Subscriber Discussion

Use One Password Scheme For All Your Websites, Safe Or Unsafe?

RW
Rukmini Wilson
Mar 08, 2014

Choosing passwords: You can do it "right" or do it "wrong".

Doing it right entails choosing different passwords for every site you need creds for, for some people that is easily over 100. You would need to store that list somehow manually or with a password manager.

Doing it wrong means using one password everywhere (or in my former setup three, one for banking, one for commerce, one for everything else).

Both have "pros" and "cons" that I am sure everyone is aware of.

I am using a new scheme now based upon trying to keep the pros of both with the cons of neither. Please Poke a Hole if you can!

New scheme is this: password consists of three parts, prefix, infix, suffix; The infix is some easily memorable but disjoint and unique phrase like "marTyism0zart", (not my real one), the prefix and suffix are derived from the site you are login into via some homemade transform that you always use.

Let's say my transform, a simple one for illustration, is just take the first two letters of the domain and for the prefix and the last two for the suffix, shifted by one letter. So ip=jq and vm=wn so the whole thing would be jqmarTyism0zartwn. But the key is to use make up your transform yourself. Then you can just remember one phrase and one transform and have unique passwords on all sites without storing them anywhere? Holes?

Avatar
Marty Major
Mar 08, 2014
Teledyne FLIR

Because you are using a codified encryption method that does not require a 'key' be known/acquired by a receiving party, the only hole I can see (or maybe better, weakness) is if you are personally tortured to reveal the key (or code) that only you know.

Then it just becomes a pain threshold exercise.... :)

Avatar
Brian Rhodes
Mar 08, 2014
IPVMU Certified

The password isn't as strong as it could be with, less characters:

Including more randomness and symbols helps slow down cracker programs. Including numbers in place of words can give Mneumonics to a seemingly random string. '5A1&ip$35' is easy to remember for me and only needs 9 digits to get the 100% mark.

Of course, dropping your password into a nonHTML5 'analyzer' is probably pretty stupid anyway.

Wait.

RW
Rukmini Wilson
Mar 08, 2014

The password isn't as strong as it could be with, less characters

Agreed: Though in all honesty it was chosen primarily as an entreatment to MM.

So Brian how do you choose/remember passwords, the right way or the wrong or in-between?

Avatar
Marty Major
Mar 08, 2014
Teledyne FLIR

Rukmini,

Cryptography and 'codes' have always fascinated me - cryptograms were the main reason I bought a lot of puzzle books as a kid. Word searches are like cracking a bicycle lock with only 3 number cylinders on it. :(

Passwords are a variant of cryptography - except you have the benefit of the creator being the only one who will ever need to 'decode' it (as mentioned above).

Because of this, your mnemonic method of encryption is, if not failproof, at least a great tool to use for those that find passwords maddening - as I do.

Password Managers are the only way a normal human could ever remember the many passwords they must possess (as you mention) - but then there is where your vulnerability lies. In the 'program' itself. Your method removes that inherent flaw.

I use a different method which I will not reveal, in the off chance that this whole string was an attempt to social engineer it out of me.

m

(for m0zart)

Avatar
Ethan Ace
Mar 10, 2014

That's a really weird checker. It doesn't count all special characters as special characters, for one. It also gives no indication of what 100% actually means. Why do I care if it's 1 or 100 if it tells me nothing about what standards it's basing this on?

Second, while I would never try to stop you from using random 9-character ASCII strings, try to get your parents or grandparents to remember one of those. Hell, try to get most people to remember one of those. This is why I think we need to back off the random string movement and move to easier to remember phrases. Even my mom, who couldn't remember "special2" as her old work password, can remember the phrase she picked for Gmail.

There are smarter people than me that can explain password entropy and the balance of memory/human error vs. security, but those are my general thoughts.

The one thing I do like in this thread is the idea of the prefix and/or suffix. It's another thing that's easy to remember, since it's based on the site you're on, and adding another character or four to the string adds a lot more time to anyone trying to crack a hash.

UE
Undisclosed End User #1
Mar 10, 2014

Who do you perceive the threat to be? I think your approach is likely to be effective against random attacks in isolation. The risk might be, for whatever reason, suppose two or more passwords are compromised by the same entity? Will they have what they need to understand all of your passwords?

Still, for most applications such as IPVM, the risk might be acceptable. For special applications such as banking, you might wish to use a different approach.

Personally I use two different transforms appropriate to the degree of protection required. My lowest ones can be broken with as few as two compromised passwords. My most critical ones that could cause me great damage if compromised (there are only a few of these) are unique, non-transformable, and must be memorized.

Also, password gatekeepers sometimes make demands that are incompatible with the transform. For example, length limitiations, special characters not allowed, etc. Does that bring you back to the password vault?

So, ... if you see even goofier posts than normal here on IPVM, I've probably been owned by the two-exemplar-crackable-transformed-password.

Best of luck with yours!

RW
Rukmini Wilson
Mar 10, 2014

The risk might be, for whatever reason, suppose two or more passwords are compromised by the same entity?

Possibly yes, its hard for me to evaluate how hard it would be if say ipvm had the jqmarTyism0zartwn password and the one for gmail hnmarTyism0zartjl. Probably not too hard, but that was just illustrative, I had also considered ones where every other letter is transformed and encoding the length of the site name like th, fo, fi,si.

Thats why I think its important to come up with your own transform that is tricky enough and likely to be unique. Its seems counter-intuitive but if you or I were to write a web server from scratch, at first it would have a million security holes, but yet in the 'wild' it might fare better than most because those holes would be unknown and idosyncratic and not worth it to take the time to discover them, just like MacOS went untouched fir so many years.

Personally I use two different transforms appropriate to the degree of protection required.

Are the transforms you use site specific or global?

As for limitations yes thats concievably a problem tho I try to make my passphrase use all the standard reqs ahead of time.

Also domain names change or redirect...

UE
Undisclosed End User #1
Mar 10, 2014

The transforms incorporate variables that are specific to each site.

In retrospect it has been probably been foolish of me to explain anything about the nature of my passwords under disclosed identity. John, would you mind anonymizing these two posts?

Thanks!

Avatar
Ari Erenthal
Mar 10, 2014
Chesapeake & Midlantic

I tried making my passwords as difficult as possible, and got locked out of all my digital and online accounts. Now I just have seven or eight different long passwords, assigned randomly to online account access, and changed frequently.

My main protection against indentity theft, however, remains my terrible, horrible, awful credit rating. I wish I was kidding.

Avatar
Marty Major
Mar 10, 2014
Teledyne FLIR

                                                                  

Avatar
Tyler Graham
Mar 10, 2014

http://xkcd.com/936/

HL
Horace Lasell
Mar 11, 2014

Nice. The only trouble is, why do some applications limit you to 8, or 12, or 14 characters? In this day of streaming video, it's not like password storage or processing has any meaningful cost, but as you pointed out, short password constraints do bear a pretty significant cost.

RW
Rukmini Wilson
Apr 24, 2014

Begin Password Rant

Forgot password? Forgot password?

Why does it always say that? I'm not sure I have ever actually forgotten a password? I have forgotten which one I have used innumerable times. Usually because of some password restriction preventing me from using my ex-default password; my equivalent of 'hoochiemama'. So here are three suggestions for those software titans, who should quickly embrace my proposals and fast-track them into production.

After I have screwed up once please:

1. Show me a key of what the requirements are for a valid password, i.e., one number, one cap, and one beer, and not just the current ones, but the ones in effect when I chose it) (And no it won't help the hackers, they are the ones who know it already)

2. Let me ask a question or two. Like: is it the one than ends in z? (Advanced algorithims could play hot or cold. :)

3. Change forgot password to: Please let me help you recall your choice. (just cuz)

And no I don't think answering a question about a single letter will significantly affect security, since it would send a hint given e-mail and still lock you out after too many misses.

What am I overlooking or would this help only me?

End Password Rant

New discussion

Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.

Newest discussions