,000*(3^9). Add two random characters on the end and you get 170,000*(3^9)*(97^2). Bigger than option 2, but much smaller than option 1. 1 in 31,483,548,990,000.

    So they are right in that Option 2 is better than option 3, but neither is as secure as a totally random set of 11 characters. Although 11 totally random characters will be much harder to remember.

    I always misspell my password words deliberately.
  • rjsterry
    rjsterry Posts: 29,344
    IIRC, the English vocabulary is around 600,000, so that may change Greg's calculations a bit. Nobody has suggested using words from the other (less common) languages. I'd be interested to know how secure a word in Gaelic or Welsh for example would be. If there are about 2,700 languages, then that makes about 500,000,000 words to choose from.
    1985 Mercian King of Mercia - work in progress (Hah! Who am I kidding?)
    Pinnacle Monzonite

    Part of the anti-growth coalition
  • greg66_tri_v2.0
    greg66_tri_v2.0 Posts: 7,172
    rjsterry wrote:
    IIRC, the English vocabulary is around 600,000, so that may change Greg's calculations a bit. Nobody has suggested using words from the other (less common) languages. I'd be interested to know how secure a word in Gaelic or Welsh for example would be. If there are about 2,700 languages, then that makes about 500,000,000 words to choose from.

    Being lazy, I read the first half of this: http://oxforddictionaries.com/words/how ... h-language

    Foreign languages = fun and games. In WW1 and WW2 the US encrypted messages that were in various native American languages.

    Cunning.
    Swim. Bike. Run. Yeah. That's what I used to do.

    Bike 1
    Bike 2-A
  • rjsterry
    rjsterry Posts: 29,344
    Greg66 wrote:
    rjsterry wrote:
    IIRC, the English vocabulary is around 600,000, so that may change Greg's calculations a bit. Nobody has suggested using words from the other (less common) languages. I'd be interested to know how secure a word in Gaelic or Welsh for example would be. If there are about 2,700 languages, then that makes about 500,000,000 words to choose from.

    Being lazy, I read the first half of this: http://oxforddictionaries.com/words/how ... h-language

    Foreign languages = fun and games. In WW1 and WW2 the US encrypted messages that were in various native American languages.

    Cunning.

    And IIRC, some units of the British Army have used Welsh when they knew that the enemy were listening in to radio communication. Here we are http://dropsafe.crypticide.com/article/974
    1985 Mercian King of Mercia - work in progress (Hah! Who am I kidding?)
    Pinnacle Monzonite

    Part of the anti-growth coalition
  • My biggest bugbear is that most online sites do not acknowledge the English keyboard, so you cannot use £ as a special character and have to resort to something else. It makes you laugh really: most online banking/credit card sites say you need a secure password, so you add special characters and it goes nope, you cannot use special characters.
    Sorry its not me it's the bike ;o)

    Strava Dude link http://www.strava.com/athletes/amander
    Commuting, Domestic & Pleasure : Specialized Sectuer Sport Disc

    Please Sponsor http://www.justgiving.com/alister-manderfield1
  • edds
    edds Posts: 156
    Greg66 wrote:
    Option 1: If I choose an 11 character password randomly from those keys (allowing for repeat keys), the chances of guessing it are 1 in 97^11. Or 1 in 7,153,014,030,880,800,000,000

    Option 2: Take four random English words. I am choosing from a pool of about 170,000 words. So the chances of guessing are 1 in 170,000^4. Or 1 in 835,210,000,000,000,000,000.

    Option 3: If you take a 9 character word and make "semi-obvious" substitutions (eg 0 for o), then assume each character has at most 3 substitutes. Your chances of guessing it are 1 in 170,000*(3^9). Add two random characters on the end and you get 170,000*(3^9)*(97^2). Bigger than option 2, but much smaller than option 1. 1 in 31,483,548,990,000.

    So they are right in that Option 2 is better than option 3, but neither is as secure as a totally random set of 11 characters. Although 11 totally random characters will be much harder to remember.

    Doing some simple maths on top of that. Current super computers can try around 90 billion passwords a second (cite: http://en.wikipedia.org/wiki/Password_cracking). So in real time terms to crack your passwords:

    1. 2520 years (wolfram: http://www.wolframalpha.com/input/?i=%287%2C153%2C014%2C030%2C880%2C800%2C000%2C000+%2F+90+billion%29+seconds)
    2. 294.3 years (wolfram: http://www.wolframalpha.com/input/?i=%28835%2C210%2C000%2C000%2C000%2C000%2C000+%2F+90+billion%29+seconds)
    3. 5 mins 49 seconds (wolfram: http://www.wolframalpha.com/input/?i=%2831%2C483%2C548%2C990%2C000+%2F+90+billion%29+seconds)

    Personally I use 1Password and use 16 character letter, number, symbol passwords but using 4 random words is probably good enough for most people.
    edd
    --
    FCN 4-5; Giant SRC 3; formerly known as edduddiee
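To check the arithmetic in Greg66's three options and edds's crack-time figures above, here is an added example (not posted by anyone in the thread) that computes each keyspace, its size in bits, and the time to exhaust it at the 90 billion guesses per second rate quoted. The 365-day year is an assumption; the keyspace sizes and guess rate are the thread's own figures.

```python
import math

# Figures quoted in the thread (constructed inputs, taken from the posts above)
ALPHABET = 97                      # Greg66's count of typeable characters
WORDS = 170_000                    # Greg66's English word pool
GUESSES_PER_SEC = 90_000_000_000   # edds's supercomputer rate
SECONDS_PER_YEAR = 365 * 24 * 3600 # assumption: 365-day year, no leap days


def keyspace_random(alphabet: int, length: int) -> int:
    """Option 1: every position drawn uniformly from the alphabet."""
    return alphabet ** length


def keyspace_words(pool: int, count: int) -> int:
    """Option 2: `count` words drawn uniformly from a pool of `pool` words."""
    return pool ** count


def keyspace_substituted(pool: int, word_len: int, subs_per_char: int,
                         alphabet: int, suffix_len: int) -> int:
    """Option 3: one dictionary word, at most `subs_per_char` spellings per
    character (the 'semi-obvious' leet swaps), plus a random suffix.
    The attacker is assumed to know the scheme, so only the choices count."""
    return pool * (subs_per_char ** word_len) * (alphabet ** suffix_len)


def bits(keyspace: int) -> float:
    """Entropy of a uniform choice from the keyspace, in bits."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, rate: int = GUESSES_PER_SEC) -> float:
    """Worst case for the attacker: every candidate tried. On average a
    correct guess lands halfway through, so expected time is half this."""
    return keyspace / rate


def human_duration(seconds: float) -> str:
    """Format as the thread does: whole years to one decimal, else min/s."""
    if seconds >= SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_YEAR:.1f} years"
    minutes, secs = divmod(seconds, 60)
    return f"{int(minutes)} min {int(secs)} s"


def report() -> list[tuple[str, int, float, str]]:
    """(label, keyspace, bits, time to exhaust) for the three options."""
    options = [
        ("1: 11 random chars", keyspace_random(ALPHABET, 11)),
        ("2: 4 random words", keyspace_words(WORDS, 4)),
        ("3: leet word + 2 chars", keyspace_substituted(WORDS, 9, 3, ALPHABET, 2)),
    ]
    return [(label, ks, bits(ks), human_duration(seconds_to_exhaust(ks)))
            for label, ks in options]


if __name__ == "__main__":
    for label, ks, b, t in report():
        print(f"{label:24} {ks:>28,} {b:5.1f} bits  {t}")
```

The bit counts are the useful comparison: Option 3 sits near 45 bits, Option 2 near 70 and Option 1 near 73, which is why the leet-substituted word falls to minutes while the other two stay in centuries at this rate.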
  • roger_merriman
    roger_merriman Posts: 6,165
    If I'm honest I use http://en.wikipedia.org/wiki/Keychain_(Mac_OS) for managing passwords, since I don't use the same for every site nor base them on the same system, and I'm never going to remember which one is for any given site.

    In fact, due to the length of time I've been online and using it, I do occasionally bump into sites that it logs in to that I've long forgotten about, normally photo sharing sites and such.

    Most folks, even the young and beautiful, are hopeless with computers really. A bit of social engineering seems to be the way now, rather than brute force.
  • Kieran_Burns
    Kieran_Burns Posts: 9,757
    Incidentally - if I get repeated requests from the Support Engineers asking for a password reset 'cos they've forgotten it and locked their account again, I set it to:

    1H4v345m4llP3n15

    (or a variant)

    and not allow them to change it.
    Chunky Cyclists need your love too! :-)
    2009 Specialized Tricross Sport
    2011 Trek Madone 4.5
    2012 Felt F65X
    Proud CX Pervert and quiet roadie. 12 mile commuter