Re: Paper & pencil password algorithm
- From: Guy Macon <http://www.GuyMacon.com/>
- Date: Tue, 10 Feb 2009 16:58:21 +0000
James Taylor wrote:
> Guy Macon <http://www.GuyMacon.com/> wrote:
>> That's interesting; I thought that perhaps *you* had lost interest
>> when you didn't respond to this:
>
> No, I'm certainly not losing interest, in fact all my other work is on
> hold until I can get a satisfactory algorithm for my passwords because I
> want to use them for several aspects of the security architecture I am
> putting into place on my main work computer, which is currently out of
> commission pending the result of this quest. I'm losing potential work
> because I'm stuck on this, so nothing is more important to me right now.
>
>> "...Or a site that used to be http://www.bigISP.com/~notbad/goodstuff.htm
>> and changes to being http://notbad.co.uk/goodstuff/index.html with
>> a 301 redirect from the old URL to the new URL..."
>>
>> Have you thought about how to handle URLs that change?
>
> I don't see it as a big problem. I was only going to base the password
> on the site's domain name, not the whole URL. URLs do tend to change
> occasionally, but domains change very rarely, in fact as domain names
> tend to be a brand with value they even outlive companies. In the rare
> case of a domain name changing I am pretty sure I'll be able to remember
> what the old domain was, so I'll be able to log in using the old
> password, and set a new password based on the new domain name.

But that means that you will have the same password for
http://www.bigISP.com/~homepageone/
and
http://www.bigISP.com/~homepagetwo/
...with entirely different owners. Such URLs *are*
reasonably common.

> I suppose your question could be rephrased as "what am I going to do if
> I have more than one account at the same website, or more than one login
> account on the same computer?". The simple answer to that is to append
> the username to the site name, before hashing it to get the password.
> For making new passwords for any account, I can just append a version
> number to the end of the site plus username. The quality of the hash
> function is everything.

That just moves the problem to "how do I remember these different
usernames?" Given the constraints that you have chosen (pencil
and paper, memory only) you need to have a hash function or
something like it that you can memorize once and use for many
websites. As soon as you add anything per-website that you have
to memorize or write down, you have defeated your purpose -- you
might as well just memorize a password for each website.
--
Guy Macon
<http://www.GuyMacon.com/>
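
An added illustration of the trade-off argued in this message, not code from any poster in the thread: HMAC-SHA256 stands in for the memorised paper-and-pencil hash, and the master secret, the usernames `alice` and `bob`, and all function names are constructed for the example. It shows which inputs give colliding passwords and which extra per-site values the user would then have to remember.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

MASTER_SECRET = b"constructed-demo-secret"  # constructed sample, not a real secret


def site_label(url, username=None, version=None):
    """Build the string that gets hashed: domain, then optional username and version."""
    label = urlsplit(url).hostname  # domain only; the path is ignored, host is lowercased
    if username is not None:
        label += "|" + username
    if version is not None:
        label += "|" + str(version)
    return label


def derive_password(label, secret=MASTER_SECRET, length=16):
    """Stand-in for the memorised hash: HMAC-SHA256, base64, truncated."""
    digest = hmac.new(secret, label.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")[:length]


def password_for(url, username=None, version=None):
    return derive_password(site_label(url, username, version))


if __name__ == "__main__":
    one = "http://www.bigISP.com/~homepageone/"
    two = "http://www.bigISP.com/~homepagetwo/"
    old = "http://www.bigISP.com/~notbad/goodstuff.htm"
    new = "http://notbad.co.uk/goodstuff/index.html"

    # Domain-only input: two unrelated owners on the same host share a password.
    print("same host, domain only :", password_for(one) == password_for(two))
    # Appending a username separates them, but the username is now per-site state.
    print("same host, + username  :", password_for(one, "alice") == password_for(two, "bob"))
    # A site that moves domains gets a new password; the old domain must be recalled.
    print("moved domain           :", password_for(old) == password_for(new))
    # A version suffix rotates the password and is one more value to remember.
    print("version 1 vs version 2 :",
          password_for(one, "alice", 1) == password_for(one, "alice", 2))
```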