[GRLUG] hacked

Michael Mol mikemol at gmail.com
Thu Jul 28 09:42:24 EDT 2011


On Thu, Jul 28, 2011 at 1:03 AM, Mike Williams <knightperson at zuzax.com> wrote:
> The key word there is passwords, plural, not password, singular. --

In this conversation, I keep seeing things like 'random',
'unguessable', etc. Those are really nice properties, but not what I
use.

My system works like this:

Prereqs:
* Per-account salt. Something easily derivable from some property of
the account, such as an acronym or name.
* Personal salt. Something that's really only in my head. Here,
bizarre random numbers and letters are great. It doesn't have to be
long.

Process:
Take the per-account salt and the personal salt, and combine them
using a simple cypher or hash.

It doesn't have to be complicated; append one to the other, or
interleave them, or count the number of points and holes on the
characters in a non-serif font and use the first N bars of Beethoven's
5th as sung by a screaming child.

You should be able to see that I'm getting silly here; the point is
that you only have to memorize your process and your personal salt.
The per-account salt is usually the first or second thing that comes
to mind when you think about the account--so something unique to the
way you already think.

Here's an example using a trivial process:

Using:
* A personal salt of "aZ8c" (generated via "dd if=/dev/urandom bs=1
count=3|base64")
* A Google account, from which the per-account salt for this
hypothetical person is simply "googly"

I'll take the personal salt and interleave it with the account salt.
agZo8ocgalZy

There's a 12-character password, and all you'd need to do is memorize
the personal salt and process (and make a habit of getting the process
right).

Now, in reality, you can't keep the same password forever. Sites like
Paypal will remember hashes of your old passwords and won't allow you
to reuse them. Some places force you to change your password every six
months.

As a consequence, I change my personal salt every now and again. I
pretty much only ever have two or three personal salts active, so if I
find an account that doesn't work with my current personal salt, it'll
work with a recent one, I'll be able to get in before a lockout, and
I'll update the password.

It sounds complicated, but it's easy to get used to, and I've got
15-20 character passwords, the majority of them unique.

--
:wq
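The interleaving scheme described in the message above, as an added example that is not the author's code. It assumes the personal salt is cycled over the longer per-account salt, which is the reading that reproduces the 12-character "agZo8ocgalZy" from "aZ8c" and "googly", and it mirrors the `dd ... | base64` salt generation with Python's `secrets` module.

```python
import base64
import secrets
from itertools import cycle


def generate_personal_salt(nbytes: int = 3) -> str:
    """Equivalent of `dd if=/dev/urandom bs=1 count=3 | base64`:
    3 random bytes encode to exactly 4 base64 characters, no padding."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def interleave(personal_salt: str, account_salt: str) -> str:
    """Combine the two salts by interleaving, personal character first.

    Assumption: the personal salt is repeated (cycled) so that every
    character of the account salt gets a partner. With "aZ8c" and
    "googly" this yields "agZo8ocgalZy", the message's example.
    """
    if not personal_salt or not account_salt:
        raise ValueError("both salts must be non-empty")
    out = []
    for p, a in zip(cycle(personal_salt), account_salt):
        out.append(p)
        out.append(a)
    return "".join(out)


def derive_candidates(personal_salts, account_salt):
    """The message keeps two or three personal salts active and tries the
    most recent first; return the candidate passwords in that order so a
    login can be attempted before a lockout threshold is reached."""
    return [interleave(p, account_salt) for p in personal_salts]


if __name__ == "__main__":
    # Constructed sample: current salt from the message, plus an older one.
    print(derive_candidates(["aZ8c", "Q7xp"], "googly"))
```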
