Board Bitcoin Discussion
Re: Is anyone still not using a Password Manager
by
Gareth Nelson
on 21/06/2011, 06:19:44 UTC
My "Password Manager" is in my brain, where nobody else can see them.


I keep about 50 passwords, each one with 12-16 random chars... my brain is just not up to that...

You can re-arrange the letters of a website to make passwords. For example, bitcoin.org could turn into n41iR32Rr22141R32Rr221.

The n is from the last letter of the domain.
The i is from the 2nd letter of the domain.
41R32Rr221 is what you memorize, and repeat it twice (with the i inserted into it). This is similarly done for every password. You could also have a number at the end for whether it's an even or odd number of characters in the domain.

A password I no longer use was once made up of the following (and this was years ago, so it's of no use to any potential attackers now):
6 random digits generated by a 386 (see, years ago)
another 6 letters+digits from the combination to the door lock for a hotel room somewhere in London

I mixed the 2 together to get a 12-digit password

But a website? That's silly

Another thing people commonly do is to take a dictionary word and add 2-3 digits, such as Flower29 - that's downright dumb, it only multiplies the number of words to try by 100 and that's not a lot.
You should try to avoid reducing the search space for a potential attacker - anything which has a yes/no answer you should consider as 1 bit of the key, if you answer yes or no, you've given away 1 bit of the key to the attacker on average.

People also do silly things like make their password a swearword when they're known for not swearing on the theory people won't try it - the common 4 letter swears are amongst the first tried (fuck, shit, cunt etc).

Generate random numbers, do whatever you must to memorise them, and if you really can't then store them on a completely disconnected device OR in paper form with something that stays on your person even while sleeping.

The purpose of my suggestion was to have a unique and effective password for every site that you can remember.

And that's good advice, but you should use true entropy and THEN add associations to help remember it, doing the reverse makes an attacker's job easier.
Here's a random password I've just generated (not used on any accounts of course):
77adc009ea6d
Totally random entropy, but I can find patterns to help me remember it.

adc? the band AC/DC with a bit missing
77 - 2 digits, easy to remember as it's duplicated
009 - 900 backwards, or 9/11 backwards -11

and so on


Basically, you use the same techniques schizophrenics use to find messages in the bible, but to find messages in your random password - it then sticks in your head better.
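The search-space arithmetic behind the comparison above (a dictionary word plus a couple of digits versus a random 12-hex-character string such as the one in the post), as an added example that is not from this thread; the dictionary size and guess rate are assumed figures, chosen only to make the comparison concrete.

```python
import math
import secrets
import string

# Assumed size of an attacker's wordlist; a common English dictionary is
# on the order of 10^5 entries (constructed figure, not from the thread).
DICTIONARY_WORDS = 100_000


def bits(search_space: float) -> float:
    """Entropy in bits of a secret chosen uniformly from search_space candidates."""
    return math.log2(search_space)


def word_plus_digits_bits(digits: int, dictionary: int = DICTIONARY_WORDS) -> float:
    """'Flower29' style: one dictionary word followed by N decimal digits.
    Two digits multiply the wordlist by 100, i.e. add only log2(100) ~ 6.6 bits."""
    return bits(dictionary * 10 ** digits)


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Uniformly random string of `length` symbols from an alphabet.
    12 hex characters -> 16**12 = 2**48 -> 48 bits."""
    return bits(alphabet_size ** length)


def remaining_bits_after_leak(entropy_bits: float, yes_no_answers: int) -> float:
    """Each yes/no fact the attacker learns about the secret halves what is left."""
    return max(entropy_bits - yes_no_answers, 0.0)


def exhaustive_search_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole space at an assumed guess rate."""
    return 2 ** entropy_bits / guesses_per_second


def generate_hex_password(nbytes: int = 6) -> str:
    """True-entropy password from the OS CSPRNG, in the 12-hex-char shape
    the post shows (6 random bytes = 48 bits); associations come afterwards."""
    return secrets.token_hex(nbytes)


def compare_schemes() -> dict:
    """Bits of entropy for the schemes discussed in the thread."""
    return {
        "word + 2 digits": word_plus_digits_bits(2),
        "12 hex chars": random_string_bits(12, 16),
        "12 alphanumerics": random_string_bits(12, len(string.ascii_letters + string.digits)),
        "16 alphanumerics": random_string_bits(16, len(string.ascii_letters + string.digits)),
    }
```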