Everyone has a password scheme. For some people, their scheme is to write it down on a post-it note and stick it to their monitor. For some people, their scheme is to have one in memory and use it for their bank, their email, their online stores, their social media sites, etc. And, for a lot of people, their password is a string that they'll remember, like the name of a loved one or pet, or the registry number of their favorite starship.
The last scheme is profoundly stupid, especially when you can easily pop out hundreds of really random passwords.
The first scheme is seriously inadvisable. You should never ever ever ever ever write down a password.
The middle one .... it has problems. But assuming that you're not writing 'em down and leaving 'em everywhere, and assuming that you're using passwords that meet a strong security definition (8 characters or more, uppercase and lowercase and digits, not real dictionary words), you have a set of passwords that do not fit easily into your head and thus fall out when you need them.
I'm still struggling with this. But I have developed a password generator, included here, that's configurable for password length, whether to include upper-case letters and digits, and the number of rows of passwords. My take is to make a long list of passwords, find one you can make a mental mnemonic for, start using that one until you have it in your head, and then delete the list. If you have a secure machine to hold these passwords, they're held securely. So it's not really writing them down.
If the technique works for you, great. If you think it's dumb, tell me in comments and I'll adjust to a better scheme.
```perl
#!/usr/bin/perl
# A big password list generator
use 5.010;
use strict;
use warnings;
use Getopt::Long;

srand;    # seeds from time and pid; rand() is not a cryptographic RNG

my @uppercase = 'A' .. 'Z';
my @lowercase = 'a' .. 'z';
my @digits    = 0 .. 9;
my @chars;

my $uppercase        = 0;
my $lowercase        = 1;     # always on
my $digits           = 0;
my $cols             = 8;     # characters per password
my $rows             = 20;    # lines of passwords to print
my $chars_per_column = 78;    # approximate width of one output line

GetOptions(
    'uppercase' => \$uppercase,
    'digits'    => \$digits,
    'cols=i'    => \$cols,
    'rows=i'    => \$rows,
);

push @chars, @lowercase if $lowercase;
push @chars, @uppercase if $uppercase;
push @chars, @digits    if $digits;

# Size of the alphabet. The original used $#chars (the last index), so
# rand() could never pick the final character of the alphabet.
my $chars = scalar @chars;

for ( 1 .. $rows ) {
    my @x;
    for ( 1 .. int( $chars_per_column / ( $cols + 1 ) ) ) {
        my $password = '';
        for ( 1 .. $cols ) {
            $password .= $chars[ int rand $chars ];
        }
        push @x, $password;
    }
    say join ' ', @x;
}
```
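The script above draws from Perl's rand(), which is seeded from the clock and is not a cryptographic generator. As an added example (not the post's script), the version below reads bytes from /dev/urandom, discards bytes that would skew the choice of character (rejection sampling instead of a plain modulo), and prints the entropy each password actually carries; it assumes a Unix system where /dev/urandom exists, and the alphabet and length are illustrative choices.

```perl
#!/usr/bin/perl
# Added example: unbiased password generation from the kernel CSPRNG.
use 5.010;
use strict;
use warnings;

# Build one password of $length symbols drawn uniformly from @$alphabet.
sub make_password {
    my ( $alphabet, $length ) = @_;
    my $n = @$alphabet;
    die "alphabet must have 2..256 symbols" if $n < 2 || $n > 256;

    # Bytes at or above $limit would make low indices slightly more likely
    # under a plain "byte % $n", so they are thrown away and redrawn.
    my $limit = 256 - ( 256 % $n );

    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $password = '';
    while ( length $password < $length ) {
        read( $fh, my $byte, 1 ) == 1 or die "short read from /dev/urandom: $!";
        my $v = ord $byte;
        next if $v >= $limit;    # rejected; draw another byte
        $password .= $alphabet->[ $v % $n ];
    }
    close $fh;
    return $password;
}

# Entropy in bits: log2(alphabet size) per symbol. This, not how random
# the string looks, is what makes a password hard to guess.
sub entropy_bits {
    my ( $alphabet_size, $length ) = @_;
    return $length * log($alphabet_size) / log(2);
}

my @alphabet = ( 'a' .. 'z', 'A' .. 'Z', 0 .. 9 );    # 62 symbols
my $length   = 12;

for ( 1 .. 5 ) {
    printf "%s  (%.1f bits)\n", make_password( \@alphabet, $length ),
        entropy_bits( scalar @alphabet, $length );
}

# For comparison: any password derived deterministically from a four-digit
# seed (a date, say) has at most log2(10^4) bits, however it is hashed or
# encoded afterwards.
printf "four-digit seed, any derivation: at most %.1f bits\n", entropy_bits( 10, 4 );
```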
Not exactly sure what this outputs. Anything that you might be able to regenerate to recover your password?
But I wrote this a while ago:
http://xenoterracide.blogspot.com/2008/04/making-secure-recoverable-passwords.html
Recently I was thinking about URLs and Base64 encoding, and thinking that converting the hash to Base64 might make an even better recoverable password.
This might be fun too:
http://webcache.googleusercontent.com/search?q=cache:YtY-tKpvyH4J:www.itl.nist.gov/fipspubs/fip181.htm+pronounceable+password+specification&cd=3&hl=en&ct=clnk&gl=us&client=safari
(linked to the cache because nist.gov is awful slow)
I'm going crazy random here, so if things were recoverable or rerunnable, I'd be redesigning it as we speak, xeno. Will read your code and see if there's anything there.
Nunya, that looks like an exercise worth doing.
@Dave well, mine's not really code... it's more: take a string, make it a SHA-1 (or other digest) and then use that. I didn't know about Base64 (or much about coding) back then... but I think outputting the hash in Base64 (or maybe URL-safe base64, or even just pick your own 2 other chars base64) would add more variety to your final password, making it seem even more random, even though it isn't.
@Dave is this random looking enough for you? Let's say I can remember my password is what date Christmas is.
```
echo -n "1225" | sha1sum |base64
MWQzMjIzODQ5NmRmNWFlMWM5ZTA2YWE4MThmODJjYTdmYWM5OWNkMSAgLQo
```
Now just pick the first however many characters you need. If you forget your pw, all you have to do is remember it was based on "1225" and you can recreate it.
There is something to that. I do like it. There is only a qualitative difference between having your password be your birthday and your password be an MD5 hash of your birthday, but still, it's basing your password on something easily guessable. But I repeat, there is something to it.
Well, it's guessable, but if you don't run around telling people which hash you're using or how many characters of it you're using. I also state that you can easily throw them off completely by remembering something like: my password always starts with a $ and ends with a ! and everything in between will be the hash (or something like that).
So long as you have access to a computer with those tools, you can write your base down all you want and no one else can easily reproduce your final password (unless you tell them your exact algorithm).