Author Topic: One simple trick for passwords the big companies don't want you to know about!  (Read 3407 times)

0 Members and 1 Guest are viewing this topic.

Offline Beamin

  • Super Contributor
  • ***
  • Posts: 1377
  • Country: us
  • If you think my Boobs are big you should see my ba
I'm sure most of the people here are tech savvy and may already implement this but when I  tell people this they always say "I never thought of that"

So instead of paying or using a program to store all your passwords use the word "password" and the same password for everything (but add a step), and you can't forget it. It's just an algorithm for all your passwords so you only have to remember the algorithm and the passwords are always different and hard to figure out.
A simple Idea:
When logging into your account: Take the domain name ie "capitalone"
Look at their password requirements: 8 char min, letters AND numbers, one capital letter
Make an algorithm that meets the bare minimum of these requirements.
 You can make this be anything you want as long as you remember it. Here is one easy example
Take the word “password” as a starting password (can be any word)

Take the first two letters in the domain name and convert them into numbers CApitalone = c=3 a=1
Add this number to the front of your password: 31password
Needs capital letters, so take the last letter in the domain name: e and write it twice at the end of your password: 31passwordEE
Now you can do that but vary the letters with each website name and you have the same but different and hard to figure out password, add more steps and math to make it more secure. What ever happened to those ads that said “One simple trick” or “Language professors/car insurers HATE this”, anyways? Person that started that deserves to be shot.
Max characters: 300; characters remaining: 191
Images in your signature must be no greater than 500x25 pixels
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1668
  • Country: se
  • Hobbyist
Such systems can be ok, but if someone figures out your system you are toast. Still, it's a lot better than using the same password everywhere.

You shouldn't use the word "password" or any dictionary word as part of a password though, and you shouldn't use someone else's system, but using some sort of system is better than using the same password everywhere.
« Last Edit: June 02, 2019, 11:14:51 pm by apis »
 

Offline schmitt trigger

  • Super Contributor
  • ***
  • Posts: 1290
  • Country: mx
And for those websites requiring special characters, replace the S with a $, the X with a *, the l with a !, and so forth.
 

Offline Red Squirrel

  • Super Contributor
  • ***
  • Posts: 2229
  • Country: ca
One system I've seen is to make a card with a grid of random letter/characters, say 10x10.  For each site, you just need to remember the sequence of squares.    Optionally, you can tattoo it on yourself.  Change it up once in a while.

Me personally, I wanted a web based password manager that is locally hosted that does not require any special software or OS specific requirement.  Could not find anything so I just wrote my own.   I just copy and paste the password.  Eash site has it's own password.   Too many sites leaking credentials now days so I don't reuse passwords anymore.     If I need a password remotely, then I VPN in my network. Currently I only allow my work IP to access the VPN though, but work and home is about the only place where I can find myself wanting to access my home network.

As a side note, why do so many sites have so many limits to what characters you can use?  It's all getting hashed anyway (or it BETTER be), so don't even need to worry about filtering out any chars that could lead to a SQL injection.    Technically don't even need a character limit, but any password longer than the hash is probably diminishing returns.
 
The following users thanked this post: Beamin

Offline Beamin

  • Super Contributor
  • ***
  • Posts: 1377
  • Country: us
  • If you think my Boobs are big you should see my ba
And for those websites requiring special characters, replace the S with a $, the X with a *, the l with a !, and so forth.

OH $#!|  !!!
         
IF you have two factor couldn't your password just be "password" and its just as secure?


Max characters: 300; characters remaining: 191
Images in your signature must be no greater than 500x25 pixels
 

Online soldar

  • Super Contributor
  • ***
  • Posts: 2199
  • Country: es
Mostly I keep my passwords in an encrypted file and I do not want any site, browser or program remembering it. I have some "basic" units which I mix. I have a four digit and a five digit pin. My wife has another two. Then I have some basic combinations of letters. She has two. We both learned each other's and it is easy to combine different forms of these.

So most of the sites I use often I remember the PW.

Sometimes I make up something fancy on the spot. 2burguers7.50, 25milestoPapas, etc. Something that makes sense to me because I hate those you can never remember: Ft3bG76Hj*tr4%. Yeah, nobody is going to remember that.

It is also easy for me to remember by the position of keys on the keyboard like say, vb7nm. If I need a longer PW I can duplicate it: vb7nmvb7nm.

Whatever you can remember.
All my posts are made with 100% recycled electrons and bare traces of grey matter.
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1668
  • Country: se
  • Hobbyist
A system I have considered is to use a book code, pick a random book, use the method Beamin described to derive a page number in the book (might have to do modulo number of pages), then you take the third letter of the first/last/third word on each page, and so on. That way you can have passwords that are hard to guess and you don't have to have them written down anywhere. Might want to keep two copies of the book in different places though.
 

Offline jpanhalt

  • Frequent Contributor
  • **
  • Posts: 653
  • Country: us
The DNC in 2016 used that "password."  Most people consider it stupid.   They blamed President Trump when their servers were hacked.  America spent $35 million to show it was not Trump.  Was it worth that to protect Hillary and the DNC?
 

Offline golden_labels

  • Regular Contributor
  • *
  • Posts: 95
  • Country: pl
There is a saying: never implement your own crypto. The problem is, that such attempts are based on misunderstanding of the threat model, insufficient knowledge and experience to see weakness, and mistaking own inability to defeat the solution with its strength. Let me paint a picture to explain this. Kids are often mimicing the world of adults. They may build a “safe” from paper, draw a pinpad on it &c. In their eyes this is a perfectly valid method of protecting their tiny savings! You, as an adult, know that it will not work. The paper safe will be torn apart by a thief. But… actually the threat model is wrong too: the thief will take their laptop(1), and will never care about the few dollars :). Unless you are an experienced cryptographer, attempts to build your own security will be not different than that safe made of paper.

Humans are horrible at generating good passwords. Never trust your brain — it is too weak to be able to make a decent password. Whatever you come up with, most likely it is already shared with many other people. Your “super unpredictable password” is much less unpredictable than you think. Some real-world statistics: I once checked passwords in a service I was administrating. 30 most popular passwords were shared by 3% of all users: about a half thousand accounts.

Passwords should never be shared between services. An algorithm to modify the password seems like a good idea, because it fulfills that requirement. Unless you are a victim of an attack targeted at you personally, no one will try to guess the algorithm — it’s not how large scale attacks work nowadays. So is this a perfect solution? Unfortunately… no. It tries to protect against a non-existent threat (making it hard to derive a password from another one), while the actual danger is never addressed. The problem is, that the outcome of such an algorithm is expected to be a dictionary password anyway — no matter how many and how complex steps you employ. You just produce a series of weak passwords. Your algorithm might even be unbreakable, but a typical attacker will never touch it. They will go straight with the dictionary attack or reverse brute-force. You might try to check the password at Have I been pwned, but even that has limited use. The result of that check is not “is certainly not safe / is certainly safe”, but “is certanly not safe / is possibly unsafe”.

And all that under an assumtion, that your algorithm is good. As with generating passwords, the brain is bad at making password-modifying algorithms. This is evident in how people periodically change their passwords. And your algorithm must work both spatially — across services — but also in the time dimension. If your employer is a victim of a targeted attack, the intruders will guess your new passwords if they are modified by an algorithm. You may imagine, that adding more steps will be better. It is not: you are just requiring much more effort from yourself, withou introducing much complexity from the mathematical point of view. That’s why you do not see new encryption algos being developed by adding more steps. From perspective of mathematics, this is a single(!) bijective operation no matter what you do. Oh, and this is yet another point: you would have to prove that the algorithm is a bijection. Otherwise you will be slowly losing entropy with each generated password.
 
Adding digits, replacing characters with look-alikes, changing some letter to uppercase is not very useful. Depending on the method use, it gives 1–2 bits of entropy per step. This is close to nothing, considering that a random 8-character password is 48 bits and this is considered absolute minimum. Human-generated passwords of that length barely reach 20 bits.

What you want is a password that has high entropy. There are two well known methods, that work:
  • Generate random characters. This gives a relatively short password, but you have no chances of remembering it.
  • Systems like diceware, which with 4–6 words give good, easy to remember passwords.
Unfortunately diceware doesn’t solve the problem of remembering many passwords. So the best strategy is to have some kind of non-brain password storage and remember only a few passwords you really have to type by hand. You may do that using either a password manager or an encrypted file. The problem with files is that they may quickly become hard to manage and, if used with standard text processing tools, are far from perfect — they may leak the passwords. This is why password managers have been invented. A response to the problem. I haven’t seen any better option yet.

An additional bonus of not having to remember passwords? You can’t be forced to give them away, unless someone has your passwords database. For example you can’t put a gun to my head and expect me to give you access to my bank account. Even if I would like to, I have no option to do so.

Also, obligatory XKCD 936.
____
(1) For the sake of example let’s ignore current trends in developed countries: electronics becoming less and less wanted by thieves.
Worth watching: Calling Bullshit — protect your friends and yourself from bullshit!
 
The following users thanked this post: boffin, julianhigginson, cpt.armadillo

Online soldar

  • Super Contributor
  • ***
  • Posts: 2199
  • Country: es
A system I have considered is to use a book code,

No need. Every one of us knows a piece of poetry, verse, literature, ditty, whatever. You can work from there. Take the first letters of words, two letters, whatever.

I have my important files encrypted with PGP but I need the PGP keys to decrypt. What if I lose the PGP keys (even though I have secure copies in several places)? I have a last resort file which has my keys, passwords and important files and this file is encrypted using symmetrical encryption and the password is so long it takes a while to input but I will never forget it because it is based on something I learnt as a child and can never forget .
All my posts are made with 100% recycled electrons and bare traces of grey matter.
 
The following users thanked this post: apis

Offline wilfred

  • Frequent Contributor
  • **
  • Posts: 713
  • Country: au
I once worked for a company that had 8 character passwords. They required it not start with a number and have a number and various other rules. As far as I could work out they ended up reducing the set of available passwords by over 90%.

But I'm sure they thought they were on the cutting edge of security best practise.
 

Offline Beamin

  • Super Contributor
  • ***
  • Posts: 1377
  • Country: us
  • If you think my Boobs are big you should see my ba
The DNC in 2016 used that "password."  Most people consider it stupid.   They blamed President Trump when their servers were hacked.  America spent $35 million to show it was not Trump.  Was it worth that to protect Hillary and the DNC?

Can we leave Hillary back in 2016? Shes not going around doing campagna stops and speaking rallies playing with twitter talking shit. You know if you guys didn't constantly bring up Hillary no one would even think about her. But what about Hillary? But what about pizzagate? But what about the emails? But what about Benghazi? What about it? Give the whole Hillary thing a rest. The right wing brings her up so much that when she hears her own name she gets irritated I know I am.

I don't see what that has to do with anything. Whats your password? I want to check your accounts for viruses like that republican guy who got caught downloading porn and said he "was checking the porn sites for viruses" , come to think of it it was Hillary who put the porn on his computer. The Clintons will stop at nothing!


We should start a thread : What is your user name and password.


On AOL back in the day you could go into the "Newbie" chat room message people saying you worked for aol and needed their info and password, most times they gave it to you. Free  hours with AOL!
Max characters: 300; characters remaining: 191
Images in your signature must be no greater than 500x25 pixels
 

Offline onesixright

  • Frequent Contributor
  • **
  • Posts: 585
  • Country: nl
A system I have considered is to use a book code, pick a random book, use the method Beamin described to derive a page number in the book (might have to do modulo number of pages), then you take the third letter of the first/last/third word on each page, and so on. That way you can have passwords that are hard to guess and you don't have to have them written down anywhere. Might want to keep two copies of the book in different places though.
Or you generate a password [emoji3]  On a Mac that comes default (keychain) and you can set the conditions (length, characters).


Sent from my X using Tapatalk
 

Offline jpanhalt

  • Frequent Contributor
  • **
  • Posts: 653
  • Country: us
The DNC in 2016 used that "password."  Most people consider it stupid.   They blamed President Trump when their servers were hacked.  America spent $35 million to show it was not Trump.  Was it worth that to protect Hillary and the DNC?

Can we leave Hillary back in 2016? Shes not going around doing campagna stops and speaking rallies playing with twitter talking shit. You know if you guys didn't constantly bring up Hillary no one would even think about her. But what about Hillary? But what about pizzagate? But what about the emails? But what about Benghazi? What about it? Give the whole Hillary thing a rest. The right wing brings her up so much that when she hears her own name she gets irritated I know I am.

I don't see what that has to do with anything. Whats your password? I want to check your accounts for viruses like that republican guy who got caught downloading porn and said he "was checking the porn sites for viruses" , come to think of it it was Hillary who put the porn on his computer. The Clintons will stop at nothing!


We should start a thread : What is your user name and password.


On AOL back in the day you could go into the "Newbie" chat room message people saying you worked for aol and needed their info and password, most times they gave it to you. Free  hours with AOL!

You seem confused, rambling, and tangential. 

"Password" was used as the password by the head of the DNC and probably contributed to the hacking of its computers.
« Last Edit: June 03, 2019, 05:31:01 am by jpanhalt »
 

Offline sleemanj

  • Super Contributor
  • ***
  • Posts: 2361
  • Country: nz
  • Professional tightwad.
    • The electronics hobby components I sell.
Just use lastpass it's a whole lot easier.

"but what if lastpass gets compromised"

Well then you have an easy precompiled list of the sites you care about to change their passwords.
~~~
EEVBlog Members - get yourself 10% discount off all my electronic components for sale just use the Buy Direct links and use Coupon Code "eevblog" during checkout.  Shipping from New Zealand, international orders welcome :-)
 

Offline vk6zgo

  • Super Contributor
  • ***
  • Posts: 4792
  • Country: au
I mostly use model numbers of equipment I had a lot to do with decades ago, with extensions if necessary.
Unless someone had been living "in my pocket" for the last 50 years, it would be quite hard to find them out.

My Google password is pretty weak, I must admit, but trying  simple ones, then multiple complex ones for a hour or so, only to be told they were "already taken", led me to try an abusive password, which worked.

I was amazed that it wasn't already taken! ;D
It would probably be easy to crack, by just thinking up enough nasty things to say to or about Google.
But it's Google, who cares?

I don't do "online banking", the only things I pay online are my Ham licence (if the website is actually working), buy Lotto tickets from the State Lotteries Commission, & once with Paypal.

Other bills are paid at the Aussie Post shop who will accept payment for a lot of bills, or by cheque (yes, cheque!). :o
By reducing my financial exposure to the Internet, the dangers are reduced to a low level.

If I were really paranoid, my "nickname" on this & other forums would not be my Amateur Radio callsign, which is a matter of public record, along with my full name, address, etc.

In fact, by going to QRZ.com & searching for vk6zgo, you can find all that out, without having to brave the perils of ACMA's dysfunctional website!

You can follow that up, using Google Earth to get a 6 year old picture of my house.
At that point, someone would probably give up in disgust!


« Last Edit: June 03, 2019, 06:27:00 am by vk6zgo »
 

Offline Halcyon

  • Moderator
  • *****
  • Posts: 3596
  • Country: au
Using dictionary words (such as "Capital" and "One") are a bad idea overall. Even with character substitution, password cracking tools are designed with such permutations as part of their standard attacks. Everyone knows "tricks" like replacing the letter S with the number 5 or $ symbol, including attackers.

Just something to keep in mind.
 
The following users thanked this post: tooki

Online Jeroen3

  • Super Contributor
  • ***
  • Posts: 3242
  • Country: nl
  • Embedded Engineer
    • jeroen3.nl
Just use lastpass it's a whole lot easier.

"but what if lastpass gets compromised"

Well then you have an easy precompiled list of the sites you care about to change their passwords.
Sites you care about also use two-factor. If they do not, then you don't care about them enough, or vice versa.
When is this forum getting two-factor? (that's the next step after https right?  ;D)
« Last Edit: June 03, 2019, 07:03:12 am by Jeroen3 »
 

Offline CJay

  • Super Contributor
  • ***
  • Posts: 3303
  • Country: gb
  • M0UAW
You seem confused, rambling, and tangential. 

"Password" was used as the password by the head of the DNC and probably contributed to the hacking of its computers.

Beamin is confused and off on a tangent?

You brought the political BS into the discussion and created that tangent.

Anyway, passwords,

I'm one of those people who can remember car registration numbers for all sorts of things, the Black BMW that cut me up at the roundabout 6 weeks ago, the really nice old Morris Traveller in duck egg blue, etc. etc.

So, car registration numbers, plus something of the colour, the make, the model and a smattering of special characters.

Those and custom chip part numbers, the in-house marking of parts in custom computers, IBM bits, all sorts of random stuff only an engineer would place any significance on all work for me.

But, as I need ever more passwords and I get older I find I need a password manager, I don't like the idea of a piece of software that might be on one machine or could be compromised so I've been considering building myself something.

A nice little OLED display in a pocket sized case, perhaps about the size of an RSA ID fob, fingerprint reader and an ARM chip with a couple of buttons to 'scroll' through the list.

Maybe even give it USB connectivity so it can pretend to be a keyboard and 'type' the password for me, that'd make it possible to use impossible to remember, long passwords.

Another idea for the never to be completed pile of projects in notebooks
M0UAW
 
The following users thanked this post: BillyD

Offline NANDBlog

  • Super Contributor
  • ***
  • Posts: 4402
  • Country: nl
What big companies IT administrators, dont think about is the rest if the word.
I'm using keyboards with 5-6 different layouts. Some has characters like űáú on it, the others, you have to press shift to type numbers, some has US layout, some has UK, all of them has the special characters at the different place. Some is on touchscreen. I type my default password with muscle memory.

I just want to use the password that I used for 20 years. That's all.
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1668
  • Country: se
  • Hobbyist
Security comes with a price, you always have to weight the cost against the risks. If the risks are great you need to sacrifice more time and convenience on security.

There is a problem with using the same password everywhere, passwords leak from websites that get hacked (or are dishonest) so it will eventually end up in a list somewhere (someone else's list) and they will try to log into your other accounts.
 

Online T3sl4co1l

  • Super Contributor
  • ***
  • Posts: 13530
  • Country: us
  • Expert, Analog Electronics, PCB Layout, EMC
    • Seven Transistor Labs
I'm not going to comment on the "security" of this method.

However, I will note a more innocuous and beneficial application of similar nature:
https://gmail.googleblog.com/2008/03/2-hidden-ways-to-get-more-from-your.html
If you have a GMail account, you can do this, and hence keep track of which sites you've handed out your e-mail to (and which ones are leaking/selling them to advertisers/spammers).

Or if you own your e-mail domain/server, you can do the same thing, implemented directly.

Tim
Seven Transistor Labs, LLC
Electronic design, from concept to prototype.
Bringing a project to life?  Send me a message!
 

Offline Bratster

  • Regular Contributor
  • *
  • Posts: 246
  • Country: us
You seem confused, rambling, and tangential. 

"Password" was used as the password by the head of the DNC and probably contributed to the hacking of its computers.

Beamin is confused and off on a tangent?

You brought the political BS into the discussion and created that tangent.

Anyway, passwords,

I'm one of those people who can remember car registration numbers for all sorts of things, the Black BMW that cut me up at the roundabout 6 weeks ago, the really nice old Morris Traveller in duck egg blue, etc. etc.

So, car registration numbers, plus something of the colour, the make, the model and a smattering of special characters.

Those and custom chip part numbers, the in-house marking of parts in custom computers, IBM bits, all sorts of random stuff only an engineer would place any significance on all work for me.

But, as I need ever more passwords and I get older I find I need a password manager, I don't like the idea of a piece of software that might be on one machine or could be compromised so I've been considering building myself something.

A nice little OLED display in a pocket sized case, perhaps about the size of an RSA ID fob, fingerprint reader and an ARM chip with a couple of buttons to 'scroll' through the list.

Maybe even give it USB connectivity so it can pretend to be a keyboard and 'type' the password for me, that'd make it possible to use impossible to remember, long passwords.

Another idea for the never to be completed pile of projects in notebooks
Sounds like this:

https://www.themooltipass.com/

Sent from my Pixel 2 XL using Tapatalk

 
The following users thanked this post: CJay

Offline boffin

  • Supporter
  • ****
  • Posts: 857
  • Country: ca
Basically what you're doing is creating a salt using a fixed password, and then adding your own details for each website.  Most password hash algorithms already do this, but adding your own solves the problem that if you use the same password everywhere, cracked password on site A compromises everything.  Also poor sites that just use a simple (unsalted) hash are potentially the worse.  I worked in a place like that at one point (they've long since changed), and I had got to the point where I could recognize the md5 for a number of common passwords (like 1234, qwerty, & Password)

If you did something like make your base password "Secret1" and then your email password "Secret1gmail" and your banking password "Secret1money", etc etc, you're way way way further ahead than just using gmail and money as passwords.

However, as xkcd point out, just a string of random words provides more entropy.

 

Online soldar

  • Super Contributor
  • ***
  • Posts: 2199
  • Country: es
One simple trick for passwords the big companies don't want you to know about! ??

The "trick" is one more of millions but who are the "big companies" that don't want you to know? And why would they care?
All my posts are made with 100% recycled electrons and bare traces of grey matter.
 
The following users thanked this post: wraper, ucanel


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf