Coming up with a password that is very strong.


Re: Coming up with a password that is very strong.

tanstaafl-2
On 2/4/2019, 8:10:57 PM, Dale <[hidden email]> wrote:

> Tanstaafl wrote:
>> I've been using a little Firefox Addon called Passwordmaker for many,
>> many years, and despite all of its warts, I've been loathe to give it
>> up, even though it will never be upgraded to work as a WebExtension.
>>
>> 2 things I loved about it -
>>
>>  a) it doesn't save the password locally, only info about the
>>     site/account, and
>>  b) you can use an unlimited number of Master Passwords
>>
>> I'm looking at migrating to KeePassXC, and even though I really hate the
>> idea of saving the actual password - Passwordmaker simply generates the
>> password on the fly each time based on certain specified criteria (ie,
>> the site URL, username, password length, etc for each account - one
>> technique I adopted shortly after assisting in updating the
>> Passwordmaker website eases my mind about it...
>>
>> This is a simple technique I strongly recommend that everyone employ,
>> especially if you use a Password manager (like LastPass or KeePass)...
>>
>> It is uncrackable (well, as long as it isn't the CIA or NSA that wants
>> to crack it and they are willing to kidnap/torture you to do so).
>>
>> You sit down and come up with a ... call it a 'password modification
>> protocol' ... whereby, you always modify your generated/stored password
>> in a specific way before pressing enter.
>>
>> For example, you delete characters 3, 5 and 7, then add 2 characters to
>> the beginning and 2 to the end.
>>
>> It is very simple, and negates worrying about someone stealing your
>> password vault.

> I tried to find it just to see how it works but it isn't listed.

What... Passwordmaker (the old one I still use and why I keep an old
Firefox 56 portable version around)?

> From what you wrote, you may want to at least check into LastPass.

I did a massive amount of research (including LastPass), and settled on
KeePassXC for a good reason.

> Still, I'm sure there is a tool that will suit your needs.

? It's like you didn't really read my email. I already said, I'm
migrating to KeePassXC. But my complaint is, nothing works like
Passwordmaker (again, it doesn't store passwords, can only use one
Master Password).

> I'm not sure I understand what you mean password modification protocol. 
> It sounds like you change your master password each time you use it.

No, I'm talking about the saved (or in Passwordmaker's case, generated)
password, not the Master Password.

Doing this with the Master Password wouldn't make any sense.


Re: Coming up with a password that is very strong.

Mark David Dumlao-3
In reply to this post by Jack
On Tue, Feb 5, 2019 at 3:39 AM Jack <[hidden email]> wrote:
> The problem I have with many of these suggestions is that I have
> multiple devices (two desktops, two laptops, tablet, android phone) I
> use sufficiently often that I either need to be able to remember the
> passwords or have some way of easily accessing them when I'm not
> sitting at my main desktop.  Other than using a password manager (which
> I do not currently have) how to others deal with this?
>
> Jack

Haven't posted here in a long while. I personally do not trust password managers
for (1) the same reason you gave above and (2) typically the way around it is
they store your passwords in the cloud which is all sorts of facepalm from a
security perspective.

My own solution is actually very simple. I have a "secret algorithm" that
incorporates several secrets with a predictable way to generate a
site-specific secret. The end result is a 100% predictable way to generate
unique passwords for every site that are cryptographically secure from each
other (you cannot derive one from the other) which can be generated by any
device using the appropriate tools. There is also a protocol for password
shifting in case any single password is revealed.

The long and short of it is that you can combine secure passwords with
hashing techniques, site-specific data, and truncation / peppering in a
predetermined way that is easy for you to remember but guarantees that the
original secret data is irrecoverable. Then all you need is the hashing
program on, say, your phone, and you will always be able to generate the
site-specific password when needed. In effect the algorithm is your secret,
the site-specific password is just a side effect of that secret.
--
This email is:    [ ] actionable   [x] fyi        [x] social
Response needed:  [ ] yes          [x] up to you  [ ] no
Time-sensitive:   [ ] immediate    [ ] soon       [x] none


Re: Coming up with a password that is very strong.

Neil Bothwick
On Wed, 6 Feb 2019 04:28:49 +0800, Mark David Dumlao wrote:

> My own solution is actually very simple. I have a "secret algorithm"
> that incorporates several secrets with a predictable way to generate a
> site-specific secret. The end result is a 100% predictable way to
> generate unique passwords for every site that are cryptographically
> secure from each other (you cannot derive
> one from the other) which can be generated by any device using the
> appropriate tools.

There was a tool in portage that did this. I tried it but it did not work
in the real world because you couldn't set a rule for generated passwords
that matched the requirements of all sites, for example some require a
non-alphanumeric character while other sites only allow alphanumerics.

I can't remember what the tool was called, although I'm pretty sure it
was written in Python. I'd be interested to know how you get around the
conflicting restrictions as this seems a good way to do things.


--
Neil Bothwick

MIPS: Meaningless Indication of Processor Speed


Re: Coming up with a password that is very strong.

Dale-46
In reply to this post by tanstaafl-2
Tanstaafl wrote:

> On 2/4/2019, 8:10:57 PM, Dale <[hidden email]> wrote:
>> Tanstaafl wrote:
>>> I've been using a little Firefox Addon called Passwordmaker for many,
>>> many years, and despite all of its warts, I've been loathe to give it
>>> up, even though it will never be upgraded to work as a WebExtension.
>>>
>>> 2 things I loved about it -
>>>
>>>  a) it doesn't save the password locally, only info about the
>>>     site/account, and
>>>  b) you can use an unlimited number of Master Passwords
>>>
>>> I'm looking at migrating to KeePassXC, and even though I really hate the
>>> idea of saving the actual password - Passwordmaker simply generates the
>>> password on the fly each time based on certain specified criteria (ie,
>>> the site URL, username, password length, etc for each account - one
>>> technique I adopted shortly after assisting in updating the
>>> Passwordmaker website eases my mind about it...
>>>
>>> This is a simple technique I strongly recommend that everyone employ,
>>> especially if you use a Password manager (like LastPass or KeePass)...
>>>
>>> It is uncrackable (well, as long as it isn't the CIA or NSA that wants
>>> to crack it and they are willing to kidnap/torture you to do so).
>>>
>>> You sit down and come up with a ... call it a 'password modification
>>> protocol' ... whereby, you always modify your generated/stored password
>>> in a specific way before pressing enter.
>>>
>>> For example, you delete characters 3, 5 and 7, then add 2 characters to
>>> the beginning and 2 to the end.
>>>
>>> It is very simple, and negates worrying about someone stealing your
>>> password vault.
>> I tried to find it just to see how it works but it isn't listed.
> What... Passwordmaker (the old one I still use and why I keep an old
> Firefox 56 portable version around)?


I'm on the newer version of Firefox so it doesn't show up in my search
since it isn't compatible.  I'm pretty sure that is why it doesn't show
up for me.  If I were on the older version of Firefox, then it would
show up.  I was wanting to look at it tho.  I did find a Pro version
which is likely the same thing but for the newer versions of Firefox. 
Did you see it?  It is here:

https://addons.mozilla.org/en-US/firefox/addon/firefox-passwordmaker-pro/?src=search

I see another version as well but with very few users.  Still, if the
above is just a version for the newer Firefox, you may not have to
switch or can use both somehow.  Some other add-ons I use did similar
things.  Since some required a complete rewrite, they also changed the
name a bit too.  Thing is, some of the new versions of add-ons don't
show up in older versions of Firefox.  If you didn't see this, I hope it
helps.


>> From what you wrote, you may want to at least check into LastPass.
> I did a massive amount of research (including LastPass), and settled on
> KeePassXC for a good reason.

I've read where people use that and like it.  It just depends on what
you are looking for and expect from the tool.  If it meets your needs,
then it is a good fit for you.  I picked LastPass since it did what I
need and then some plus is free.  I also had the privilege of emailing
back and forth with one of the original owners or creators way back
then.  His name is Joe Siegrist.  My bank and credit card sites wouldn't
work at first.  I gave him a link and he made some changes so that the
next version would fill those sites.  I may switch one day, may even
switch to what you are using, but at the moment, LastPass seems to be
doing well. 


>> Still, I'm sure there is a tool that will suit your needs.
> ? It's like you didn't really read my email. I already said, I'm
> migrating to KeePassXC. But my complaint is, nothing works like
> Passwordmaker (again, it doesn't store passwords, can only use one
> Master Password).
>
>> I'm not sure I understand what you mean password modification protocol.
>> It sounds like you change your master password each time you use it.
> No, I'm talking about the saved (or in Passwordmaker's case, generated)
> password, not the Master Password.
>
> Doing this with the Master Password wouldn't make any sense.
>

If I understand you correctly, I think I have seen a site that allows
that sort of thing.  I think.  To be honest, this is why I like tools. 
I tend to let tools do the heavy lifting.  My biggest responsibility is
having a good master password.  That's what started this.  I want a good
one.  ;-)  Most of the sites I use are email or ID plus password.  A
couple have this picture and phrase thing between login and password
tho.  There is also a couple that uses that secret question thing.  Some
of those are plain annoying tho.  lol

Given how things are nowadays, I suspect we will always be in a constant
race to try and stay ahead of hackers and such.  Every time we change to
try and beat them, they will find new tools, faster hardware etc to beat
us.  The biggest thing, our tools or us have to keep up.  I really need
to keep up with the newer stuff better but to be honest, time just isn't
that available to me right now. 

I wonder what hackers will come up with next.

Dale

:-)  :-) 


Re: Coming up with a password that is very strong.

Mark David Dumlao-3
In reply to this post by Neil Bothwick
On Wed, Feb 6, 2019 at 5:18 AM Neil Bothwick <[hidden email]> wrote:

>
> On Wed, 6 Feb 2019 04:28:49 +0800, Mark David Dumlao wrote:
>
> > My own solution is actually very simple. I have a "secret algorithm"
> > that incorporates several secrets with a predictable way to generate a
> > site-specific secret. The end result is a 100% predictable way to
> > generate unique passwords for every site that are cryptographically
> > secure from each other (you cannot derive
> > one from the other) which can be generated by any device using the
> > appropriate tools.
>
> There was a tool in portage that did this. I tried it but it did not work
> in the real world because you couldn't set a rule for generated passwords
> that matched the requirements of all sites, for example some require a
> non-alphanumeric character while other sites only allow alphanumerics.
>
> I can't remember what the tool was called, although I'm pretty sure it
> was written in Python. I'd be interested to know how you get around the
> conflicting restrictions as this seems a good way to do things.
>

Well the original idea is to reduce dependency on specific tools, such
that the algorithm is the secret, and the passwords are just
byproducts of the secret. You will still need tools to do any hashing,
but those are generic tools you can acquire anywhere.

So for example, the "password123" equivalent secret algorithm might be:
1) global pepper: "password"
2) site-specific pepper: pepper plus number = vowels in domain name
3) site-specific ID: pepper dot domain name dot username
4) hashing algorithm: md5sum + base64, take first 8

Example application: [hidden email]
1) site-specific pepper: pepper3 (3 vowels in domain name: google)
2) site-specific ID: pepper3.google.madumlao
3) site-specific hash: (2) -> md5sum -> base64 -> first8 -> NGI3MTQz
4) combined with global pepper: password.NGI3MTQz
5) hashed with global pepper: (4) -> md5sum -> base64 -> first8 -> MWJjZjg2
password: MWJjZjg2

Example application: [hidden email]
1) site-specific pepper: pepper3 (3 vowels in domain name: yahoo)
2) site-specific ID: pepper3.yahoo.madumlao
3) site-specific hash: (2) -> md5sum -> base64 -> first8 -> ZDQzZGM5
4) combined with global pepper: password.ZDQzZGM5
5) hashed with global pepper: (4) -> md5sum -> base64 -> first8 -> ZjUwMTI2
password: ZjUwMTI2

The procedure takes up a little more headspace than 1 password, but
definitely less headspace than a dozen cryptographically secure
passwords. You can change the hashing algorithm, peppering rule, ID
rule, number of characters, etc to your tastes. You can add iteration
rules for the nth password change anywhere in the procedure, and add
constraint rules for sites that have certain password limitations (the
caveat is that you have to remember which sites have password changes
and constraints). For me really all that matters is that the building
blocks are widely available and the end result incorporates data loss
that makes it impossible to recover the original secrets.

"Obviously" do not use this algorithm as-is. The algorithm, not the
password, is the secret, so using this algorithm as-is is the
equivalent of using any example of a crypto secure password (correct
horse battery stapler) as a password.
--
This email is:    [ ] actionable   [x] fyi        [ ] social
Response needed:  [ ] yes          [x] up to you  [ ] no
Time-sensitive:   [ ] immediate    [ ] soon       [x] none
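The derivation scheme Mark sketches in his first post and spells out step by step above, implemented as an added example (not code from the thread or from any tool it mentions). It mirrors the `md5sum | base64 | head -c 8` pipeline and assumes, since the post does not say, that `echo` supplied a trailing newline and that base64 consumed md5sum's whole output line; the post's own `NGI3MTQz` / `MWJjZjg2` strings depend on that detail, so only the structure is checked. The `generation` parameter is an assumed placement of the "nth password change" rule, and `effective_bits` shows what the "first 8" truncation leaves of the MD5 output.

```python
"""Worked example of the thread's 'password123' derivation scheme.

Mirrors the shell pipeline   echo "<text>" | md5sum | base64 | head -c 8
Assumption (the post does not say): each hash stage consumed the text plus
echo's trailing newline, and base64 encoded md5sum's whole output line
("<hex digest>  -").  Different newline handling gives different 8-character
strings, so the post's NGI3MTQz / MWJjZjg2 values are not asserted here.
"""
import base64
import hashlib

VOWELS = set("aeiou")


def md5sum_line(text: str) -> bytes:
    """Bytes that `echo "$text" | md5sum` writes: hex digest, two spaces, '-'."""
    digest = hashlib.md5((text + "\n").encode()).hexdigest()
    return f"{digest}  -\n".encode()


def hash_b64_first8(text: str) -> str:
    """text -> md5sum -> base64 -> first 8 characters (the post's steps 3 and 5)."""
    return base64.b64encode(md5sum_line(text)).decode()[:8]


def site_pepper(domain: str, pepper: str = "pepper") -> str:
    """Site-specific pepper: the pepper word plus the number of vowels in the domain."""
    return f"{pepper}{sum(c in VOWELS for c in domain.lower())}"


def derive_password(domain: str, username: str, global_pepper: str = "password",
                    generation: int = 0) -> str:
    """Steps 1-5 of the post's example algorithm.

    `generation` is an assumed iteration rule (the post only says such a rule
    can go anywhere): the nth password change appends ".n" to the site ID.
    """
    site_id = f"{site_pepper(domain)}.{domain}.{username}"   # step 2
    if generation:
        site_id += f".{generation}"
    site_hash = hash_b64_first8(site_id)                      # step 3
    combined = f"{global_pepper}.{site_hash}"                 # step 4
    return hash_b64_first8(combined)                          # step 5


def effective_bits(n_b64_chars: int) -> int:
    """Bits of MD5 output that survive 'take the first N base64 characters'.

    base64 packs 3 bytes into 4 characters, so N characters are fixed by the
    first N*3//4 bytes of the md5sum line, and each of those bytes is one hex
    digit carrying 4 bits.  For N = 8 that is 6 hex digits, i.e. 24 bits.
    """
    return (n_b64_chars * 3 // 4) * 4


def hex_prefix_equivalent(text: str) -> bool:
    """Confirm the claim above: the 8-character result is fully determined by
    the first 6 hex digits of the digest; the other 104 bits of MD5 play no part."""
    hex6 = hashlib.md5((text + "\n").encode()).hexdigest()[:6]
    return hash_b64_first8(text) == base64.b64encode(hex6.encode()).decode()


if __name__ == "__main__":
    for site in ("google", "yahoo"):
        print(site, site_pepper(site), derive_password(site, "madumlao"))
    print("effective bits in an 8-character result:", effective_bits(8))
```

With the procedure known, an 8-character result is one of only 16^6 = 2^24 values, so the secrecy of the procedure rather than the hash is what carries the security; that is the practical content of the "do not use this algorithm as-is" remark above.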


Re: Coming up with a password that is very strong.

tanstaafl-2
In reply to this post by Dale-46
On 2/5/2019, 6:50:29 PM, Dale <[hidden email]> wrote:
> Tanstaafl wrote:
>> On 2/4/2019, 8:10:57 PM, Dale <[hidden email]> wrote:

> I'm on the newer version of Firefox so it doesn't show up in my search
> since it isn't compatible.

Correct - maybe you missed my comment that I'm having to keep an old
Portable version of 56 in order to continue being able to use it.

I have a copy I downloaded long ago from AMO, see attached. But it won't
install in newer versions. I'm using a Portable version of 56.

> I did find a Pro version which is likely the same thing but for the
> newer versions of Firefox.
> Did you see it?  It is here:
>
> https://addons.mozilla.org/en-US/firefox/addon/firefox-passwordmaker-pro/?src=search

I'm aware of it, but no, it isn't even close to the same thing. It
simply was created to be able to read Passwordmaker's data file (RDF file).

> I picked LastPass since it did what I need and then some plus is
> free.

Yes, but one of my main criteria was it has to be open source. LastPass
isn't open source.

>>> I'm not sure I understand what you mean password modification protocol. 
>>> It sounds like you change your master password each time you use it.

>> No, I'm talking about the saved (or in Passwordmaker's case, generated)
>> password, not the Master Password.
>>
>> Doing this with the Master Password wouldn't make any sense.

> If I understand you correctly, I think I have seen a site that allows
> that sort of thing.  I think.

?? It doesn't have anything to do with a site. This works anywhere.

You simply let your Password Manager fill in the fields, then click
inside the password field and make your modifications before pressing Enter.

> My biggest responsibility is having a good master password.

Mine is good, but that is another benefit of my method - it doesn't have
to be super duper strong, because even if someone gets ahold of your
Password Manager and breaks into it and can see all of your passwords,
it won't do them any good, because they don't have the contents of your
brain to know what modifications to do to the password.

[Attachment: passwordmaker-1.7.8.xpi (368K)]

Re: Coming up with a password that is very strong.

Kai Peter
In reply to this post by Neil Bothwick
On 2019-02-05 22:17, Neil Bothwick wrote:

> On Wed, 6 Feb 2019 04:28:49 +0800, Mark David Dumlao wrote:
>
>> My own solution is actually very simple. I have a "secret algorithm"
>> that incorporates several secrets with a predictable way to generate a
>> site-specific secret. The end result is a 100% predictable way to
>> generate unique passwords for every site that are cryptographically
>> secure from each other (you cannot derive
>> one from the other) which can be generated by any device using the
>> appropriate tools.
>
> There was a tool in portage that did this. I tried it but it did not work
> in the real world because you couldn't set a rule for generated
> passwords
> that matched the requirements of all sites, for example some require a
> non-alphanumeric character while other sites only allow alphanumerics.
>
> I can't remember what the tool was called, although I'm pretty sure it
> was written in Python. I'd be interested to know how you get around the
> conflicting restrictions as this seems a good way to do things.

By using an existing tool you have to live with its restrictions always.
But who says that it could not be done? At least Mark's solution will
(maybe) not work for everybody (yet), but he did think about an issue
and found a way/solution which sounds really reasonable.

--
Sent with eQmail-1.11 beta - a fork of djb's famous qmail


Re: Coming up with a password that is very strong.

Neil Bothwick
On Fri, 08 Feb 2019 15:26:22 +0100, Kai Peter wrote:

> > There was a tool in portage that did this. I tried it but it did not
> > work in the real world because you couldn't set a rule for generated
> > passwords
> > that matched the requirements of all sites, for example some require a
> > non-alphanumeric character while other sites only allow alphanumerics.
> >
> > I can't remember what the tool was called, although I'm pretty sure it
> > was written in Python. I'd be interested to know how you get around
> > the conflicting restrictions as this seems a good way to do things.
>
> By using an existing tool you have to live with its restrictions
> always. But who says that it could not be done?
It wasn't so much a restriction in the tool as the sites, which have
conflicting requirements for passwords - especially the ones that have a
MAXIMUM password length.


--
Neil Bothwick

Despite the cost of living, have you noticed how it remains so popular?


Re: Coming up with a password that is very strong.

Dale-46
Neil Bothwick wrote:

> On Fri, 08 Feb 2019 15:26:22 +0100, Kai Peter wrote:
>
>>> There was a tool in portage that did this. I tried it but it did not
>>> work in the real world because you couldn't set a rule for generated
>>> passwords
>>> that matched the requirements of all sites, for example some require a
>>> non-alphanumeric character while other sites only allow alphanumerics.
>>>
>>> I can't remember what the tool was called, although I'm pretty sure it
>>> was written in Python. I'd be interested to know how you get around
>>> the conflicting restrictions as this seems a good way to do things.
>> By using an existing tool you have to live with its restrictions
>> always. But who says that it could not be done?
> It wasn't so much a restriction in the tool as the sites, which have
> conflicting requirements for passwords - especially the ones that have a
> MAXIMUM password length.
>
>

This is something I've run into on several occasions using LastPass'
generation tool.  Some sites allow the symbols, letters above the number
keys, but don't allow one or more specific ones.  A couple examples, the
"!" key is a common one not allowed.  Others that are sometimes excluded
are the "$" and "*" symbols.  So I end up telling LastPass to generate
passwords until it gets one without any of those characters or I turn
off the symbols all together.  Of course, turning those off makes a
password easier to crack/hack. 

I did run up on one site recently that allowed any character, all
symbols included, and could be as long as 60 characters.  I think spaces
were the only thing on the keyboard not allowed.  Thing is, it wouldn't
accept anything longer than 28 or so for me.  I started out at 40 and
kept dropping down a few digits until I hit the one it would accept.  If
it had accepted a random password that long with symbols included, I
would think hackers would have to attack something besides the
password.  That is one long password.  I've seen paragraphs shorter than
that.  According to a couple of the test sites, it would take trillions
of years to crack a 40 digit password much less 60.  Pretty hard thing
to get past.  What surprises me, a couple sites that I would like to
have longer passwords on, won't accept anything longer than a couple
dozen characters.  I wish all financial sites would take 60 or so like
the other one I use.  I'm not sure why they limit it to that number. 
Common software limit maybe? 

This is one thing about having so many different password tools and each
person picking what they like.  It makes it harder to figure out how
passwords are generated and tracked.  Each tool has its own methods. 
It's sort of like the password strength sites.  I didn't rely on one
site.  I used several plus some common sense as well.  If all sites
think a password will take thousands of years or more to crack, it is
likely a good password.  Then apply some common sense to confirm it of
course.  I ended up with a password that was easier to type and very
strong, even stronger than what I started with.  The odds of someone
just guessing it is virtually zero.  The things it is based on are not
something anyone other than me would likely consider for creating a
password.  It's not pets, family names, date of births or anything like
that.  Heck, even if someone was sitting in my chair, they would be
clueless.  Even people who know me best would never be able to figure
out what it is based on much less how I put it in the password or which
ones.  Thing is, I think I'll be able to remember it easy enough. 

I suspect that anyone trying to hack us Linux users, users of this list
especially, would have a rough road ahead of them.  Based on replies
here, some have some pretty good methods of coming up with a password. 
Let us hope none of us dies instantly and takes the passwords with us. 
o_O  I put mine in a fire safe.  Just in case.

Dale

:-)  :-) 


Re: Coming up with a password that is very strong.

Neil Bothwick
On Fri, 8 Feb 2019 18:19:26 -0600, Dale wrote:

> I suspect that anyone trying to hack us Linux users, users of this list
> especially, would have a rough road ahead of them.  Based on replies
> here, some have some pretty good methods of coming up with a password. 
> Let us hope none of us dies instantly and takes the passwords with us. 
> o_O  I put mine in a fire safe.  Just in case.

Does LastPass have an export option? With KeePassXC, I can export all my
passwords to a CSV file that I save to a USB stick I keep in my safe.


--
Neil Bothwick

Downloading - A quick way of catching a virus from anywhere in the world.


Re: Coming up with a password that is very strong.

Dale-46
Neil Bothwick wrote:

> On Fri, 8 Feb 2019 18:19:26 -0600, Dale wrote:
>
>> I suspect that anyone trying to hack us Linux users, users of this list
>> especially, would have a rough road ahead of them.  Based on replies
>> here, some have some pretty good methods of coming up with a password. 
>> Let us hope none of us dies instantly and takes the passwords with us. 
>> o_O  I put mine in a fire safe.  Just in case.
> Does LastPass have an export option? With KeePassXC, I can export all my
> passwords to a CSV file that I save to a USB stick I keep in my safe.
>
>


Yes it does.  I export mine when I do major changes, usually when I do
financial sites.  It exports it as plain text.  I then copy and paste it
into a text file and encrypt it with KGpg.  At that point, you still
need the password to decrypt it, and I guess this computer tho it may be
doable on another system with the keys.  As I mentioned before, there's
a lot I don't know about this encryption stuff still. 

I may get me a tiny USB stick and put the master password, keys and such
on it.  I'm sure you know more about this than I do, what all do I need
in case it has to be done on another system?  In other words, what all
would I need to copy over to the USB stick? 

It seems you just put yours on a stick as plain text.  If you trust your
safe, that should be fine.  Since I have mine on my system, I encrypt
it.  It may be easier to do it your way tho.  At least easier for
whoever comes after me. 

Dale

:-)  :-)


Re: Coming up with a password that is very strong.

Alec Ten Harmsel
On Sat, Feb 09, 2019 at 04:42:42AM -0600, Dale wrote:
>
> It seems you just put yours on a stick as plain text.  If you trust your
> safe, that should be fine.  Since I have mine on my system, I encrypt
> it.  It may be easier to do it your way tho.  At least easier for
> whoever comes after me. 

I do the same thing, except mine are printed off and in the safe. IMO it
boils down to what you're trying to defend against; if someone cracks
your safe passwords are probably the last thing to worry about. I'd
imagine by getting into someone's safe you could get enough documents
(birth certificates, passports, etc.) to be able to get through to
customer service and change passwords anyways.

Of course all my passwords that are stored on my computer are encrypted
since only I need to use those :D

Alec


Re: Coming up with a password that is very strong.

Andrew Savchenko
In reply to this post by Dale-46
On Sun, 3 Feb 2019 23:47:35 -0600 Dale wrote:

> Howdy,
>
> Some may recall me mentioning using LastPass to manage my passwords. 
> Obviously, it can generate very strong passwords that are different for
> each site.  It can also remember them as well which makes things more
> secure than using just a few passwords for all sites.  One for things
> like financial sites, maybe a less secure one for some site you still
> want reasonably secure and an even weaker one for sites you don't care
> about hacking, and hackers likely won't either.  I know some people who
> do this even today.  Heck, ages ago, I was one of them.  Things change
> tho.  Some passwords can be hacked in seconds by a desktop computer,
> including my own if I had the software and knowledge to do it. 
>
> The one thing about most all password managers, they have a master
> password.  That one password unlocks the rest.  Trick is, having that
> one be a good one that is easy to remember, type on a keyboard and be
> secure, virtually unhackable but also unforgettable.  I've had what used
> to be a strong password for a while.  Thing is, with today's computing
> power, it really isn't anymore.  While no one could just guess it, it
> could be cracked/hacked I'm sure.  I need to come up with a new one that
> meets the requirements I just mentioned.  Strong, easy to remember, easy
> to type but won't forget.  I've read that using maiden names, years of
> birth or whole dates of birth, actual names, pet's name, words in a
> dictionary and a whole list of other things makes it easier, especially
> if you post a lot on social media, for hackers to use against you.  I'm
> trying to avoid that sort of thing obviously and have a couple ideas but
> am curious as to what method others use, without exposing too much detail
> since this is public. 
>
> How do you, especially those who admin systems that are always being
> hacked at, generate strong passwords that meet the above?  I've googled
> and found some ideas but if I use the same method, well, how many others
> are using that same method, if you know what I mean.  ;-)  Just looking
> for ideas. 
1) Install app-admin/apg.
2) apg -a1 -m40

Best regards,
Andrew Savchenko


Re: Coming up with a password that is very strong.

Dale-46
Andrew Savchenko wrote:

> On Sun, 3 Feb 2019 23:47:35 -0600 Dale wrote:
>> Howdy,
>>
>> Some may recall me mentioning using LastPass to manage my passwords. 
>> Obviously, it can generate very strong passwords that are different for
>> each site.  It can also remember them as well which makes things more
>> secure than using just a few passwords for all sites.  One for things
>> like financial sites, maybe a less secure one for some site you still
>> want reasonably secure and an even weaker one for sites you don't care
>> about hacking, and hackers likely won't either.  I know some people who
>> do this even today.  Heck, ages ago, I was one of them.  Things change
>> tho.  Some passwords can be hacked in seconds by a desktop computer,
>> including my own if I had the software and knowledge to do it. 
>>
>> The one thing about most all password managers, they have a master
>> password.  That one password unlocks the rest.  Trick is, having that
>> one be a good one that is easy to remember, type on a keyboard and be
>> secure, virtually unhackable but also unforgettable.  I've had what used
>> to be a strong password for a while.  Thing is, with today's computing
>> power, it really isn't anymore.  While no one could just guess it, it
>> could be cracked/hacked I'm sure.  I need to come up with a new one that
>> meets the requirements I just mentioned.  Strong, easy to remember, easy
>> to type but won't forget.  I've read that using maiden names, years of
>> birth or whole dates of birth, actual names, pet's name, words in a
>> dictionary and a whole list of other things makes it easier, especially
>> if you post a lot on social media, for hackers to use against you.  I'm
>> trying to avoid that sort of thing obviously and have a couple ideas but
>> am curious as to what method others use, without exposing too much detail
>> since this is public. 
>>
>> How do you, especially those who admin systems that are always being
>> hacked at, generate strong passwords that meet the above?  I've googled
>> and found some ideas but if I use the same method, well, how many others
>> are using that same method, if you know what I mean.  ;-)  Just looking
>> for ideas. 
> 1) Install app-admin/apg.
> 2) apg -a1 -m40
>
> Best regards,
> Andrew Savchenko


My password manager does that already.  The password I was trying to
come up with was the master password which I must easily remember, be
secure and be easy to type.  The other passwords I let the password
manager generate and remember as well.  I don't type those so they can
be anything. 

Goes to show tho, there is yet another tool to come up with passwords. 
lol 

Dale

:-)  :-) 



Re: Coming up with a password that is very strong.

Andrew Savchenko
On Sun, 10 Feb 2019 10:27:32 -0600 Dale wrote:

> Andrew Savchenko wrote:
> > On Sun, 3 Feb 2019 23:47:35 -0600 Dale wrote:
> >> Howdy,
> >>
> >> Some may recall me mentioning using LastPass to manage my passwords. 
> >> Obviously, it can generate very strong passwords that are different for
> >> each site.  It can also remember them as well which makes things more
> >> secure than using just a few passwords for all sites.  One for things
> >> like financial sites, maybe a less secure one for some site you still
> >> want reasonably secure and an even weaker one for sites you don't care
> >> about hacking, and hackers likely won't either.  I know some people who
> >> do this even today.  Heck, ages ago, I was one of them.  Things change
> >> tho.  Some passwords can be hacked in seconds by a desktop computer,
> >> including my own if I had the software and knowledge to do it. 
> >>
> >> The one thing about most all password managers, they have a master
> >> password.  That one password unlocks the rest.  Trick is, having that
> >> one be a good one that is easy to remember, type on a keyboard and be
> >> secure, virtually unhackable but also unforgettable.  I've had what used
> >> to be a strong password for a while.  Thing is, with today's computing
> >> power, it really isn't anymore.  While no one could just guess it, it
> >> could be cracked/hacked I'm sure.  I need to come up with a new one that
> >> meets the requirements I just mentioned.  Strong, easy to remember, easy
> >> to type but won't forget.  I've read that using maiden names, years of
> >> birth or whole dates of birth, actual names, pet's name, words in a
> >> dictionary and a whole list of other things makes it easier, especially
> >> if you post a lot on social media, for hackers to use against you.  I'm
> >> trying to avoid that sort of thing obviously and have a couple ideas but
> >> am curious as to what method others use, without exposing too much detail
> >> since this is public. 
> >>
> >> How do you, especially those who admin systems that are always being
> >> hacked at, generate strong passwords that meet the above?  I've googled
> >> and found some ideas but if I use the same method, well, how many others
> >> are using that same method, if you know what I mean.  ;-)  Just looking
> >> for ideas. 
> > 1) Install app-admin/apg.
> > 2) apg -a1 -m40
> >
> > Best regards,
> > Andrew Savchenko
>
>
> My password manager does that already.  The password I was trying to
> come up with was the master password which I must easily remember, be
> secure and be easy to type.  The other passwords I let the password
> manager generate and remember as well.  I don't type those so they can
> be anything. 
The line above is approximately the same as how I got one of my master
passwords. It is not that hard to remember 30-40 random chars.
Just try typing them several hundred times. I'm serious.

> Goes to show tho, there is yet another tool to come up with passwords. 
> lol 
>
> Dale
>
> :-)  :-) 
>
>


Best regards,
Andrew Savchenko


Re: Coming up with a password that is very strong.

Mark David Dumlao-3
On Mon, Feb 11, 2019 at 1:00 AM Andrew Savchenko <[hidden email]> wrote:

>
> On Sun, 10 Feb 2019 10:27:32 -0600 Dale wrote:
> > My password manager does that already.  The password I was trying to
> > come up with was the master password which I must easily remember, be
> > secure and be easy to type.  The other passwords I let the password
> > manager generate and remember as well.  I don't type those so they can
> > be anything.
>
> The line above is approximately the same how I got one of my master
> passwords. It is not that hard to remember 30-40 random chars.
> Just try typing them several hundred times. I'm serious.

One of the problems of secure password generation is that human
memory is used backwards. Things become encoded permanently in our
memory after the fact that we've repeated them several times, but most
password generation utilities require you to have perfect memory
first, THEN use repetition to enforce it.

Both a managed password and an algorithmic approach get this more
humanely. You need to first have a reliable way to generate the
password, and if you type it enough times, your brain will commit it
to memory.


Re: Coming up with a password that is very strong.

Dale-46
Mark David Dumlao wrote:

> On Mon, Feb 11, 2019 at 1:00 AM Andrew Savchenko <[hidden email]> wrote:
>> On Sun, 10 Feb 2019 10:27:32 -0600 Dale wrote:
>>> My password manager does that already.  The password I was trying to
>>> come up with was the master password which I must easily remember, be
>>> secure and be easy to type.  The other passwords I let the password
>>> manager generate and remember as well.  I don't type those so they can
>>> be anything.
>> The line above is approximately the same how I got one of my master
>> passwords. It is not that hard to remember 30-40 random chars.
>> Just try typing them several hundred times. I'm serious.
> One of the problems of secure password generation is that human
> memory is used backwards. Things become encoded permanently in our
> memory after the fact that we've repeated them several times, but most
> password generation utilities require you to have perfect memory
> first, THEN use repetition to enforce it.
>
> Both a managed password and an algorithmic approach get this more
> humanely. You need to first have a reliable way to generate the
> password, and if you type it enough times, your brain will commit it
> to memory.
>
>


My biggest thing was to find a way to come up with it.  Most use some
famous quote or song and then each first letter or something with a few
numbers and symbols thrown in.  Thing is, I don't really have any of
those.  So, what I did, I based it on model numbers of some things I
like.  I threw in a few symbols as well just to make it harder. 

I might add, I used three password strength sites to sort of give me an
idea on strength.  I tried different methods to shorten the thing and
make it easier to type as well.  I actually ended up with a slightly
shorter password but one that the meters said would be harder to crack. 
I might add, the difference was large.  The original was something along
the lines of thousands of years.  The end result that was easier to type
and slightly shorter was millions of years.  I was able to put in more
symbols.  Those things help toughen up a password pretty quick.

What I find so interesting about this, everyone seems to have a slightly
or even very different way of doing this.  Even if a person is reading
this list and taking notes, I wish them luck trying to guess our
passwords.  Given the variety of methods used, I don't see how any tool
could be built that would guess any of our passwords in a short time
frame either.  Now if everyone else would put some effort into this
instead of using "passw0rd" or something as silly as that, the internet
would be a much safer place. 

I also ran up on some sites that discussed passwords that people
commonly used and some are just laughable but so bad one should cry. 
Some people are just plain idiots.  I might add, some sites restrict
passwords in ways that keeps a person from generating a really good
password too.  Some need to get with the current threat models instead
of living in the past when security wasn't such an issue.

Interesting thread.

Dale

:-)  :-) 


Re: Coming up with a password that is very strong.

Rich Freeman
In reply to this post by Kai Peter
On Fri, Feb 8, 2019 at 9:26 AM Kai Peter <[hidden email]> wrote:

>
> On 2019-02-05 22:17, Neil Bothwick wrote:
> > On Wed, 6 Feb 2019 04:28:49 +0800, Mark David Dumlao wrote:
> >
> >> My own solution is actually very simple. I have a "secret algorithm"
> >> that incorporates several secrets with a predictable way to generate a
> >> site-specific secret. The end result is a 100% predictable way to
> >> generate unique passwords for every site that are cryptographically
> >> secure from each other (you cannot derive
> >> one from the other) which can be generated by any device using the
> >> appropriate tools.
> >
> > There was a tool in portage that did this. I tried it but it did not work
> > in the real world because you couldn't set a rule for generated
> > passwords
> > that matched the requirements of all sites, for example some require a
> > non-alphanumeric character while other sites only allow alphanumerics.
> >
> > I can't remember what the tool was called, although I'm pretty sure it
> > was written in Python. I'd be interested to know how you get around the
> > conflicting restrictions as this seems a good way to do things.
>
> By using an existing tool you have to live with its restrictions always.
> But who says that it could not be done? At least Mark's solution will
> (maybe) not work for everybody (yet), but he did think about an issue
> and found a way/solution which sounds really reasonable.
>

I just stumbled on lesspass which seems to be such a tool for
algorithmic password generation (lesspass.com).

Some thoughts regarding this approach:

1. Remembering the right "site name" for every site might be tricky -
sites change names/URLs and you won't have any database to search.
2.  The solution does allow incremental counters for sites, but of
course that is basically state and it looks like they have a way to
sync this somewhere, but of course that means having a cloud sync
infrastructure and that info could get compromised (doesn't include
the passwords themselves).
3.  Master password complexity probably matters more than for
something like Lastpass/KeepassX.  With traditional password managers
you need the database plus you need to crack the master password (or
get it some other way).  With a purely algorithmic approach you can
probably guess at all the parameters other than the master password,
so anybody can try to crack you without stealing any data at all,
assuming they think you're using the algorithm.  It sounds like the
hashing system they're using is considered secure, but it is obviously
only as good as the master password.
4.  I'm not sure how straightforward it would be to change
passwords/etc.  If you have 100 sites, you'd have to remember what
password you used for what site, or change them all at once.  Again,
the stateless approach has its downsides as passwords are not
stateless from the standpoint of the remote sites.

The big upside to stateless is that if you never increment passwords
then as long as you remember your master password you always have
access to your password everywhere, with nothing to back up.

If you do increment passwords, well, now you just introduced state
back in, and the "stateless" solution isn't really so.

Password incrementing is an issue for any algorithmic solution - you
need to be able to remember which password version is in use on what
site.

--
Rich


Re: Coming up with a password that is very strong.

Mark David Dumlao-3
On Thu, Feb 14, 2019 at 12:32 AM Rich Freeman <[hidden email]> wrote:

> > > On Wed, 6 Feb 2019 04:28:49 +0800, Mark David Dumlao wrote:
> > >
> > >> My own solution is actually very simple. I have a "secret algorithm"
> > >> that incorporates several secrets with a predictable way to generate a
> > >> site-specific secret. The end result is a 100% predictable way to
> > >> generate unique passwords for every site that are cryptographically
> > >> secure from each other (you cannot derive
> > >> one from the other) which can be generated by any device using the
> > >> appropriate tools.
> I just stumbled on lesspass which seems to be such a tool for
> algorithmic password generation (lesspass.com).

Great tool. Good to know there are those that think alike. One
important point though is that in my "version", the user has to
completely know a secure algorithm (which is where all the security
comes from), with a managed tool this is only feasible for technical
users (or at least technical past a certain level). A version of
lesspass that allows users to view and customize the secret-generation
algorithm would be much more secure.

Or another way to put it might be: if an attacker knows that you're
using lesspass, then the only encryption they have to break is that on
your master password, so your security is only as strong as your
master password. On the other hand, if an attacker knows that I am
using an algorithm-generating technique, they need to break both the
master secret AND the algorithm, which could have vastly more entropy
than the master secret itself.

>
> Some thoughts regarding this approach:
>
> 1. Remembering the right "site name" for every site might be tricky -
> sites change names/URLs and you won't have any database to search.

In my personal practice, not a problem. In practice you always
remember the old site name for any common enough site. If you don't,
you reset the password to the new site name.

> 2.  The solution does allow incremental counters for sites, but of
> course that is basically state and it looks like they have a way to
> sync this somewhere, but of course that means having a cloud sync
> infrastructure and that info could get compromised (doesn't include
> the passwords themselves).

Also not an issue for me in practice. In practice you also remember
which sites forced you to change passwords, since they're pretty much
the only ones in that class.

> 3.  Master password complexity probably matters more than for
> something like Lastpass/KeepassX.  With traditional password managers
> you need the database plus you need to crack the master password (or
> get it some other way).  With a purely algorithmic approach you can
> probably guess at all the parameters other than the master password,
> so anybody can try to crack you without stealing any data at all,

This is an issue for lesspass, because the only secret is the master
password. This is not an issue for algorithmic approaches in general,
because the algorithm is part of the secret. Every which way that you
choose to encode the intermediary steps in my example above is also
part of the secret, because none of those can be guessed from the
resulting password.

As an example, encoding "[hidden email]" as the site-specific
identifier would give a completely different password than
"gmail:madumlao" or "madumlao@gmail" or "madumlao+gmail", etc. And
that hasn't yet counted any peppering which influences intermediary
hashes.

That being said, any system that depends on a master password had
better be goddamned secure. In fact, my email account - which is a
resetting point for basically all services - is exempt from my
password algorithm and uses some ridiculously long secret. Likewise,
your keepass / lesspass secrets should probably be some insane
paranoid level secret that themselves don't come from keepass /
lesspass and their alternatives.

> 4.  I'm not sure how straightforward it would be to change
> passwords/etc.  If you have 100 sites, you'd have to remember what
> password you used for what site, or change them all at once.  Again,
> the stateless approach has its downsides as passwords are not
> stateless from the standpoint of the remote sites.

Actually the generation approach is massively simpler since the
passwords themselves don't matter. If you don't like your secret, are
not sure which iteration a site is, are not sure if a site used an old
or new secret, etc, you can trigger a password reset on most services
and force it to use the current generated password. You can update any
passwords on an as-needed basis to always use the current generated
iteration.

> If you do increment passwords, well, now you just introduced state
> back in, and the "stateless" solution isn't really so.
>
> Password incrementing is an issue for any algorithmic solution - you
> need to be able to remember which password version is in use on what
> site.

If you're talking about remembering the iteration counter for a
particular site, well, yes you have to store state somewhere. But
consider:
1 very strong secret + remember that these 3 or 4 sites are on iteration X

is a LOT less headspace than
4+ independent strong secrets

and I'm pretty sure most people have logins on more than 4 sites.

If literally the only state you need to know about a site is the Nth
iteration, I wouldn't mind cloud providers knowing that because they
can't do anything about that number.
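
The derivation scheme that Rich's numbered points and Mark's reply argue about, as an added example that is not part of the thread, not LessPass's actual profile format or algorithm, and not Mark's private scheme. It is a generic "stateless" construction, password = f(master, site, login, counter, alphabet), built on PBKDF2-HMAC-SHA256. The function names (`derive_password`, `demo`), the two alphabets, the iteration count and the sample inputs ("gmail.com", "bank.example", the constructed master passphrase) are all assumptions for illustration. The `demo` function exercises the properties discussed above: the same inputs reproduce the same password on any device with nothing stored (Rich's upside), changing the encoding of the site identifier gives an unrelated password (Mark's point about "gmail:madumlao" vs. "madumlao@gmail"), bumping the counter after a forced reset gives a new password but is state that has to be remembered (Rich's point 2), and a site that forbids symbols needs its own alphabet, which is also per-site state (Neil's objection about conflicting site rules).

```python
import hashlib
import string

# Added example, not LessPass's code or algorithm. All parameters are assumptions.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
ALNUM_ALPHABET = string.ascii_letters + string.digits   # for sites that forbid symbols


def derive_password(master, site, login, counter=1, length=20,
                    alphabet=DEFAULT_ALPHABET, iterations=100_000):
    """Stateless derivation: password = f(master, site, login, counter, alphabet).

    Everything except `master` is guessable by someone who knows the scheme,
    so the master password carries all of the secrecy (Rich's point 3); the
    other inputs only make the per-site outputs independent of each other.
    """
    # Bind the output to site, login and counter. The NUL separator keeps
    # different splits of the same text (e.g. "gmail:madumlao" vs "gmail",
    # "madumlao") from producing the same salt.
    salt = "\x00".join([site, login, str(counter)]).encode()
    # Derive twice as many bytes as characters so that mapping onto the
    # alphabet by repeated divmod leaves only a negligible bias.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations,
                              dklen=length * 2)
    n = int.from_bytes(key, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))
        out.append(alphabet[idx])
    return "".join(out)


def demo():
    """Exercise the properties the thread discusses, on constructed inputs."""
    master = "example master passphrase, not a real secret"   # constructed sample
    # Same inputs -> same password, reproducible anywhere with nothing stored.
    a = derive_password(master, "gmail.com", "madumlao")
    b = derive_password(master, "gmail.com", "madumlao")
    # A different encoding convention for the site identifier -> unrelated
    # password, so the convention itself acts as part of the secret.
    c = derive_password(master, "gmail:madumlao", "")
    # A forced rotation means incrementing the counter; the new password is
    # unrelated, but the counter is now state that must be remembered.
    d = derive_password(master, "gmail.com", "madumlao", counter=2)
    # A site that only allows alphanumerics needs its own alphabet, which is
    # another piece of per-site state the user has to keep track of.
    e = derive_password(master, "bank.example", "madumlao", alphabet=ALNUM_ALPHABET)
    return {
        "same_inputs_same_password": a == b,
        "encoding_changes_password": a != c,
        "counter_changes_password": a != d,
        "alnum_alphabet_respected": e.isalnum(),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the counter and alphabet parameters is that they are exactly the "state" Rich describes: the derivation itself needs nothing stored, but the moment a site forces a reset or imposes a character rule, something per-site has to be remembered or synced. The iteration count only slows an offline guess of the master password by a constant factor; it does not replace a strong master password.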


Re: Coming up with a password that is very strong.

Rich Freeman
On Wed, Feb 13, 2019 at 12:12 PM Mark David Dumlao <[hidden email]> wrote:

>
> On Thu, Feb 14, 2019 at 12:32 AM Rich Freeman <[hidden email]> wrote:
> > I just stumbled on lesspass which seems to be such a tool for
> > algorithmic password generation (lesspass.com).
>
> Great tool. Good to know there are those that think alike. One
> important point though is that in my "version", the user has to
> completely know a secure algorithm (which is where all the security
> comes from), with a managed tool this is only feasible for technical
> users (or at least technical past a certain level). A version of
> lesspass that allows users to view and customize the secret-generation
> algorithm would be much more secure.

Maybe.  Here is the problem with this:

If you just give the user a choice of one of several secure algorithms
to use, then basically all you're doing is adding a few more bits of
entropy to the mix.  You also have to deal with vulnerabilities in any
algorithm your software uses, and not just the one you picked.

If you instead let the user code their own algorithm, then while this
increases complexity, it also makes it easy for users to shoot
themselves in the feet with an insecure algorithm.

I think it would make more sense for users to focus on more robust
master keys than to rely on security by obscurity with an algorithm
that doesn't benefit from peer review.


> > 2.  The solution does allow incremental counters for sites, but of
> > course that is basically state and it looks like they have a way to
> > sync this somewhere, but of course that means having a cloud sync
> > infrastructure and that info could get compromised (doesn't include
> > the passwords themselves).
>
> Also not an issue for me in practice. In practice you also remember
> which sites forced you to change passwords, since they're pretty much
> the only ones in that class.

Sure, assuming you don't regularly change your passwords everywhere.
I'm not sure that this is as important with manager-generated
passwords, but it is a consideration.

> Likewise,
> your keepass / lesspass secrets should probably be some insane
> paranoid level secret that themselves don't come from keepass /
> lesspass and their alternatives.

While any master password should be secure, the algorithmic approaches
suffer more, IMO.  With something like Keepass or Lastpass you need
both the database and the master password to do an attack.  Now, with
lastpass anybody with the master password can obtain the database from
the cloud, but they're going to throttle attacks or lock the account
after so many failures, and you have nothing to crack offline.
Lastpass would be vulnerable to intruders stealing the database of
course, which then reduces the difficulty of an attack to the same as
something like Lesspass.

>
> > 4.  I'm not sure how straightforward it would be to change
> > passwords/etc.  If you have 100 sites, you'd have to remember what
> > password you used for what site, or change them all at once.  Again,
> > the stateless approach has its downsides as passwords are not
> > stateless from the standpoint of the remote sites.
>
> Actually the generation approach is massively simpler since the
> passwords themselves don't matter. If you don't like your secret, are
> not sure which iteration a site is, are not sure if a site used an old
> or new secret, etc, you can trigger a password reset on most services
> and force it to use the current generated password. You can update any
> passwords on an as-needed basis to always use the current generated
> iteration.

The problem with "as-needed" is that you have to remember which
accounts use which master password.  That sounds simple until you have
100 different accounts.  My password manager has a huge number of
accounts in it.  Granted, some of those are more disposable than
others, but keep in mind that everything from the local burger chain
to your bank has a password these days.  Either that, or it supports
something even worse like Facebook authentication.  I'm all for SSO,
but not ones locked into a single provider, and especially not
Facebook.


> > Password incrementing is an issue for any algorithmic solution - you
> > need to be able to remember which password version is in use on what
> > site.
>
> If you're talking about remembering the iteration counter for a
> particular site, well, yes you have to store state somewhere. But
> consider:
> 1 very strong secret + remember that these 3 or 4 sites are on iteration X
>
> is a LOT less headspace than
> 4+ independent strong secrets

Sure, but I'm mostly comparing algorithmic password managers to
database-based ones.  In neither case are you remembering hundreds of
passwords.

>
> and I'm pretty sure most people have logins on more than 4 sites.
>
> If literally the only state you need to know about a site is the Nth
> iteration, I wouldn't mind cloud providers knowing that because they
> can't do anything about that number.
>

It still means having a need to sync state, that was my main point.
If it were truly stateless you wouldn't need any kind of cloud sync at
all, and I think most would agree that would be an objective benefit.
However, here we still have the need to maintain a cloud account, have
devices that sync to it, and a need to keep that data backed up lest
that cloud provider shut down without warning.

I think we're mostly on the same page though.

--
Rich
