[ISN] Simple passwords no longer suffice

R. A. Hettinga rah at shipwright.com
Fri Jun 4 08:39:25 EDT 2004 

--- begin forwarded text


Date: Fri, 4 Jun 2004 01:29:59 -0500 (CDT)
From: InfoSec News <isn at c4i.org>
To: isn at attrition.org
Subject: RE: [ISN] Simple passwords no longer suffice
Reply-To: isn at c4i.org
List-Id: InfoSec News <isn.attrition.org>
List-Archive: <http://www.attrition.org/pipermail/isn>
List-Post: <mailto:isn at attrition.org>
List-Help: <mailto:isn-request at attrition.org?subject=help>
List-Subscribe: <http://www.attrition.org/mailman/listinfo/isn>,
	<mailto:isn-request at attrition.org?subject=subscribe>
Sender: isn-bounces at attrition.org

Forwarded from: myemailaccount at fastmail.fm

I consider password security to be most important. I understand
regular users cannot think of thousands of passwords and not write
them down. Because my memory is also not perfect I have developed the
following password scheme:

I memorized 8 difrent sequences of alphanumerical characters, let's
call them SAC's. (just inventing a new abbreviation here).

Each difrent in size and using some Uppercase letters. I give them all
a number (so SAC1, SAC2, SAC3 etc.)

For every account I select three of these sequances of alphanumerical
characters, and put them in a certain order. That is my password.  I
then write down the order in a password protected database. (with a
simpler password, don't care that much if the database is compromised)

So for example:

For hotmail I might use sequance SAC4, SAC5, SAC2.

I just add to my password database "Hotmail 452" and I know what the
password is.

For sequance SAC1, SAC8, SAC3 I use with my mail certificate the note
I have written down is "mail certificate 183"

Somewhere else I have as a reminder a list of all my SAC's but only
with the first two characters being correct, the rest is put there as
desinformation. So I actually look only at the first two characters
and then remember what that SAC was again.

So I have a list that looks like this:

SAC# written down  - real password
SAC1 fuh355y9wtga9 - fuh5y05edh
SAC2 g8betb8g - g8bs=hb56hRRTYsh
SAC3 l;kyh35h9 - l;g588bas3DR
SAC4 aBfbvsdh4 - aBbdnitbAA$
SAC5 GgfasdG - Gggrw422a~
SAC6 >>GSDFGWRw444  - >>GAEB53th8g3e
SAC7 BbgRhgw52354 - Bdghbwtrb53
SAC8 6775u3ed5us - 67hJ^$6493

So for example when I need my password to get into hotmail I just open
my password database or grab my paperprint out of the list and lookup
the hotmail account, I see "Hotmail 452". I also look up my SAC list
up here and by looking at the first few characters I remember what
each SAC is.

So the password is "aBbdnitbAA$Gggrw422a~g8bs=hb56hRRTYsh" without the
quotes.


Once you have the discipline to set up something similar and stick to
it your password security will be increadable. (and it's worth the
look on peoples faces when they see you enter passwords of more then
20 characters at lightning speed, try to sneak up that one =D )

Also I try to maintain my habit to type in numbers on the number
keypad and as I do so cover up my hand with the other hand so it
cannot really be seen or recorded by camera's. Just as one would
protect their pin-code. (also considering those credit thieves that
build in camera's in ATM machines and devices that record your
magnetic strip. Haha, have fun with my strip, but you couldn't see my
pin code :P)


Greetings,
Da paranoid android ;-)


> -----Oorspronkelijk bericht-----
> Van: isn-bounces at attrition.org
> [mailto:isn-bounces at attrition.org] Namens InfoSec News
> Verzonden: Thursday, June 03, 2004 09:31
> Aan: isn at attrition.org
> Onderwerp: [ISN] Simple passwords no longer suffice
>
> http://www.cnn.com/2004/TECH/ptech/06/01/beyond.passwords.ap/i
> ndex.html
>
> June 1, 2004
>
> (AP) -- To access her bank account online, Marie Jubran opens a Web
> browser and types in her Swedish national ID number along with a
> four-digit password.
>
> For additional security, she then pulls out a card that has 50
> scratch-off codes. Jubran uses the codes, one by one, each time she
> logs on or performs a transaction. Her bank, Nordea PLC,
> automatically sends a new card when she's about to run out.
>
> As more Web sites demand passwords, scammers are getting more clever
> about stealing them. Hence the need for such "passwords-plus"
> systems.
>
> Scandinavian countries are among the leaders as many online
> businesses abandon static passwords in favor of so-called two-factor
> authentication.
>
> "A password is a construct of the past that has run out of steam,"
> said Joseph Atick, chief executive of Identix Inc., a Minnesota
> designer of fingerprint-based authentication. "The human mind-set is
> not used to dealing with so many different passwords and so many
> different PINs."
>
> When a static password alone is required, security experts recommend
> that users combine letters and numbers and avoid easy-to-guess
> passwords like "1234" or a nickname.



_________________________________________
ISN mailing list
Sponsored by: OSVDB.org

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list