Re: Passwords

From: Stephen K. Gielda (steve_at_packetderm.com.bogus)
Date: 05/11/04

  • Next message: phn_at_icke-reklam.ipsec.nu: "Re: Windows vulnerability vs Linux vulnerability [Re: Would a firewall prevent Sasser worm?]"
    Date: Mon, 10 May 2004 21:38:18 -0400
    
    

    In article <p9vs90dpbb5raooepkcqen8ud5nveee58n@4ax.com>,
    david_removeablejunk_.rolph@cox.net says...
    > Hello,
    >
    > I am sure I am not the first person to encounter this problem. I hope
    > somebody can point me in the right direction to a solution for it.
    >
    > I am a fairly low tech computer user. Over time I have accumulated a
    > rather large collection of accounts and passwords.
    >
    > Some of them are for unimportant things like a on line forum I am a
    > member of. Some of them allow access to my bank account or the like.
    >
    > I have a half decent system for keeping passwords that relies mostly
    > on my own memory. But it regularly falls down on things I dont access
    > for a long time. I am aware of other methods like:
    >
    > writing them down on a piece of paper that I hide.
    > keeping a list in a computer file that I encrypt.
    > using the same password for lots of things.
    > allowing my browser to remember the passwords for me.
    > getting a password management program.
    >
    > I am willing to spend some, but not a massive amount of time on
    > managing these passwords. I think that there are probably people out
    > there who are capable of getting my passwords whatever I do. I'd like
    > to get some advice from the experts here on what is a good way to look
    > after my passwords.
    >
    > I am leaning towards getting a password manager program. Is that too
    > much of an all your eggs in one basket approach?

    As others have recommended, pgp is a decent solution. However, there
    are tricks to maintaining many passwords that are secure, yet easy for
    you to remember. For example, come up with a phrase like "Ask not what
    you can do for your country". Take the first letter of each word while
    substituting numbers and symbols where appropriate. "Ask not what you
    can do for your country" becomes A!wycd4yc. This is a normal technique
    for passwords, but you want them unique for each site and still easy for
    you to remember which you used for what, so take it a step further.

    Add the first and last letter of the site you are registering for to the
    mix. For example, for Ebay take the E and the y; place the E at the
    beginning of your hash and the y at the end. You now have EA!wycd4ycy
    as a password for e-bay. Register for Yahoo and it becomes YA!wycd4yco.
    You end up with a unique password for everything that becomes very easy
    for you to remember for each site, because all you really have to
    remember is one hash.

    This is just an example; come up with your own. Put the last letter of
    the site or machine name first and the first last, or place them in the
    middle instead of at the ends if you want. Use whatever you feel gives
    you a good hash mix and a structure that is easy for you to remember.
    Then use that consistently and you'll have unique passwords for
    everything that are easy for you to remember.

    /steve

    -- 
    Protect yourself on-line.  Hide your identifying details in e-mail, 
    usenet, and more. A privacy service like no other.
    No one gives you more control over your e-mail than we do!
    http://www.cotse.net/servicedetails.html
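The scheme Steve describes above, written out as an added example (this is not code from the original post): a passphrase is reduced to the first letter of each word with symbol substitutions, and the result is wrapped in the first and last letters of the site name. Only the "not" -> "!" and "for" -> "4" substitutions and the Ebay/Yahoo outputs come from the post; the rest of the substitution table, the case rule (first site letter upper, last lower) and the stripping of non-letters from site names are my assumptions. It also includes a check the post does not mention: two site names that start and end with the same letters map to the same password under this scheme.

```python
import string

# Word-to-symbol substitutions used when reducing a phrase to its first
# letters. Only "not" -> "!" and "for" -> "4" are taken from the post's
# example; the other entries are my assumption.
SUBSTITUTIONS = {
    "not": "!",
    "for": "4",
    "to": "2",
    "and": "&",
    "at": "@",
}


def phrase_to_hash(phrase, substitutions=SUBSTITUTIONS):
    """Reduce a passphrase to the first letter of each word, replacing a
    whole word with a symbol when it appears in the substitution table.

    "Ask not what you can do for your country" -> "A!wycd4yc"
    """
    out = []
    for word in phrase.split():
        word = word.strip(string.punctuation)  # ignore trailing commas etc.
        if not word:
            continue
        out.append(substitutions.get(word.lower(), word[0]))
    return "".join(out)


def site_password(base, site, placement="ends"):
    """Combine the base hash with the first and last letters of the site.

    placement="ends"    -> First + base + last   (post's Ebay/Yahoo example)
    placement="swapped" -> last + base + First   (post's "last first, first last")
    placement="middle"  -> base[:half] + First + last + base[half:]

    Only letters of the site name count, so "e-bay" and "Ebay" give the same
    result. Upper-casing the first letter and lower-casing the last matches
    the post's examples; that case rule is my assumption.
    """
    letters = [c for c in site if c.isalpha()]
    if not letters:
        raise ValueError("site name needs at least one letter")
    first, last = letters[0].upper(), letters[-1].lower()
    if placement == "ends":
        return first + base + last
    if placement == "swapped":
        return last + base + first
    if placement == "middle":
        half = len(base) // 2
        return base[:half] + first + last + base[half:]
    raise ValueError(f"unknown placement {placement!r}")


def collisions(base, sites, placement="ends"):
    """Return {password: [sites...]} for every password that two or more of
    the given sites share. Site names with the same first and last letter
    (e.g. Twitter and Tumblr) get the same password under this scheme."""
    by_password = {}
    for site in sites:
        by_password.setdefault(site_password(base, site, placement), []).append(site)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


if __name__ == "__main__":
    base = phrase_to_hash("Ask not what you can do for your country")
    print(base)  # A!wycd4yc
    for site in ("Ebay", "Yahoo", "e-bay"):
        print(site, site_password(base, site))
    print(collisions(base, ["Ebay", "Yahoo", "Twitter", "Tumblr"]))
```

Running the block prints the post's two example passwords and then the one collision in the constructed site list. Since the base hash appears verbatim inside every derived password, the `collisions` check is the part worth keeping if you adopt a scheme like this: pick the placement rule and site-letter rule so that the sites you actually use do not land on the same string.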
    
