I h8 passw3rdz

I’m sick of passwords.

I want to be secure:

  • Never reuse a password, month-to-month or site-to-site

  • Use a secure, reliable random password generator

  • Change all my passwords each month

  • Don’t write them down on a post-it note on my monitor

I want it hassle-free, so I could:

  • Use the same password

  • Never change it

  • Make it the name of my pet/son/wife/mistress

Some sites place restrictions on passwords in an attempt to make them more secure. If I’m doing a good job of selecting my password, any restriction only removes passwords I might otherwise have chosen, which reduces the entropy of my password and actually makes it less secure.


I’ve seen restrictions on the maximum length of the password, which is the worst of all.
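To put numbers on the two complaints above (a composition rule and a length cap both shrink the set of passwords a random generator may produce), here is an added Python example that is not part of the original post. It assumes the 94 printable ASCII characters split into the usual four classes, and the "must contain one of each class" policy is a constructed, typical one.

```python
import math
import secrets
import string
from itertools import combinations

# Character classes a typical "must contain..." policy refers to (sizes for
# printable ASCII: 26 + 26 + 10 + 32 = 94 symbols in total).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
ALPHABET = string.ascii_letters + string.digits + string.punctuation
assert len(ALPHABET) == sum(CLASSES.values())

def unrestricted_bits(length: int) -> float:
    """Entropy of a uniformly random password when all 94**length strings are allowed."""
    return length * math.log2(len(ALPHABET))

def count_satisfying(length: int, required: tuple) -> int:
    """Strings of the given length containing at least one character from every
    class in `required`, counted by inclusion-exclusion over the classes left out."""
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            size = len(ALPHABET) - sum(CLASSES[c] for c in excluded)
            total += (-1) ** k * size ** length
    return total

def restricted_bits(length: int, required: tuple) -> float:
    """Entropy once the policy forbids every string missing a required class.
    Returns 0.0 when nothing can satisfy it (e.g. four classes, length three)."""
    n = count_satisfying(length, required)
    return math.log2(n) if n > 0 else 0.0

def composition_loss(length: int, required: tuple) -> float:
    """Bits a composition rule throws away compared with a free random choice."""
    return unrestricted_bits(length) - restricted_bits(length, required)

def length_cap_loss(wanted: int, cap: int) -> float:
    """Bits thrown away when a site caps length below what the user would pick."""
    return unrestricted_bits(wanted) - unrestricted_bits(min(wanted, cap))

def generate(length: int) -> str:
    """Generator using the OS CSPRNG: uniform over the full alphabet, no rule applied."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

if __name__ == "__main__":
    all_four = ("lower", "upper", "digit", "symbol")
    print(f"8 chars, free choice:      {unrestricted_bits(8):.1f} bits")
    print(f"8 chars, all four classes: {restricted_bits(8, all_four):.1f} bits")
    print(f"20 chars capped to 8:      {length_cap_loss(20, 8):.1f} bits lost")
    print("sample:", generate(16))
```

For a truly random 8-character password the four-class rule costs only about a bit, while an 8-character cap on someone who would have used 20 characters costs roughly 79 bits; the cap, not the composition rule, is the expensive restriction.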


I want something that helps me with my MS corpnet password, my bank’s web site, my EverQuest message boards, my ATM PIN, etc.


I need something that identifies me uniquely and securely. I also want my privacy, so I don’t want two providers to be able to figure out that my identity with one is the same as my identity with the other.


I want computers to help me with this problem.  What can be done?


Smart cards: Providing two layers of security (the card plus a pass code) is more secure, because it’s harder to compromise both at the same time. Fails the privacy test, though, as I have one smart card for all providers.


Send them all to my Hotmail account: Any time I have a web browser, I have my passwords. But it’s not secure.


Write them down on a piece of paper: Compromised if stolen; lost if washed in the laundry; annoying to type in; useless if I forget it in my other pair of pants.


Carry a Pocket PC: I don’t want to carry another piece of equipment that I must maintain, recharge, repair, replace, etc.


I think the PGP Passphrase FAQ is a good read.

Comments (11)

  1. Personally I like Bruce Schneier’s solution http://www.cskk.ezoshosting.com/cs/goodstuff/bs-spc.html:

    He uses good, strong passwords, writes them down on a piece of paper and sticks it in his wallet.

    "A: That’s not because of computer-security flaws, it’s because I can’t remember all the passwords I need to have. My wallet is already a secure container; it has valuable things in it, and I have a lifetime of experience keeping it safe. Adding a piece of paper with my passwords seems like a natural thing to do."

    (from http://uk.biz.yahoo.com/030902/244/e7d3m.html)

  2. Raj says:

    FYI, I carry my passwords in an encrypted file on my USB that is on my keychain. If I forget the password to decrypt the file, I am screwed.

  3. 3l33th4x0r says:

    cvghyu8iol

    It looks rather random and can take a bit of time to brute-force. But there’s a pattern to it. If someone developed a pattern dictionary hack, then you could be screwed even with a long password which uses this method.

    Other thing is you could scramble the passwords you write down with some algorithm you can remember for sure and also obscure it with extra data (I do this for ATM numbers).

    My final answer is 100 random password, but instead of remembering what it is, memorize how you moved fingers when entering it. Too many of these is not good though, after a few I start messing up.

  4. Check out AI RoboForm, it’s a password keeper/generator/form filler that integrates with IE and keeps all of the data in an encrypted file, but best of all it is designed so that the encrypted file can be kept on a USB key. This way you get the benefit of two-factor authentication, but it’s still quite convenient. Also, at the moment you can get a second license for $8 so you can use it at home too. You can also print the list of usernames and passwords so you can keep a hardcopy somewhere safe.

    I’m not associated with the company, I’ve just been using the free version and have been pretty happy with it.

  5. jaybaz_MS says:

    These are all interesting ideas, thanks for taking the time to offer them up.

  6. Andrew says:

    Here’s my current scheme, FWIW. To generate passwords I think of a memorable sentence and then use the first letter of each word as the password. The end result is usually a pretty random password that is almost always immune to a dictionary attack.

    I then write down one unique word of the sentence on an easily accessible plaintext password list to act as a memory trigger. Quite often though I find I remember the sentence without having to look up the trigger (it helps if the account name is related to the topic of the sentence somehow). The really cool part of this scheme is that I know that even if my plaintext list gets stolen or compromised my passwords are safe as the attacker only has one letter of each password.

    As a backup I also keep a list of sentences in a secure inaccessible location. This list only contains the sentences not the accounts they are associated with as an additional security precaution.

    Andrew.

  7. jaybaz [MS] says:

    Not bad, Andrew.

    One of the attributes of any good password scheme is that you can explain it to someone without compromising its security.

  8. Joshua Allen says:

    I use Andrew’s scheme for passwords too. OTOH, I agree with you that identity is something that is intrinsic to us, and it is insulting that computers still require us to use such poor proxies for our selves. I ranted about this awhile ago: http://www.netcrucible.com/blog/PermaLink.aspx?guid=547db2e8-f394-4734-8be0-006d2805c7d3.

  9. Try PasswordSafe (http://passwordsafe.sourceforge.net) – an encrypted db for storing strong passwords (it was originally created by Bruce Schneier’s Counterpane Labs)

  10. Martin Liversage says:

    I haven’t tried either RoboForm or the new open source PasswordSafe, and both are free, but I would still like to recommend Password Agent (http://www.moonsoftware.com/pwagent.asp) which has a $20 price tag. It is certainly much better than the original PasswordSafe. By the way, I’m in no way affiliated with Moon Software, but I certainly like their product.