PW management (was Re: break-in attempts)
dsr at tao.merseine.nu
Tue Nov 22 06:45:55 EST 2005
On Mon, Nov 21, 2005 at 01:28:21PM -0500, Rich Braun wrote:
> Alright, I'll bite. Conventional wisdom on single-factor authentication has
> been brought up at least twice in this thread:
>
> 1) Use a different password for each account.
> 2) Wherever possible, use an encrypted key instead of plain text password.
>
> This strikes me as completely impractical for anyone who uses the web or has
> multiple logins anywhere.
These are different problems: anything web-based should be
assumed to be relatively insecure anyway.
Nevertheless, there's a decent approach that handles both: use a
system.
Here's a good system: use song lyrics from a relatively obscure
band -- not the Beatles, not your all-time-favorite band that
you obsessively promote to everyone you meet, but a band that
you like and remember the lyrics for many of their songs.
Let's say a significant line in the song is "I often thought how
proud I'd be in a boat like Gideon Brown". Take the initials:
IothpIbiablGB
that's a great password there, and you have a built-in mnemonic.
But wait, there's more.
Pick one of these solely for low-security accounts. Then append
or prepend the name of the service to it:
gmailIothpIbiablGB
or
IothpIbiablGBhotmail
Voila! instant high-quality password for a low-security account.
The key to maintaining the security is to rotate the whole set
every so often, or if you ever suspect that one of a set of
passwords is compromised, treat the whole set as in need of
replacement.
And use a different song for each high-security account, please.
-dsr-
>
> I'm *constantly* forgetting which password I used on which system, so I either
> lock up the account by trying too many different passwords, or I revert to a
> cheat-sheet that I've written down or stored in a text file in some
> hopefully-obscure place.
>
> Cheat-sheets are a terrible approach. Hardware dongles that keep track of
> passwords are only useful on the systems that have the needed software on
> them.
>
> The only meaningful long-term solution to this problem will ultimately be
> some sort of government- or industry-mandated central registry of
> authentication information. Bill Gates would love you to use his, he first
> proposed this concept at a talk he gave right here in Boston at a
> BCS-sponsored event. And the FBI would love you to use a biometric method,
> which would prevent you from ever revoking an identity key.
>
> Until some well-connected powerful rich guy imposes a grand-unified master
> authentication database on all of us, what are we to do? I'm at a complete
> loss as to any practical method that works across multiple computers,
> including the ones I walk up to at a friend's house or Internet cafe or
> wherever.
>
> Yes, I am challenging those of you who suggest these conventional PW
> management rules: they DON'T WORK for me. Do you have some secrets on
> successful use?
>
> -rich
--
Separation of church and state protects religion.
(from itself, as well as from other religions.)
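The lyric-initials scheme above, as an added example in Python (not code from the original post): it derives the base from a lyric, tags it per service, and applies the post's rule that a suspected leak of any member invalidates the whole set. The lyric and service names are the post's own; the function and class names are assumptions.

```python
import re

# Added example, not code from the original post: the lyric-initials scheme.

def lyric_initials(lyric: str) -> str:
    """Base password: the first letter of each word, case preserved.
    Apostrophes stay inside a word, so "I'd" contributes just "I"."""
    words = re.findall(r"[A-Za-z][A-Za-z']*", lyric)
    return "".join(w[0] for w in words)


def tagged_password(base: str, service: str, prepend: bool = True) -> str:
    """Low-security variant: the shared base with the service name
    prepended or appended, so each throwaway account gets a distinct string."""
    return service + base if prepend else base + service


class LowSecuritySet:
    """One base shared by a set of low-security accounts. As the post says,
    a suspected compromise of any member means the whole set is replaced:
    the service tag is guessable, so one leaked password reveals the base."""

    def __init__(self, base: str) -> None:
        self.base = base
        self.placement: dict[str, bool] = {}   # service -> tag prepended?

    def add(self, service: str, prepend: bool = True) -> str:
        self.placement[service] = prepend
        return self.password(service)

    def password(self, service: str) -> str:
        return tagged_password(self.base, service, self.placement[service])

    def compromised_by(self, leaked: str) -> list[str]:
        """Services whose password must change if `leaked` is one of ours:
        every member, because they all share the base."""
        ours = {self.password(s) for s in self.placement}
        return sorted(self.placement) if leaked in ours else []

    def rotate(self, new_base: str) -> dict[str, str]:
        """Replace the base for the whole set, keeping each tag's position."""
        self.base = new_base
        return {s: self.password(s) for s in self.placement}
```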