Re: Standard way to remember passwords



PGP wrote:
> "Shenan Stanley" <newshelper@xxxxxxxxx> wrote in message
> news:%23hZAcZ39FHA.2544@xxxxxxxxxxxxxxxxxxxxxxx
>
>>PGP wrote:
>>
>>>I have a config utility that lets users change service params and
>>>when it's time to apply changes, the user needs to supply his user
>>>name and pass as the services are created under the user so that
>>>user privileges on certain resources would apply. I would like to
>>>remember the user's password if he chooses to do so in a secure
>>>manner. Is this advisable? If so, how is it done?
>>
>>There are several Password Manager products out there.
>>Are you talking about them remembering what they used... Or YOU remembering
>>what they used?
>>
>>--
>>Shenan Stanley
>> MS-MVP
>>--
>>How To Ask Questions The Smart Way
>>http://www.catb.org/~esr/faqs/smart-questions.html
>>
>
> The username and password used here would be the user's system login
> credentials (for Windows services). What I am trying to do is to find out if
> there is a preferred way to save these so the user doesn't have to retype them.
> So the answer would be me remembering the passwords.
>

The password managers I've used help when Windows is already running but
not during login or on another system. I use one that is simple to use
for Internet access (the free version of "Password Depot") and another
separate password manager as a master-list of everything (password safe
on a USB thingy).

But to remember a password, I first analyze the risk factor (the benefit
of a weak password vs. the potential consequences of it being broken).
My bank account has a much higher risk-factor than a forum, so it gets a
much stronger password.

If the risk-factor is very low I use the same simple password on all of
them. But that is nowhere near safe. If someone breaks one, they've
broken all of them. It's just that when I use it, I really don't care.
The hard part is getting the risk-factor right.

When the risk-factor is high, I come up with a complicated passphrase.

I get three or four random words out of a book by opening to a random
page and pointing to a random spot on the page. Then I choose one of the
words under my finger.

Then I munge the words so they look like leet speak. My standard is to
1) capitalize each word, 2) change certain lower-case characters to
symbols, and 3) change certain lower-case characters to numbers.

If I ever need to write the password down, I write down the unmunged
passphrase and then translate it in my head. After using the passphrase
two or three times, the random words stick in your mind like an annoying
lyric.

Now you've got a passphrase that is easy to remember, has a combination
of symbols, numbers, upper-case, and lower-case. And it cannot be found
in a dictionary. You've made it difficult for both brute force and
dictionary attacks. Birthday attacks I'm not sure of because I don't
understand them yet.

For example: SymbolsBreakWrite = Sym8015Br3@kWr!73 (three words in this
posting)

Believe me, "symbols break write" is a lot easier to remember than
"Sym8015Br3@kWr!73", but "Sym8015Br3@kWr!73" is much more secure than
"symbols break write".

There is a pattern here and I'm sure enough cleverness could break it.
But nothing is completely secure, and you'll drive yourself crazy if you
try too hard.

--

Liquid
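The munging scheme from the post above, reconstructed as an added example (this is not the poster's code). The substitution table is inferred from the single example SymbolsBreakWrite = Sym8015Br3@kWr!73, and the dictionary size is an assumed placeholder. The inverse function is included to show the point the poster concedes: the substitution is a fixed, reversible rule, so the search space is set by the word choice, not by the leet step.

```python
import math

# Substitution table inferred from the post's single example
# (SymbolsBreakWrite -> Sym8015Br3@kWr!73); it is an assumption, not the
# poster's full rule set.
LEET = {"a": "@", "b": "8", "e": "3", "i": "!", "l": "1", "o": "0", "s": "5", "t": "7"}
UNLEET = {v: k for k, v in LEET.items()}


def munge(phrase: str) -> str:
    """Capitalize each word, then replace the lower-case letters in LEET."""
    out = []
    for word in phrase.split():
        word = word[0].upper() + word[1:].lower()
        out.append("".join(LEET.get(ch, ch) for ch in word))
    return "".join(out)


def unmunge(munged: str) -> str:
    """Invert munge(): each digit/symbol maps back to exactly one letter and
    every capital starts a new word, so the plain phrase is recovered."""
    words = []
    for ch in munged:
        if ch.isupper():
            words.append(ch.lower())
        elif words:
            words[-1] += UNLEET.get(ch, ch)
        else:
            raise ValueError("munged phrase must start with a capital letter")
    return " ".join(words)


def keyspace_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of picking word_count words uniformly from dictionary_size.
    Because munge() is a bijection, the munged form has the same keyspace:
    the substitution changes the alphabet of the guess, not the number of
    guesses needed by anyone who knows the rule. The strength comes from
    how many words are chosen and how randomly."""
    return word_count * math.log2(dictionary_size)


if __name__ == "__main__":
    plain = "symbols break write"
    secret = munge(plain)
    print(secret, "->", unmunge(secret))
    # Assumed dictionary size of 8192 words is a placeholder, not from the post.
    print(f"{keyspace_bits(3, 8192):.1f} bits for 3 words from 8192")
```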