Slashdot Mirror


How do you Remember Your Passwords?

Aaron asks: "Like most people reading this, I have more than a few computer accounts. Password maintenance (e.g., changing them regularly, thinking of ones that are hard to crack but possible to recall, remembering what this week's password is on account foo) is nontrivial. What strategies for managing passwords do you have?" Mnemonics and password schemes are tricks a few people use, but I'm sure some of you out there have better ways. Would any of you care to share?

299 of 406 comments

  1. Piece of paper by McMac · · Score: 1

    Nutty though this may sound, a piece of paper is strangely immune to all forms of hacking. Just don't let anyone else see it.

    1. Re:Piece of paper by Pope · · Score: 1

      Yeah, I basically write them down in my sketchbook.
      And I keep a backup in the "Notepad" DA on the Mac.
      Nobody goes near my machine, so I don't worry. It's at home. :)

      Pope

      --
      It doesn't mean much now, it's built for the future.
    2. Re:Piece of paper by Anonymous Coward · · Score: 1
      s'easy...

      Type out a six-character string followed by a dash and then a real word, e.g. a8fd9)-jim.

      When you need to change it, make your next password "one-up, one-down" followed by the same word, e.g. b7ee8(-jim. It makes it so easy to remember even if you change your passwords once a week. It also makes it easy to backtrack through various passwords. Been using this method for six years.

    3. Re:Piece of paper by ToastyKen · · Score: 1

      Of course, it defeats the entire purpose of the system for you to tell us this, because now anyone who finds one of your passwords can figure out the rest, making changing your password pointless.

    4. Re:Piece of paper by SamIIs · · Score: 2

      Of course, it defeats the entire purpose of the system for you to tell us this, because now anyone who finds one of your passwords can figure out the rest, making changing your password pointless.

      YES!!! Good point. Let The Cracking Begin!!! This /. neanderthal will pay for his security breach! The foolish mortal was smart enough to hide his email from his /. preferences, but I did a lookup for "Coward,Anonymous" on a few email search engines, and LOOK WHAT I FOUND!!

      E-mail Results 1 - 3 of 3

      1) coward, anonymous
      My E-mail Address is PRIVATE

      2) coward, anonymous
      My E-mail Address is PRIVATE

      3) Coward, Anonymous
      guest@Radio.CZ


      We have found him!! He will pay for leaving himself so wide open. Let this be a lesson to all that would follow.

    5. Re:Piece of paper by InsomniacsDream · · Score: 1

      Come on, give him/her a break. I hope nobody seriously tries to "pay him back for leaving himself so wide open". This is childish and beneath any respectable hacker, as this would not pose much of a challenge anyway; kind of like Mike Tyson and Pee Wee Herman duking it out (god, wouldn't that be a beautiful sight though). I admire the principled hacker, the one who hacks for a higher purpose, over the 'just because I can do it' hacker. Not that the latter isn't still a little fun at times.

      With that said, this does raise a good point. I ain't handing my password strategy over to a bunch of foaming-at-the-mouth script kiddies. Not that I wouldn't enjoy crushing anyone who tried messing with my account (note the .gov extension). We've dealt with all kinds of break-in attempts before, and they've all had a happy ending for us. We had problems with packet sniffers a few years back.

      Now all of NASA exclusively uses ssh. This is very secure because it uses RSA authentication instead of just passwords. All (most) other ports are closed except for ssh, and you can't get access without the private key from each authorized machine. This makes it more like authorized machines instead of authorized users. I Like it a Lot (spoken with a Jim Carrey accent)!

      I mostly keep them all written down on a piece of paper that I guard with my life. I never keep an electronic record.

  2. Palm Pilot by Matts · · Score: 2

    Keep all mine in scribble.

    --

    Matt. Want XML + Apache + Stylesheets? Get AxKit.
    1. Re:Palm Pilot by Haven · · Score: 2

      I just go into my /etc/passwd file in Linux and write down what the encrypted form of 'HemostheHamster' is. That's my password.

    2. Re:Palm Pilot by David+Ishee · · Score: 1

      I use Strip (Secure Tool for Remembering Important Passwords)

      Here is the link

      It is a GPL program, and uses 96 or 128 bit block encryption of all databases (uses the 3-Way or IDEA algorithms respectively).

      --
      Your password has expired, please login to change it.
    3. Re:Palm Pilot by Listerine · · Score: 1

      All my passwords are typable with one hand (not pecking mind you) and flow from the hand with as little awkward movements as possible. It works.

    4. Re:Palm Pilot by HeTTaR · · Score: 1

      Yeah and the generate random password saves me all the effort of having to think of one =) hmmm I love my pilot.
      HeTTaR
      M&D Eaton
      http://www.uq.net.au/~zzmeaton
      hettar@uq.net.au

      --
      Hettar.
    5. Re:Palm Pilot by Gooner · · Score: 1

      Thanks for the link to Strip. I also use Password Safe from Counterpane (www.counterpane.com) for my desktop system. It uses the Blowfish algorithm and you can have multiple databases for home and work etc.

      cheers

    6. Re:Palm Pilot by SamIIs · · Score: 2

      All my passwords are typable with one hand (not pecking mind you) and flow from the hand with as little awkward movements as possible. It works.

      All my passwords used to be based on either the word reverberated or stewardesses. "reverberated" definitely flows better, so I'd make passwords something like "Reverbberatedd".

      'Course, then I switched to Dvorak, so now everything flows better. :)

  3. Memorization through use. by BradyB · · Score: 1

    Write them down for the first week. Use the new passwords frequently; even if you don't have to use those accounts often, try to use them often for about a week. After that, if you are any good at a number-letter password combo, they should be ingrained until the next time. It has always worked for me. Oh, and don't forget to flush the passwords once you're done. Hate to see someone dumpster diving and finding a password or two.

    --

    Good is never enough, when you dream of being great!
    1. Re:Memorization through use. by Rob+Kaper · · Score: 2
      I must agree that using passwords is simply the best way to remember them. Using a password is almost a habit. The positioning of the fingers, the order of the keystrokes... how often did you type your old password out of habit when you knew very well you changed it recently?

      But there is more you can do than using them a lot. Make passwords that make sense. This doesn't necessarily make them insecure, but easier to remember. For example: no one would guess w3/.org is the password for Rob's server. But it's darn easy to remember.

      All my passwords have some sort of connection to my life, servers, what's running on them, etc. etc. But be careful not to make them too easy. My password is most definitely not my girlfriend's name.

      Also, use your old passwords (that you are familiar with) for all those stupid Web-accounts. Who cares! Of course make exceptions when you start ordering stuff, especially with one-click-buying.

    2. Re:Memorization through use. by Anonymous Coward · · Score: 1

      It never ceases to amaze me that most people need special techniques to memorize passwords.

      Whenever I change my passwords, I just do a few spurious extra logins for about an hour or two after I change one. After that, I'm set.

      I suppose that if I used dictionary words or names like most people seem to prefer, then I'd have to have some special technique to memorize that they're passwords; I find it hard to cross-link strings like that. My usual base for passwords - punctuation, numbers, control characters - generates unique strings and thus they are easy to memorize.

    3. Re:Memorization through use. by TDR-X · · Score: 1

      My personal technique is called "mash blindly like a drunk on your keyboard, then write out the mess about 10 to 15 times, and you've got it memorized."

      Today's Password is: p5Q28#%^uhqqb&@

    4. Re:Memorization through use. by Abigail-II · · Score: 1
      Whenever I change my passwords, I just do a few spurious extra logins for about an hour or two after I change one. After that, I'm set.

      Does that work if you have 40 passwords to remember, some of them you haven't used for half a year?

      -- Abigail

    5. Re:Memorization through use. by Alan+Shutko · · Score: 1

      The problem isn't remembering passwords you use on a regular basis. The problem is remembering the string of random characters for the account you haven't used in two months.

    6. Re:Memorization through use. by jaapD · · Score: 1

      The problem is remembering the string of random characters for the account you haven't used in two months.
      I use The Public DNS as DNS server for my domain. For 6 months there was no need to change anything. Now I have to change my IP address. And I can't remember my password. Some Linux or DNS term, phonetic spelling in Dutch, with maybe a number. I tried over 60 passwords, haven't got it yet.
      The Public DNS has a password reset service but they haven't reset a password for over a year. The service is free so I can't complain too hard.

    7. Re:Memorization through use. by Omicron · · Score: 1

      I capture all of my keystrokes...that way when I pass out face down on my keyboard at 6 in the morning after a 12 hour coding binge, i just take the first 8 or so characters that aren't repetitive after my head has hit the keyboard. It works pretty good :)

    8. Re:Memorization through use. by elflord · · Score: 1

      I tend to start by logging in and out about 10 times. That usually "burns it in" to my fingers. No paper required.

    9. Re:Memorization through use. by chuck · · Score: 1

      It is a good point that one tends to memorize things through use. That's why I start with one single password. I'll call it my Mega HardCore Secure Password(Tm). The Mega HardCore Secure Password is used on my personal accounts, the ones where I store my mail and files, for about six months each. I will only use the MHCSP on local connections, or SSH, to keep it from being compromised.

      When the MHCSP expires, I come up with a new MHCSP. The old MHCSP becomes my Semi-Secure Pretty Important Password(Tm). Because it is my old MHCSP, the SSPIP is easy to remember. (And because I use the _new_ MHCSP every day, I remember that as well.) I use the SSPIP on commerce sites, and places where I can check my credit card balances, & stuff. These are things that I want secure, but I expect that security is weaker on the other end anyway, so it doesn't matter as much. But in transit it uses SSL, so we're safe from sniffers.

      When the SSPIP expires, it becomes my Common Remote Access Password(Tm). The CRAP password is used on numerous free email services, online gaming sites, and other things I don't give a CRAP(Tm) about. In fact, I almost expect this password to be discovered at some time, because it's sent around in plaintext, and sometimes I tell people what it is so they can access something.

      In reality, I have more than three levels, but this is the basic idea. But the key is, since I've used each password for about six months, I remember them all.

    10. Re:Memorization through use. by echo-e · · Score: 1

      i typically glance across my desk and pick out a few fragments of text and digits (usually off labels and barcodes), then change a couple of letters to hax0r numbers, write it down, use it a few times, then swallow or flush the paper.

      as was mentioned in this thread, after using the passwords a few times, they're easy to remember.

      -james

  4. Patterns by Anonymous Coward · · Score: 1

    Copied this off my friend Ke6n:

    Use patterns from the home row keys. Squares, diagonals, horizontal and vertical lines, left to right, right to left, and each hand.

    They're generally non-dictionary letters, big, and easy to memorize, left-straight.

    But they require you to use roughly the same keyboard.

    -- Ender, Duke of URL

    1. Re:Patterns by donheff · · Score: 1

      Wouldn't some of the cracking programs have these strings coded in?

    2. Re:Patterns by kveldulv-- · · Score: 1

      I have 3-4 different passwords that I generally use for different things irc bots/web sites,mail/ibill stats/dial up . For different accounts I'll just add something on the end or change a common value to something similar but unrelated, 'I' may change to '1' for (shitty) example. Browsers remembering passwords I find damn handy too, more to save typing than remembering.

    3. Re:Patterns by Zang · · Score: 1
      Yup, patterns are the way to go.
      Keep them varied but simple.

      Find the patterns...
      9i8u7y6t
      mju7nhy6
      5tgbvcxz
      qweasdzxc
      v4c3x2z1

      Take mju7nhy6 for example... Use this on one machine, but keep the pattern on another but shift it over 3 and you get vfr4cde3.

      Keep the patterns varied and for *really* secure patterns, don't use keys next to each other such as m97bc53z1v4m.

    4. Re:Patterns by Zang · · Score: 1
      Oh, and memorize many patterns.

      I used to use 7ujm6yhn all the time but people near me would notice me sliding my finger twice down the keyboard for the pass.

    5. Re:Patterns by SamIIs · · Score: 2

      not unless the cracker coded it that way...I'm sure you could come up with a crack ruleset for keys that are near each other, but it would be a pain.

      Mmmmm. Dvorak.


      Security through obscurity.

    6. Re:Patterns by SamIIs · · Score: 2

      If you can touch type, make some variations. I used to use asdfasf. REALLY easy to remember, and friends who think they're cute can try to break your password by watching, but no one counts the *******.
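
An added example, not from the thread, to answer donheff's question about whether crackers could have keyboard patterns coded in: a small Python model of the US QWERTY layout that tests whether a password is a walk over physically adjacent keys (splitting it into the fewest such walks) and counts how many walks of a given length exist, so the pattern keyspace can be compared with 62^8. The row offsets, the adjacency radius and the "at most N glued walks" model are assumptions of this demo, not anything the posters described; no sample password here comes from anywhere but the posts above.

```python
"""Keyboard-walk detector and counter for the "patterns" passwords above.
Added example; not code from the Slashdot thread."""
import math

# US QWERTY, unshifted, as four staggered rows. The x offsets (in key widths)
# approximate the physical stagger; they are an assumption of this demo.
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
OFFSETS = [0.0, 0.5, 1.0, 1.5]

# key -> (x, y) position on the keyboard
POS = {}
for r, (row, off) in enumerate(zip(ROWS, OFFSETS)):
    for c, key in enumerate(row):
        POS[key] = (c + off, float(r))


def adjacent(a: str, b: str) -> bool:
    """True when a and b are distinct, physically neighbouring keys
    (horizontal neighbours at distance 1.0, diagonal ones at about 1.12)."""
    if a == b or a not in POS or b not in POS:
        return False
    (x1, y1), (x2, y2) = POS[a], POS[b]
    return math.hypot(x1 - x2, y1 - y2) <= 1.2


NEIGHBOURS = {k: [o for o in POS if adjacent(k, o)] for k in POS}


def segments(password: str) -> int:
    """Minimum number of contiguous keyboard walks the password splits into:
    1 means one unbroken walk; len(password) means no adjacent pair at all.
    Upper-case letters map to their key via lower(); shifted symbols such as
    '@' are treated as unknown keys and therefore always break a walk."""
    pw = password.lower()
    return 1 + sum(1 for a, b in zip(pw, pw[1:]) if not adjacent(a, b))


def count_walks(length: int) -> int:
    """Number of key sequences of the given length in which every step
    moves to an adjacent key (revisits allowed), by dynamic programming."""
    ways = {k: 1 for k in POS}              # walks of length 1 ending at k
    for _ in range(length - 1):
        ways = {k: sum(ways[n] for n in NEIGHBOURS[k]) for k in POS}
    return sum(ways.values())


def walk_candidates(length: int, max_segments: int) -> int:
    """Upper bound on passwords of `length` built from at most `max_segments`
    walks glued together (e.g. "mju7" + "nhy6"): sum over all ways of
    splitting the length, of the product of per-segment walk counts."""
    def compositions(n, k):
        if k == 1:
            yield (n,)
            return
        for first in range(1, n - k + 2):
            for rest in compositions(n - first, k - 1):
                yield (first,) + rest

    total = 0
    for k in range(1, max_segments + 1):
        for parts in compositions(length, k):
            prod = 1
            for p in parts:
                prod *= count_walks(p)
            total += prod
    return total


if __name__ == "__main__":
    for pw in ["9i8u7y6t", "mju7nhy6", "vfr4cde3", "qweasdzxc", "m97bc53z1v4m"]:
        print(f"{pw:14} splits into {segments(pw)} walk(s)")
    print("8-key single walks:      ", count_walks(8))
    print("8 chars from <= 2 walks: ", walk_candidates(8, 2))
    print("all 8-char alphanumerics:", 62 ** 8)
```

The point the numbers make: every walk pattern posted in this thread (9i8u7y6t, 5tgbvcxz as one walk; mju7nhy6, vfr4cde3, 7ujm6yhn as two) falls inside a candidate set that is millions of times smaller than the full 8-character alphanumeric space, and a ruleset only needs the adjacency table, not a list of the strings themselves. Zang's m97bc53z1v4m, which deliberately avoids neighbouring keys, is the one that this model cannot enumerate cheaply.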

  5. probably unsafe, but by Conspire · · Score: 1

    i keep a delimited text file with all my personal passwords (several workstations and websites), servers, virtual server telnet accounts, and ftp accounts on it. the file is always PGP encrypted with max bit encryption available. what would i do if i forgot my password file password??????

    by the way, the file is on a magneto-optical disk and called "judy.jpg" (just an example), not on my hd, just in case.

    --
    Real men don't need signatures!!!
    1. Re:probably unsafe, but by Juxtap0ser · · Score: 1

      Yes, I used to do the same thing, and then once DID forget the password file password. Tried to remember it for months, no (easy) way to Brute Force that 1024 bit PGP, unfortunately! That REALLY sucked.

      --
      From his paradise no one shall ever evict us. --David Hilbert, defending Cantor's set theory
  6. Car Registration numbers by Rob+the+Roadie · · Score: 1

    I personally prefer car reg numbers as they are hard to guess (random letters and numbers) but they mean something to me.

    I've driven loads of different cars and therefore I have lots to choose from. Rotate weekly - add an underscore or two - reverse them for extra effect.

    Still, the easiest one to remember is of course " ".

    1. Re:Car Registration numbers by supz · · Score: 1

      Still, the easiest one to remember is of course " ".

      reminds me of a funny experience i had. i had this zip file with god knows what in it, probably porno. i had zipped this file with a password on it so the feds (and my parents) couldn't tap into the top secret contents of it, but then a few weeks later when i wanted to open the file i couldn't for the life of me remember what the password was. so in a futile attempt to recover the password, i downloaded a brute force zip password cracker. i left it running for a couple of hours and when i got home from saving the world, it had found 0 passwords. discouraged and pissed off, at the blank password entry prompt i just hit enter, and BAM, there was the zip file extracted and decrypted. thank god no one else knew about how stupid i was, err oops.

      -

  7. PGP by jojo80 · · Score: 1

    It might be an idea to create a text file with your accounts and the corresponding passwords and then encrypt everything with PGP. Thus you only need to remember one password.
    The problem is that if you forget this password your other passwords are lost too...

    1. Re:PGP by Rob+Kaper · · Score: 1
      There are webservices that keep your passwords for you, I think Microsoft launched one not so long ago. I keep _all_ my root passwords on their servers! ;-)

      Also, Mozilla will be able to remember them for you in your 'wallet', I don't know how it's encrypted locally but the wallet and your profile should be (and can be) password protected themselves. Internet Explorer also does this.

    2. Re:PGP by Noofus · · Score: 1

      Although I havent found it very useful yet, MacOS 9 has a keychain feature that essentially does what you said. I tried it once, thought it was cool then disabled it.

  8. my trick... by acroyear · · Score: 1

    i take a line from a song or a movie and use the first letters... then i twist that around by capitalizing certain letters or sticking a punctuation mark in between, just to add an air of randomness to it.

    --
    "But remember, most lynch mobs aren't this nice." (H.Simpson)
    -- Joe
  9. That is one reason I have a PDA by kuperman · · Score: 3
    I use my PalmPilot to store many of my passwords. There are three apps that I know of that you can use:
    • Secret! - which is basically a password protected set of memo pages, but it also can do TAN and single use passwords.
    • SecureMemo - Similar to Secret! but each memo is encrypted separately. I was already using Secret! when some of these types of things came out.
    • Strip - My current favorite. This is a password protected application that is designed for managing password info. It is a database of records with Username, Password, and Description fields. It can generate a random password of a requested length, and you can use it to send an account to another user (great for a sysadmin when creating people's accounts). Only big negative I've seen is that the password length has a length limit, so storing ssh and pgp passphrases may not fit.
    All three of these store their data encrypted both on the pilot and on the backups. You could do something similar with a PGP or otherwise encrypted file on your computer, but I prefer the redundancy of having the data in two places. PalmPilot and backup machine (plus backups of the backup machine. :-)
    1. Re:That is one reason I have a PDA by bladel · · Score: 1

      Absolutely! One memo for user/pass, one memo for ATM & CC PINs, another for bank account numbers, etc. Dead in the water without my Pilot.

      --


      Information wants to be Free. Useful Information will cost you.
    2. Re:That is one reason I have a PDA by Stinking+Pig · · Score: 1

      Strip is the best!!!

      I haven't run into the length limit-- then again, I keep my gpg passphrase fairly short since I need to type it pretty damn frequently.

      The best thing about Strip isn't the ability to keep my own accounts straight, though -- I use my own accounts and could probably remember them. The best thing is keeping the account info of all the relatives and ex-employers that I moonlight for.

      --
      "Nothing was broken, and it's been fixed." -- Jon Carroll
    3. Re:That is one reason I have a PDA by Zero_G · · Score: 1

      I just did an internet search and failed to come up with a link to Secret!, SecureMemo or Strip. Where can I find them?????

    4. Re:That is one reason I have a PDA by david62 · · Score: 1

      You can download Strip from http://www.zetetic.net/

    5. Re:That is one reason I have a PDA by Phil+Gregory · · Score: 1

      Of those, my favorite is Strip. Not only does it have all the functionality I need and uses strong encryption to store the passwords, it's also GPLed.


      --Phil (Always looking for GPLed Pilot programs.)

      --
      355/113 -- Not the famous irrational number PI, but an incredible simulation!
    6. Re:That is one reason I have a PDA by DaEvOsH · · Score: 1

      People, try TopSecret. It uses the Tiny Encryption Algorithm, a published encryption algorithm using 128-byte keys. It seems pretty solid, has a very good conduit and Win app, and lets you keep as many memos as you want. Try it @:

      www.clicklite.com

    7. Re:That is one reason I have a PDA by Savage+Henry+Matisse · · Score: 1

      I totally agree. PDAs are a god-send to avid account-holders. If you-all like these apps, you'll love Cipher. It's a freeware implementation of 128-bit IDEA for the Palm OS. Encrypts Memos using the clipboard, so all backups are also encrypted. Very cool. I swear by this prog; Holger is now my second-favorite German (first is Hacker-Pschorr.) -"S"HM

      --
      Much Love,
      "S"HM
      *****
      (I refuse to spellcheck out of contempt for your belief system)
    8. Re:That is one reason I have a PDA by boots@work · · Score: 1

      I'm writing an application called GNU Keyring with the best features from all of these, and it's also GPL'd so that you can assure yourself of its security. You can find it at Freshmeat 942590261.

  10. A different password for every site... by ElvenKnight · · Score: 1

    ...and yet I remember each one. Why? Because
    when I forget.. the first thing I ask myself...

    "If I were to pick this password, which, surprise, I did... What would it be? Hrmm..." ....
    And I usually get it after a couple tries. :)


    -Matthew
    Technetos, Inc.

    1. Re:A different password for every site... by JM_the_Great · · Score: 1

      Hmm.......this means that your passwords are pretty easy to guess. They couldn't have been that obscure, or you wouldn't have remembered. This means that basically anybody could try to think like you and figure out your password.

      Then again - I might be wrong.


      That's my $(2^4*3+1/7%3*2/100)

      --

      --Justin Mitchell
      "2nd Place is a fancy word for losing" --Bender (Futurama)
    2. Re:A different password for every site... by ElvenKnight · · Score: 1

      And what makes you think anyone can think like me? 'Course.. I bet you knew I would say that... :)


      -Matthew
      Technetos, Inc.

  11. It's still better than "PASSWORD" by Voltage_Gate · · Score: 1

    I remember my password, RHF4345_enternow_123, by repeating it loudly and writing it everywhere. My clients can feel safe knowing their personal information is secure with me.

  12. My wife's first name by Per+Abrahamsen · · Score: 3

    I use my wife's first name for all my accounts. For those sites that do not accept "Amanda" as a password, I use the names of my kids ("Allan" and "Ann"), and also write the password down on a yellow label stuck to my monitor (together with the site/account name of course), as well as in a file named PASSWORDS in my home directory. Just in case the label falls off.

    This has worked well until now, I have never had to ask the admins to remind me what my password is.


    1. Re:My wife's first name by Anonymous Coward · · Score: 2

      ~> telnet dina.kvl.dk
      Trying 130.225.40.228...
      Connected to dina.kvl.dk.
      Escape character is '^]'.
      abra

      SunOS UNIX (elc1)

      login: abraham
      Password:
      Login incorrect
      login: abraham
      Password:
      Login incorrect
      login: abraham
      Password:
      Login incorrect
      login:
      telnet> quit
      Connection closed.

      Liar. :)

    2. Re:My wife's first name by Relforn · · Score: 2

      Somebody else obviously got to his account before you. He doesn't have the new password either.

      heh

    3. Re:My wife's first name by Xerithane · · Score: 1

      Actually -- I do use schemes like this. I pick arbitrary friends that have a memory associated with the computer, scramble their name using alphanumerics, then I have a good password of @u_1nm0x.$ and it just looks like their name to me..
      -= Making the world a better place =-

      --
      Dacels Jewelers can't be trusted.
  13. One method I use by Stormbringer · · Score: 3

    Nothing says that easy to memorize has to mean easy to guess.

    Take a common household phrase..

    ash nazg gimbatul

    ..apply 31337 to it..

    @Sh N@5g G!Mb@tU1

    ..now table it...

    @ShN
    @5gG
    !Mb@
    tU1

    ..and unwind that.

    @@!tS5MUhgb1NG@

    ...that's something that can be memorized in source form as long as the 31337 rules are consistent and the table is near-orthogonal. It can be regenerated on a scrap of paper or, with a smudged-off-afterward marker, on a countertop.

    1. Re:One method I use by dpreformer · · Score: 1

      I tend to use something similar. Take a song whose lyrics you remember:

      "The long and winding road, that leads to your door"

      Use first and/or last letters of the words (or alternate them), and make the easy to remember substitutions (to -> 2, and -> & etc.) and leave in punctuation. The Beatles lyric fragment becomes:

      Tl&wr,tl2yd

      Any memorable line from a movie, song, comedy sketch, etc can work. Not easy for dictionary attacks to crack, easy to remember.

    2. Re:One method I use by orion99 · · Score: 1
      This method doesn't seem too secure to me. As long as there is little randomness in the process, the end result is not secure, being susceptible to a brute force attack.

      Let's see, you started with a common household phrase, which, depending on the length, doesn't contain too much randomness. You applied the eleet rule, which also is almost deterministic, and finalized with a deterministic permutation, the write-rows-read-columns. Knowing this whole procedure, it's just a matter of trying the most common phrases, applying this procedure before. Of course, if the attacker doesn't know the procedure, this is one source of randomness, but now that you've published it that randomness is gone.

      As for my approach, I find it easier to let my brain learn the positions and sequence of the keys than to try to memorize the letter and hunt it down every time. I generate a random password using spwgen (available under Debian) and then type it several times, trying to concentrate on the movement of the fingers, instead of the specific keys. So for example for the password 7$t-87c+ I try to concentrate on the fact that I use my right hand twice (with the left hand pressing the shift for the second key), and then my left followed again by the right 3 times etc. Of course this will depend on your own typing skills, but since for me it doesn't change that often, it makes for an easier-to-remember password.

      I find I can remember quite a few of these passwords (even those I have not used for a while) and it makes learning new ones quite painless. Of course, I'd advise you to write them down for the first few days, keeping them in a safe place (like pasted on your monitor;-). My favorite method of generating random passwords is, well, generating random passwords. I use a program called spwgen (available under Debian) to spit out a few passwords, and then I type one at a time to find one that is too awkward to type. I then just type it several times to memorize the sequence of keys. I find I more readily remember the password if I let the brain remember the
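
An added example, not from the thread, that implements the two phrase-based derivations described in this branch (Stormbringer's leet-then-transpose scheme and dpreformer's song-initials scheme) and then demonstrates orion99's objection: because each derivation is deterministic, an attacker who knows the procedure needs exactly one trial per candidate phrase, so the transform adds nothing to the strength of the phrase itself. The leet rule used here (a, i, z, l become @, !, 5, 1, and every letter at an odd position of the space-stripped phrase is upper-cased) is inferred from the single worked example in the post and is an assumption of this demo; the phrase list PHRASES is constructed.

```python
"""Phrase-derived passwords and why the derivation adds no entropy.
Added example; not code from the Slashdot thread."""
import string

# Stormbringer's substitutions, inferred (assumption) from the one example
# in the post: "ash nazg gimbatul" -> "@Sh N@5g G!Mb@tU1".
LEET = {"a": "@", "i": "!", "z": "5", "l": "1"}


def leet(phrase: str) -> str:
    """Apply the substitutions to the space-stripped phrase and upper-case
    the letters at odd positions (the simplest rule that reproduces the post)."""
    out = []
    for idx, ch in enumerate(phrase.replace(" ", "")):
        if ch in LEET:
            out.append(LEET[ch])
        elif idx % 2 == 1:
            out.append(ch.upper())
        else:
            out.append(ch)
    return "".join(out)


def columnar(text: str, width: int = 4) -> str:
    """Write `text` into rows of `width` characters, then read the table
    column by column (a columnar transposition; a ragged last row is fine)."""
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join(row[c] for c in range(width) for row in rows if c < len(row))


def stormbringer(phrase: str, width: int = 4) -> str:
    """The full scheme: leet the phrase, table it, unwind the columns."""
    return columnar(leet(phrase), width)


# dpreformer's scheme: first letter of each word, "and" -> "&", "to" -> "2",
# and punctuation that trails a word is kept after that word's initial.
WORD_SUBS = {"and": "&", "to": "2"}


def initials(lyric: str) -> str:
    out = []
    for word in lyric.split():
        core = word.rstrip(string.punctuation)
        tail = word[len(core):]
        out.append(WORD_SUBS.get(core.lower(), core[:1]) + tail)
    return "".join(out)


# Constructed candidate list standing in for an attacker's phrase dictionary.
PHRASES = [
    "to be or not to be",
    "ash nazg gimbatul",
    "may the force be with you",
    "the long and winding road",
]


def recover(target: str, phrases, derive=stormbringer):
    """Attacker side: one derivation per candidate phrase. The work is
    len(phrases) derivations however elaborate derive() is, because the
    procedure is deterministic and, once posted, public."""
    for phrase in phrases:
        if derive(phrase) == target:
            return phrase
    return None


if __name__ == "__main__":
    pw = stormbringer("ash nazg gimbatul")
    print(pw)                                  # @@!tS5MUhgb1NG@
    print(initials("The long and winding road, that leads to your door"))
    print("recovered:", recover(pw, PHRASES), "after at most", len(PHRASES), "tries")
```

Swapping in a different width, a different leet table or the initials scheme changes nothing about the attack: the attacker applies the same function to the same phrase list. The only term that raises the cost is the size (and unpredictability) of the phrase list itself.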

  14. qwerty on dvorak by dattaway · · Score: 2

    I type some number enriched ascii jumbled text from something I have lying on the desk that can be remembered and type it in qwerty on a dvorak keyboard. I can type my password out, but if you ask me what it is, I wouldn't know unless I actually typed it. It's like a secret decoder ring...

  15. I'll never forget by Mr.+Offtopic · · Score: 1


    My password is "password".

    I use this on a couple of machines (198.137.240.91 and 198.137.240.92), and it seems to work pretty well.

    BTW, I haven't told you my login name ;)


    1. Re:I'll never forget by JelERol · · Score: 1

      'Password' as a password, isn't that one of the big 5? I would put a random number on the end of it like 'password32'. That would make it a mite more secure. Notice the word mite.

  16. Tattoos by MattXVI · · Score: 1

    Tattoos on my forearm.

    --
    When I'm singing a ballad and a pair of underwear lands on my head, I hate that. It really kills the mood.
    -Tom Jones
  17. A Password That Will Never Be Forgotten by meni · · Score: 1

    The one from the movie SpaceBalls:
    12345

    1. Re:A Password That Will Never Be Forgotten by finkployd · · Score: 1

      That's incredible, I have the same combination on my luggage!

      Finkployd

  18. Re:That's the same combination as my luggage! by renegade187 · · Score: 1

    I think that he has a point truthfully...

    Anyone remember spaceballs?

    I tell you, qwerty or 12345 would not be the first ones i would try to break a password with. Maybe I'm just rambling but oh well...

    --
    icq:=22921393;
  19. My strange passwd methodology by voudras · · Score: 1

    As ya can tell I'm a terrible speller.. actually it comes to my advantage in a small way when it comes to passwords. 95% of the time I misspell words the same way. A misspelled password evades dictionary checks. On top of that I tend to use the same character replacements (! instead of i, 0 instead of o, etc. etc.). So I usually end up pickin' a word that reminds me of the login and bang - I remember the password (95% of the time heheh).

  20. Humans Are Visual Creatures by Dave500 · · Score: 3

    One of the things I have noticed is that humans as a whole tend to remember pictures and symbols far more easily than alphanumeric information. (Simple fact - we have evolved that way).
    As one of the system administrators for a medium sized ISP, we are faced with the problem of regularly rotating certain account passwords (I think you can guess which ones ;-) ). After several years it became hard to achieve unique ones that everybody involved could easily remember. Hence our switch to visual methods.
    Simple Example:-

    Imagine a large smiley face situated on your keyboard (as in certain keys were colored differently to make up the face)

    Nasty ASCII Art Bit:-

    1234567890-=
    qwertyuiop[]
    asdfghjkl;'#
    zxcvbnm,./
    Normal Keyboard layout

    1234*6*890-=
    qwertyuiop[]
    as*f*h*kl;'
    \zxc**nm,./
    Stars show keys used to draw smiley face

    Ok, so I have made a pretty lame job of that, but notice that I have used 5 & 7 to make up the eyes, g for the nose and dvbj for the mouth. That gives us a password of 57gdvbj. Once we have that, we can add features to make it more secure, a Capital G for the nose for example, or using punctuation % and & to give the face "eyebrows".
    Personally I find this method a useful way of coming up with passwords that are only susceptible to brute force attacks, whilst maintaining a visual link so that our primate brains can have a stab at remembering them. Other pictures that can be used are symbols, flags, large letters; the list is pretty long.

    Good Idea/Bad Idea?

    Dave.

  21. specialized memory? by Siva · · Score: 2

    ive found that my memory is just more tuned to remembering numbers, mathimatical formulas, and strings of characters in general than other things like events, people, and conversations. it seems like once ive used a password (or ip address, account number, etc) a few times, i will continue to remember it, as long as i recall it every so often.

    I used to be a network admin at an ISP. We had one master sheet of paper with all the passwords for servers and NAS's (totalling around 25) that we would keep locked in a safe. I would only have to pull it out when I wanted to get on a box that I hadn't used more than once or twice. I guess my memory is just better at storing arbitrary strings up to around 10 characters.

    What's annoying is that usually I can remember whether I've heard a person's name before but I have a very hard time associating their face with the name. I also have a difficult time remembering all the things I'm supposed to do during my day. My fiancée on the other hand can remember conversations from years ago word for word but has to check with me when someone asks for our zip code. I wonder if there's some sort of male/female thing going on...

    Anyway, one way to make passwords easier is to take a random 4-6 letter word and to convert it to "l33t-speak", and then optionally tack on a random number or non-alphanumeric or two. For example, take the word "fault", change it to "F@u|t", and add a 0 to get "0F@u|t". Granted it may not be perfect, but it may be easier to remember than random characters and a bit more secure than just dictionary words. Another trick we used at the ISP was to make them loosely based on vulgarities--after a while it was almost a contest to see who could think of the best (or worst depending on your perspective).

    Still another alternative can be found on freshmeat. There is at least one program out there that will keep a list of passwords for you. I think they're stored encrypted, and you only have to remember the one password to open the list.
    "gpasman" and "kpasman" are two examples...

    --Siva

    --
    Keyboard not found.
    Press F1 to continue.
    1. Re:specialized memory? by Cato · · Score: 1

      One problem with *pasman type programs is that the unencrypted data may be left behind in the swap file, or even in the filesystem's free list. I'm not sure how well Linux deals with this sort of thing, but in any case it's better than writing them down somewhere accessible.

      One advantage of the Pilot is that it has no swap space and is a bit harder to hack than a Linux box, so that's what I use.

    2. Re:specialized memory? by QuMa · · Score: 2

      A program can prevent itself from being swapped out, gpg does this.
      In the free list? I assume it's never written to disk unencrypted.

    3. Re:specialized memory? by Largos · · Score: 1

      I have the same mom. situation.. it drives my roommate mad, need an ip/phone #/hex string? I can help 98% of the time. but I cant get in my car w/ out returning 5-6 times to get forgotten items before I can go anywhere.


      Largos
      ICQ: 4e8343

    4. Re:specialized memory? by ShoeHead · · Score: 1

      Any schoolkid can tell you why you remember hearing someone's name easier than a name-face relationship. It's the same reason why matching questions are easier than fill-in-blanks.

  22. I use the shifting method by Hermelin · · Score: 1

    Example: You take the word slashdot, and move your hand over one space and type slashdot. It's hard to do in the beginning, but it gets easier.

    d;sdjfpy would be the password, except I switch the symbols to something on the top row. It looks like randomness when it really isn't.

    Of course, for access I actually care about, I use something completely different, which is just random numbers and symbols mixed with 3 letter words.

    Managing them is easy, since I have basically 10 main passwords for web sites. If I feel like it I rotate them around, and then just try to remember which had which. But I'm not randomly guessing my password anymore.

    --
    "I disapprove of what you say, but I will defend to the death your right to say it" - F. Voltaire.
    1. Re:I use the shifting method by Keeper · · Score: 1

      Strangely, it is much more difficult to shift your hand up or down a line... for some reason I still type the right letters :)

  23. Passwords are a pain by Toth · · Score: 2

    For admin level passwords I first create a "random" alphanumeric password and then create a mnemonic phrase using a method I got from one of those "How to improve your memory" books I read long ago. To remember numbers you can use sounds.
    1 T or D sound.
    2 N
    3 M
    4 R
    5 L
    6 Soft G or ch
    7 Hard G or K
    8 F
    9 P or B
    10 S

    It took a while to get comfortable with it but it was long ago and the pain is forgotten. The mnemonic for my (now closed) bank account from 15 years ago is "mouse cheese malls" which translates to 3060350. Double letters which make a single sound count as a single number. For letters, I use words. There doesn't seem to be a problem remembering which words are for numbers and which are for letters.

    When I have to assign medium level passwords to others, I give them a phrase and they use the first letter of each word sometimes followed by a number. i.e. Why did the chicken cross the road...wdtcctr22.
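
    The phonetic number scheme in the post above is the classic "Major system". As an added example (not code from the post or its author), here is an encoder that turns a mnemonic phrase back into the digits it stands for, using the consonant-to-digit table as given, with the one adjustment the worked example forces: "mouse cheese malls" only comes out as 3060350 if S is 0 (the standard Major system assigns 0 to S and Z). The digraph list, the soft/hard c and g rule, and the treatment of vowels as silent are assumptions of this example; extend them for your own phrases.

```python
import re

# Two-letter sounds are matched before single letters, so "ch" is 6, not c + h.
DIGRAPHS = {"ch": 6, "sh": 6, "th": 1, "ph": 8, "ck": 7}
SINGLES = {"t": 1, "d": 1, "n": 2, "m": 3, "r": 4, "l": 5, "j": 6,
           "k": 7, "q": 7, "f": 8, "v": 8, "p": 9, "b": 9, "s": 0, "z": 0}
SOFTENERS = set("eiy")   # c and g are "soft" before these vowels


def phrase_to_digits(phrase: str) -> str:
    """Encode a mnemonic phrase as the digit string it stands for.

    Vowels and the letters w, h, y carry no digit; a doubled consonant that
    makes one sound ("ll" in "malls") counts once; soft c sounds like s (0),
    hard c like k (7); soft g ("gem") is 6, hard g ("gum") is 7.
    """
    digits = []
    for word in re.findall(r"[a-z]+", phrase.lower()):
        i, prev = 0, None
        while i < len(word):
            pair, ch = word[i:i + 2], word[i]
            nxt = word[i + 1] if i + 1 < len(word) else ""
            if pair in DIGRAPHS:
                unit, digit = pair, DIGRAPHS[pair]
            elif ch == "c":
                unit, digit = ch, (0 if nxt in SOFTENERS else 7)
            elif ch == "g":
                unit, digit = ch, (6 if nxt in SOFTENERS else 7)
            elif ch in SINGLES:
                unit, digit = ch, SINGLES[ch]
            else:                       # vowel or silent letter: ends a double
                i, prev = i + 1, None
                continue
            if (unit, digit) != prev:   # same letter with the same sound counts once
                digits.append(str(digit))
            i, prev = i + len(unit), (unit, digit)
    return "".join(digits)


def check_mnemonic(phrase: str, number: str) -> bool:
    """True when the phrase encodes exactly the given number."""
    return phrase_to_digits(phrase) == number
```

    Running check_mnemonic("mouse cheese malls", "3060350") confirms the post's own example; the function is also a handy way to verify a freshly invented phrase before committing it to memory, since a silent letter or a double consonant is where these mnemonics usually go wrong.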

    1. Re:Passwords are a pain by Skeezix · · Score: 1
      Yes, this is an excellent method for memorizing numbers. If there is enough interest, I may write a piece on memorization. It is an art that I have studied for some time now. This technique and many others can be used to improve your memory very effectively. There are no bad memories, just untrained ones. Memory training is a highly underrated art and one that deserves some attention. Back in highschool I got so annoyed with my poor memory that I began to research the subject. I studied and trained my memory for several months and found amazing improvements. My grades improved (I ended up graduating valedictorian with the highest gpa in the school's history), I was able to, with ease, memorize phone numbers, addresses, speeches, shopping lists, and the like. And this had nothing to do with some sort of superior intellect. I was an average guy with an apparently poor memory that just needed some training. People have been astounded as I recited 300 digits of pi, and even more astounded when I told them that I memorized it in less than one hour. I have demonstrated going through a shuffled deck of cards and being able to recite back the cards in order, or backwards, or name any arbitrary numbered card in the deck and its position. Or someone can take 3 or 4 cards out of the deck without me seeing which ones they took, then I go through the deck a second time and tell them instantly which ones they took. Intrigued yet? Watch DoLinux.org for a soon-to-come article on memory training. Anyone can do it. With time it becomes second nature. You find yourself memorizing things without consciously applying mnemonics.

      --Jamin Philip Gray
      jamin@DoLinux.org

    2. Re:Passwords are a pain by darkman95 · · Score: 1

      Can we purchase this amazing system for just 5 easy payments of $49.95 plus shipping and handling?

    3. Re:Passwords are a pain by Skeezix · · Score: 1
      Ha Ha, very funny. Yes, most people laugh when I mention this sort of thing and push it out the window with all the other "self-help" type kits. The truth is that memory training is a very real science. Government agencies have been using it for years, the military uses it, and many educational systems use it. I was homeschooled until highschool and one of the focuses of my education was memory training. The results were nothing short of astounding. Laugh all you want, but the truth is that in highschool I could memorize a 300-digit number in under an hour. Now I can do it in 10 or 15 minutes. And I'll remember it months after the fact. Memory experts have said that the average human can only remember a string of seven digits with an untrained memory. Hmm....think on that for a while.


      Ever taken an IQ test? The last time I took one, they had a series of questions based on number recall. Being able to flawlessly recall digits that are spoken to you, or to reverse the digits with equal ease raises your score.


      Did you buy a palm pilot just for the purpose of keeping phone numbers and addresses? Why? Your mind is capable of easily memorizing hundreds of phone numbers, dates, notes.


      Another sneak preview. I will show you in my article which I will write soon, how to give the day of the week for any date from the start of the Gregorian calendar until the indefinite future. You won't need a perpetual calendar. You can do it all in your head in seconds. There are shortcuts to the math that I have yet to see in any book. Stay tuned....

      --Jamin Philip Gray
      jamin@DoLinux.org

    4. Re:Passwords are a pain by Abigail-II · · Score: 1
      Memory experts have said that the average human can only remember a string of seven digits with an untrained memory.

      Is that why phone numbers in the US have 7 digits for the local part? Because hardly anyone can remember a phone number that includes an area code?

      -- Abigail

    5. Re:Passwords are a pain by conform · · Score: 1

      "Back in highschool I got so annoyed with my poor memory that I began to research the subject. I studied and trained my memory for several months and found amazing improvements."

      "I was homeschooled until highschool and one of the focuses of my education was memory training."

      I'm a little confused here. Did you do memory training in highschool, or before highschool? Do you remember?

    6. Re:Passwords are a pain by orangesquid · · Score: 1

      I've heard it may... Phone numbers are actually constructed in n+3+3+4 form, n=country code, 3=area code, 3=prefix, 4=(forget what it's called... oh well)
      By the way, this is where the lack of available phone numbers etc. comes from -- the phone company only allocated prefixes, rather than number ranges. If a company wants to buy 200 phone numbers, they either have to find someone who has already bought a prefix and work out something with them or purchase a block of 10000, leaving 9800 numbers unused...
      And on the memory techniques... I've found that memorizing long strings of numbers is easier if the numbers have a pattern, even if it's a nonrepeating one, like pi... I have memorized 25 digits (3.1415926535897932384626433) just by breaking it into chunks that made sense:

      3.14 - nearly everyone is taught this in elementary school... plus, 4-1=3, which is the starting pre-digit
      159 - notice 5-1=4, 9-5=4
      26 - same, 6-2=4
      53 - 5-3=2, which is half of 4
      589 - this is the same as '59' but with an extra digit stuck in, which is merely one less than the '9'
      79 - 9-7=2
      323 - this is a string of threes, two units long, interrupted by a digit one less than the rest
      846 - mentally, I swap the 4 and 6, and think of this as a pattern of a loss of 2 per digit, descending from 8 to 4
      264 - this is the above with the 4 and 6 swapped, but the 8 is replaced by a number 6 less than itself
      33 - this is the 323 with the 2 removed

      I never have problems remembering what number each set starts on... but someone could apply mnemonics if they wanted to I guess.

      Just my several hundred pesos.

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
    7. Re:Passwords are a pain by Skeezix · · Score: 1
      Sorry, those two statements were a bit confusing. The answer is both, to some degree. Before highschool, I focused some on memory training but didn't really have the motivation to practice regularly. It did help, but it wasn't until highschool that I began to research it on my own. Before highschool the memory training I received was due to the curriculum that my parents chose.

      --Jamin Philip Gray
      jamin@DoLinux.org

    8. Re:Passwords are a pain by Tallus · · Score: 1
      I did a dyslexia* training course a while ago and learnt a similar scheme that uses visual equivalents where you equate the shape of something with the number and create a picture out of it. So to memorize my new phone number I imagine a picture of a cherry in a swan's mouth, swimming out of a tunnel. On top of the tunnel are two snowmen holding hands. The one on the right is holding up a flag = 620887.

      After a while the process becomes unconscious and it has had pretty amazing results. Four years ago it took me eighteen months to memorize (my own) six digit phone number. When I got a pager recently I had memorized the eleven digit number without any conscious effort, within days.

      * It was based on the theory that dyslexia is due to a deficient phonic memory.

      --
      Paul M

      "There are no innocent bystanders. What were they doing there in the first place"
      William S Burroughs

  24. CryptInfo is absolutely the way to go... by Jules · · Score: 1

    www.normsoft.com. The author is responsive to new feature requests and fixes bugs like a demon. Well worth the US$13!

  25. Password schemes. by Abigail-II · · Score: 2
    For many "personal" accounts (Unix user accounts, root password on my personal box, mud passwords) I've used the same scheme to build a password, consisting of a group of characters from a related set, and some punctuation. It has been subject to crack attacks by several admins, numerous times, and it has never been cracked.

    For admin accounts (except for some reason, I've never subjected a root account to this), and some websites, I often base passwords on lines of songs I like. For instance, the first letters of each word; if there aren't enough letters, punctuation, and/or the artist's initials help. And often, instead of using the real line, I substitute one or more words. ;-)

    Sybase SA accounts are a lot easier. Sybase gives you up to 30 characters, so no 8 character limit. My favourite tactic there is plays on names related to the town I was born in; given the fact that all Sybase servers I've worked with were behind firewalls in environments where no one else came from the same country I was born in, that was pretty safe.

    Root passwords are a different matter. Except for personal boxes, root passwords are often shared between people, so deciding on them is a different matter; you can't just use your favourite strategy.

    And sometimes, you don't really care. For instance, slashdot mails your password, and your password goes in plain text to slashdot when you log in. Not that I could really care if someone used my password - slashdot is pretty close to the end when it comes to important things. For such passwords, I just keep them in a file, and cut-and-paste, although my current slashdot password has a certain rhythm that makes it easy to remember.

    Oh, one word of advice. Don't suggest in a (root) password things that aren't true. In a previous workplace, we had 2 Sun E3000's next to each other, sharing a console using a switchbox. One weekend, I came in to change the tape drive of one of the machines. The root password of the machine suggested it was the machine to the left. I logged in and halted the system. Then I turned the key of the left machine, and wondered why the screen didn't go blank. When my pager went off 30s later to notify me which machine was down I realized what I had done.....

    -- Abigail

  26. Password Generation by gashalot · · Score: 1
    I work as a sysadmin for a fairly large webhosting firm, and I always need to remember a plethora of passwords. The passwords must also be fairly secure (i.e. we never use words in the passwords, etc.). I've found that to make up passwords, makepasswd is the best program available (check freshmeat for your copy, or `apt-get install makepasswd` on Debian systems).

    I run makepasswd like this
    makepasswd --count=60 --maxchars=8 --minchars=8 --string=qwertyuiopasdfghjklzxcvbnm1234567890
    That generates passwords with only lower case and numbers (I have found when remembering in upwards of 20-30 passwords, it's easiest to stick to one case). After I generate my new password lists I normally transfer them to my Pilot in a memo, and lock that memo down under the private area (I rarely use it, but it's always nice to have).

    It's not a horribly complex system, but by using makepasswd you have no tendencies to lean towards certain patterns, and you can generate hundreds of passwords very quickly.

    Another word of the wise- keep an archive of all of your old system passwords, even after you have changed them. I have often found some part of a system or a rarely-used piece of equipment (Switch, Router, etc.) that has been forgotten in a password roll and is set to some old password. Having a list of them somewhere makes trying the old combinations VERY easy. (I once knew a guy who forgot the password to his 3Com Switch 1000, and he rendered the management portion of the switch useless)

    --
    -R
    1. Re:Password Generation by m3000 · · Score: 1

      Another password generator can be found here

    2. Re:Password Generation by spaztik1 · · Score: 1

      Hell, I just wrote my own password generator. Why mess with complex, if not annoying, command line arguments when you can accomplish the same thing with less than 20 lines of code. If you have trouble remembering these passwords, write them on a piece of paper. It's an odd thought, but it's crack proof.

      --
      "C for yourself."

  27. My tactic for passwords: by wowbagger · · Score: 2

    Pick a phrase you remember by heart. For example:

    "Yippy-ky-yay MuthaF**er" from Die Hard[1|2|3]

    (I've deliberately chosen to use a weak example)

    Now, use the first letter of each word. YKYMF.

    You want to make it harder, scramble the capitalization: YkyMF

    Maybe add punctuation: YkyMF!

    Pick a theme with several such phrases, and there you go: easy to remember, hard to guess passwords.

    1. Re:My tactic for passwords: by AngusSF · · Score: 1

      I'll use something similar, but add 2 or 3 characters related to the site. E.G. if I'm working at IBM I'll add HAL at the beginning or end of the phrase. I've used the first letters of a number of things, like the mountain ranges around my home town (not where I live now), or the major streets N to S, or ...

      --
      "A gun is a tool, Marian. No better, no worse than any other tool. An axe, a shovel, or anything." Shane (1953)
    2. Re:My tactic for passwords: by cmpute · · Score: 1

      If you can find a phrase with some numbers it will become even better, like: Two small birds jumped over the ten meter high fence (Just made this up), you'll get: 2sbjot10mhf, crack that!

    3. Re:My tactic for passwords: by Anonymous Daredevil · · Score: 1

      Try using the second or third letters of each word in the phrase too to mix things up further. In the Die Hard example from above you'd have: IyAUu! or iYaOU!, if you spell Mother correctly. Random caps added for good measure.
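
    The phrase-to-password recipes in this thread (Toth's "Why did the chicken cross the road" -> wdtcctr22, wowbagger's first letters with scrambled capitals and punctuation, cmpute's number words kept as digits, and the second- or third-letter variant above) are all one transform with a few knobs. The following is an added example written for this page, not code from any of the posters, that implements the general form: which letter of each word to take, which words to capitalize, and what to append. The table of number words is an assumption of the example.

```python
import re

# Number words are kept as digits, as in "Two small birds ... ten" -> "2sb...10".
# This small table is an assumption of the example; extend it for your own phrases.
NUMBER_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
                "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
                "ten": "10"}


def derive(phrase: str, position: int = 0, caps=(), suffix: str = "") -> str:
    """Build a password from a memorable phrase.

    position: which letter of each word to take (0 = first, 1 = second, ...);
              words too short to have that letter contribute nothing.
    caps:     indexes of the words whose letter is upper-cased, the
              "scramble the capitalization" step.
    suffix:   digits or punctuation appended at the end.
    Number words become digits whatever `position` is.
    """
    pieces = []
    for idx, word in enumerate(re.findall(r"[A-Za-z]+", phrase)):
        low = word.lower()
        if low in NUMBER_WORDS:
            piece = NUMBER_WORDS[low]
        elif position < len(low):
            piece = low[position]
        else:
            continue
        if idx in caps:
            piece = piece.upper()
        pieces.append(piece)
    return "".join(pieces) + suffix
```

    derive("Why did the chicken cross the road", suffix="22") reproduces Toth's wdtcctr22 and derive("Two small birds jumped over the ten meter high fence") reproduces cmpute's 2sbjot10mhf; position=1 gives the second-letter variant. Note that the output is only as unpredictable as the phrase: a line from a well-known film or song is something an attacker can enumerate, so the strength comes from a private phrase plus the capitalization and suffix choices, not from the abbreviation itself.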

  28. passwords by rwalkup · · Score: 1

    I tend to use passwords based on songs. One of my favorites was JSfm#!^ which was based on the Grateful Dead song Jack Straw. The first line of the song is "Jack Straw from Witchita (sp) shot his buddy down". Those are the characters (on my keyboard) on top of which is Witchita's telephone area code.

  29. Paswords by Understudy · · Score: 1

    I don't know what kind of material you are dealing with; highly secure government or business info should be kept on something outside of your computer. I like the first post that says a piece of paper, it is what I use for stuff that is important. I also have a floppy with a Word doc that has my normal pass stuff on it. However I am also extremely lazy and will admit I use a program called gator for my basic stuff. If I were to be quizzed on my passwords without access to my disk I would probably fail.

    1. Re:Paswords by Woundweavr · · Score: 1

      If the password protects something important, then a piece of paper is bad. It can easily be thrown out allowing dumpster divers to get it, or left around, letting someone from inside get it.

      A disk with the passwords that you keep with you and perhaps PGP encrypted is almost as easy and even more secure.

  30. Numeric Keypad by finkployd · · Score: 1

    I like using patterns on the numeric keypad. Only problem, Linux likes to turn off num lock every chance it gets (you hear that Linus, forget about USB for a second and FIX THIS! :)

    Finkployd

  31. Modified V.I.N. by :Eclipse · · Score: 1

    The first 3 letters of my auto manufacturer,
    followed by the last 4 numbers of the V.I.N.,
    followed by my first, middle and last initials.

  32. Old Commands, hardware and a password file by Felinoid · · Score: 1

    I use three strategies...
    One is to use old commands used on old computers for low priority accounts (stuff I don't really care about)
    I use a combination of favorite numbers (such as some of the numbers of my birthday or old VIC-20 poke codes) and again old commands or the cryptic names of hardware I have on my desk [not my main computer but my old XT's monitor, things like that]
    I'll also just not bother and have the computer remember my passwords for me, or save them in a password file..
    I've been moving more and more to the password file.. saving them on a backup floppy and keeping the floppy in a safe place.
    This seems to work very well.

    cross fingers...

    I prefer to let the computer automatically enter passwords for me. This is how I usually remembered my passwords for BBSes I called during the 1980s and early 1990s...
    when the terminal program didn't support it I'd make a macro for each BBS.. when the terminal didn't support macros I wrote the passwords down.. I hated writing anything down but that's life

    I try to make my passwords as hard to remember as possible nowadays...

    --
    I don't actually exist.
  33. Muscle memory by Pelerin · · Score: 1

    All my passwords consist of random, but readable, strings of characters that alternate each hand on the keyboard. That way I can type them a) quickly, and b) with a sort of rhythm in my hands and fingers.

    Initially I remember the way these fake words "sound" (I also keep them written down for a while) but after a couple of weeks my hands remember them better than my mind.
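
    Two posts above describe generators: gashalot runs makepasswd with --string restricted to lower case and digits, and Pelerin wants random strings whose characters alternate hands. The block below is an added example for this page (not makepasswd and not code from either poster) that does both with the standard library CSPRNG and, more usefully, computes how many bits of entropy each choice leaves. The hand split is an assumed US QWERTY layout with the home row divided between g and h; adjust it for your keyboard.

```python
import math
import secrets
import string

LOWER_DIGITS = string.ascii_lowercase + string.digits   # the post's --string charset

# Which hand types which key on a US QWERTY layout (assumption of this example).
LEFT = set("qwertasdfgzxcvb12345")
RIGHT = set("yuiophjklnm67890")


def generate(length: int = 8, charset: str = LOWER_DIGITS,
             alternate_hands: bool = False) -> str:
    """Uniformly random password over `charset`, drawn from the OS CSPRNG.

    With alternate_hands, each character after the first comes only from the
    hand that did not type the previous one (the "muscle memory" scheme).
    """
    pw = []
    for _ in range(length):
        pool = charset
        if alternate_hands:
            allowed = (RIGHT if pw[-1] in LEFT else LEFT) if pw else LEFT | RIGHT
            pool = "".join(c for c in charset if c in allowed)
            if not pool:
                raise ValueError("charset has no keys for the other hand")
        pw.append(secrets.choice(pool))
    return "".join(pw)


def hand(c: str):
    return "L" if c in LEFT else "R" if c in RIGHT else None


def alternates(pw: str) -> bool:
    """True when consecutive characters are typed by different hands."""
    hands = [hand(c) for c in pw]
    return None not in hands and all(a != b for a, b in zip(hands, hands[1:]))


def hand_counts(charset: str):
    return (sum(c in LEFT for c in charset), sum(c in RIGHT for c in charset))


def entropy_bits(charset: str, length: int, alternate_hands: bool = False) -> float:
    """log2 of the number of distinct passwords generate() can return."""
    if not alternate_hands:
        return length * math.log2(len(charset))
    left, right = hand_counts(charset)

    def strings_starting_with(first, second):
        n = 1
        for i in range(length):          # hands alternate, so sizes alternate
            n *= first if i % 2 == 0 else second
        return n

    return math.log2(strings_starting_with(left, right) + strings_starting_with(right, left))
```

    For eight lower-case letters and digits entropy_bits gives about 41.4 bits; forcing hand alternation on the same charset drops it to about 34.3 bits, because every position after the first draws from roughly half the keys. That is the trade the "rhythm" buys, and it is worth knowing before adopting it for anything that can be attacked offline.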

  34. I Have A Couple of Systems... by ZaMoose · · Score: 1

    Firstly, I take names/place names from the Star Wars Trilogy (no chance of any of them being dictionary words), then I pepper 'em with some random numbers and caps. Also, I've found Lewis Carroll poems have some great nonsensical words to use.

    However, past this system, I usually use iterations of a same general password for a single purpose: I use one set for my internet passwords (NY Times registration, Hotmail account, etc. All the unimportant stuff). Another set for my university account and account on my own machine. Lastly, my root password is different than all of them...

    --
    I wish I had a kryptonite cross, because then you could keep Dracula and Superman away.
    1. Re:I Have A Couple of Systems... by JamesKPolk · · Score: 1

      I take names/place names from the Star Wars Trilogy (no chance of any of them being dictionary words)

      You don't think that by now, someone has taken the scripts of the whole trilogy, and munched them into a dictionary? You'd better believe that, when it comes to cracking passwords, Dagobah is as likely to be on the dictionary list as Mars!
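
      The reply above makes the point that a cracker's wordlist already contains the Star Wars names, and the same holds for the other "disguised word" schemes in this thread: Siva's l33t-speak ("fault" -> "F@u|t" -> "0F@u|t") and Hermelin's shift-one-key-right ("slashdot" -> "d;sdjfpy") are fixed transforms, so a cracker adds them as rules and pays at most a few hundred extra guesses per word. Here is an added example, written for this page rather than taken from any poster or tool, that enumerates those rules over a small constructed wordlist and checks candidates against a hash. The wordlist, the particular l33t substitutions and the use of SHA-256 in place of the target system's real hash are assumptions of the example.

```python
import hashlib
import itertools

# Constructed stand-in for "the scripts of the whole trilogy munched into a
# dictionary"; a real run would load thousands of words from a file.
WORDLIST = ["dagobah", "tatooine", "endor", "mars", "fault", "slashdot"]

# The substitutions behind "F@u|t" (this particular set is an assumption).
LEET = {"a": "@", "e": "3", "i": "1", "l": "|", "o": "0", "s": "$"}

# "Move your hand over one space": each key becomes its right-hand neighbour
# on a US QWERTY layout; keys at the end of a row are left as they are.
QWERTY_ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
SHIFT_RIGHT = {row[i]: row[i + 1] for row in QWERTY_ROWS for i in range(len(row) - 1)}


def rule_leet(word: str) -> str:
    return "".join(LEET.get(c, c) for c in word)


def rule_shift_right(word: str) -> str:
    return "".join(SHIFT_RIGHT.get(c, c) for c in word)


def rule_capitalize(word: str) -> str:
    return word.capitalize()


RULES = (rule_leet, rule_shift_right, rule_capitalize)


def candidates(word: str) -> set:
    """Every subset of RULES applied in order, each as-is, with one leading
    digit, or with one or two trailing digits: at most 8 * 111 = 888 guesses."""
    out = set()
    for n in range(len(RULES) + 1):
        for combo in itertools.combinations(RULES, n):
            w = word
            for rule in combo:
                w = rule(w)
            out.add(w)
            out.update(f"{d}{w}" for d in range(10))     # "0F@u|t"
            out.update(f"{w}{d}" for d in range(100))    # "Dagobah42"
    return out


def sha256_hex(s: str) -> str:
    # SHA-256 stands in for whatever the target stores; the enumeration is the
    # same for crypt(3), MD5 or bcrypt, only the cost per guess changes.
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hex: str, wordlist=WORDLIST):
    """Return the candidate whose hash matches the target, or None."""
    for word in wordlist:
        for cand in sorted(candidates(word)):
            if sha256_hex(cand) == target_hex:
                return cand
    return None
```

      crack(sha256_hex("0F@u|t")) recovers Siva's example and crack(sha256_hex("Dagobah42")) the peppered Star Wars name, each after well under a thousand hashes per dictionary word. The lesson is the one JamesKPolk draws: a transform the attacker can guess adds a constant factor, not entropy; only the part of the password the attacker cannot enumerate counts.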

  35. Password archives by DaveHowe · · Score: 2

    Hmm. I keep mine on a Scramdisk (a free virtual disk encryptor). I also encrypt the data with PGP every so often and email it home, so I have a backup if I lose the scramdisk or forget its password
    --
    -=DaveHowe=-
  36. My Way... by iota · · Score: 1
    I try to keep my password methods simple:
    • For ssh, I use the encrypted key authentication method. That way I can choose hideous passwords for my machines, make a keyfile, and then never worry about the password again. Plus, I know I'm secure unless someone sits down at my box and 1) breaks my keylock and 2) unlocks my screensaver.
    • For many other things, I keep them in an encrypted PalmIII program I made. It uses crude writing-recognition to authenticate -- I know no one can duplicate that.
    • For all my physical logins (ie, my home machine), I have threefold security: 1) a username 2) a password and 3) a program in my PalmIII that I have to cradle the Palm and hit the hotsynch button, and the Palm sends a password file as part of the synch.
    • As far as my passwords go, I try to forget the letters and numbers on the keyboard, and do it by sight. Trying to memorize random strings of numbers and letters is tough for me -- but memorizing a sequence of hand-movements is easy.
    Thats just how I do it... has worked well so far! jason
  37. Use another password by jjd · · Score: 1

    I put all my passwords in my HP100LX palmtop's database application. Of course the database is password protected. So -- I have to remember this one password to get me access to my hundred other passwords.

  38. Muscular memory by Seldon · · Score: 1

    Every time I have to choose a new password, I use whatever comes to my mind at the moment, usually being careful not to choose words that can be found in a dictionary. After that, I rely on muscular memory, I mean, if I used it a couple of times then I don't have to think about it to write it, just let my fingers go.
    Not so long ago I discovered I don't have two passwords starting with the same letter, so, I'm able to write down the first letter of each password and that's enough to recall it later. Now, I enforce this property on purpose.

  39. My method works everytime by GW Hayduke · · Score: 2

    But you have to be physically there
    Reboot the box then

    LILO: linux -s

    # passwd whatever
    # shutdown -r now

    Now you have root back and change whatever the hell you want :)

    Or in the Case of RAS equipment
    do a NINDY by plugging the jumpers on the mobo
    Upload a new TAOS/COMOS using a serial connection with 1K/XModem transfer
    halfway through upload yank the jumpers
    Reboot twice .... You're in, but your initial config might be all skiwompus!

    OK OK all kidding aside. personally I do PGP encrypted files of router/RAS configs as well as passwd files stored offsite in 2 vaults. One at home, one in another office.

    Hey it was either that or tattoo the passwds on my cat, and let the fur grow back!!
    *JUST KIDDING PETA PEOPLES*

    --
    -- Life: Hate the Game... Love the cereal
  40. The mind is a terrific thing by Jonas Öberg · · Score: 3

    Until some time ago, I used the same password as the username. Not kidding. I got a few visits that way, people mailing me from my own account saying "Cool! Hey, your foo script didn't work like it should, I fixed it for you", and the like. People who want to do bad things seem to be lame enough never to just knock on the door and try the handle.
    I'd like to still have the same scheme on some systems, but people in general are paranoid enough so that I choose strong passwords so that they will still be friends with me. I must say though that I find it much easier to restore a backup every once in a long while, than to use all the paranoid security that people force upon me. I even secured my own computer and removed the guest/guest, system/manager and login/password accounts, which had been there for, well, forever really.
    So either way; how do I remember the passwords these days? Well, it's not only passwords, it's bank account codes and other codes too that go with all the plastic cards you get. I'm sorry to say that there really isn't any great trick to it. The mind can easily store at least 20-30 more secure passwords (and probably even more), even if you change them regularly. To memorize a new password, I write it down on a piece of paper and try to attach images of the characters to the paper in my mind. If you attach graphical images, sometimes even smell perhaps, you will most probably remember it far longer than you need to.

  41. Another Palm Pilot Password Keeper by DrDebug · · Score: 1

    I have about 50 different things I keep passwords on. So I keep them on my PalmPilot.

    I just add each account as a contact in my phone list, and mark the contact as private. Each contact has a separate memo attached which holds the account name and password (and other relevant info). All of the password contacts live under a list name (coincidentally) 'Passwords'.

    So, all I have to remember is the PalmPilot Security password to gain access to all of the other passwords. The trouble with this scheme is that sometimes I forget to turn the Security password back on.....

  42. Change my passwords? by Chas · · Score: 1

    Why would I do that? My password is completely secure! I even use it on my luggage!

    123456

    Whoa! How did that slide in there!

    --
    Chas - The one, the only.
    THANK GOD!!!
  43. Password and GFs by Manifest · · Score: 2

    Password and remembering them have been very easy for me ..

    Well the process that I have used is as follows :

    If I have a standing GF when I change the password, I would keep my password as "iluvxyz", and if I have just broken up with a GF i would have my password as "fuckuxyz".. :)

    Isn't that cool. Maybe it will be cooler if I also add that I have never had a GF !

    Manifest

    --
    ... "follow me" the wise man said, but he walked behind ...
  44. Well... by Chas · · Score: 2

    Contrary to my previous, humorous post, I store my passwords in a plain text file, zipped with a password on the zipfile, then PGP-encrypted and stored on a CD.

    The passphrase is something I'm almost unlikely to forget. But just in case, I keep a copy of the passphrase and the zip password in a locked strongbox in my room.

    For additional physical security, I also own a set of swords.....

    --
    Chas - The one, the only.
    THANK GOD!!!
  45. for (some not all) musicians..... by GW Hayduke · · Score: 3

    I just thought of this whilst reading all the posts..
    for keyboardists, try the opening few measures of the theme of a composition, (hmm.Bach's Preludes would be a little too repetitive though..) imagining the comp keyboard as a musical keyboard. Yeah Yeah I know, the keys are entirely wrong, BUT, if you know the piece, your fingers should remember at LEAST the theme, and hit the same area every time..
    I started testing this theory with not only keyboard themes, but also guitar licks... BTW, Chords don't work:), violin solos, bass lines.
    Trombonists,flautists, and other brass and woodwinds would tend to have problems. Especially trombonists :) because of the registers requiring multiple fingerings....
    I dunno, maybe I just need more coffee
    and more testing.... please let me know what you think

    --
    -- Life: Hate the Game... Love the cereal
    1. Re:for (some not all) musicians..... by CausticPuppy · · Score: 1

      It's also a great way to practice certain passages. Your computer won't let you hit wrong notes!
      However, I noticed that most systems won't let you have passwords that are as long as Flight of the Bumblebee.
      I tried a different technique, only to discover that drumsticks can really mess up a keyboard after long-term use.

      --
      -CausticPuppy "Of all the people I know, you're certainly one of them." -Somebody I don't know
    2. Re:for (some not all) musicians..... by lanner · · Score: 1

      Jumpin Jack Flash.. its.. hhmm. hhmmmm hhmmm....

    3. Re:for (some not all) musicians..... by Granis · · Score: 1

      Have never thought of this but I think it could be very useful for people who can play piano.

      You also say that trombonists might get problems when using this method. But as a trombone player I can tell you that a trombone has 7 major fixed positions, 1,2,...,7. If you imagine that you play a short song, say 30 notes. For each note you type the position for it and then you have a 30 digit number that shouldn't be too hard to remember.

      I'm not a cryptographic expert, but a 30 digit number couldn't be that easy to crack with a brute force attack. Please correct me if this isn't right.

  46. Whack by leonids · · Score: 1

    Best way I've found is to just wham your keyboard. Of course don't just hit the alpha part. Hit everything. Get the resultant string, and remove characters here and there to get the length you want. Tada!

    Write it down. Stick it onto your eyeball. Read it and recall it for an hour, or more if needed. Log on to the account every minute. Burn the paper.

    There. Of course trouble comes with many different accounts with different passwords.

    1. Re:Whack by Gadgetmad · · Score: 1

      For most of my passwords, I use Ferrari model designations. There are hundreds of them, eg f550m, f360m, 412t2, 355f1 etc. That way I can just keep trying them until I get the right one. Of course, internet related passwords are usually "8o11ox2u" or something stupid like that.

      --
      Atheism is a non-prophet organisation..
  47. Key to Passwords: Random-mess by Soldier3585 · · Score: 1

    I used to do the single password thing. I took a word and shifted it and then scrambled it... I've also used a make-shift cipher wheel. The best thing to do is open a text file and then bang on the keyboard with both hands (lightly, of course...don't want to break anything). Make sure you hit the shift key while you do it, and make sure you get close to all the keys... then...well, you pick a string from the mess. Random as it gets....

    j&^UFVotygOU^ryf*$RF9ogLMg9*%&Tk

    and there you have a password, you just have to memorize it :)

  48. 5 Passwords max... by maroberts · · Score: 1

    I only use about 5 passwords ever
    a) two for my home machines (root/normal user)
    b) one for work
    c) a couple for web login accounts

    As I change jobs I do change my work password. Only my web login passwords are likely to fail a standard dictionary attack.

    I find about 5 words which have been garbled is about the limit my brain can store. ;-P

    --

    Donte Alistair Anderson Roberts - hi son!
    Karma: Chameleon

  49. Use first letters of a meaningful phrase by Wiktor+Kochanowski · · Score: 1

    I store them in a text file :-) the catch is, I encrypt the file with PGP. Any time I decrypt it for reference I am careful not to leave the unencrypted file around, too.

    My password generating tactic is to use the first letters of a phrase that is meaningful to me. Let's say I like Vengaboys, especially their catchy line "Boom boom boom boom I want you in my room", which generates the password "bbbbiwyimr". Or "4biwyimr" if you have to have numbers in your password.

    Note 1: don't use phrases that are meaningful to you but to many other people too. Crackers have them in their dictionaries. So don't use "to be or not to be", nor "there ain't no such thing as a free lunch"; I had the latter actually guessed by the dictionary cracker run by my sysadmin once. Don't use common proverbs etc.

    Note 2: as an additional criterion I apply the speed of typing the password on a keyboard. Believe me, I guessed many passwords looking at people's hands and would rather not have it done to me.

  50. Use a hashing function by Hynman · · Score: 1

    Proposal:
    Biological retrieval of "random" passwords is a complicated task, when new passwords are added to our collection every day. A "secure" method of password generation is required to 1) eliminate the need to store a password at an insecure location and 2) be able to retrieve the password if the storage location is not accessible. Therefore I use a hashing function, H that takes arguments var1, var2 ... varn ( H(var1, var2... varn) ) to produce a unique password for every site. (I usually use something like (myname, domain name).)

    Justification:
    I don't think I'll forget my name, or the site that's asking for the password. So as long as you can remember a scheme like initials+1st 5 letters of domain name, you'll be ok.

    Analysis of running time:
    The hashing can be done in O(1) time (constant time). Furthermore hash collisions are not important and do not affect performance of generating and retrieving H(var1, var2,...,varn).
    Furthermore the algorithm is scalable.

    Modifications to H():
    Everyone can just have a particular modification to the generic hash function. For instance use "1LFMdoamin.com"

    Weaknesses:
    Unfortunately, if someone figures out H() you are screwed. The solution is to use an array of hashing functions (26) and select a hash routine according to some criteria. i.e., use the 1st letter of domain name, c to select H[c](). Be sure to not make the modification(s) on the hashing algorithm easily observable and guessable. That should create seeming randomness to anyone who gets a password or two. They might figure out the H() for particular c, but as long as they don't get more than 1 password with a particular c, they should not realize that they know H[c]().

    Final Comments:
    passwords should be made of "random" characters from S where S is set of all valid characters. However as biological organisms, we cannot be expected to remember a growing number of unique passwords. Therefore a hashing function on string literals (dynamic or static) can provide a not-so-easily-guessable but easy-to-remember password scheme that is "reasonably" secure.

    Followup:
    For really important passwords though, I ditch the whole scheme all together, and use something random - I can remember a few of those.
    My password for slashdot is random, btw.
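    A keyed version of the H(myname, domain) idea above, as an added example (not the poster's own H): HMAC-SHA256 under a master secret stands in for the mental rule, so a leaked password from one site reveals neither the secret nor another site's password, which is exactly the "someone figures out H()" weakness the post describes. The master secret, user name, domains and the 70-character alphabet are all assumptions.

```python
import hashlib
import hmac
import math

# Password alphabet (assumed; narrow it to whatever a given site accepts).
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789!@#$%^&*")


def derive_password(master_secret: str, username: str, domain: str,
                    generation: int = 0, length: int = 16) -> str:
    """Per-site password = encode(HMAC-SHA256(master_secret, "user@domain#generation")).

    The site label plays the role of the post's (var1, var2 ...) arguments; the
    master secret is what makes H unguessable from observed outputs. Bump
    `generation` when one site's password has to be rotated without touching
    the others. Domain is lower-cased so "Slashdot.org" and "slashdot.org" agree.
    """
    if not 1 <= length <= 32:
        raise ValueError("length must be between 1 and 32 for a 256-bit digest")
    label = f"{username}@{domain.lower()}#{generation}".encode("utf-8")
    digest = hmac.new(master_secret.encode("utf-8"), label, hashlib.sha256).digest()
    # Read the 32-byte digest as one integer and write it out in base len(ALPHABET).
    # 2**256 exceeds 70**32 by a factor of about 2**60, so the modulo bias is negligible.
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def entropy_bits(length: int) -> float:
    """Guessing resistance of a derived password of this length, in bits."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    # Constructed sample inputs; the master secret here is only a placeholder.
    secret = "correct horse battery staple"
    for site in ("slashdot.org", "example.com"):
        print(site, "->", derive_password(secret, "hynman", site))
    print(f"{entropy_bits(16):.1f} bits per 16-character password")
```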

  51. Phrases with a formula by martymouse · · Score: 1

    I have a piece of paper with several phrases on it. I just have a formula I memorize for generating a password (mixed capitalization, punctuation, and alphanumerics) from the phrase. If you were to find the paper, you couldn't distinguish it from a grocery list or a "favorite quotes" list in my pocket and it would do you little good without the formula.

  52. Placement on keyboard by slaker · · Score: 2

    My way of creating and remembering passwords is to take a word I know, or phrase, or whatever, and transpose it on my keyboard -- move all the letters one or two letters left, right, up or down. Usually I shift one or two characters and one control character. Usually, after the second or third time I type it, I don't have to look at the keyboard, either. =)

    The net result of this is uniformly line-noise-type passwords.

    --
    -- I wanna decide who lives and who dies - Crow T. Robot, MST3K
  53. I have a total-foolproof method. by doce · · Score: 1

    I just tell my wife all of my passwords. Women are WONDERFUL at remembering non-trivial things like this.

    The oil light on the other hand... ;)

    --
    woof!
  54. memory&counterpane by jacobb · · Score: 1

    Well, many people say I'm lucky to have a photographic memory, and in many ways I am, including my method of password storage. I have 50 different passworded accounts (ok, 47), and each has a minimum of 8 (some places don't let you put any more) alphanumeric passwords which I generate using truly random numbers (radioactive decay), see http://www.fourmilab.ch/hotbits/ My pgp passphrase is 53 chars and contains all special characters as well as caps, lowercase, and numbers. But, it's not truly random, but a combination of my other passwords. I find this helps people a lot when they ask me how to choose new passwords. Combine some old ones! Most people can't store them all in their memory, tho, so I point them to Counterpane's passwordSafe. there's a link on their site, http://www.counterpane.com hope this helped. JacobB

  55. Use memorable events by [Xorian] · · Score: 1

    Here's my method, a specific mnemonic technique. Start by picking some specific event or time in your life that's easy for you to recall but is not an obvious one to someone other than yourself. For example "in 1996 when I traveled to Vermont to celebrate Thanksgiving with my best friend Bob," or "when I used to play Shadowrun with John and Paul in college," or "when I first started working for Peter and I had to fix up that unbelievably crappy Perl code the last programmer, Matt, put together." Make a point of choosing a specific event (a particular thanksgiving) not a generic or repeating one (any thanksgiving). Also don't pick something obvious (your wedding) or something someone could easily get information on (if you have a web page about your trip to Mexico, don't use that).

    Now take the date, place, activity, and people involved in your chosen event/time-span. For example:

    • November 1996
    • Thanksgiving
    • Vermont
    • Bob Jones

    Pick out specific fragments of those to use in your password:

    • Nove[mb]er 199[6]
    • Than[ks]giving
    • [Ve]rmont
    • B[o]b Jo[n]es

    Glue your fragments together with non alpha-numerics:

    mb-6.ks/Ve=on

    After typing it a few times, you should be able to get it just by remembering "Thanksgiving at Bob's, 1996."

    Of course you still have to remember which password goes with which account. If you find this to be the tricky part, you could probably deal with it by writing down just enough information to get you to remember, like "11-96". Unless someone can guess the event (thanksgiving) and knows the details (at Bob's place in Vermont), they can't even get near your password, and even with all that information the number of permutations makes a brute force approach prohibitive.

    --
    CVS is teh suck. Use Vesta instead.
  56. If you have a pilot... by DrJolt · · Score: 1

    ...try Strip

  57. Keep them in an encrypted file... usually by Fedy · · Score: 1

    Funny that you ask :) Because just today I had to guess my password account. When I create a new password, I usually take the first word which comes into my mind and cripple it using upper and lower case, numbers and little Cyrillic ... Then I write it down into an encrypted file.

    But two days ago I had to change my password on a very ancient and dumb terminal and I couldn't save it (even vi didn't display correctly :( ). Of course I remembered the word but not the permutations I did with it... Now I have it again :) after trying almost all of 2**6 combinations that seemed possible to me :)

  58. Keyboard Word Cypher by grahamkg · · Score: 1

    One of the techniques I use is something I'd call cypher words. I will use a base word and use proximate vertical keyboard locations for the password.

    Look at the keyboard (US in this case), and consider vertical groupings of letters:

    qaz
    wsx
    edc
    rfvtgb
    yhnujm
    ik
    olp

    That's 7 groupings, covering four fingers on the left hand and three on the right.

    Now pick an easily remembered password, for this example, "password".

    Cypher scheme? First two letters are both in the top row. Second two letters are in the middle row. Third, bottom row for the left hand, top for the right hand. Fourth, middle row for both hands.

    Hand pattern? Top, top. Middle, middle. Bottom, top. Middle, middle.

    So, how does it work?

    password becomes pqssxofd. I type it out in a text editor a half dozen times to ensure that I can reliably and repeatably produce the pattern. I also look at it to ensure it has not produced something easily open to brute force attack. Then I delete the text file and I'm done.

    This gives me strong passwords/passphrases that are not subject to attack, I use "simple" passwords/passphrases, and I don't forget the seed words.

    One final curious thing about this is that I actually don't know what any of my passwords/passphrases are. They are secure, even from me. ;-)

    Graham

    --
    Graham
    Linux - Fast Pane Relief
  59. Physical Passwords / Keys by cmason · · Score: 1
    I've always wanted to use some kind of hardware to store authentication things. For example,

    Idea 1, SSH: I don't allow telnet to any machine I admin, just SSH. I've wanted to generate RSA keys for every host, and then burn them onto a CD. Use the same password to protect every key. Then, you'd have to have both my password and the CD to hack my boxes. This, of course, requires both SSH and a CDROM drive on any client machine that you access from. It doesn't work just for general passwords.

    Idea 2, iButton: Maybe a different system would, however. It involves those funky iButtons. These are little watch battery sized devices which store some fixed amount of data (different sizes up to about 64k), and can be addressed by a simple serial interface. You touch the iButton to a small contact (called a "Blue Dot") which plugs into a serial port, and software downloads the data. Store the authentication data (RSA key or just a plaintext password) in the iButton, maybe all encrypted with a single password. Then when authenticating, touch the iButton to the contact, and type in the (single) password to decrypt. The software could figure out which account was being accessed, and use the appropriate key. I think the software bits here wouldn't be too hard (I only see software on iButton's site for Windoze machines, is this being remedied?). Of course, this would require an iButton contact on any client machine that you access from; or it would require you to carry the contact thingy around and plug it into a serial port (pain in the ass).

    I've often wondered how well this would work in an environment with lots of people. Could you reasonably expect people to hold onto an iButton or a CD? Maybe the iButton, if it attached to their keys? Is this too Draconian?

    Thoughts?

    -c

    --
    "If you are an idealist it doesn't matter what you do or what goes on around you, because it isn't real anyway."-R.P.W.
    1. Re:Physical Passwords / Keys by Abigail-II · · Score: 1
      Could you reasonably expect people to hold onto an iButton or a CD?

      That would even be less secure than an ATM card. With an ATM card, you still need a password - the PIN. Granted, 10000 numbers isn't much, but it's still better than nothing.

      Losing an iButton is worse than not being able to remember a password - not only can't you login, but someone else pretending to be you can.

      -- Abigail

  60. my scheme by normiep · · Score: 1

    I actually have two schemes. The first is just to come up with a password that forms some sort of shape... then I just type the shape. (Yes, yes a lot of people do this). Although I find that this is most useful for telephone based passwords, it's easier to type shapes when pecking IMHO.

    Anyways, the other scheme that I use is that I come up with a fixed 4 character string of random symbols and numbers (like 1!.] or something like that) and then for each of my accounts I assign a four letter word (pick your favorite!). Then for the password I reverse the word and interleave it with the random string, so if you picked the word "this" for a particular account the password would be '1s!i.h]t'. So I remember one random string and then I just have a bunch of four letter words to associate with each account.

    --

    -- Point? None! Cob.

  61. My Scheme by Ranger+Rick · · Score: 1

    I usually think of a simple to remember password, and mess with it a bit (bu11Y4u, whatever), or come up with something more random if the account is important, then scramble it by typing it in dvorak on a qwerty keyboard, then doing the translation...

    i.e. (bu11Y4u = nf11T4f, etc.)

    it becomes fairly unreadable, but I suppose if you had a dictionary cracker that did dvorak conversion, it would be easier to crack, but hey, that's what backups are for...

    --

    WWJD? JWRTFM!!!

  62. password memorizing by British · · Score: 1

    Back when I was heavily into BBSing, I somehow remembered every phone number and password for each system in my head. To this day I still don't know how I managed it. As for coming up with passwords? No definite method.

  63. Password safe by Gregg+M · · Score: 1

    I use password safe at work. Bruce "Applied Cryptography" Schneier came up with it. It works like all the others I guess and it uses a blowfish somehow!
    But I am losing the Win95 machine I use at work (yea!) so I need one that will work on an iMac. Ideas anyone?

    --
    Linux is only free if your time has no value. Windows is only free if you threaten to use Linux.
  64. alphabet by MrEfficient · · Score: 1

    One method I have used to make easy to remember but difficult to guess passwords is to use the number associated with the letters of the alphabet of someone's name or any word for that matter.

    For example "Mr" would be 13 18 or 1318.
    Even if you knew my method it would take a while to guess which combination of numbers corresponded to a letter.

    --
    Check out AbiWord.
  65. Write them down. by MattEvans · · Score: 1

    Unless you work/live in an environment in which you can't trust your co-workers/family, just write your passwords down and keep them in any convenient place. If someone breaks into your home/office, probably the last thing you'd be concerned about is someone having stolen your passwords. You'll be able to remember them easily, and someone attacking your system remotely certainly won't be able to see a piece of paper sitting on your desk (barring some sort of bizarre webcam setup...).

  66. password schemes by medcalf · · Score: 1

    I have six passwords that I have memorized. They are each long, complex and difficult to crack. I rotate through them, and change all of my frequently-used account passwords at the same time. That way, I try the current password first, and if it doesn't work (because I forgot to change this account, for example), I know I'll get it in five more tries.

    -jeff

    --
    -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
  67. It isn't remembering the passwords that's hard by Sneftel · · Score: 1

    Remembering a few medium length, random alphanumeric passwords is easy. The trick is correlating 'em to sites. I have 6 passwords which I've memorized. Each begins with a number, from 1 to 6. When I go to a site, I use a stochastic option selector (read: dice) to decide which password to use. Then, I have a file in my home directory like this:

    slashdot 3
    somenews 1
    crash 6
    chromium 1

    I also have a printout somewhere, but it gets outdated pretty quickly.

    This also simplifies password changing; every two months or so, I'll add one to each number (should make a script to do this, but lazy) and go around to the sites and change 'em.

    --
    The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
  68. Stupefyingly Simple, Most People THINK It's Dumb :-) by citizenc · · Score: 1

    Here's what you do.. I've included the steps :) (If I haven't gotten the linux commands QUITE right, don't flame me.. I've tried getting linux installed about a bazillion times, but X doesn't support my Creative Labs Voodoo BlasterBanshee yet... if you have a solution, don't hesitate to email me :)

    1) Put a blank, formatted disk in your floppy drive.
    2) type "mkdir /mnt/temp1"
    3) type "mount /dev/fd0 /mnt/temp1"
    4) type "cd /mnt/temp1"
    5) type "echo /// >> pass.txt" (Replace the 's with actual stuff ;)
    6) type "cd / ; umount /dev/fd0" (you have to leave the mount point before it will unmount)
    7) remove the disk from the drive

    There.. CitizenC's magical password-keeping strategy.. lets see pesky rooters get at an unmounted disk! :)
    ,-----.----...---..--..-....-
    ' CitizenC
    ' "Bug? That's Not A Bug, That's A Feature!"
    `-----.----...---..--..-....-

  69. Crap.. step 5 got messed up :) by citizenc · · Score: 1

    5) type "echo (login)/(pass)/(account)/(description) >> pass.txt" (Replace the ()'s with actual stuff ;)
    ,-----.----...---..--..-....-
    ' CitizenC
    ' "Bug? That's Not A Bug, That's A Feature!"
    `-----.----...---..--..-....-

    1. Re:Crap.. step 5 got messed up :) by Hector · · Score: 1

      hah, that's a great idea, except, the fellow was asking how to remember his passwords. If they're on a floppy disk, and you forgot your password and can't log into your computer, how can you get at your passwords =)

  70. My thoughts on passwords by xpurple · · Score: 1

    Ok, instead of actually retyping, or trying to cut and paste with lynx, just use this url.


    The Password

    Thanks!
    --
    http://www.xpurple.com
  72. proverb by frederik · · Score: 1

    I take the first letters of each word of a proverb ... hmmm ... for example ... "Total world domination" (I know: That's no real proverb ;-) ) and add some numbers (let's say: 666).
    Twd666 (In this case it's a little short)

  73. Pass Safe... by wbraunoh · · Score: 1

    Excellent Windows utility to keep all passwords... http://www.counterpane.com/passsafe.html

  74. Length = Security = Easy To Remember by sansbury · · Score: 1

    I hate sites and services that limit the length of the password I can use. It's like saying "There are better locks out there, but you can't use them."

    If you use a sentence or sequence of words strung together, it makes it fairly hard to guess randomly (Use Bartlett's instead of dictionary for cracking?), but I suspect that most people could remember "hereslooking@youkid99000" easier than they could remember "hl@yk99k", even though the security levels are comparable. (Is that true?)

    I just use an obscure latin phrase that I memorized for a fraternity ritual, and my ATM card pin number. It's XX chars long, but very easy for me to remember.

    -cwk.

    1. Re:Length = Security = Easy To Remember by TummyX · · Score: 1

      Um, databases use fixed length strings (generally) so limiting the length of a password makes sense. Although I wish the limit would be something like 255 bytes :).

  75. Play the keyboard like a piano by Anonymous Coward · · Score: 1

    I play the keyboard like it's a piano (usually the old OctaMED keymap, or an offset from it). This has two advantages:
    i) it uses "music" memory - notice how easily humans tend to remember songs.

    ii) I don't always even know what letters my password is made up of, so sodium pentothal aided questioning will be harder. :-)

  76. ISPs generate great passwords by mtnbkr · · Score: 1

    I tend to use old passwords generated by ISPs I have used. At least in the past, they have created passwords that are completely random collections of numbers and letters. I also use phonetic spellings for passwords at work. Either way, I don't write them down and I rotate them fairly frequently. I have a pool of about 5 seemingly nonsensical passwords that I use for everything.

    Chris

  77. If you can remember song lyrics ... by EisPick · · Score: 1

    ... then you can create passwords "that are hard to crack but possible to recall."

    Take the first line or two of a song or poem you like and use the first letter of each word to build a password.

    For example, take the first two lines of Poe's The Raven:

    Once upon a midnight weary
    While I pondered weak and weary

    The first letters of each word give you the seemingly random password ouamwwipwaw. It's easy to remember, easy to type (just recite or sing in your head as you type), but won't be found in any dictionary.

    Systems that require non-alpha characters will barf on it, but you can just add a digit or two at the end to fix that.

  78. the trick is the reference... by Chakotay · · Score: 1

    as many have already said, the trick to remembering a password is to find a reference or a "source path" to it which can be remembered more readily. but then there's the problem of how to find out which reference that is...

    references and paths to a password work because the human mind excels at finding references, and at remembering paths. what always seems to work for me is to repeat the password or whatever I wish to remember in my head, and the reverse process will take place. your mind will get busy generating references from that password. and some of those references away from it will also easily lead back. and of course the same applies to any paths your mind may come up with.


    )O(
    the Gods have a sense of humour,

    --

    Never underestimate the power of stupidity
    To err is human, to moo bovine
  79. Shocking Nonsense by meldroc · · Score: 1

    One password scheme I've read about on Usenet a long time ago was called Shocking Nonsense. The idea is to come up with a phrase that is shocking, vile and disgusting, and at the same time total nonsense. The combination of shocking and nonsense will guarantee that you'll remember it.

    Example: "Rape 256 nematode worms with a trash can lid." Take the first letters and numbers and you have a password: "R256NWwaTCL".

    Shocking and nonsensical, you'll never forget it.

    --

    Meldroc, Waster of Electrons
  80. Use a password algorithm! by brandonrhodes · · Score: 1

    Notes

    The following may sound rather difficult or obscure, but I have found with practice that it is a quite reasonable way to generate personal passwords when I have access to a large number of accounts that need separate passwords. I have the following goals:

    • Every one of my passwords should be different. Access to one machine should not give an intruder access to others.
    • Knowledge of one or two passwords should not allow guessing of the others. Remember, you do not know whether or not your friend's copy of ssh has been compromised and is sending your plaintext password somewhere in the Andes.
    • The amount of stuff I have to remember should be linear in the number of accounts I possess. Eight accounts should require no more memory on my part than three.
    The following outlines (only vaguely) the sort of technique I use. I hope it helps others consider how to construct their own passwords.

    A Sample Algorithm

    My technique is to use properties of the system host name and domain as indices into quotes that I have memorized, then use properties of the indexed elements to form the password. If I can remember the quote and the algorithm, then I can get into any of my accounts even if I have not used them for a long time.

    For example, take the following snippet of poetry (which I find easier to memorize than prose):

    Tis not too late to seek a newer world
    Push off, and sitting well in order smite
    The sounding furrows; for my purpose holds
    To sail beyond the sunset, and the baths
    Of all the Western stars, until I die.

    Now define two ways of turning words into password fragments:

    • (#1) The letter alphabetically before the first letter of the word, followed by a digit which is the length of the word minus one. (the=s2, neuter=m5, I=h9)
    • (#2) The letter alphabetically after the last letter of the word, followed by a digit which is ten minus the length of the word. (the=f7, neuter=o4, I=j9)

    And now we can define our password algorithm:

    • Length of machine name -> selects nth word of poem -> through hash #1
    • Length of domain name -> selects nth word from third line of poem -> through hash #2
    • First letter of host name -> selects nth (n=distance from left side of keyboard of letter) word from fifth line of poem -> through hash #1

    So when logging into frodo.shire the password would be s1z8v6.

    Dangers

    The above algorithm is obviously rather weak. The following thoughts should help you develop your own, better algorithm.

    Obviously you should choose an algorithm which makes sense to you and you can remember and implement accurately in your head without scrap paper. This may be difficult at the first try, and it is important to keep in mind that you will not get much practice using the algorithm - you will use it three or four times to log on to each machine you use regularly, then you will start remembering the password out of habit and not use the procedure any more. So you had better make sure you will be able to call the procedure up later when you need to generate a password you have not used for a long time. Keep the following in mind:

    • Key off of host properties that vary considerably between the machines you use. Using host name length is useless if all of the hosts you log in to have names of the same length. Using domain name is useless if all the hosts are in the same domain. You can obviously use other properties, including the name of your account (if that varies between the machines, or you are in charge of several accounts - like your own and the root account), the organization or purpose of the host, and properties like operating system or your opinion of the machine ("fast", "stupid", "slow").
    • Choose an algorithm that produces fairly random characters. The above algorithm is quite bad because it will tend to use common letters rather than uncommon ones, for instance. In your real algorithm also try to work some punctuation in.
    • Make sure you know the quote! Remember the point of the quote is to produce a unique map between facts (letters and lengths) and other letters and lengths that have (apparently) nothing to do with them. In this sense the quote works like a one-time hash - knowing one part of the mapping will not in general help an intruder know another since the words in the quote are not produced algorithmically, but are simply given.
    Anyway, I hope this technique is useful to other people with the same needs I have in the area of password choice.
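    The sample algorithm above carried out in code, as an added example rather than the poster's own implementation: it reproduces s1z8v6 for frodo.shire and, following the first of the "Dangers", shows that a second host in the same domain shares the middle fragment. The stanza is the post's; the QWERTY layout used for "distance from left side of keyboard", the alphabet wrap-around (a before z, z after a) and the single-digit (mod 10) rule for long words are assumptions.

```python
import re
import string

# The post's stanza, serving as the memorized lookup table.
POEM = """\
Tis not too late to seek a newer world
Push off, and sitting well in order smite
The sounding furrows; for my purpose holds
To sail beyond the sunset, and the baths
Of all the Western stars, until I die."""

# Words per line with punctuation stripped; the 1-indexed rules below subtract one.
LINES = [re.findall(r"[A-Za-z]+", line) for line in POEM.splitlines()]
ALL_WORDS = [w for line in LINES for w in line]

# Assumed layout for "distance from left side of keyboard": 1-indexed column in the key's QWERTY row.
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def shift_letter(letter: str, delta: int) -> str:
    """Letter `delta` places along the lowercase alphabet, wrapping around (wrap is an assumption)."""
    i = string.ascii_lowercase.index(letter.lower())
    return string.ascii_lowercase[(i + delta) % 26]


# Hash #1 and #2 are implemented as the post states the rules; its own
# "neuter=o4" and "I=h9" examples do not follow those rules, so they are not reproduced.
def hash1(word: str) -> str:
    """Fragment #1: letter before the first letter, then (length - 1) as a single digit."""
    return shift_letter(word[0], -1) + str((len(word) - 1) % 10)


def hash2(word: str) -> str:
    """Fragment #2: letter after the last letter, then (10 - length) as a single digit."""
    return shift_letter(word[-1], +1) + str((10 - len(word)) % 10)


def keyboard_distance(letter: str) -> int:
    """1-indexed position of the letter counted from the left of its QWERTY row (f -> 4)."""
    for row in QWERTY_ROWS:
        if letter.lower() in row:
            return row.index(letter.lower()) + 1
    raise ValueError(f"not a letter key: {letter!r}")


def nth_word(words: list[str], n: int) -> str:
    """1-indexed word selection; wraps if n exceeds the line length (assumption)."""
    return words[(n - 1) % len(words)]


def password_for(fqdn: str) -> str:
    """Apply the post's three rules to host.domain and concatenate the fragments."""
    host, _, domain = fqdn.partition(".")
    if not host or not domain:
        raise ValueError("expected host.domain")
    frag_a = hash1(nth_word(ALL_WORDS, len(host)))                  # host length -> nth word of poem
    frag_b = hash2(nth_word(LINES[2], len(domain)))                 # domain length -> nth word of line 3
    frag_c = hash1(nth_word(LINES[4], keyboard_distance(host[0])))  # first letter -> nth word of line 5
    return frag_a + frag_b + frag_c


if __name__ == "__main__":
    # Two constructed hosts in one domain: the middle fragment (z8) is identical for both.
    for name in ("frodo.shire", "sam.shire"):
        print(name, "->", password_for(name))
```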
  81. Good password is most important by PapaZit · · Score: 1

    Carry your passwords in your wallet, on a piece of paper.

    I think that random people on the internet are a far greater threat than the people who have access to my wallet. I generate random passwords and I carry 2 of them with me: one for my account on one of my machines, and another as the password for the encrypted file on that machine that has all of my other passwords. This piece of paper doesn't list the machine or give any hints about what the words are. I have another copy in a desk drawer at home.

    If I lose the paper for any reason, I use my backup copy (if I need it) and change all of my passwords immediately.

    I think that this is far better than coming up with passwords that are easy to remember and using them for months before changing them.

    --
    Forward, retransmit, or republish anything I say here. Just don't misquote me.
  82. I make words of letters and numbers: by HaKn5La5H · · Score: 1

    S133739 would be sleeper, etc.

  83. I use them by priority by redhotchil · · Score: 1

    I use my passwords by priority, they are kind of recycled.

    My most recent (and hardest) password is for root on my box. Second is for user accounts and maybe a organizational password. Third is my ISP and crap like hotmail. 4th is all the other junk that I never go to but sign up for anyways.

  84. Random Passwd Blocks by Stochi · · Score: 1

    I wrote a small program called genpwd that will simply output a randomly generated 8x8 block of characters (upper, lower, numeric, symbols) that I can use for password selection. An example:

    dCPt|vHz
    *E6o TzT
    kB\19F^3
    u>49V&t-
    ch{H{mVw
    02n0.f7/
    2fO3b3SL
    +>*?4NEj

    This allows me to select a row, column, diagonal, or some random pattern for my password. Once I've chosen my block and password, I print out the block onto a small piece of paper that I carry with me at all times. If anyone happens to find it, they won't know where to start to guess my password.

  85. acronyms by mikeraz · · Score: 1

    I use phrases to generate my passwords. A recent one was lnihags - Last Night I Had A Great Stout, generated after tasting wonderful stout at a new brewpub. Reasonably random, and someone would have to know how I would express whatever piqued my interest at the time I needed a new password.

    Other examples are:

    tst:vda - the summer triangle: vega, deneb, altair for the bright guide stars of summer

    bfsdpe - Beijing Food, Scorpion, Duck, Pig's Ears (scorpion tastes like potato chips, Pig's ears like pepper bacon)

    fmtrc2k - Fucking Mazda Transmission Repair Cost $2,000

    --

    There's more to it than this.

  86. Foolproof method by alhaz · · Score: 3

    When I'm putting a password on something I'm not going to use every day, or at least not often enough that I'll remember it, I generally use CD catalog numbers.

    You know, the string of numbers and letters on the label. This has saved my butt many, many times.

    I may forget the exact string of letters, numbers, and non-alpha-numerics. But I always, always remember which CD.

    If I'm home, I can pull it off the shelf. That's easy enough. But here's the cool part.

    If you're away from home, any record store can look it up for you. This has saved me from having to hack into my own systems many times. And when you call a record store at 11:00 in the morning and say "I have a strange request", the lone person managing an empty store in off business hours is generally eager to help, too.

    I don't care if they know the password - they don't know who I am or what I'm unlocking.

    Sure, you could come to my house and take down a list of my entire cd collection, but it would take you a while. I have a lot of music, and I also mix upper and lower case on the letters.

    Of course, if you have a small music collection, or predictable tastes, maybe it's not such a good idea. Personally, 70% of my cds were special-order.

    --
    This is just like television, only you can see much further.
    1. Re:Foolproof method by dist · · Score: 1

      cduniverse.com actually includes these numbers in their album detail pages. Sometimes they're incomplete, but you could just look the album up on that site before you sign up for something so you know the password you use matches their listing.

    2. Re:Foolproof method by ghazban · · Score: 1

      Mp3 md5sums? Take the first five letters? Sounds all right to me. Though, I'll have to make sure I keep them mp3s, and make sure that I don't change their id3 tags ;)

  87. I generate my own random ones, then remember them by Drakino · · Score: 1

    I simply open up notepad, pound out some random stuff, and pick 8 characters out of it. I then retype it a few times, and start to use it. Typically I write down the password on a postit to hold onto for the first week I use it. After that it's in memory. (And in a password protected file on my Palm V / Palm Desktop software just in case.)

    -----

  88. A small notebook in a lock-box by Infonaut · · Score: 1

    Sounds extreme, but if you're serious about passwords, you need to create one that you won't be able to easily remember. At work I've got several servers and various admin passwords to keep track of, so I write them in a small notebook which I then place in a lock-box. I've got one of two keys to the lock-box, and my boss has the other key.

    --
    Read the EFF's Fair Use FAQ
  89. The real difficulty with passwords by Robert+Link · · Score: 1
    In my experience, the real difficulty with passwords is with accounts that you use very infrequently. Sure, we can all use various tricks to remember a dozen or so reasonably secure passwords, and we can rotate them as necessary. But, when you find yourself needing to log into an account that you haven't used in a long time, can you remember reliably whether it was a year ago May or a year ago July that you last accessed it, and can you remember what password you were using at the time? Ok, so you shouldn't keep around accounts that you seldom use, but it's amazing the way accounts tend to linger long after you've forgotten about them.


    -r

  90. Its plain text! :-) by citizenc · · Score: 1

    Its plain text! You can open it on ANY box! just haul the disk around with you!
    ,-----.----...---..--..-....-
    ' CitizenC
    ' "Bug? That's Not A Bug, That's A Feature!"
    `-----.----...---..--..-....-

  91. associate with function by Hard_Code · · Score: 2

    In the previous password poll on slashdot I revealed that I 'leet my passwords (password -> p4ssw0rd). This is hard to crack and easy to remember. The only thing left now, is to associate all the many passwords with the accounts they belong to. Unfortunately I do this by simply making passwords from services they are associated with (e.g., randomportal.com -> r4nd0mp0rt4l). I guess that's a weak link in my scheme...although the only way to break it would be to actually know my scheme...which I guess I've just given to every slashdotter :\

    --

    It's 10 PM. Do you know if you're un-American?
    1. Re:associate with function by Legion303 · · Score: 1
      In the previous password poll on slashdot I revealed that I 'leet my passwords (password -> p4ssw0rd). This is hard to crack and easy to remember. The only thing left now, is to associate all the many passwords with the accounts they belong to. Unfortunately I do this by simply making passwords from services they are associated with (e.g., randomportal.com -> r4nd0mp0rt4l). I guess that's a weak link in my scheme...although the only way to break it would be to actually know my scheme...which I guess I've just given to every slashdotter :\

      What is "hooters.jpg," and why is it in your home directory?

      Seriously, though, this is not a secure system at all. Several password cracking programs have a switch that will try "L337" combinations of dictionary words.

      -Legion

    2. Re:associate with function by _blueboy · · Score: 1

      I've done that before, but it's pretty easy to crack, isn't it? Especially if you make your slashdot password "sl4shd0t". And even if I didn't know that I could just go through a dictionary, adding 4's for all the a's, etc. It would just be like multiplying the dictionary by however many letters can be morphed into numbers...

      I don't know, that's the way I see it.

      --
      pdubroy AT yahoo DOT com
    3. Re:associate with function by Abigail-II · · Score: 1
      In the previous password poll on slashdot I revealed that I 'leet my passwords (password -> p4ssw0rd). This is hard to crack and easy to remember.

      "Leeting" passwords has been part of crack algorithms for eons, hasn't it?

      -- Abigail

    4. Re:associate with function by goon · · Score: 1
      I use the same idea, it's a good one. Though I question,
      • 'p4ssw0rd'. This is hard to crack and easy to remember.
      ... hard for your human cracker but not for machines... (says in best arrogant imperial starship captain voice before darth crushes skull). I would change that to 'easy to remember non human readable...' making it easier for users to use a password that's not vulnerable to a dictionary attack.
      --
      peterrenshaw ~ Another Scrappy Startup
  92. Shakespeare Makes Good Source by MartinLuther · · Score: 1

    I personally find that the best balance between security and remembering a password is to take the first letter of each word in a phrase. E.g.:

    tbontbhao: To be or not to be, (from) Hamlet, Act 1

    Of course, you can alternate upper and lower case, use digits, etc. to increase the security:

    2bOn2BhA1: To be or not to be, Hamlet, Act 1

    The good thing about Shakespeare as a source for lines is that there are thousands of them, so even if someone knows your method, it doesn't really help, and many of the lines are very easy to remember.

    1. Re:Shakespeare Makes Good Source by Abigail-II · · Score: 1
      The good thing about Shakespeare as a source for lines is that there are thousands of them, so even if someone knows your method, it doesn't really help, and many of the lines are very easy to remember.

      Given your method, it doesn't take more than half an hour to write a Perl program that takes all the works of Shakespeare and adds passwords constructed based on first letters to a crack database. "Thousands of them" doesn't really impress a modern version of crack.

      -- Abigail

  93. Mnemonics, usually. by Count+Spatula · · Score: 1

    I have used, for example, the first letter of the first name of my immediate family, alternating the caps according to gender, sorted on age. Or, sometimes, I will use the third letter of each name, arranging them in alphabetical order on first letter, or on age, or even on gender/age. It usually generates good, easily rememberable passwords, and someone else would have to know both your method and whole immediate family to guess correctly. If I feel the need to throw a number or symbol in the mix, I put it either after the parents' names or at the midpoint.

    Works for me.

    --
    -- Count Spatula: The Culinary Vampire "...because my cooking sucks."
  94. significant names and dates by ExRex · · Score: 1

    I find that there have been enough people and things in my life associable with certain dates that i can cobble together mathematically random passwords that are memorable.
    F'rinstance:
    A married couple who became close friends. I use their nicknames, init caps, separated by a special character or two and prefixed, or postfixed, with the month/year I first met them. The nicknames tend to avoid dictionary cracking, the non-alphanum characters throw something into the mix and the date adds the numeric difficulty. Yet it is easy for me to remember because it is meaningful to me.
    So, take a pet's name, add to it the year you got it and/or your age at the time, also its favorite treat linked with some special character.
    BlackMax72-12&Snausages
    Effectively random.
    And you can keep an unencrypted file, or just a notebook, that says Server#1 - BlackMax. Yet it will be unlikely that anyone viewing it will be able to crack your password in any short order.
    Codes are always more secure than ciphers.

    --
    The closer you are to the code, the happier you are. - Ancient Geek Proverb
  95. one thought by ancient-mariner · · Score: 1

    old credit card numbers. I remember about 30 of them. Also, random selections from pi out to about the 58th digit.

    --
    Where are my GPFs? I WANT MY GPFS!!
  96. Keychain on MacOS by Kesh · · Score: 1

    MacOS has a nifty answer to this problem: the Keychain. It's a feature built into the system that allows you to store your passwords in a single file, which is then encrypted using a 56-bit cypher (not the strongest, but then again, I don't expect to be raided by the NSA anytime soon. :) ). When a program that supports the Keychain requests a password, the Keychain pops up a dialog box requesting you to type in your master password. Optionally, it will then remind you which program is asking for access to your passwords, just in case you didn't notice which one had, to prevent Trojan Horse requests and such.

    It's extremely convenient, but only a few programs support it right now. More are being updated for compatibility as we speak, but it's great for keeping track of your passwords using one master key.

  97. What I do. by antizeus · · Score: 1
    I memorize those few passwords which really matter (unix login, financial stuff, etc), and write the large number of trivial ones (slashdot, irc bots, etc) on index cards.

    --
    -- $SIGNATURE
  98. (Not) My Password Scheme by Phrogz · · Score: 1
    The most important advice I have: if you're going to decide to use a password scheme, think of a good one and decide to use it before you start toying with schemes. I originally came up with a pretty lame scheme, but I now have so many accounts based off of it that it would be hell to attempt to convert them all. I'll likely change over eventually, but my point is that while dealing with legacy computer systems sucks, remembering legacy password schemes (and when and when not to use the old scheme) really sucks!

    If you haven't thought of a password scheme for yourself, here's an example idea. I (don't) use something along the following lines:

    1. Use one or two different usernames. (Perhaps have a general-security username, and a high-security username.)
    2. Pick a word or two as the password base.
    3. Use the URL/Name of the site to encode it.

    For example (truly not my scheme) let's say the base word is "cheeze", and the algorithm is to alphanumerically add (with modulus) the name of the site, postpending the number of letters in the site name. "cheeze" encoded with "slashdot" is:

    cheese
    + slashd
    --------
    = vtfxai8

    The scheme may not be terribly secure, but someone who steals your password to slashdot isn't going to automatically know how you came up with it.

    Disclaimer: I sure ain't a see-curity pro-feshinul. This advice could be really dumb.
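The "add the site name with modulus" scheme from the post above, as an added example that is not the poster's own code. It follows the worked sum as shown (base word "cheese", letters valued a=1 ... z=26, wrapped modulo 26, then the letter count of the site label appended) and assumes the key repeats when the base is longer than the label; `recover_base` shows the security-relevant property: because the scheme is a Vigenère-style shift, one password plus the site name gives the base word back, and with it every other site's password.

```python
import string

ALPHABET = string.ascii_lowercase


def _letters(text):
    """Keep only ASCII letters, lower-cased (assumption: dots and digits are ignored)."""
    return "".join(ch for ch in text.lower() if ch in ALPHABET)


def _site_label(site):
    """'slashdot.org' -> 'slashdot': the part the post adds letter by letter."""
    return _letters(site.split(".")[0])


def derive_password(base, site):
    """Encode `base` with the site label and append the label's letter count.

    With 0-based indexes b and k, the post's 1-based sum (b+1)+(k+1) wrapped to
    1..26 becomes index (b + k + 1) % 26, so 's'+'h' = 27 wraps to 'a'.
    """
    label = _site_label(site)
    out = []
    for i, b in enumerate(_letters(base)):
        k = label[i % len(label)]  # assumption: key repeats if the base is longer
        out.append(ALPHABET[(ALPHABET.index(b) + ALPHABET.index(k) + 1) % 26])
    return "".join(out) + str(len(label))


def recover_base(password, site):
    """Invert derive_password by subtracting the site label again.

    This is the weakness: the scheme is a known-key shift, so anyone holding
    one password and knowing the scheme recovers the base and every other
    site's password follows deterministically.
    """
    label = _site_label(site)
    letters = password.rstrip(string.digits)  # drop the appended letter count
    out = []
    for i, c in enumerate(letters):
        k = label[i % len(label)]
        out.append(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(k) - 1) % 26])
    return "".join(out)


if __name__ == "__main__":
    pw = derive_password("cheese", "slashdot.org")
    print(pw)                                   # vtfxai8, matching the post
    print(recover_base(pw, "slashdot.org"))     # cheese: the base falls out
```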

  99. Re:That's the same combination as my luggage! by pfy · · Score: 1

    For non-mission-critical passwords I use "the". For mission-critical, I use the serial number off the back of a floppy disk. Of course I keep the disk and label it something to remind me that it is a password, but other than that it is the most secure way I can think of to generate new passwords.

    --
    del c:\micros~1\*.*
  100. Use international keyboard by AndyElf · · Score: 1

    Granted, this works only if you know a somewhat obscure, i.e. non-Latin, language. Russian, for instance, works very well. You take a fairly simple phrase in this language and type it on a Qwerty (or Dvorak -- does not really matter) keyboard, using the native language keyboard layout. Say, if you were to use the word "Linux" (Russian would be something like "Linaks"), then a Qwerty keyboard would yield: "Kbyfrc" ("Txfupj" for Dvorak), which, I guess, is cryptic enough for not-too-sensitive stuff.

    --

    --AP
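The layout trick from the post above, as an added example that is not the poster's code: it maps the standard Russian ЙЦУКЕН layout onto the physical keys of a Qwerty keyboard (and optionally the Dvorak letters on those same keys). The tables are constructed here and omit ё and punctuation; the inverse function is the defender's point, since the mapping is a fixed one-to-one substitution, so the result has no more entropy than the Russian word and any wordlist can be pushed through the same table.

```python
# Constructed tables (assumption: standard Russian layout; ё and punctuation keys omitted).
# Each string lists the three letter rows left to right; index i is the same physical key.
RU_KEYS = "йцукенгшщзхъфывапролджэячсмитьбю"
QWERTY_KEYS = "qwertyuiop[]asdfghjkl;'zxcvbnm,."
DVORAK_KEYS = "',.pyfgcrl/=aoeuidhtns-;qjkxbmwv"

RU_TO_QWERTY = dict(zip(RU_KEYS, QWERTY_KEYS))
QWERTY_TO_DVORAK = dict(zip(QWERTY_KEYS, DVORAK_KEYS))
QWERTY_TO_RU = {v: k for k, v in RU_TO_QWERTY.items()}
DVORAK_TO_QWERTY = {v: k for k, v in QWERTY_TO_DVORAK.items()}


def keyboard_transliterate(text, layout="qwerty"):
    """Type `text` with the Russian layout active and read back what the
    Qwerty (or Dvorak) labels on those keys say. Case is preserved; characters
    not in the table pass through unchanged."""
    out = []
    for ch in text:
        key = RU_TO_QWERTY.get(ch.lower())
        if key is None:
            out.append(ch)
            continue
        if layout == "dvorak":
            key = QWERTY_TO_DVORAK[key]
        out.append(key.upper() if ch.isupper() else key)
    return "".join(out)


def recover_native(text, layout="qwerty"):
    """Undo keyboard_transliterate. Because the mapping is a bijection, the
    original word (and so its dictionary entry) is recovered exactly."""
    out = []
    for ch in text:
        key = ch.lower()
        if layout == "dvorak":
            key = DVORAK_TO_QWERTY.get(key, key)
        ru = QWERTY_TO_RU.get(key)
        if ru is None:
            out.append(ch)
            continue
        out.append(ru.upper() if ch.isupper() else ru)
    return "".join(out)


if __name__ == "__main__":
    print(keyboard_transliterate("Линакс"))            # Kbyfrc, as in the post
    print(keyboard_transliterate("Линакс", "dvorak"))  # Txfupj, as in the post
    print(recover_native("Kbyfrc"))                     # Линакс: fully reversible
```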
  101. Re:That's the same combination as my luggage! by The+Happy+Blues+Man · · Score: 1

    Heh... whenever my friends start up a Quake server that they don't want the rest of the LAN getting in to, they set the password to 1234.

    Although if I remember, we told it to someone who we didn't want playing later, so we had to change it to 2345. :)

    The Happy Blues Man

    --

    The Happy Blues Man
    I accept on blind faith that Cincinatti exists.
  102. Simple - spoonerisms! by schon · · Score: 2

    This is the best one I've found so far..

    When creating a password, I take the first word(s) that pops into my head, and then spoonerize it..
    (for those of you who have forgotten third grade English, a spoonerism is a play on words, where syllables are swapped.. for example "start the car" would become "cart the star." "slashdot" could become "dlatsosh", "datslosh")

    Then, all I have to do is remember what I was thinking of when I created the account (pretty simple - if it's non-critical, I just use the name of the site.)

    Oh, for those of you who think I just told you my slashdot password, this is the place I didn't do this :o)

    1. Re:Simple - spoonerisms! by Jimithing+DMB · · Score: 1

      Does your sig and spoonerisms make you a crashdot slackpot?

    2. Re:Simple - spoonerisms! by rlkoppenhaver · · Score: 1

      Perhaps a plashcot dracksot?

  103. make them easy to remember by blkwolf · · Score: 1

    I keep all my passwords in my head, so I try to make them as easy to remember as possible but still somewhat secure.

    For general everyday logins, websites etc I use a two word scheme bound by a character or number. I.e. perl@Palace Kane*epics pyle&hume etc.

    I even wrote up a simple little perl script to generate them for me.

    So far the passwords have withstood various tools like L0phtCrack etc without being compromised.


  104. diverse and quick! by dulles · · Score: 1

    I usually sit around for about 10 minutes trying to think of a sequence that is:
    1. VERY fast to type
    2. Has a lowercase letter, capital letter, number, and misc. character.
    It takes a while. I can't type too many things too fast, and I'm a bit paranoid about shoulder-surfers, so it usually takes me a while to come up with a password I can type in under a second.

  105. Old Gateway Keyboard by Lt.Hawkins · · Score: 1

    One way I found is to use cheat codes from a game, intermingled with non-alphanumeric keys... A post here mentioned converting it to 3l337-speak, which could also be a good idea. It'll still be relatively easy to remember...

    Another method I use helps me remember it, and also helps me be lazy: I have one of the old AnyKey keyboards from Gateway - the ones that are programmable.

    I've programmed in some of my 8+ character passwords to type themselves in if you press a 3-key combo on my keyboard. Not at all very likely to be found accidentally, and very secure... unless someone hacks my keyboard... and if you spend your time hacking keyboards... well... you have less of a life than I do.

    --
    -- My Sig is a P228.
  106. Backwards on my forehead by DoorFrame · · Score: 1

    All you have to do is write your password backwards on your forehead. Since it's backwards, nobody will be able to figure it out. They'll try it, but they'll be wrong because they won't have reversed it. Then all you need to do is look in a mirror. Pure genius.

  107. Reduce the number of passwords by Danh · · Score: 1

    I reduce the number of passwords by using the same password for accounts of the same security level, e.g. a short one for the library, /. and user prefs... a better one for email, web accounts, etc. and a paranoic for each crypted partition, each admin account, bank account...

  108. Use one password for all accounts by elflord · · Score: 1
    ... or something like that. I keep three passwords at a given time.

    • A password for accounts that require me to submit over an insecure channel (telnet, internet)
    • A password that is used for all of my user accounts that I get a secure connection to (ssh). This password is never sent in the clear (if I need to send it plain text, I change it immediately)
    • The root password for the machine I admin. Only submitted over secure channels

    I tend to rotate them, i.e. root password->user password->insecure password->trash can.

    If I get a new password, I immediately "rehearse" by typing it several times (or logging in and out), until it's "burnt into" my fingers. Once it's "burnt in", my fingers remember it even if I don't.

  109. Re:Whack... I think I have a better idea by vanguard · · Score: 1

    My passwords have a theme. Currently, I'm using radio station call letters and their frequency with a ~ built in. 944~wkjr may be line noise to a cracker but you probably hear it on the radio every day. The ~ forces crackers to use a pretty broad character set during a brute force attack.

    --
    That which does not kill me only makes me whinier
  110. Re:Strip for the Palm Pilot by jeff_C · · Score: 1

    I also use Strip. It's a lifesaver for remembering the 30+ passwords I've got to keep. Otherwise I'd be stuck in the old synch password game.....

    Password for one system expires, pick new password, then go change 10-15 other passwords at the same time. Forget to change one, then need to use that machine, lock your account trying to remember the password you used 3 cycles ago.....

    It was a real pain. Strip is easy and secure.

    jeff_C

  111. It'd be easier to remember a password... by Anonymous Coward · · Score: 1

    ..now I just gotta find a girl named 3jrr031 and make her mine.

  112. I use a DES trick by deanthayer · · Score: 1

    I pick some word that I can easily remember, like my name or something. Then I use a 2 line perl script to DES encrypt it, using that same word as the seed. Then I memorize the result (well, the first 8 characters anyway). Then, anytime I forget my password, I just run "pcrypt ", and I've got my password. Of course, this only works if you can log in and run the script somewhere, which means I don't recommend this method to people with only one account. It's a little wacky for some folks, but it's the best way I've found to use passwords like bo1Qz2Hf. I've thought about always using my name as the word to be encrypted and the hostname as the seed, thus having different passwords on each system which I can easily generate from a single word, but maybe that's going too far.

  113. Re:Sort of encrypted... by sherms · · Score: 1

    Neither do the rest of us or we wouldn't be making these comments.

    I usually think of a phrase someone said and take either the first or last letters of each word.

    Sherm

  114. Domain specific scheme by Faed · · Score: 1

    I started using the last 4 characters of a domain name, reversing that, and appending my usual password:

    slashdot.org --> hdot --> todh
    usual passwd --> yo69MO

    becomes todhyo69MO (Not really my slashdot password :-)
    This (or any other consistent scheme) can be very effective and relatively uncrackable - as long as you don't tell anyone your scheme.

    Faed

  115. palmgear by mattdm · · Score: 2
    One good source for PalmOS software is PalmGear HQ.

    --

  117. Where to find this software... by kuperman · · Score: 2
    For pilot software, I go to Palm Gear HQ. Here are the links for the software I mentioned: I'm pretty sure that the SecureMemo is by CertiCom.
  118. It's desk accessory by binarybits · · Score: 1

    In the olden days before Macs did multitasking, there were things called desk accessories. They were located in the Apple menu and could be run in the memory space of other applications-- a sort of poor man's multitasking. As you might imagine, this became kludgy and unnecessary once we got full-fledged multitasking in System 7, (yeah, I know, we still don't have "real" multitasking.) so DA's are not used much now. People will still sometimes refer to any small app that resides in the Apple menu as a DA, even though you can put anything you like there now.

  119. crack defense by joshua_doesnt_know · · Score: 1

    I usually create passwords that I can easily remember, but a cracking program would not guess. I do this by combining letters with numbers, where the numbers are relevant. Something like 411info, or info411 would be easy to remember, but a cracking program usually goes for a dictionary of words and sometimes attaches numbers like 123 or similar.

    _joshua_

  120. Use PI by Skim123 · · Score: 1

    Choose some random number of consecutive PI digits starting at some random place in PI. At the end of every week, repeat process.

    --

    I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.

    1. Re:Use PI by Abigail-II · · Score: 1
      Choose some random number of consecutive PI digits starting at some random place in PI.

      For UNIX style passwords, that only gives 100M different passwords [1]. It took a Perl script on my computer 89 seconds to crypt 1M passwords. Extrapolating means less than 3 hours to crack your password, given your entry in /etc/passwd or /etc/shadow.

      At the end of every week, repeat process.

      With 168 hours in a week, and on average, less than 1.5 hours to crack your password - that means your account is insecure 99% of the time! ;-)

      [1] Of course, this is only true if you have a big enough file with digits of pi. If you only have 1M digits of Pi, well, then you have at most 1M passwords. Estimated cracking time: 1-2 minutes, depending on the hardware.

      UNIX style passwords are hopelessly insecure.

      -- Abigail

    2. Re:Use PI by Skim123 · · Score: 1
      Of course, this is only true if you have a big enough file with digits of pi. If you only have 1M digits of Pi, well, then you have at most 1M passwords.

      Uh, no. First of all, I have an infinite number of digits from pi to choose from. Furthermore, say I choose to have my password be 10 characters, then there are 10^10 possible passwords, since each character can contain one to ten digits...

      --

      I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.

  121. I wrote a program to store them for me. by gpf · · Score: 1

    You can get it here.

    It's not awesome by any means, but it serves my purposes just fine. The source is included, so you can make it way cooler if you want.
    (BTW, it's a java program, so you'll need to get the runtimes for it, IBM released them for Linux, so you have no excuses now).

    Jay,

  122. Finger memory by Rodavlas · · Score: 1
    I don't do this anymore, but I sort of liked this way of getting a new password, especially when you're out of imagination:

    Let your hands drop on the keyboard (once or twice) and look at what comes out. Tweak the "password candidate" a little so it's a little better (l33t or some such), and then start using it.

    I usually also keep a piece of paper with the new password for 2 or 3 days, trying to login as often as possible in order to memorize it faster (practice!).

  123. Apple Data Security by Oniros · · Score: 1

    http://arcanum.apple.com/

    Apple has a nice system they had with PowerMail ages ago and that they resurrected with MacOS 9: keychains.
    Basically a keychain is an encrypted file that holds keys, like username/password pairs. If a keychain is open, apps can query it on a per-need basis (and yes, the OS asks for confirmation that app X is allowed to use the keychain each time the app tries to.)
    It's pretty neat.

    Just add some password generator to that and you actually only need to know the password to the keychain (better not lose or compromise that one tho :)

    I wish there was the same kind of system for Linux and PalmOS and that I could synchronize keychains between the various platforms. Would be handy for all the junk passwords.

    Just my $0.02

    Janus

  124. Simple scheme, but for Microsoft by Sentry21 · · Score: 1

    Okay, my scheme is simple, but effective... I just use things that people wouldn't guess, but make them long enough so that you couldn't brute-force them easily.

    Example: qrweoupiyt

    Ten characters long and impossible to guess. Not the most secure, but oh well. Add a number or some punctuation on there (qrweoupiyt5! or qrwe72oupi#yt) just to make brute-forcers have to use everything.

    My problem is sites that assign passwords. I've been assigned passwords like 'smellycamel' (which I changed), or even 348751 (which I couldn't change). Great, a site with only 1M combinations of passwords per account. That has barely more protection than a 'strong' password 3 characters long! Come on!

    Another problem is Microsoft. When I log into their site for whatever reason (download, MSDN, etc), I have to play a guessing game. One of my usernames for one of the services is something like 3216921, the other two, for different things, are 'sentry21'.

    Okay, so I have three accounts. I do remember what the password for my numerical account is, so that's no problem. Then I go to my two 'sentry21' accounts. One has an MS generated password (secureish, like L8sj4Ke), the other is the password of my choosing. Not only do I have to get them to e-mail my password, which I don't know, I have to get them to e-mail me my username! One day, when I was feeling lazy, my inbox ended up with like five e-mails from Microsoft with usernames and passwords.

    I swear, it's insane. Use MSDN and Hotmail, and then whenever you try and get into the MSDN site, someone cracks your hotmail and where are we now?

    Hmm... I wonder what my PGP password is...

    ~Sentry21~

  125. biological and chemical terms. by JungleBoy · · Score: 1

    I usually open a biology or chemistry text, and find a class of molecules or group of animals. I then map a chemical name, such as an amino acid, or a taxonomic name, such as the genus or species, to each of the accounts I have access to. I then bastardize the crap out of the name with mixed caps, and non-alphanumerics. I use different groups of names for root passwords than I do for regular accounts. This way, no one knows where the heck I get my password, nor how I bastardize them.

    I seem to be quite effective, and as a result I can quickly learn and remember chemical and taxonomic names and their spellings. Given the volume of chemical names and biological terms out there I don't see myself running out anytime soon.

    what Fun!
    --
    ...Linux!

    --
    "You never know when some crazed rodent with cold feet might be running loose in your pants."
    -Calvin
  126. Re:Um.... by Zurk · · Score: 1

    the ph33r term that 31337 h4x0r d00dz use for really k3wl h4x0rs. 31337=Elite in english.

  127. Is it important? by Coward+Anonymous · · Score: 1

    First ask yourself two questions:
    1. is the information your password is protecting really important?
    2. do you really think anyone is bored enough to actually want to break into whatever it is you are protecting? Hackers/crackers have a lot of work to do and I'm not so sure that your shell account is a priority.
    3. is the information you're protecting on your computer?

    If all three answers are false (and this is the case 90% of the time, e.g. hotmail account or countless other web accounts) then make your life easier by keeping this trivial password, along with all the other trivial passwords, in a plaintext file in a convenient place for you to look up.
    If your account/information is on a remote computer then keeping your passwords in plaintext on your home computer will not compromise your security unless someone decides to rummage through your home computer (not very likely if this hacker is sitting 1000 miles away and attacking the server. How would he know to find your computer?).

    If, against all odds, you find that the information is important (secret diary? Swiss bank account? Nude photos of your neighbor and his dog?) invent a password that is easy to remember (try any random jumble of letters and stick in some vowels, for example: ynbsk --> YaniBusek) and use your memory (the gooey kind in between your ears).

  128. Has this ever happened to you? by Mr.P · · Score: 2

    I have this 14-letter (yes, it was originally for NT) password which is entirely random, including the amount of punctuation stuffed into it.

    Now, this isn't the case anymore, but when I finally burned the piece of paper it was written on, I had the exact keystrokes tucked away somewhere in my head, but the actual password itself wasn't there. I could think "type the password" and quickly spin it off but I could not remember the password.

    I've had to tell a few other people, and I always had to type it out into Notepad just to remember it, but I have it completely memorized now (along with 6 or 7 other 8-letter passwords).

    1. Re:Has this ever happened to you? by Ello+Darkstar · · Score: 1

      I, too, have the same "talent" or burden. My first password was so small and simple that to think back upon it now I blush, but I have two long strands of random letters and numbers and punctuation that I can just "type". The only problem I have (and the reason I am responding to your post) is WHAT ABOUT PASSWORDS THAT ARE GIVEN TO YOU, AND YOU CANNOT CHANGE?!?!? I recently had to rely upon the wonders of temp jobs, and I was placed in a facility that requires a password to get into the data entry program. True, the password is relatively easy to remember after a week or so of using it, but every time I sit down to do my work, my fingers itch to use one of my two "chosen" passwords. After a few chastising remarks from the network software, I recall the correct string and type it... Any thoughts on this?

    2. Re:Has this ever happened to you? by hellbunnie · · Score: 1

      Yeah, I do that too. I do it with phone numbers too, which is a bit of a pain in the arse. Whenever someone asks for my number I have to start frantically tapping out a sequence in the air before I can tell them.

    3. Re:Has this ever happened to you? by orangesquid · · Score: 1

      I do that with everything... I'm both a touch-typist and a hunt-and-peck typist. If I've typed a word a number of times before, I can spit it out really fast, but if it's a new word I have to type it out really slow (although I don't actually have to be looking at the keys...)

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
    4. Re:Has this ever happened to you? by Fuhrer · · Score: 1

      Can you believe it? On the topic of phone numbers, I actually dialled my ISP's IP number instead of their phone number. A sign technology has taken over your life.

    5. Re:Has this ever happened to you? by zogzog · · Score: 1

      This is well-known to pianists. My fingers know lots of piano music note-perfectly; but if I try to play those same pieces in my head, or write them in manuscript, I get lost pretty quickly.

      Of course, musical themes could be a good source of raw material for passwords, but you need a way of getting away from using [a..g] all the time.

    6. Re:Has this ever happened to you? by Benley · · Score: 1

      Think of.... say, arpeggios on the computer keyboard maybe? Or as I have seen suggested before, "keyboard blocks" like "1qazxsw23edcvfr45tgb" which are very difficult to crack, and secure unless someone sees you typing it!

  129. The solution exists ! by haggar · · Score: 1

    The solution is to use tools that interoperate and enable you to manage multiple accounts, security, identity and authentication information.
    Novell provides Single Sign On to login to accounts on different systems and applications through the network. Another solution-enabler, for the Internet, is Digitalme. It stores your online identity information and helps you manage your accounts (the e-card is a particularly pretty thingy IMHO). LDAP is another element of the puzzle, and Novell Directory Services knits them all together.
    And I almost forgot to mention; a year ago I tried some Java beans and VB ActiveX controls that connected to NDS, and I could, therefore, create NDS-aware applications. You could, for example, make a simple application that would tell you the number of servers and users in a certain organisational unit. OK, and I am pretty nostalgic because I'm working on totally different projects now, so I kinda miss the neat Novell technology....

    --
    Sigged!
  130. Symbolized Acronyms -- The only way to go by Capt.Pantsless · · Score: 1
    Any idiot can simply pound away at the keyboard to produce a random alpha-num, the trick is remembering it for several different accounts, and changing it LOTS. I like to use what I call 'symbolized acronyms'. For instance: if your favorite novel is Neal Stephenson's 'Snow Crash' you could 'acronymize' the title/author to produce 'NS SC' which, of course, sucks for a password. However, if we then 'symbolize' it: i.e. 'snow' sometimes looks like a '*' character, toss in a dash or an underline, and a few other appropriate symbols, we get out: 'NS_*Cr@s'. This can be read as (and remembered as) (N)eal (S)tephenson's (_) (*)Snow (Cr@s) Crash.

    Scads of titles can be converted in this way. Robert A. Heinlein's 'The Number of the Beast' converts nicely to 'RaH#B'; intersperse a quick 666 to get '6RaH6#B6' etc. etc. ad nauseam. As one can tell, these look awfully like random keyboard pounding, but are much easier to remember. If someone really tries though, one could make a password-cracker specifically for this algorithm, but it would take some serious effort to do.
    --

    "The longer I have been an atheist, the more amazed I am that I ever believed Christian notions." --Dan Barker, "Losing Faith in Faith"

  131. lazy by Kenshiro · · Score: 1

    First, I used to take a common phrase and append a site-specific phrase. Then, I started keeping passwords in an encrypted file, so I could do more random passwords. Then, one weekend, I got bored, so I wrote a little C command line and GTK interface prog to keep (username, site, password) sets encrypted.

    The concept of just remembering passwords doesn't work for me :(

  132. Re:My strategey - 3 "zones" - one password per zon by Pascal+Q.+Porcupine · · Score: 3
    My strategy is similar, though I only have two zones - accounts I care about, and accounts I don't. I have a set of 3 or 4 pronounceable-linenoise passwords I cycle through periodically (so far I've yet to have any problem with this); lately every time I cycle back to one, I change one character from a letter to a h4x0r-sp33k letter, though I keep that to letters which have a tactile mapping (e to 3, o to 0) since that also coincidentally makes it so that on my Datahand I just push down the numbershift key.

    Personally, I don't see the need to change them very often. I don't let people see them while I'm typing them (touchtyping has many advantages :) and I usually ssh to other systems. The only ones I don't ssh to are the ones I don't care about anyway (such as slashdot and the various MUCKs I'm on), and for those I just use a common word.
    --
    "'Is not a quine' is not a quine" is a quine.
    Quine "quine?
  133. Try a password manager by David+Jao · · Score: 1
    A password manager such as gpasman can keep track of all your passwords for you. I find it much easier to remember one long master password than a lot of different passwords.

    Some people might get paranoid at the thought of all their passwords being contained in one file. Gpasman at least uses a publicly known algorithm to encrypt the data, instead of just using a secret formula like most of the Windows programs do.

  134. More password-hashing made easy by OmniGeek · · Score: 1

    Here are two other methods of hashing an easily-remembered password into a hard-to-guess password (I use some or all of these -- script kiddies, just guess which;-)

    The advantages of hashing the password from an easy word are: the "seed" word can be written anywhere in safety (even on the server case!) and dictionary-based password-guessers will fail, as the number of likely hashing functions is very large.

    1) Add an alphabetic offset to an easily-remembered word e.g., "smith" + 1 = "tnjui"; the offset can be 1 letter, 1 keyboard row/column, or a sequence as 1, 2, 3....

    2) Choose a lousy potboiler novel you read in high school (do NOT use current popular books or books you have traceably bought or borrowed from the library -- Big Brother may be watching!). Combine two character or place names by concatenating or interleaving them. Here again, the result is easily remembered (you can write the book title on the server case with relative safety), but essentially unguessable AS LONG AS YOU HASH IT in some undisclosed way. Even a cracker who knows you will find the knowledge of little use...

    Then too, there's the method I currently use...;-)

    --

    "My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
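    As an added illustration (not part of the post above, and not the poster's own code), the "alphabetic offset" hashing from method 1 written out in Python: a plain alphabet shift ("smith" + 1 = "tnjui"), the running-sequence variant (+1, +2, +3, ...), and a shift along the QWERTY row. The QWERTY row layout and the ranges of offsets enumerated are this example's own assumptions. The last function takes the guesser's side and counts how many candidates one seed word turns into under all three transforms, which is the number a dictionary-based cracker would multiply its wordlist by.

```python
import string

LOWER = string.ascii_lowercase
# One QWERTY row per entry; a "keyboard row shift" moves each key `offset`
# positions to the right along its own row, wrapping at the end (assumption).
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def alpha_offset(word: str, offset: int) -> str:
    """Shift every letter of `word` `offset` places through the alphabet,
    wrapping z -> a (negative offsets shift backwards). Non-letters pass
    through unchanged, case is preserved."""
    out = []
    for ch in word:
        if ch.islower():
            out.append(LOWER[(LOWER.index(ch) + offset) % 26])
        elif ch.isupper():
            out.append(LOWER[(LOWER.index(ch.lower()) + offset) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def sequence_offset(word: str, start: int = 1) -> str:
    """The 'sequence as 1, 2, 3...' variant: first letter + start,
    second letter + start + 1, and so on."""
    return "".join(alpha_offset(ch, start + i) for i, ch in enumerate(word))


def keyboard_shift(word: str, offset: int) -> str:
    """Shift each letter `offset` keys along its QWERTY row, wrapping."""
    out = []
    for ch in word:
        for row in QWERTY_ROWS:
            if ch.lower() in row:
                new = row[(row.index(ch.lower()) + offset) % len(row)]
                out.append(new.upper() if ch.isupper() else new)
                break
        else:
            out.append(ch)
    return "".join(out)


def offset_candidates(seed_words):
    """The guesser's view: every password reachable from the seed words
    under the three transforms above. 25 alphabet offsets, 25 sequence
    start offsets and 9 row shifts give at most 59 candidates per word,
    so a wordlist of N entries becomes a list of at most 59 * N guesses."""
    cands = set()
    for w in seed_words:
        for k in range(1, 26):
            cands.add(alpha_offset(w, k))
        for k in range(1, 26):
            cands.add(sequence_offset(w, k))
        for k in range(1, 10):
            cands.add(keyboard_shift(w, k))
    return cands


if __name__ == "__main__":
    print(alpha_offset("smith", 1), sequence_offset("smith"), keyboard_shift("smith", 1))
    print(len(offset_candidates(["smith"])), "candidates from one seed word")
```

    The point of `offset_candidates` is the size of the multiplier: whatever the seed word, the family of offsets is small and enumerable, so the secrecy rests on the seed word and the choice of transform together, not on the transform alone.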
  135. HP-UX hates this by blackwizard · · Score: 1

    Just a comment on the @ symbols -- HP-UX hates these. You can't effectively use #s and @s on HP-UX, and if you do, you might get locked out of your account. This is because HP-UX will treat @ as a character that means "backspace everything off of the login/password prompt", and # as a "backspace" key. So that password in your example would have been blank in HP-UX. =)

  136. Passwords by jgotts · · Score: 1

    All of my passwords are completely random strings. I'm a touch typist, so I learn how my most commonly used passwords feel. Then I throw away the paper they're written on.

  137. I use the same password for everything... (text) by Carrot007 · · Score: 1

    Well maybe variations on it! like repeating it or capitalising a bit or adding a number if the account cries otherwise

    Unsafe. Yeah.

    Any problems yet. No.

    Bwah ha haaaaaa.

    --
    +----------------- | What is the question!
  138. confuse yourself by ZxCv · · Score: 1

    confuse yourself and you've confused others.

    so pick a password that will even take you a week or so to remember. write it down on a small piece of paper and carry it with you till you remember the password.

    using this simple technique, every one of my account passwords looks like complete random garble, yet I remember every one.

    --

    Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
  139. 2 THINGS by NME · · Score: 1

    Password Safe from Counterpane systems,
    and passwords from "common" phrases. "A Screaming Comes Across the Sky..." Becomes ascats. And then you add non alphas to the mix. Yay.

    -nme!

  140. 2 more THINGS by CdotZinger · · Score: 1

    (aside from *Gravity's Rainbow* being a good source of passwords that'll keep kiddies at bay)

    I'd suggest deriving passwords from Things You Know About Yourself That You're Not Likely To Tell Anyone Else -- examples (mostly utterly hypothetical): your favorite song is "Sundown" by Gordon Lightfoot; you voted for Lyndon LaRouche; you have diaper rash from sitting at your terminal for x-squared years; you have a years-long crush on Janeane Garofalo -- so you can remember them easily, but guesswork won't likely crack 'em.

    If you need a couple numbers in there, the circumference of your penis is a good place to start (about 44% of the time).

    Then again, my root password is "etoot," so ignoring my advice might be a good idea.


    --
    Your mouth is like Columbus Day.
  141. Threesome by Octavian · · Score: 1

    Since I don't like too many passwords to remember, I have a three-password system. I distinguish between (a) my root accounts, (b) accounts where I have a "safe" connection and (c) accounts where the password goes as plaintext over the net (POP3, telnet, ...).

    Works well; I change all of them nonetheless every month or so.

  142. How I remember my passwords by arikb · · Score: 1

    My "strong" passwords (the ones I care about, root, etc.) are usually acronyms of famous sayings or song titles, garbled to my liking. The not-so-strong passwords are usually composed from IBM acronyms related to mainframes, and believe me, there are plenty of them. It is rumored that IBM has registered trademarks on all 3-letter acronyms, so I just take two and add a digit. The really weak passwords are usually related to web sites, and it is some variation on the site name or address.

  143. Is this really that hard? One PGP disk by Pfhreakaz0id · · Score: 1

    Keep one file on a PGP disk (or just PGP encrypt an individual ascii file) never change this password. Enter all passwords & accounts into this file....

    for the web stuff, unless it's an e-commerce site I enter my card PERMANENTLY into (so I can one-click shop on Amazon, for instance), I just use one login and password. I find that cypherpunks/cypherpunks works for almost everything.

  144. Re:Um.... by Disco+Stu · · Score: 1

    As those above me have commented, it means "elite". It refers to a style of writing that "elite hacker doods" (31337 h4x0r d00dz ) use, in which they replace letters with numbers and a few other things.

  145. Nonsensical words by Dougie · · Score: 1

    When I ended up in a position where I had to apply passwords to important systems, it became apparent to me that I was going to have to find some way of thinking up a nonsensical password that is not easy to crack, but yet is easy to remember.

    However, when it comes to passwords for boxes that I do not use for some time, I am still at a loss as to how I am going to remember them. I think the only thing I am going to be able to do is something like the PalmPilot. We shall have to see.

    But an example of out of date passwords is...

    h3ll5ang3l5
    r3dh0tbab35
    01nkf3t15h (don't ask me where I thought of that, I was really struggling at this point, had to think of about ten at one time when I implemented some services)
    j3llyb3lly
    j3llyw3lly

    None of these make much sense, and certainly are not common words or phrases, so I could not see a cracker getting them (but then I could be wrong).

    And they are all relatively easy to remember, as they are all words.

    However, for the really secure passwords, it has to be a random string of characters that are pronounceable, and then just add numbers and replace letters. Once you remember the sound you are sorted.

    --
    Doug.
  146. free password software from ZDNet...? by eries · · Score: 1

    If I remember correctly, ZDNet offers a free piece of software for solving just this problem. I'll go see if I can dig up the URL...

  147. Re:free password software from ZDNet... URL by eries · · Score: 1

    Here's the URL:

    http://www.zdnet.com/swlib/hotfiles/password.html

  148. Simpsons and Pi by _ECC_ · · Score: 1

    I use my favorite quotes from the Simpsons, which somehow I can never forget.. if you and your friends have Simpson quote battles.... then this may be a good idea for you too =]

    so like...
    "The goggles.... they do nothing!" -Wolfcastle
    "TgTdN80" - cause I usually mix case and add on some numbers for good measure


    Also... I've found using certain sequences in Pi working really well

    so like..... 3.1415926535897 (for brevity's sake)... you could use 926535897, and maybe add a letter or two to keep the brute force crackers workin' hard...


    -Ecc

    1. Re:Simpsons and Pi by Lord+Dragon+PiLMaN · · Score: 1

      Hmmm... well, be afraid, be very afraid because I've memorized pi to the seventieth decimal place and intend to go to 1,000 by the end of Q1 2000. . .
      Ahh, pi:
      3.131592653589793238462643383279502884197169399375 1058209749445923078164
      Well that's pi to 70... I could have copied and pasted that, but, why not practice?

      -Lord Dragon al'PiLMaN Dai'Shan

    2. Re:Simpsons and Pi by Lord+Dragon+PiLMaN · · Score: 1

      lol. gotta love my typing skills... don't worry though, i speak better than i type...

      accurate voice recognition is coming. be afraid, be very afraid.

  149. Re:Um.... by m3000 · · Score: 1

    See the Jargon File

  150. What I use by twos · · Score: 1

    I must admit, I've had the same password for the majority of my accounts for a few years, although, I do have different password levels. I have one for general access, one for "personal access", and one for "su" access. I presume these passwords are not easy to guess, as I use non-English words, with a splattering of numbers, characters and caps.

    I do like what we used to do to our VMS users that refused to use "good" passwords. We would set the system to issue auto-generated 32 character passwords with an expire time of 23 hours. Being god was good :)

    --
    Phear The Phat Penguin
  151. By how easy they are to type. by fallout · · Score: 1

    I find strings of random characters that I can type really really fast. For instance:

    jfoels -- each key is on opp. side of keyboard.

    How do I remember it? muscle memory. I know this probably isn't the greatest way, but it works. I HONESTLY couldn't recite my ATM code for the first month or two that I had it, but I could type the code in really fast because my fingers remembered how to do it.. How's *that* for secure?! :)

    -Mike
    ---------------------------------------

  152. My tricks: by ph43drus · · Score: 2
    As far as memorization tricks are concerned, I find that straight memorization of the characters is foolish. It is much easier to remember a phrase and what you did to it. Here's a good example:

    first: take a phrase, say:
    "I love Meg"
    This is one that I can fondly remember.

    second: misspell things:
    "ey lav Meg"

    third: truncate, abbreviate and shorten: "eylavm"

    fourth: mess with the caps and characters: "eyLaVM"

    There, you have a rather strong password, and all you need to remember is that you love Meg (which I do, I stopped using the password because I had to tell her what I'd done... ;).

    Any way, it is a pretty simple hash, and you can use phrases as long as you like, anywhere from 2 words on up. All it needs to be is something you can remember.

    For those stupid numbers (social security, bank accounts, etc), I have a little business card in my wallet which I write them on. Now, the first nine characters of every number is formatted to look like an SSN, and then when I have shorter numbers to remember, I tack them onto the end, so they don't really follow any format a person could recognize. I can pick out which numbers are what, but that's because I know where I wrote them.

    I hope that helps, but I also know that I have a pretty impressive long term memory, so what seems simple to me...

    Jeff

  153. Why have multiple passwords at all? by idan · · Score: 1

    IMHO, the best way to remember lots of passwords is to synchronize them. First, you select a hard to guess value. Select 2 or 3 if you access some systems that you are afraid might be compromised (e.g., local servers vs. public WWW sites). Then, apply that password to every account you have. Voila - you don't have to remember a million passwords.

    With this in mind, we make / sell a commercial package for synchronizing passwords:
    http://www.psynch.com

    -- Idan


  154. on a quake server... by Barbarian · · Score: 1

    Better password spectator mode too (needpass 3), or someone can login as spectator, run "users", type "user x", where x is your username, and get the password...

  155. Better yet, reduce them...less to remember. by Christopher+Cashell · · Score: 1

    Better yet, reduce the number of passwords that you have to remember.

    I've found that about 85% or more of the passwords I need to remember are login passwords. So, in an effort to cut that down, I began using the RSA authentication available with Secure Shell. This lets me use the same password (passphrase, actually) to access all of them, while also allowing me a very quick and easy way of changing my password, and the increased security that comes with requiring my private ssh identity along with my password.

    --
    Topher
  156. Depends on proteced information... by Flu · · Score: 1
    I have a couple of standard passwords that I use (passoword, john_doe, xzyqyz-type of passwords, mainly), depending on how much I trust the service that protects my information, and the information stored there.

    Generally, when the service asks me to alter the password, I change one or several positions of the password (most often enough to fool the password change check-if-not-too-similar algorithm) in a way that is obvious to me, but not to anyone else, since there is no natural pattern involved.

    Even if some passwords more or less by accident may look like a correct word in one or several well-known languages, most don't - not in English, French, German or my native (Swedish) language. The reason is that I try to misspell or alter the spelling of words into something completely unrecognizable.

    /Fredrik

  157. Mnemonics that WORK... by Jurph · · Score: 2

    I change my major account passwds weekly; one week I needed to know the seven wonders of the world, so for the first week I used

    gwcgptoz3wow
    (Great Wall of China, Great Pyramid, Temple Of Zeus, 3 Wonders Of the World)

    then I had to know a torsion formula for engineering:

    theta_PLoverAE (theta = PL/AE)

    onward to a new friend I met and whose birthday I needed to remember:

    erica16june79

    That way, after logging into my account for a week, I know my password and a useful fact. When I realize that I no longer recite the mnemonic to myself each time I login, I know it's time to change over.

    --Jurph

  158. I hope w3/.org isn't really the password by J.+J.+Ramsey · · Score: 1

    I'd hate to think that you'd have to find yourself needing to change the password because you gave it away on Slashdot.


  159. my strategy by miahrogers · · Score: 1

    Take a random alpha code like "kynk" (no vowels, mind you). Then add in vowels to make it "keynok", then add some numbers to it: "keynok894". I find that to be rather secure; also, by making it pronounceable it makes it much easier to remember.

    matisse:~$ cat .sig

  160. Pretty Simple Method by randombit · · Score: 2

    Basically, I choose a phrase or common theme (like a musical group I like, etc) and then take the first letter or two of each word, then 37337-1z3 it. This can generate nice long passwords if you need them, for instance, my PGP key is encrypted with an 18 character long phrase based on a musical group, using such obscure things that it would be rather hard for someone to guess.

    Also, using pseudo-Perl code generates instant line noise passwords, and as long as you're up on your Perl, everything is easy to remember. For instance (this one is easy, but you get the idea):

    my=~s/$p4ss/@w0rd/g;

    It doesn't make sense, but that's ok.
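    As an added illustration (not part of this post or of posts 139 and 145, and not any poster's own code), the "first letter of each word, then substitute" recipe written out in Python, so "A Screaming Comes Across the Sky" becomes "ascats" and "hellsangels" can become "h3ll5ang3l5". The substitution table is this example's own assumption; any fixed table behaves the same way. The last two functions take the guesser's side: once the base word is known, each substitutable position at most doubles the search, so a word with k such positions has 2**k variants.

```python
import itertools
import re

# Letter -> digit substitutions of the kind the posters use. Assumption:
# this table is the example's own; the counting argument holds for any
# fixed one-character-to-one-character table.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def acronym(phrase: str, letters_per_word: int = 1) -> str:
    """Take the first `letters_per_word` letters of each word, lower-cased.
    'A Screaming Comes Across the Sky' -> 'ascats'."""
    words = re.findall(r"[A-Za-z']+", phrase)
    return "".join(w[:letters_per_word].lower() for w in words)


def leetify(text: str, positions=None) -> str:
    """Apply LEET at every substitutable index, or only at the indices in
    `positions` when one is given (the selective form the posters use)."""
    out = []
    for i, ch in enumerate(text):
        if ch in LEET and (positions is None or i in positions):
            out.append(LEET[ch])
        else:
            out.append(ch)
    return "".join(out)


def leet_variants(text: str):
    """Guesser's view: yield every way of applying LEET to a subset of the
    substitutable positions of `text`. With k such positions there are 2**k
    variants, the unchanged word and the fully substituted one included."""
    subs = [i for i, ch in enumerate(text) if ch in LEET]
    for r in range(len(subs) + 1):
        for chosen in itertools.combinations(subs, r):
            yield leetify(text, set(chosen))


def variant_count(text: str) -> int:
    """How many guesses cover every LEET spelling of one base word."""
    return sum(1 for _ in leet_variants(text))


if __name__ == "__main__":
    base = acronym("A Screaming Comes Across the Sky")
    print(base, "->", leetify(base), "|", variant_count(base), "variants")
    print(variant_count("hellsangels"), "variants of hellsangels")
```

    The practical reading of `variant_count`: substituting digits for letters adds a handful of bits on top of a base word that may itself be a dictionary entry, so the phrase or word chosen as the base is what carries the strength.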

  161. tattoo by mmmmbeer · · Score: 1

    I have my passwords tattooed on my forehead. Before you go saying that's a stupid idea, let me explain. I have them written backwards, so that other people can't read them. Then, when I sit in front of the computer, I can read them in my reflection in the monitor.

    Almost sounds like it could be true, doesn't it?

  162. Segmentation: identifier + zone based sequence by spid · · Score: 1

    I generally use a different password for each website, system, and device I have access to. I manage this by segmenting the password for each into 2 chunks. The first is a 2 letter abbreviation of the site/computer/etc. So yahoo, for example, would be 'yh'. To this I'll then append a standardized sequence of 4 semi-random numbers, say S7m3. The password for yahoo would then be yhS7m3. Furthermore, I'll use a different semi-random sequence for each of three zones:

    1. Public, untrusted websites
    2. Private, trusted 3rd party systems
    3. Personal workstation and systems

    This seems to be pretty secure, and allows me to easily come up with the password for a given system knowing its abbreviation and zone...

  163. Palms by krital · · Score: 1

    I keep my passwords to things on my Palm Pilot. Not the most secure method, granted, but it's secure from being h4x0r3d and it's easily accessible.

    --
    -- K
  164. Re:My strategey - 3 "zones" - one password per zon by whoseon3rd · · Score: 1

    Sounds like something I do, except I have 4 levels, with the top (hardest to break I hope!) being for my ISP, online banking, down to some BS websites that ask for it.

  165. Re:Sort of encrypted... by vkint · · Score: 1

    This is exactly what I do, but also throwing in a few numbers and punctuation marks where they make sense.

  166. Change it relative to current events in your life by Cyric · · Score: 1

    They don't have to be overly complicated. Some of my favorites have been to take short sayings from games I'm playing (Zub_Zug from WCII, for example), and combinations of abbreviations of games I'm playing. Take the game Thief (I played this some time ago). Shorten the entire title to TtDP (Thief, the Dark Project), and append another game's title: TtDP_98_MaMIV (Thief, 1998, Might and Magic 6).

    -Doug

    --
    Winners tell stories while losers yell deal.
  167. Just random ones... by splice42 · · Score: 1

    My preferred way to remember passwords is through their use. For all my important passwords, I just randomly type letters and numbers until I have 8 to 12 characters, then capitalize some of the letters. Just jot down the password on a piece of paper that you'll keep with you, and keep it until you remember the password without help (takes me maybe a week). Burn the paper afterwards.

    This ensures that you have a password no one can guess, and that would only be cracked through brute force after a few days/weeks of work (unless you don't burn the paper and someone finds it, that is). I also noticed that with this method, I tend to remember passwords a lot longer than if the password was somehow related to the machine I use it to login to. I still remember my first password made that way, from about 5 years ago for my first ISP (it was "fOe9Gm3C", but I never used it again).

  168. Use cryptograms by gatekeeper-eu · · Score: 2

    Firstly, keep the number to a minimum - for a minimum password length of 8 characters, 8 passwords is about the maximum users can cope with using this system. Users are required to think of a quotation, poem, a passage from a play, etc. which they ALREADY remember.

    Security administrators produce a card for each 'work-group', one per user. The card has the letters of the alphabet printed in any order, even random, in one column or line and a random selection of keyboard characters in a parallel line or column. Cards are replaced at 6 month intervals with a new combination of characters.

    The user simply spells out the remembered 'key' to themselves, one letter at a time, with the card to hand, looks at the alphabetic column/line and selects the corresponding code character for entry. When the card is kept 'private' this method of remembering passwords is far more resistant to cryptographic techniques than the machine on which it is being used.

    The habit of some users sticking the card on their VDU/terminal - "in case I lose it" - should be discouraged; this makes the system vulnerable to cryptographic techniques. Losing a card is no big deal anyway, as co-workers in the same 'group' have an identical card which may be borrowed to log in. Lost cards should of course initiate the replacement of all cards for the 'work-group'.
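    As an added illustration (not part of the post above, and not the poster's own software), the card scheme written out in Python: `make_card` builds one work-group card as a random one-to-one mapping from the 26 letters to 26 distinct keyboard characters, `encode` spells the remembered quotation through the card, and `decode` shows what anyone holding the card can do with a password derived from it. The pool of code characters, the 8-character truncation and the seeded generator are this example's own assumptions; a real issuing process would draw the card from a system random source and print it rather than keep it in a file.

```python
import random
import string

ALPHABET = string.ascii_lowercase
# Code characters a card may use: printable ASCII without whitespace, and
# without the quote and backslash characters that misbehave in shells
# (assumption: the poster does not say which characters were printed).
KEY_POOL = [c for c in string.printable[:94] if c not in "'\"`\\"]


def make_card(seed=None):
    """One work-group card: letters in a random order on one line, a random
    selection of distinct keyboard characters on the parallel line. `seed`
    makes the card reproducible here; issuing real cards would use
    random.SystemRandom() instead of a seeded generator."""
    rng = random.Random(seed)
    letters = list(ALPHABET)
    rng.shuffle(letters)
    codes = rng.sample(KEY_POOL, len(letters))   # distinct, so decodable
    return dict(zip(letters, codes))


def card_as_printed(card):
    """The two parallel lines as they would appear on the physical card."""
    keys = "".join(card.keys())
    return keys + "\n" + "".join(card[k] for k in keys)


def encode(card, remembered_key, max_len=8):
    """Spell the remembered quotation one letter at a time through the card.
    Case, spaces and punctuation are dropped first, so 'To be, or not to be'
    and 'to be or not to be' yield the same password."""
    letters = [c for c in remembered_key.lower() if c in ALPHABET]
    return "".join(card[c] for c in letters)[:max_len]


def decode(card, password):
    """What the holder of the card (or of its photocopy taped to a VDU) can
    do: the mapping is a simple substitution, so the password maps straight
    back to the letters of the quotation."""
    inverse = {v: k for k, v in card.items()}
    return "".join(inverse[c] for c in password)


if __name__ == "__main__":
    card = make_card(seed=42)
    print(card_as_printed(card))
    pw = encode(card, "To be, or not to be")
    print(pw, "->", decode(card, pw))
```

    Because the same letter always maps to the same code character, repeated letters in the quotation show up as repeated characters in the password; that is the property that makes a card in the wrong hands reduce the password to the quotation itself, which is why the post has every card in the group replaced when one is lost.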

  169. Re:My strategey - 3 "zones" - one password per zon by Fuhrer · · Score: 1

    Me too. All of my zones have random alphanumeric passwords, but I only have 2 sites including my ISP where I use Zone 1 passwords, down to probably about 50 where I use my Zone 3 password

  170. Re:My strategey - 3 "zones" - one password per zon by Steepe · · Score: 2

    I do pretty much the same thing. I use a random character generator to kick out a few passwords, pick the hardest one for stuff that matters.. boxes only I have root on, etc. Then I use the next hardest one for boxes someone may need root on at some point, then I use the next for personal accounts I care about, then I use the name of the week with a number or two thrown in for sites I could care less about. Once every couple of months I kick out some new passwords and change them all and voila. I have also figured out with the random garbage my passwords are, if someone needs root and I give it to them, they don't remember it the next day and have to ask again.

    --
    Just three more hours seapeople and you can finally take me away from this crappy God Damned planet full of hippies
  171. Cool way not to Remember by Skyfox60 · · Score: 1

    I got one of those Timex watches that has some nifty memory for phone numbers... hmm, that's where all of my weird unmemorizable passwords go until I use them so much that they type themselves. I never take the watch off so it gets all sorts of combinations on it also. It does require you to input the info into the comp before it is transferred to the phone directory on the watch. However I can store ten entries by changing the string of the different alarms (yes it has ten programmable alarms). Never have to memorize anything again. Reading the name off of the watch... Timex Data-Link Ironman Triathlon. $60 some time ago... extra... does numbers, letters and some symbols... getting off topic, ah what the heck, I swim with it also. Can't lose it like a note on paper... I recommend it... Anyone else use one?

  172. Database by Sanat · · Score: 1

    I use a small database that is encrypted. The program works similarly to "Password Pal" that is used on Windows. This allows me to easily move from system to system and still have my 30+ passwords. For the Windows systems that I am forced to work upon I do use Password Pal, which is a free software package (or was; it may be shareware now).

    --
    And in the end, the love you take is equal to the love you make
  173. Passwords. by kezdeth · · Score: 1

    Well, I need to keep track of 28 different passwords for various machines, so my practice is to keep this info contained in a file on an electronic organiser (that has yet another password!) I have never shared the organiser password with anyone, nor do I allow anyone to handle the thing, so that is the one password that I never change. Any time I update a password elsewhere I update the organiser, and I am good to go. I realise there must be more secure methods, but what the hell, it works for me.

    --
    Kez
  174. It all matters WHERE you store them! by Lally+Singh · · Score: 1
    I make completely unrecognizable, unreadable passwords that my muscles remember. The typical problem with that is you have to write them down for a bit to remember.

    So, that asks the question, where do you write the passwords? The one place only YOU would look... that's right, on the underside of your balls! Take a small mirror (usually a girlfriend's compact works well :-), and write the password down in reverse. Every time you have to look up the password, unzip, insert the mirror, and look for yourself! Unless you have issues with your wife, mistress, or favorite paid escort, your data is secure :-)

    --
    Insanity Takes Its Toll. Please Have Exact Change

    --
    Care about electronic freedom? Consider donating to the EFF!
  175. My stupid method by dxkelly · · Score: 1

    This is a little embarrassing to say, but I've been keeping a passwd.wps file on my Winblows box. :-) No one has access to the box but myself, but I just now deleted it anyway since I only have two passwords to remember currently.

  176. Crypt() The ultimate solution by Bruj0 · · Score: 1

    Well, I had the same problem, so I was thinking: what about the function crypt()? It gives you the same string if the same SALT and TEST is given,
    so I made this really cool proggy:

    The GateKeeper
    Salt (0-99): 9
    Test (0-8): mipass

    the password is: C996nht8lq

    So, the thing here is that you just REMEMBER ONE number for all the PASSWORDS, and you don't have to remember the pass for foo like "C996nht8lq" BUT
    like "mipass". See my point? Later.

    Bruj0. any other ideas plz send to bruj0@phreaker.net

    --
    http://securityportal.com.ar
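    As an added illustration (not part of the post above, not the poster's "GateKeeper" program, and not the code of the zone-plus-site-tag scheme in post 162), the same idea in Python: one remembered master secret, plus a public per-account label, deterministically produces the password for that account, so nothing has to be stored. The example swaps crypt(3) for PBKDF2-HMAC-SHA256 from the standard library, since crypt's output was designed for storing verifiers rather than for generating passwords; the label prefix, the output length and the iteration count are this example's own assumptions. For the zone idea from post 162, use one master secret per zone. The second function is the check a practitioner wants: an attacker who learns one derived password and knows the account label only has to guess the master secret, so the master secret carries all of the scheme's strength.

```python
import base64
import hashlib


def derive_password(master_secret: str, account_label: str,
                    length: int = 16, iterations: int = 200_000) -> str:
    """Derive the password for one account from a remembered master secret.

    `account_label` ("foo", "yahoo", a hostname) plays the part the poster
    gave to the salt: it is public and only has to be different per account.
    PBKDF2-HMAC-SHA256 stretches the master secret so that guessing it from
    one observed output costs `iterations` hashes per guess. The result is
    base64 encoded (letters, digits, '+' and '/') and truncated to `length`.
    The "gatekeeper-example:" prefix is an assumption of this example.
    """
    salt = ("gatekeeper-example:" + account_label).encode()
    raw = hashlib.pbkdf2_hmac("sha256", master_secret.encode(), salt, iterations)
    return base64.b64encode(raw).decode()[:length]


def recover_master(observed_password: str, account_label: str, guesses,
                   length: int = 16, iterations: int = 200_000):
    """What an attacker holding ONE derived password can do: the label is
    public, so they try candidate master secrets until one reproduces the
    observed password. Returns the recovered master secret, or None."""
    for guess in guesses:
        if derive_password(guess, account_label, length, iterations) == observed_password:
            return guess
    return None


if __name__ == "__main__":
    master = "mipass"                       # the one thing the user remembers
    for label in ("foo", "bar"):
        print(label, derive_password(master, label))
    # Constructed guess list for the demonstration; a real attacker would
    # run a wordlist through the same loop.
    leaked = derive_password(master, "foo")
    print("recovered:", recover_master(leaked, "foo", ["password", "mipass", "letmein"]))
```

    Two consequences follow directly from the code: the same master secret gives the same password every time on any machine that has the function, which is the convenience the poster was after, and a single leaked output plus a weak master secret exposes every account derived from it, which is why the master secret has to be a strong passphrase rather than a short word.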
  177. Easy way to remember passwords by ixion · · Score: 1

    Hi!

    I take info about the box, say the hostname is
    apple and the owner / sysadmin of the box's name is Peter, I'll use something like

    "peter box" or "applebox -> peter" Of course the idea is to use short names so you can throw as much stuff in between the first 8 characters (which is what matters).

    I also usually take useful numbers, e.g. my PIN numbers, ID number, Student number, etc., shuffle them and use them as well, and I replace some of the letters with obvious stuff, e.g.

    "5p0e1t3r" See, I mixed peter with 5013 which comes from my ID number, now I replace the E's with 3's and make the first and last letter capitals. Also if there were spaces left, I would've added punct's (e.g. ^&*)*(, etc.) It's always easy to remember if you can visualize it and if it's symmetrical e.g.

    ")**(" or "%%HAHA%% (:"

    I find it very useful to always use the info about the box on which the password is and the account as a starting point, and I tend to standardize on which way I do substitutions and keep the subset small. That way, I never forget the passwords and even if I do, I can guess it with minimal effort.

    Hope this helps...

  178. Passwords by KimmBadd · · Score: 1

    I have eight passwords that I change every four weeks. I use George Carlin's "the 7 words you can't say on television" plus one of my own, and I rotate them.

    --
    I have a big bag full of two cents and I'm coming your way.
  179. PW Storage by NeuralAbyss · · Score: 1

    I encrypt my passwords (multi-pass twofish, blowfish and rc6) in a self-developed proggie (dozeCrypt)

  180. reminders by orz · · Score: 1

    I keep a text file around that contains vague descriptions of all my passwords. Things I can remember them from that wouldn't be very useful to anyone else, like "a *judicious* injection of ____ ; a mountain" Unfortunately, I don't have a PDA, so I often don't have access to that file... so for some of my less important accounts I share passwords and/or use simple permutations to make things easier to remember. Insecure, but for a hotmail account who cares?

  181. Re:kinda like personalized licence plates by drum · · Score: 1

    I use a similar method, except I take the algorithm farther.

    I have several of these vanity-plate type phrases, in a variety of languages. So, if all else fails, I can just try each of them in succession.

    But that doesn't always work, since I not only have two handfuls of passwords, but two handfuls of UID's. So I make sure that each password has a unique character or series of characters that is non-alphabetic, and I keep a file hidden away that contains a list of the machine name, my UID, and the single non-numeric character in the appropriate password (for each account).

    I don't bother to encrypt the file because I find it unlikely that someone could guess the phrase from looking at a series of non-alphabetic characters, let alone tell the difference between machine names and user names and passwords. Basically, it's encrypted by my own logic and personal knowledge. If I really wanted to encrypt it, I could turn the list into a story. . . :)

  182. Re:My strategy - 3 "zones" - one password per zon by Corrado · · Score: 1

    Yup, that's kinda what I do. I have a couple of important passwords (work, Linux boxen at home, etc.) that are unique. But most of the passwords I use are just throw away. I use them to download trial software or read news articles. Fluff.

    Later...

    --
    KangarooBox - We make IT simple!
  183. Palm Revolutionised my password policy by waz · · Score: 1

    I used to have about three or four 'favourite' passwords that I'd use and rotate about accounts, slightly modifying it each use. Now I have a Palm Pilot running Cryptinfo, I can make up totally varied passwords any time, as I know they are securely stored. My favourites are now used to secure Cryptinfo. As my Palm rarely ever leaves my side, I can feel safe about my password repository, and know that all my accounts are using original passwords. Oh, and if you ever get the chance to change a friend's password, change it to 'obvious'. Hours of fun can be had. 'Come on, what's my password?' 'Look, I told you it's obvious...!'

  184. Physical constants and/or functions as passwds by tapir · · Score: 1

    I used to use very simple passwords like my name followed by a number and I would change that number. Problem was I became predictable with the choice of numbers. So I had to come up with a new strategy...
    For those of you who know LaTeX and some physics, $y=\over{1}{2}gt^2$ makes a nice password.

  185. A little trick. by Abigail-II · · Score: 1

    Here's a little trick that will allow you to store all your passwords in a plain text file, or on a piece of paper. For the sake of the explanation, assume passwords consist of numbers (but it generalizes to any alphabet). Start with a table like below:

    X|0 1 2 3 4 5 6 7 8 9
    -+-------------------
    0|0 1 2 3 4 5 6 7 8 9
    1|1 2 3 4 5 6 7 8 9 0
    2|2 3 4 5 6 7 8 9 0 1
    3|3 4 5 6 7 8 9 0 1 2
    4|4 5 6 7 8 9 0 1 2 3
    5|5 6 7 8 9 0 1 2 3 4
    6|6 7 8 9 0 1 2 3 4 5
    7|7 8 9 0 1 2 3 4 5 6
    8|8 9 0 1 2 3 4 5 6 7
    9|9 0 1 2 3 4 5 6 7 8

    Pick a secret key, as long as your password(s). This is the only key you need to remember and keep secret. Say your secret key is "14769134". Now you have a new password, say "34987629". Encrypt this using the key on a digit by digit basis, by using both digits as an index in the table, and writing down the value. So, 1+3 -> 4, 4+4 -> 8, 7+9 -> 6, etc. Or:

    Password:  34987629
    Key:       14769134
               -------- +
    Encrypted: 48646753

    Write down "48646753" on a piece of paper and stick it on your monitor.

    Decryption is as follows: this goes on a digit by digit basis as well. The first digit of the key is `1', the first digit of the encrypted password is `4'. Look in the column marked `1', drop till you hit `4', then go left. This gives `3'. Etc, or:

    Encrypted: 48646753
    Key:       14769134
               -------- -
               34987629

    Alternatively, find the inverse of the key ("96341976") and use the encryption algorithm to decrypt it.

    You can encrypt as many passwords as you want this way, all encrypted using the same key. This remarkably simple algorithm can easily be done by hand; print out the conversion table and encrypted passwords, decrypt letter by letter, and type the decrypted letters in as you decrypt them.

    If the passwords are picked randomly over the set of all possible passwords, and no password has been compromised, there's no way of cracking this encryption scheme, as any possible password will have a unique key that decrypts the encrypted password to that possible password.

    Of course, once a single password gets compromised, the key is trivially found, and all other passwords will fall as well.

    -- Abigail
    (*grumble* Slashdot screwed up the formatting. If only they would allow the PRE element....)
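    The table scheme above as working code, generalized to any alphabet (an added example, not Abigail's own). The digit alphabet reproduces the post's numbers; FULL_ALPHABET is an assumed character set for real passwords. The last function is the caveat from the closing paragraph: one known password and its encrypted form give back the key.

```python
DIGITS = "0123456789"
# Assumed alphabet for real passwords; any ordering works as long as the
# same string is used for both encryption and decryption.
FULL_ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*")


def build_table(alphabet=DIGITS):
    """The lookup table from the post: row r, column c holds alphabet[(r + c) mod n]."""
    n = len(alphabet)
    return [[alphabet[(r + c) % n] for c in range(n)] for r in range(n)]


def _indices(text, alphabet):
    """Map each character to its position in the alphabet."""
    idx = {ch: i for i, ch in enumerate(alphabet)}
    try:
        return [idx[ch] for ch in text]
    except KeyError as e:
        raise ValueError(f"character {e} is not in the alphabet") from None


def encrypt(password, key, alphabet=DIGITS):
    """Symbol-by-symbol table lookup: output = password + key (mod alphabet size)."""
    if len(key) < len(password):
        raise ValueError("key must be at least as long as the password")
    n = len(alphabet)
    return "".join(alphabet[(p + k) % n] for p, k in
                   zip(_indices(password, alphabet), _indices(key, alphabet)))


def decrypt(ciphertext, key, alphabet=DIGITS):
    """Reverse lookup: the row that yields the ciphertext symbol in the key's column."""
    if len(key) < len(ciphertext):
        raise ValueError("key must be at least as long as the ciphertext")
    n = len(alphabet)
    return "".join(alphabet[(c - k) % n] for c, k in
                   zip(_indices(ciphertext, alphabet), _indices(key, alphabet)))


def inverse_key(key, alphabet=DIGITS):
    """Key that makes encrypt() behave as decrypt(): each symbol k becomes (n - k) mod n."""
    n = len(alphabet)
    return "".join(alphabet[(-k) % n] for k in _indices(key, alphabet))


def recover_key(password, ciphertext, alphabet=DIGITS):
    """The weakness the post ends on: ciphertext minus one known password is the key,
    and that key then decrypts every other password written down with it."""
    return decrypt(ciphertext, password, alphabet)


if __name__ == "__main__":
    for row in build_table():
        print(" ".join(row))
    print(encrypt("34987629", "14769134"))   # 48646753, as in the post
    print(decrypt("48646753", "14769134"))   # 34987629
    print(inverse_key("14769134"))           # 96341976
    print(recover_key("34987629", "48646753"))  # the key, 14769134
```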

  186. Oh it's Quite Simple Really... by Lord+Bitman · · Score: 1

    I pick a password so obscure and meaningless that it can't help but be remembered.
    One that I don't use anymore is "cr02a". I saw it on my hard drive once and the name was so meaningless (it means cursor resource: version 2, file a) that my brain just couldn't help but remember it.

    Ok fine, so it's not flawless, but I've never forgotten one using this method. The first time I used this was when I saw an obscure encryption in a book I don't know the name of and didn't even mean to open. It was so odd, I made myself memorize it. I didn't really know why, but within weeks I was using it as a password. That didn't last long, because I later used it as a folder name for a web page after I couldn't come up with a name for my page, but still. It works. I like it. And no one else knows what I'm talking about.

    --
    -- 'The' Lord and Master Bitman On High, Master Of All
  187. Random l33t babblings by _outcat_ · · Score: 1


    I have a strangely sharp memory for retaining strange 3l33t-sp33k jargon. As expletives, my friends and I often use odd made-up geek words...

    "Flarn! I forgot my passwd."
    "Frig foo fleen!"
    "Spootmonkeys!"
    "Gtkwidgets, would you get that away from me..."

    ...and the like. The next step, then, is convert a random geek babble into 31337-hax0rese.

    Lame examples:
    GtKw1dg3t, sp00tm0nk3y5

    But, any idiot can decipher 31337-speak, so separate the word sp00t and m0nk3y5 and intersperse the characters: ms0pn0k03ty5

    Now you have a random mess of geek-babble, easy to remember if your brain is a random mess like mine.

    --
    Angry IT woman in big clompy boots. And talking lint!
  188. Re:Finger drumming by SamIIs · · Score: 2

    Also, if I ever lose an arm I'm locked out of all my accounts...

    I usually use the front of my cranium to bash passwords into the keyboard. I figure, if I lose the front of my brain, I can do without being able to login to /.

  189. Serial numbers work great too by jdeitch · · Score: 1


    I own lots of electronics (computers, TVs, stereos, pro audio, videogames, pinball machines, etc.) ... each has a unique serial number consisting of both letters and numbers.

    There are endless combinations and possibilities, and if you forget the #, you just walk into the gameroom and read the # off the back of the game !

    Unless someone knows exactly what equipment you have, and has the serial numbers of that equipment, it is likely to be highly secure.

  190. So what? I'm paranoid. by Rene+Tseraski · · Score: 1

    I use entirely random means of generating passwords. Computer programs generate most of my passwords; Diceware works well for passphrases, and a modified form can be used for simple passwords as well. During the time it takes for me to memorize the passwords, I place them in a PGP-encrypted file on a floppy; after they're safely locked away in my mind, I burn the disk, grind the ashes up, and throw them into running water. Although I'm not sure exactly how secure it is, Password Safe on Windows is good for managing low-security website logins.

    But if I didn't use entirely random schemes, I wouldn't be telling anybody. Why are so many people here giving away their schemes?

    Sure, I may be paranoid; if the scheme is good, describing it only reduces its efficacy, and not many crackers will take the time and energy to analyze a scheme of that sort to attack one person. But then again...

    -- Rene

  191. passwords are nowhere to be found by The+Queen · · Score: 1

    The ultimate security - I just REMEMBER them.

    I try to make sentences with characters, like OU812. :-) Sort-of like license plates.

    Some of them can get pretty dirty, hehehe.
    The Divine Creatrix in a Mortal Shell that stays Crunchy in Milk

    --

    The House Between - Original Sci-Fi Series
  192. simple and easy, but seems to work by iseymour · · Score: 1
    I started reading this thread hoping to pick up a new password strategy. I guess I did this based on the assumption that my system/strategy was fairly weak, but honestly, after reading through some of the hopelessly complex, overly simple systems, or PDA dependent (working on breaking my 3rd Palm now) systems listed here, I think I'll stick with what I have.

    Ok here's what I do:

    I use a set of names that have meaning to me, and intersperse them with alphanumerics. I then rotate all passwords through this system so that all of them are on the same system. In order to keep my life simple, I also keep one single, simple password for all of those things that need a password, but aren't really life or death.

    I don't think that the explanation above made a hell of a lot of sense, so here is an example. I was on a real Francis Ford Coppola (FFC) run a while back, so all my passwords dealt with him, his work, or his personal life.

    Whenever I needed a password, I would take something FFC related, such as Apocolypse Now, and "password-ize it". Apocolypse Now would become a8pocolyps8en8o8w. Probably not susceptible to dictionary cracks, but it does follow a pattern that has meaning to me. All I have to remember is the "key" (not a totally accurate term, but you know what I mean: Francis Ford Coppola), the pattern (where I insert the alphanumerics), and the correct alphas (8).

    At worst, using this system, I have had to hit one of the big movie sites to look up FFC's filmography and then cycle through the list of movies.

    If I thought I needed something really obscure (i.e. for anything work or finance related), I might take someone who worked on the film, such as the editor, and work their role and name into the password.

    The trickiest part is remembering everything that I have a password to, and figuring out when I signed up for it so that I know which system I was using at the time. This is why I try to update everything at once in a single, super boring password update fest...

    The topic that I honestly haven't seen covered very much that is probably just as important is the remembering of usernames. As more and more people come online, it is harder and harder to be the first person to sign up for a service using your 'nick. I try to keep a couple, and then hope that I can get one of those to work.

    Anyone found anything better?

  193. Non-roman languages by oakestv · · Score: 1
    A previous poster had a suggestion for people who had a musical background. This method could work for those who know a language that does not use the roman alphabet (uses letters A-Z -- Most Asian, Greek, Russian, Arabic, Hindi, Aramaic?, Phoenician!)

    Obviously this is somewhat subject to a dictionary cracker but the spellings are usually based on phonetics so precise translations are tricky in non-roman languages. With slight modifications you can assure the words wouldn't show in a dictionary attack.

    In my case I was learning Japanese.
    The word for boy is pronounced otoko-no-ko. I didn't use the hyphens if they were part of the word, but I suppose that would help the quality. This happens to be something of a compound word, but you can experiment in your language.

    The result will not produce root quality passwords -- they'll be all alpha, but the products can easily be long if you use a sentence ( watashi-wa-gishi-desu - I'm an engineer ) making cracking that much harder.

    Add some spice here and there ( begin and end with important dates ) and pow! Fairly strong, easily remembered passwords.

    Try it with perl or C!

  194. Movie Buffs? by tommck · · Score: 1

    If you're a movie buff, just take a line from one of your favorite movies, like, say Pulp Fiction. "Royale With Cheese" Then, you can just jam the words together. Maybe insert some special chars in front, in the middle, or at the end.

    Examples:
    "Royale*With*Cheese" or just "1Royale"
    "Pig%Filthy"
    "African&Swallow" (Holy Grail)

    OR, for those of you who are Brazil (the movie) fans, use the elevator password: "ereiamjh"!
    (jeremiah scrambled)

    Anyway, otherwise, you could use things like book titles or your favorite cars. Not too hard at all.

    T

    ~~~~~~~~~~~~~~~~~~
    Tom McKearney

    --
    ---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
  195. prefix and paper by engel · · Score: 1

    I got this from a guy who has been doing mainframe security for 16 years.

    OK, decide on a really, really uncrackable prefix, like $9_vI4! or something that is SOOOOO not a dictionary word.

    Then, every time you make a password, prefix (or suffix) this SAME set of characters to a word or other password (for the really paranoid, use something just as esoteric as the prefix; for simplicity, use a word) and WRITE DOWN this word.

    Now, memorize the prefix/suffix and make sure that you know the current password.

    For example, in week one I have a password of:
    $9_vI4!engel
    and have 'engel' on a piece of paper on my desk (and memorized $9_vI4!)

    the second week i change the passwd to:
    $9_vI4!marx
    and I have 'marx' written on a piece of paper on my desk.

    Now, anyone who sees the paper will still not be able to get into the account because they don't know the prefix/suffix. BUT you use the prefix/suffix so much you aren't going to forget it, so that is safe, too.

    There is no such thing as an easily-memorizable password that is secure, but this is about as secure as it gets without getting rid of 'memorizability'.

  196. Closed cryptographic software is a liability by Morgaine · · Score: 2

    CryptInfo may be a great bit of software, but what use is that if you can't trust it since the code isn't open?

    This isn't to impugn its author in any way: the software could have been compromised without his knowledge, or else his family might be held under risk of murder unless he distributes a non-obvious backdoor.

    Cryptographic software has to be open-sourced, full stop. No exception.

    Strip is GPL'd, so even if it were god-awful (which it isn't), at least one can trust it.

    --
    "The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
  197. Aging for ease of memory. by Squeamish+Ossifrage · · Score: 1

    I haven't got any grand insights into generating passwords, but I have a system I like for tracking them. It's a little like the "zones" idea someone else mentioned.

    For the most critical things (bank, broker, root on anything important) I have a different password for each one. I come up with passwords using any of the usual "easy to remember, hard to guess" schemes. I change passwords every two months for these.

    But, having gone to the effort of memorizing the passwords, I don't want to throw that work away. So once I'm not using a password for anything critically important, I push it down the stack for use on less-important accounts.

    Repeat as far down as one cares to go.

  198. Speaking of 3l337 rules by grappler · · Score: 2

    does anyone know of a UNIX command line filter that can convert plaintext to 3l337 text? There are some cool things one could do with that.

    Actually, what I would really like is a proxy server that "Eleetizes" all communication going through it, while keeping links and such intact. That could be fun.

    I could easily write the former myself if it does not exist, but I don't know how to write a proxy server...

    --
    grappler

    --
    Vidi, Vici, Veni
  199. Dead Mathematicians by Lour · · Score: 1

    Very simple, find a dead mathematician and what formula he came up with.
    Here is an example:

    Gassian did work on matrices (many dimensions and how to inverse them)
    So we have "Gassian and Matrix and Inverse"
    so we get:
    3xGassian3!
    or in English: !3x3 Gassian
    get it 3x3 matrix (! inversed) and the name.
    tada, a password that is quite secure.

    --
    -Lord Shadow
  200. Pragmatic idealism by Jules · · Score: 1

    The homunculus inside my head likes the idea of open source -- especially when crypto's involved. However, Strip wasn't around when I needed to put all of my passwords in one place and of what was available, CryptInfo was the way to go. It was either this, weak passwords or -- shudder -- PostIt notes.

    <just kidding>And what are you doing using a Pilot anyway? The OS isn't GPL'd!</just kidding>

  201. not necessarily by Siva · · Score: 2

    if the system allows an unlimited number of authentication requests to be made without imposing a delay between requests, or if you have the hashed/encrypted string to match against, then yes.

    --Siva

    --

    Keyboard not found.
    Press F1 to continue.
  202. Howbout this? by Dast · · Score: 2

    Just make it a cgi script that takes an url as a parameter, as in:

    http://yourbox.com/cgi-bin/make-leet.pl?target=http://slashdot.org

    or something similar. Just have the script grab the page in question, leet'ize it, and print it back out. Not too hard. A while back I wrote something like that to remove relocate urls from places like excite.

    --

    This sig is false.

  203. Pronounceable gibberish by Deliverator · · Score: 1

    If I must use a password, my favorite way to make one up is to use a generator which produces pronounceable nonsense. The one I currently use can be found at:

    http://www.multicians.org/thvv/tvvtools.html#gpw

    Its output looks like:
    rdervent
    agissoak
    irogabra
    crungled
    tranderf
    sonapoki
    cildebum
    nareamew
    pheateek
    sitorack

    It reads in /usr/dict/words, produces a tree of trigram probabilities, and does a number of random walks of that tree. The only thing you sort of have to watch out for is the tendency to alternate vowels and consonants.

    As is, the generated words are fair (only about 30 bits of entropy). Spice with numbers and punctuation, and that's about as secure as you can get using human-memorable passwords.

    --

    --
    Don't question authority -- they don't know either.
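    A small version of the generator described above, as an added example that is not the gpw tool's code: trigram counts built from a word list, random walks over them, and the surprisal of each walk in bits as a rough per-word entropy figure. The word list is constructed inline in place of /usr/dict/words, so the output and the bit counts depend on it and on the seed.

```python
import math
import random
from collections import defaultdict

# Constructed stand-in for /usr/dict/words; a real list gives a far richer model.
WORDS = """
about above after again along amber angle animal answer apple around arrive
basket battle beach bread bridge bright broken butter candle carbon castle
center change cheese circle clever cloud coffee collar corner crystal
danger dinner doctor dragon dream drift eagle early earth engine enter
evening fabric father field finger flower forest friend garden gentle
giant glass golden green ground guitar hammer harbor heart hollow honey
island jacket jungle kettle kitchen ladder lantern lemon letter little
marble market meadow metal mirror morning mother mountain nature needle
night number ocean orange paper pencil planet pocket purple rabbit river
rocket saddle shadow silver simple sister smoke spider spring stone stream
summer sugar table tender thunder timber travel tunnel valley velvet
village violet water window winter wonder yellow
""".split()

END = "$"  # end-of-word marker, so the model also learns how words finish


def trigram_model(words):
    """counts[pair][c]: how often letter c follows the two letters in pair.
    Words are padded with '^^' so the first letters are conditioned on a start context."""
    counts = defaultdict(lambda: defaultdict(int))
    for w in words:
        padded = "^^" + w.lower() + END
        for i in range(len(padded) - 2):
            counts[padded[i:i + 2]][padded[i + 2]] += 1
    return counts


def generate(model, length=8, rng=None, max_tries=1000):
    """One random walk through the trigram table, as gpw does.

    Returns (word, bits): bits is -log2 of the probability of this exact walk,
    i.e. how surprising the word is to someone who knows the model. A walk that
    reaches a context with no continuation before `length` letters is retried."""
    rng = rng or random.Random()
    for _ in range(max_tries):
        word, bits, ctx = "", 0.0, "^^"
        for _ in range(length):
            choices = {c: n for c, n in model.get(ctx, {}).items() if c != END}
            if not choices:
                break
            total = sum(choices.values())
            letter = rng.choices(list(choices), weights=list(choices.values()))[0]
            bits -= math.log2(choices[letter] / total)
            word += letter
            ctx = ctx[1] + letter
        if len(word) == length:
            return word, bits
    raise RuntimeError("could not generate a word of that length from this model")


def generate_batch(model, count=10, length=8, seed=None):
    """Several words from one generator; a fixed seed makes the batch reproducible."""
    rng = random.Random(seed)
    return [generate(model, length, rng) for _ in range(count)]


def alternation_ratio(word, vowels="aeiou"):
    """Fraction of adjacent letter pairs that switch between vowel and consonant:
    the tendency the post warns about, since it narrows the set of likely words."""
    pairs = list(zip(word, word[1:]))
    switches = sum((a in vowels) != (b in vowels) for a, b in pairs)
    return switches / len(pairs)


if __name__ == "__main__":
    for w, b in generate_batch(trigram_model(WORDS), seed=2001):
        print(f"{w}  {b:5.1f} bits  alternation {alternation_ratio(w):.2f}")
```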
  204. Since when is ash nazg gimbatul a common... by guardian-ct · · Score: 1

    ...household phrase?

    It'd probably work well as a password without all the excess hash-functions :-)

    It looks like a reference to Tolkien, so, without further ado...

    Here's my not current password suggestion... Use the Vax password setting program that chooses from random phonemes, such as co-di-th-me-ow-roh. Run it several times, since the default is to provide only three phonemes. You now have a pronounceable, pseudorandom, fairly random password, with a little more randomness than random text from a book.

    Ignore that, and go to the lava-lamp random bits website. grab some hexadecimal bits, toss the high-order(eighth) bit, toss illegal characters, convert to ascii, and use them for your password. Choose bits from somewhere in the middle, as anyone can see the current random bits.

    There you go... One of the world's most expensive password generation routines. (6 lava-lamps, digital camera, SGI O2 as server, world-wide network recommended.)

  205. Forget Passwords - Try Biometrics by rlowe69 · · Score: 1

    You know what? People of the future will look back on Sysadmins and other people that use a billion passwords and wrack their brains at how much thought and energy went into security.

    It's obvious that once biometrics becomes mainstream, passwords will be out the window. Soon the definition of a "secure" password will be a combination fingerprint, voice and retinal scan. The benefits will be so great, that mass production will bring the prices down to reasonable levels. Who knows, we may even be able to open our front door or start our car just by saying a single word. Sweet, if you ask me.

    So forget passwords! They'll be gone in 10 years max. I'm just surprised more people aren't pumping money into this ...

    --
    ----- rL