Author Topic: One simple trick for passwords the big companies don't want you to know about!  (Read 15224 times)


Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
We're talking about internet passwords here, not nuclear launch codes.

The big problem these days is that people use the same password everywhere.

The passwords are typically stored in an encrypted (hashed) list on the server (ideally, unfortunately many save them as plain text anyway). These lists get stolen. If you used a too weak password it can be cracked and the hacker will know your password and can use it to try logging in to your other accounts. You can be almost certain the password will leak, so never use the same password twice. If you use different passwords for different websites there isn't much of a problem though.

Your password still needs to be good enough that someone can't brute force their way into your account. But the web login should be rate limited (although you can't count on that either) so an attacker can't try more than 3 passwords per minute or something like that, which makes that method infeasible for the most part. Consider bank cards that are often only protected by a four-digit PIN code! But the card gets eaten if you enter the wrong code 3 times in a row.

If you're someone important and it would be valuable to get into your account, then people might target you directly. In that case you really do need to make the extra effort of using high entropy passwords. The commonly recommended minimum length today is 12 randomly chosen characters. But then you should probably also get help from a professional since there are many factors to consider.
« Last Edit: June 09, 2019, 12:47:07 pm by apis »
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1337
  • Country: pl
We're talking about internet passwords here, not nuclear launch codes.
Yeah, leave your apartment open, because it contains no nuclear warheads (citation needed). I am not getting why you and some other people are insisting on doing it wrong, when it can be done right without any issues.(1)

Your password still needs to be good enough that someone can't brute force their way into your account. But the web login should be rate limited (although you can't count on that either) so an attacker can't try more than 3 passwords per minute or something like that, which makes that method infeasible for the most part. (…)
Reality vs movie fiction confusion? Unless the attack is targeted at a specific victim, which is not the case for most people/services, this is not how it looks. RBF will be unhampered by per-account rate limiting. A more useful method is requiring proof-of-work to be delivered with the log-in attempt, but its effectiveness also can be easily overestimated(2) and has its drawbacks.

(…) But then you should probably also get help from a professional since there are many factors to consider.
So why are you arguing against simple, working solutions suggested by professionals?
____
(1) I am fully aware of how bad locks are and why it is fine. But the analogy can’t be made, because we can have decent passwords at no cost.
(2) Typically the work required is orders of magnitude smaller than expected; the overestimation comes from using author’s own knowledge as a reference, while they know pretty much nothing and are full of misconceptions. Even if that is done right, the lack of knowledge about the actual cost of the work still makes it less effective.
« Last Edit: June 09, 2019, 02:15:09 pm by golden_labels »
People imagine AI as T1000. What we got so far is glorified T9.
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
So why are you arguing against simple, working solutions suggested by professionals?
I'm not, why do you keep saying I am? I'm only arguing that most people don't need to pay for an expensive service to maintain sufficient security.
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1337
  • Country: pl
I am scratching my head…

KeePass: $0/life
KeePassX/KeePassX2: $0/life
KeePassXC: $0/life
PassSafe: $0/life
pass: $0/life

If you need online storage:
BitWarden: $0/mo., though the business model makes me apprehensive

Even the proprietary ones(1) are in the $3/mo. range. That is not very good in terms of value-per-price, but this is not far from the cost of deploying your own solution of this kind. And the target are people, who have no knowledge or experience to do it on their own.

So where are those “expensive services”?

____
(1) Mentioning them does not imply I’m considering them safe. But still, using a proprietary password manager is much better than using none at all.
People imagine AI as T1000. What we got so far is glorified T9.
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
I've already written many times I wasn't aware there were free and open source alternatives, I have no issue with those. I don't think the commercial ones offer anything most people need though, this fanatic push for password managers is just advertising. Naturally they want as many paying customers as possible. If some people want to pay for the convenience they offer that is fine, but there's no need to scare people into thinking it's a must have imo. So use a free password manager or some other method, as long as you don't reuse the same password everywhere. (For stuff that's not that important; for bank accounts and other stuff you want more security though, but the bank usually provides that).

$3/month is pretty expensive for what it offers imo. Let me do the math for you $3*12= $36/year or $360 for ten years, I can think of better ways of spending that money.
« Last Edit: June 09, 2019, 05:50:26 pm by apis »
 

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9810
  • Country: 00
  • Display aficionado
That is pretty bad advice, do you really think it is a good idea to give away your password to some random website?

I can't think of a better way of filling a password dictionary.
Have I been pwned checks accounts, not passwords. Of course, it's the defacto standard when it comes to breached accounts. Calling it "some random website" doesn't do it justice. Calling it that may just make you look silly.
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
Errm, yes, sorry you are right, they asked for account name not password, my mistake. And you are also right that it's not a random site, it's advertising for commercial password managers.

From the site:
"Back then, I chose 1Password because it was the best fit for my needs; it was user friendly, it had clients for all the devices I used and it made syncing my passwords across them simple. 7 years and hundreds of passwords later, I partnered with them to help people who find themselves in a breach after searching HIBP get themselves into a great password manager.

Today, I use 1Password in all the same ways as I have since 2011, and more."  :blah:
« Last Edit: June 10, 2019, 02:42:24 pm by apis »
 

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9810
  • Country: 00
  • Display aficionado
Errm, you are right, they asked for account name not password, my mistake. And you are also right that it's not a random site, it's advertising for commercial password managers.

From the site:
"Back then, I chose 1Password because it was the best fit for my needs; it was user friendly, it had clients for all the devices I used and it made syncing my passwords across them simple. 7 years and hundreds of passwords later, I partnered with them to help people who find themselves in a breach after searching HIBP get themselves into a great password manager.

Today, I use 1Password in all the same ways as I have since 2011, and more."  :blah:
Allow me to enlighten you.

https://en.wikipedia.org/wiki/Have_I_Been_Pwned
« Last Edit: June 10, 2019, 01:58:53 pm by Mr. Scram »
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
Not sure I understand what you are trying to say.

The site is advertisement for 1password, a commercial password manager, as even the Wikipedia page admits.

Also, the page is misleading, just because your account information has leaked doesn't mean you've been "pwned", it just means the account information has leaked (i.e. a website you used has been "pwned"), which is what this is all about: don't reuse the same password since you can be almost certain it will leak.

Anyway, I remember when he created the site, back then people didn't think passwords leaked, so the site served a purpose back then by illustrating that they did.
« Last Edit: June 10, 2019, 03:05:59 pm by apis »
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1337
  • Country: pl
The site is advertisement for 1password, a commercial password manager, as even the Wikipedia page admits.
No, it isn’t and the Wikipedia article doesn’t tell that. It is a service for checking if a password is known to be in a leak. Additionally, since Troy Hunt endorsed 1password, it suggests using it if you use the website interface and the password is determined to be leaked. There is a difference between “contains an ad” versus “is an ad”. The website’s primary purpose never was and is not advertising that product. It is ridiculous to claim that a website focused on providing services to competitors of 1password is an advertisement for 1password. What’s next? EEVblog is an advertisement for Uni-T, because it contains their ads?

Also, the page is misleading, just because your account information has leaked doesn't mean you've been "pwned",
The website’s name is humorous — it claims nothing.

it just means the account information has leaked (i.e. a website you used has been "pwned"), which is what this is all about: don't reuse the same password since you can be almost certain it will leak.
No, it doesn’t. It has nothing to do with any service you use. It means that someone (probably not you) used the same password as you are checking and that password has leaked. There is no relation to your password policy. It is a statement about the password itself. And yes, that means the password is effectively pwned and should not be used by you, because it is a dictionary password. If you are already using it, it also means you should expect to be pwned soon.
People imagine AI as T1000. What we got so far is glorified T9.
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
The site is advertisement for 1password, a commercial password manager, as even the Wikipedia page admits.
No, it isn’t and the Wikipedia article doesn’t tell that. It is a service for checking if a password is known to be in a leak. Additionally, since Troy Hunt endorsed 1password, it suggests using it if you use the website interface and the password is determined to be leaked. There is a difference between “contains an ad” versus “is an ad”. The website’s primary purpose never was and is not advertising that product. It is ridiculous to claim that a website focused on providing services to competitors of 1password is an advertisement for 1password. What’s next? EEVblog is an advertisement for Uni-T, because it contains their ads?
I don't get Uni-T ads on EEVblog, I get keysight and JLCPCB.  :-//

Also, the page is misleading, just because your account information has leaked doesn't mean you've been "pwned",
The website’s name is humorous — it claims nothing.
It's not just humorous:
"Oh no — pwned!
Pwned on 9 breached sites (subscribe to search sensitive breaches)
Start using 1Password.com
<1Password Logo> 3 Steps to better security"


it just means the account information has leaked (i.e. a website you used has been "pwned"), which is what this is all about: don't reuse the same password since you can be almost certain it will leak.
No, it doesn’t. It has nothing to do with any service you use. It means that someone (probably not you) used the same password as you are checking and that password has leaked. There is no relation to your password policy. It is a statement about the password itself. And yes, that means the password is effectively pwned and should not be used by you, because it is a dictionary password. If you are already using it, it also means you should expect to be pwned soon.
Except as Mr. Scram kindly pointed out it doesn't check your password, it checks for your email.
...
Although I see now that it still has a feature that checks for passwords, so maybe I didn't remember incorrectly, maybe he changed how it works at some point in time  :-\

https://haveibeenpwned.com/Passwords

For which I'll repeat my original comment about the site:
do you really think it is a good idea to give away your password to some random website?

I can't think of a better way of filling a password dictionary.
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1337
  • Country: pl
I don't get Uni-T ads on EEVblog, I get keysight and JLCPCB.  :-//
Look at the bottom. But this isn’t even the point of what I have said.

Except as Mr. Scram kindly pointed out it doesn't check your password, it checks for your email.
It allows checking both. As you have noticed yourself, so why claim otherwise? It also allows searching for user names, which reveals nothing useful to HIBP.

do you really think it is a good idea to give away your password to some random website?
Random website? You call Troy Hunt random? Nonetheless… normally HIBP never sees your password. It doesn’t even see a full hash of your password. The actual check is performed on your local computer, based on information sent by HIBP. At worst what is revealed is a password that… is already leaked and therefore should not be used. So HIBP gains nothing. The exception from above is if you use the web interface. But this is not the core feature of the service. And if someone uses the web interfaces, they are probably not having a better option. So it’s a difference between having a possibly leaked password versus revealing to a quite trusted person, that someone(1) on the internet has a password like the one supplied. For average Joe this is a much better option.

I can't think of a better way of filling a password dictionary.
Filling a dictionary? Of whom? A well-known white hat, who professionally acquires huge collections of leaked passwords and has access to a dictionary that would allow him to rob a third of the US population? Sure, the probability of defection is never zero, but it is more likely that your family will steal your passwords than this guy.
____
(1) If they can’t anonymize themselves, it may also reveal who that “someone” is. But with even the simplest anonymization this is not the case.
People imagine AI as T1000. What we got so far is glorified T9.
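The split check described in the post above (hash locally, send only a short hash prefix, compare the suffixes on your own machine), as an added illustration that is not code from the original thread or from HIBP. The server side here is a constructed stand-in with a made-up corpus; the prefix length (5 hex characters of SHA-1) and the "SUFFIX:COUNT" response shape follow HIBP's public range API, everything else is assumed for the example.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for a breach corpus (password -> times seen in leaks).
# Sample values only, not HIBP's data.
LEAKED_CORPUS: Dict[str, int] = {
    "password": 3730471,
    "letmein": 236000,
    "birdfeedbox": 2,
    "qwerty123": 58,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the form the range API keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Server-side index: 5-hex-char prefix -> list of (35-char suffix, count)."""
    index: Dict[str, List[Tuple[str, int]]] = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


RANGE_INDEX = build_range_index(LEAKED_CORPUS)
SERVER_SAW: List[str] = []  # everything the simulated server ever receives


def range_query(prefix: str) -> str:
    """Simulated server endpoint: receives only a 5-char prefix and answers with
    'SUFFIX:COUNT' lines for every stored hash that shares the prefix.
    The response is the k-anonymity set; the server cannot tell which entry
    (if any) the client was actually interested in."""
    if len(prefix) != 5:
        raise ValueError("range queries carry exactly 5 hex characters")
    SERVER_SAW.append(prefix)
    rows = sorted(RANGE_INDEX.get(prefix, []))
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in rows)


def pwned_count(password: str, query: Callable[[str], str] = range_query) -> int:
    """Client side: hash locally, send the prefix, compare suffixes locally.
    Returns how many times the password appeared in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    body = query(prefix)  # the only data that leaves this machine
    for line in body.splitlines():
        if not line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def server_never_saw_full_hash() -> bool:
    """Sanity check: after any number of lookups the server holds only 5-char prefixes."""
    return all(len(seen) == 5 for seen in SERVER_SAW)


if __name__ == "__main__":
    for candidate in ("password", "birdfeedbox", "some-new-random-passphrase"):
        print(candidate, "->", pwned_count(candidate))
    print("server saw only prefixes:", server_never_saw_full_hash())
```

A password that is absent from the corpus still costs one prefix disclosure, which is why the post calls the web form (full password submitted) the weaker of the two interfaces.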
 

Offline BeaminTopic starter

  • Super Contributor
  • ***
  • Posts: 1567
  • Country: us
  • If you think my Boobs are big you should see my ba
I knew this was how this thread would turn out. Most interesting was the pins and how lazy people are. 20 tries and you have 25% of all pins.

Back to digesting all the info in this thread. Stupid title but loads of info in this thread.  :clap: :-+ :-+
 

Offline free_electron

  • Super Contributor
  • ***
  • Posts: 8550
  • Country: us
    • SiliconValleyGarage
Here's my trick: use a word that is easy to remember but splittable. For example: birdfeedbox (bird feed box). Easy enough to remember.
translate in 3 different languages

oiseau ( french )
futter ( german )
doos ( dutch )

and merge.

oiseaufutterdoos

good luck finding that one with rainbow or dictionary tables ...
Professional Electron Wrangler.
Any comments, or points of view expressed, are my own and not endorsed , induced or compensated by my employer(s).
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
do you really think it is a good idea to give away your password to some random website?
Random website? You call Troy Hunt random?
Yes. What is he famous for, according to the wikipedia page he's "Known for: Have I Been Pwned". Claiming it's not random because he's famous is a circular argument. Do I have any special reason to trust that page or that person? No. That is why I call it random.

I remember when he created the site. Back then people didn't think leaked passwords was a big problem. The site served a purpose then by illustrating that passwords really did leak and it was a big problem. There wasn't anything special about his password database either, he just took password lists that were already being shared publicly, and made them searchable from his website. It proved to normal people that reusing passwords was a bad idea, which I think we all agree with.

Looks like he changed the api over the years to try and make it safer, but it's still a terrible idea (and a sha1 hash won't protect you much). It's not that I have any reason to think he's a bad guy it's just that passwords are supposed to be a secret between two parties, sharing it with a third party sort of defeats the purpose and if you generate a random password of enough entropy there's no need.

Anyway, if you really want to know if your passwords are safe, you can send your password list to me and I'll check them against my 11TB password dictionary for you. ;)
« Last Edit: June 10, 2019, 08:47:49 pm by apis »
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
good luck finding that one with rainbow or dictionary tables ...
The problem is to come up with, and remember, a new secure password for every website that requires a password. If you reuse the same password you have a problem because it will leak: many websites have terrible security and some even save the passwords in clear-text on the server (i.e. unencrypted). As soon as your credentials leak from one website a hacker can then log in to all your other accounts. Password files from websites are commonly traded (and shared freely) among hackers. Reusing the same password is a much bigger problem than choosing a weak password.
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1337
  • Country: pl
apis:
Troy Hunt known only for HIBP? Because a short overview on Wikipedia contains nothing more in the infobox? :palm: Let’s end this discussion here. Good luck harming more people. I just hope the next post I see will not suggest licking a live 230V wire, because Wikipedia article on tongue contains nothing about dangers of licking live wires.

Here's my trick : use a word that is easy to remember but splittable. for example : birdfeedbox (…)
The translation step adds only 3–6 bits.
People imagine AI as T1000. What we got so far is glorified T9.
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
Troy Hunt known only for HIBP? Because a short overview on Wikipedia contains nothing more in the infobox? :palm: Let’s end this discussion here. Good luck harming more people. I just hope the next post I see will not suggest licking a live 230V wire, because Wikipedia article on tongue contains nothing about dangers of licking live wires.
Right, authority and insults instead of arguments, easiest way to tell when people don't know what they are talking about.

Here's my trick : use a word that is easy to remember but splittable. for example : birdfeedbox (…)
The translation step adds only 3–6 bits.
It adds s log2 n bits, with s being number of words and n number of languages to choose from, so it depends on the number of languages (and words). Anyway, I think the point was to come up with something unlikely to be found in a password corpus, not necessarily high entropy. It's better to let a computer choose symbols randomly though, we humans are surprisingly bad at random.

« Last Edit: June 11, 2019, 01:52:51 am by apis »
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1337
  • Country: pl
free_electron:
(Regarding the response from apis)
That has been described in detail earlier, but a short explanation: “dictionary” in “dictionary password” refers to a class of attacks, not to language corpus/dictionary. Actually a few very short, English words may form a very good password, that is also easy to remember(1): see diceware.

Note: I’m using generic you below.

While s·log₂n is indeed calculating entropy of something, that “something” is not a sequence of translations. Unfortunately copying equations without understanding what they mean is not going to work :). s·log₂n is entropy of a sequence of s randomly(!)(2) chosen symbols from an alphabet of size n, under the conditions that the probability of choosing each is the same and the choices are independent of each other. That is not the case here. The choice of languages is not random, the probability is not equal and the choices are not independent.

Assuming for a moment that the language would be chosen randomly and there are no other issues, the equation would be: log₂((d - 0) · (d-1) · … · (d - s + 1)), where d is the number of languages, s is the number of words. That comes from the fact that each language is used only once, so each word has one language less to choose from. So for 3 words and, let’s say, 4 languages: log₂ (4 · 3 · 2) = log₂ 24 ≈ 4.6 bits. If you would improve the method and allow reuse of languages, it would be(3) log₂(4³) ≈ 6. But that is lots of work for little gain: for comparison adding a single, short English word provides an additional 13 bits. In other words transforming “birdfeedbox” into “oiseaufutterdoos” is worse than doing “birdfeedbox” → “birdfeedboxcat”.

But that’s not all, because the choices do not have equal probability and are unlikely to be independent(4). Unless you are a polyglot(5) that knows many languages very well, you will not be able to easily translate an arbitrary word to another language. That limits what language may be used on each position and hence affects the probabilities. You may try using a dictionary, but then you are introducing more things to memorize. More likely is that you’ll start taking shortcuts, decreasing entropy. The second problem is more subtle and harder to imagine, because every one of us is nearly sure that we’re choosing symbols randomly. We’re not. Unfortunately there is no valid method for estimating entropy in that case, at least to my knowledge (someone correct me if someone found one). For years there was the famous NIST publication on that matter, but it has been disproved. It was also dependent on how the brain processes language, not arbitrary symbols. However, using it as a general reference point and applying it to the proposed method, we end up with an appalling result. For 3 symbols taken from an alphabet of 94, NIST (over)estimated the entropy as 8 bits. Our dictionary is 23 times smaller, so… um… the ballpark estimate is around 0 bits of entropy. Of course this is probably an exaggeration, but it gives some taste of what to expect. From the hypothetical 4.6 bits we’re moving to a much lower value. And this is where the 3–6 bits estimate came from.

And this is only about the translation phase. This is not the only problem. The words you are choosing are not independent. There aren’t many phrases that conform to the proposed scheme. And the large number of choices is everything. I would not be surprised if a single(!) diceware word would perform better.

Of course, as it has been said multiple times in the thread and the reason why passwords managers are recommended, you should always have different passwords for different services. Even the strongest password will be useless if you use it more than once.

You do not need to believe me. Not even any authority. Just try it and experiment yourself! See what happens when you change alphabet, the number of symbols in a password (just remember what a symbol is in a given method), how dependencies between positions affect the outcome etc. If you can, consider looking at some dictionary used for actual attacks — just to get rid of the misconception, what a “dictionary word” is.

This could all be a theoretical, academic dispute, if the cost of applying the right methods would be high. But nowadays having good security is practically costless.
____
(1) Though one should remember as small number of passwords as possible.
(2) Or close enough to be considered random, for example by using a CSPRNG.
(3) Which, BTW, is what apis has supplied, but in the original form: log₂(n^s) = s·log₂(n).
(4) Say “thanks” to how borked human brain is. :D
(5) Yes, I am making an assumption here. But since I think we’re talking about methods useful for most people and most people can’t even easily speak one foreign language, the assumption seems justified.
« Last Edit: June 11, 2019, 03:08:26 am by golden_labels »
People imagine AI as T1000. What we got so far is glorified T9.
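The two entropy formulas argued over above (s·log₂n with language reuse versus log₂(d·(d-1)·…·(d-s+1)) without it), the "one extra diceware word" comparison, and footnote (2)'s point about letting a CSPRNG pick the words, carried through in code. This is an added example, not code from either poster; the 16-entry wordlist is constructed so the block runs offline, and the 7776 figure is the size of a standard diceware list.

```python
import math
import secrets
from typing import List


def bits_with_replacement(s: int, n: int) -> float:
    """Entropy of s independent, uniform picks from an alphabet of n symbols:
    log2(n^s) = s * log2(n). This is the form apis quoted."""
    return s * math.log2(n)


def bits_without_replacement(s: int, d: int) -> float:
    """Entropy when each of the d languages may be used at most once:
    log2(d * (d-1) * ... * (d-s+1)), the form golden_labels derived."""
    if s > d:
        raise ValueError("cannot pick more languages than exist without reuse")
    return math.log2(math.perm(d, s))


def translation_step_bits(words: int, languages: int, allow_reuse: bool) -> float:
    """Upper bound on what the translate-each-word step adds, assuming the
    language for every word really is chosen uniformly at random."""
    if allow_reuse:
        return bits_with_replacement(words, languages)
    return bits_without_replacement(words, languages)


DICEWARE_LIST_SIZE = 7776  # 6^5 entries in a standard diceware list


def extra_word_bits(list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy added by appending one uniformly chosen word from a list of list_size."""
    return math.log2(list_size)


# Constructed 16-entry wordlist so the block runs offline (4 bits per word here;
# a real diceware list gives ~12.9 bits per word).
SAMPLE_WORDLIST: List[str] = [
    "bird", "feed", "box", "cat", "lamp", "river", "stone", "cloud",
    "amber", "quilt", "pixel", "maple", "zebra", "frost", "organ", "velvet",
]


def diceware_passphrase(words: int, wordlist: List[str] = SAMPLE_WORDLIST) -> str:
    """Let the computer choose: secrets.choice is a CSPRNG, so every pick is
    uniform and independent, which is exactly the precondition for s * log2(n)."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def passphrase_bits(words: int, wordlist: List[str] = SAMPLE_WORDLIST) -> float:
    """Entropy of a passphrase generated by diceware_passphrase from this list."""
    return bits_with_replacement(words, len(wordlist))


if __name__ == "__main__":
    # The thread's worked numbers: 3 words, 4 languages.
    print("no reuse  :", round(translation_step_bits(3, 4, False), 2), "bits")  # ~4.58
    print("with reuse:", round(translation_step_bits(3, 4, True), 2), "bits")   # 6.0
    print("one extra diceware word:", round(extra_word_bits(), 2), "bits")      # ~12.92
    print("sample passphrase:", diceware_passphrase(5), "=", passphrase_bits(5), "bits")
```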
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
While s·log₂n is indeed calculating entropy of something, that “something” is not sequence of translations. Unfortunately copying equations without understanding what they mean is not going to work :).
Not sure why you would copy it when it's easy to derive.

(3) Which, BTW, is what apis has supplied, but in the original form: log₂(n^s) = s·log₂(n).
Why first write it isn't working when you end up with the same result?  :-//

Using different languages is actually not bad, even if it doesn't add many bits of entropy it reduces the likelihood that all the words would be part of a dictionary. But the words should be chosen randomly and preferably more than 4 (somewhat arbitrary number), and with a few symbols thrown in randomly perhaps.

The problem isn't that people's accounts get brute forced/guessed because they used too weak passwords though, the problem is that people reuse passwords which makes them vulnerable to automatic attacks. If you need to protect against brute forcing and other targeted attacks you should really use some sort of two factor authentication scheme (that is what online banks typically do) because people's passwords are often quite weak.
« Last Edit: June 11, 2019, 04:08:33 am by apis »
 

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9810
  • Country: 00
  • Display aficionado
Yes. What is he famous for, according to the wikipedia page he's "Known for: Have I Been Pwned". Claiming it's not random because he's famous is a circular argument. Do I have any special reason to trust that page or that person? No. That is why I call it random.

I remember when he created the site. Back then people didn't think leaked passwords was a big problem. The site served a purpose then by illustrating that passwords really did leak and it was a big problem. There wasn't anything special about his password database either, he just took password lists that were already being shared publicly, and made them searchable from his website. It proved to normal people that reusing passwords was a bad idea, which I think we all agree with.

Looks like he changed the api over the years to try and make it safer, but it's still a terrible idea (and a sha1 hash won't protect you much). It's not that I have any reason to think he's a bad guy it's just that passwords are supposed to be a secret between two parties, sharing it with a third party sort of defeats the purpose and if you generate a random password of enough entropy there's no need.

Anyway, if you really want to know if your passwords are safe, you can send your password list to me and I'll check them against my 11TB password dictionary for you. ;)
Anyone who knows anything about computer security knows Troy Hunt, his website and what he's doing within the security community. That's also why people much more familiar with the subject matter trust him. He has a stellar record and reputation. Troy Hunt is definitely an authority when it comes to passwords.

If Hunt is a random guy with a random password site the Queen of England is a random old lady with a surprisingly large house.
 


Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
Yes. What is he famous for, according to the wikipedia page he's "Known for: Have I Been Pwned". Claiming it's not random because he's famous is a circular argument. Do I have any special reason to trust that page or that person? No. That is why I call it random.

I remember when he created the site. Back then people didn't think leaked passwords was a big problem. The site served a purpose then by illustrating that passwords really did leak and it was a big problem. There wasn't anything special about his password database either, he just took password lists that were already being shared publicly, and made them searchable from his website. It proved to normal people that reusing passwords was a bad idea, which I think we all agree with.

Looks like he changed the api over the years to try and make it safer, but it's still a terrible idea (and a sha1 hash won't protect you much). It's not that I have any reason to think he's a bad guy it's just that passwords are supposed to be a secret between two parties, sharing it with a third party sort of defeats the purpose and if you generate a random password of enough entropy there's no need.

Anyway, if you really want to know if your passwords are safe, you can send your password list to me and I'll check them against my 11TB password dictionary for you. ;)
Anyone who knows anything about computer security knows Troy Hunt, his website and what he's doing within the security community. That's also why people much more familiar with the subject matter trust him. He has a stellar record and reputation. Troy Hunt is definitely an authority when it comes to passwords.

If Hunt is a random guy with a random password site the Queen of England is a random old lady with a surprisingly large house.
Sending your password to his server so he can check it against a database is a terrible idea whether you trust him or not. I'm sure he's a great guy, haven't said otherwise.
 

Offline free_electron

  • Super Contributor
  • ***
  • Posts: 8550
  • Country: us
    • SiliconValleyGarage
free_electron:
(Regarding the response from apis)
That has been described in detail earlier, but a short explanation: “dictionary” in “dictionary password” refers to a class of attacks, not to language corpus/dictionary. Actually a few very short, English words may form a very good password, that is also easy to remember(1): see diceware.


i am defending against things like social engineering and brute force attacks using lists of precalculated passwords. (there exist tables with most commonly used passwords ,and things like 'thisismypasswordletmein or TimpLmi). My construction will not be found in such tables... and if it is it will be near the very last ones being tried ...


birdfeedbox was just a simple example. i use words that have no relation . for example a color , a geographical name and an animal name. ( not what i am using, just an example. i use strings of 4 to 6 words)
You can try social engineering you still won't find out anything. For example : that geographical location is not a place i have ever been to. so you won't learn about that. I just spun google earth with my eyes closed and picked a name that was in the center of the screen. That bird does not exist in north america (where i live) , and so on.

As for languages ... i do know a few. good luck finding a six word string encoded in a sequence of, for example, dutch, finnish, hindi, latin, russian, french. (not what i am using)

I can scribble down the 'english' sentence on a paper napkin. As long as i keep my language 'key'  ( the language used and sequence of language rotations) secret .
In addition the english sentence could be 'descriptive' while the translation could be a 'slang' word for the english term. This adds to the complexity.
and i can write down the 'english' sequence as abbreviations.

The resulting character sequence is just as random for the computer as 5Q$de3&!lpQV902 , but it is much easier to remember for me.

For the important websites i have a little piece of paper that holds the english sequences. it is stuck to my monitor (and in an encrypted note on my iphone as well, that needs my face to unlock). It only serves as a memory 'jog' lookup. reading the sentence i immediately remember the real password.
« Last Edit: June 11, 2019, 07:10:47 pm by free_electron »
Professional Electron Wrangler.
Any comments, or points of view expressed, are my own and not endorsed , induced or compensated by my employer(s).
 

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9810
  • Country: 00
  • Display aficionado
Sending your password to his server so he can check it against a database is a terrible idea whether you trust him or not. I'm sure he's a great guy, haven't said otherwise.
I tend to look at it as a tool to show people how shoddy their choice of passwords is. Showing 8000 matches conveys the message a bit better.
 

