[GRLUG] hacked

Mike Williams knightperson at zuzax.com
Thu Jul 28 15:52:47 EDT 2011


That is the alternative to a password vault of some kind. I think it's a 
lot more work and not as secure. If you can do it, great, but since a 
lot of people can barely memorize one decent password, it's hopeless 
that very much of the population could get away with this. The other 
problem is that unless your equation is fairly complicated, anyone who 
manages to get the plain text passwords from a site where you used one 
could fairly easily figure out the equation. Admittedly, that might be 
enough against a random attack since there will be plenty of passwords 
in the database that are not based on an equation and much easier to use.

On 07/28/2011 09:42 AM, Michael Mol wrote:
> In this conversation, I keep seeing things like 'random',
> 'unguessable', etc. Those are really nice properties, but not what I
> use.
>
> My system works like this:
>
> Prereqs:
> * Per-account salt. Something easily derivable from some property of
> the account, such as an acronym or name.
> * Personal salt. Something that's really only in my head. Here,
> bizarre random numbers and letters are great. It doesn't have to be
> long.
>
> Process:
> Take the per-account salt and the personal salt, and combine them
> using a simple cypher or hash.
>
> It doesn't have to be complicated; append one to the other, or
> interleave them, or count the number of points and holes on the
> characters in a non-serif font and use the first N bars of Beethoven's
> 5th as sung by a screaming child.
>
> You should be able to see that I'm getting silly here; the point is
> that you only have to memorize your process and your personal salt.
> The per-account salt is usually the first or second thing that comes
> to mind when you think about the account--so something unique to the
> way you already think.
>
> Here's an example using a trivial process:
>
> Using:
> * A personal salt of "aZ8c" (generated via "dd if=/dev/urandom bs=1
> count=3|base64")
> * A Google account, from which the per-account salt for this
> hypothetical person is simply "googly"
>
> I'll take the personal salt and interleave it with the account salt.
> agZo8ocgalZy
>
> There's a 12-character password, and all you'd need to do is memorize
> the personal salt and process (and make a habit of getting the process
> right).
>
> Now, in reality, you can't keep the same password forever. Sites like
> Paypal will remember hashes of your old passwords and won't allow you
> to reuse them. Some places force you to change your password every six
> months.
>
> As a consequence, I change my personal salt every now and again. I
> pretty much only ever have two or three personal salts active, so if I
> find an account that doesn't work with my current personal salt, it'll
> work with a recent one, I'll be able to get in before a lockout, and
> I'll update the password.
>
> It sounds complicated, but it's easy to get used to, and I've got
> 15-20 character passwords, the majority of them unique.
>
> --
> :wq
>


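The interleaving scheme described in the quoted post, and the weakness the reply raises against it (a leaked plaintext password plus an obvious per-account salt gives away the personal salt, and the password's strength is capped by the salt's few random bytes), are easy to make concrete. The following is an added illustration written for this archive page, not code from either poster; the function names are my own, and the "googly" / "aZ8c" values are the post's own example.

```python
import base64
import math
import os
from itertools import cycle


def make_personal_salt(nbytes=3):
    """Same idea as the post's 'dd if=/dev/urandom bs=1 count=3 | base64':
    nbytes random bytes, base64-encoded (3 bytes -> 4 characters)."""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


def derive_password(personal_salt, account_salt):
    """Interleave one character of the personal salt with one of the
    per-account salt, cycling the personal salt until the account salt
    runs out.  This reproduces the post's example:
    ("aZ8c", "googly") -> "agZo8ocgalZy"."""
    out = []
    for p, a in zip(cycle(personal_salt), account_salt):
        out.append(p)
        out.append(a)
    return "".join(out)


def apparent_bits(password, alphabet_size=64):
    """What the password *looks* like to a site: length * log2(alphabet)."""
    return len(password) * math.log2(alphabet_size)


def personal_salt_bits(nbytes=3):
    """What it actually contains: only the random bytes in the personal
    salt contribute entropy, since the per-account salt is guessable."""
    return 8 * nbytes


def recover_personal_salt(password, account_salt, salt_len):
    """The reply's objection, made explicit: if the per-account salt is the
    obvious word for the account and one plaintext password leaks, the
    personal salt is simply the even-indexed characters.  Returns None when
    the password does not fit this process with that account salt."""
    if len(password) != 2 * len(account_salt):
        return None
    if password[1::2] != account_salt:
        return None
    # With a short account salt fewer than salt_len characters are present.
    return password[0::2][:salt_len]


if __name__ == "__main__":
    pw = derive_password("aZ8c", "googly")
    print(pw)                                   # agZo8ocgalZy
    print(apparent_bits(pw), "apparent bits")   # 72.0
    print(personal_salt_bits(3), "real bits")   # 24
    print(recover_personal_salt(pw, "googly", 4))   # aZ8c
```

The gap between `apparent_bits` (72 for a 12-character password) and `personal_salt_bits` (24 for three bytes of `/dev/urandom`) is the quantitative form of the reply's "not as secure": every derived password shares the same 24 bits, and any one of them, once exposed in plaintext alongside an easily guessed account salt, reveals them all.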