[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: One-line password generator

That was not my password, I only analyzed what was provided earlier and examined it in the way a Federal employee would have analyzed it who worked for the Navy a few years ago. I will not pass on memorable or non-memorable status here either. A couple practices for concealing written passwords may be useful to share here. A site usually has a user and password. With three sheets of paper a numbered list of sites could be on one page. A numbered list of user names could be on a second sheet. A numbered list of passwords could be on a third sheet. Each sheet would have a matching number and that single credential written beside it. Maybe all three sheets could be stored in different places with none of them having any kind of title information on them. Finally, passwords could be written on the third sheet say that are twice as long as what's used. Finally passwords could be written in reverse order with last character first and first character last. Now which half of which password is used and what order are characters properly keyed in? People are getting older and will need to do writing of passwords at some ages to keep functioning. That doesn't necessarily mean any of them need write passwords in the clear though. The important thing is to come up with a system and stick with that system.

On Sat, 2 Sep 2017, Brian wrote:

Date: Sat, 2 Sep 2017 13:10:47
From: Brian <ad44@cityscape.co.uk>
To: debian-user@lists.debian.org
Subject: Re: One-line password generator
Resent-Date: Sat,  2 Sep 2017 17:11:08 +0000 (UTC)
Resent-From: debian-user@lists.debian.org

On Sat 02 Sep 2017 at 12:52:32 +0200, Thomas Schmitt wrote:

Jude DaShiell wrote:
We have a 20 character password here with at least two of each kind of
symbol in it lowers uppers numbers and symbols.

If you produced it by a quite random method then my only potential
criticism would be the question how you memorize it without the risk
that it gets stolen.
(You should refuse to give any detail, of course.)

The problem with memorizable passwords is usually (*) that they stem from
a guessable base secret and then got modified by applying various good
advise, but without losing their property to be easily memorized.

This good advise is known to the attacker, too. The number of different
such advised methods is then an obstacle for enumeration.
The attacker has to try them, as he tries the guessable base secrets.
But that number is not large, compared to affordable computing power.
After all, one must be able to memorize the method which one used.
So it must be quite simple. Simple means few variations.

I think you had a provider's compromised database in mind when you wrote
this. An attacker would be limited by his imagination and monetary and
time costs but, in the end, it could be assumed he would get something
out of it. The compromise is also not the user's responsibilty and it is
unfair to put the burden for mitigating it on him

Jude DaShiell's 20 character password is good enough for online logins
to web accounts. The provider should have some type of account lockout
in place for failed logins (Facebook and Twitter do this) and 10,000
tries per second would surely be seen as a DoS attack, if not.

Guessable? Is this the type of guessing done by friends, acquaintances
and close family members to try to get at your gmail or bank account?
That is more likely to succeed than the efforts of a criminal mind.

(*) If you have a very unusual mindset, then your memorizable passwords
    might be separate enough from the clusters of other people's memorizable
    passwords. Attackers try the most rewarding guesses first.
    If you are a plain memory genius:
    Congrats. Make a good random password and be safe.

Random is excellent; write it down or use a password manager. Not so
random is less than excellent, but needn't be atrocious (a 20 character
password isn't) for an online login, memorable or not.


Reply to: