1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Remembering Passwords

Discussion in 'Computer Security' started by BrotherBill, Apr 24, 2008.

  1. BrotherBill

    BrotherBill Byte Poster

    228
    24
    15
    Today, I entered a site that required login, and as I started to enter my password, my mind went blank. I simply could not remember the password I had used for that account.

    What method do you use for remembering passwords and not advertise them to the world? I know everyone uses different methods, I'm open for suggestions.

    I strongly agree that you should have different passwords for each site. You wouldn't want one to be discovered and allow access to all accounts. I don't want to write them down on paper to be picked up and carried off. And I'm nervous about keeping them in a file or database on the computer in the event of a successful attack.

    Any help is appreciated,
    Bill
     
  2. ThomasMc

    ThomasMc Gigabyte Poster

    1,507
    49
    111
    Thanks to Fergal I've been on Think Geek most of the day :D what about this little gizmo

    its even got this

     
    Certifications: MCDST|FtOCC
    WIP: MCSA(70-270|70-290|70-291)
  3. Fergal1982

    Fergal1982 Petabyte Poster

    4,196
    171
    211
    I have a simple system. I have a post it notes, with the site name, and the password upside down.... what do you mean thats not secure?
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  4. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    There are several methods you can use. Here's one I developed. Start out by creating a base password. Make it something that's not brute force crackable, like a numeric string or a word. Create an acronym out of a phrase, for example. Or use your kids initials, all backwards. Or combine those with the last number of the day they were born. Anything that isn't obvious to figure out.

    Then, for each site, add a code known only to you to the start, middle, or end of that base password. It could be a single letter or a few letters... just something that you can remember from that site.

    For example, let's say I create a base password out of my kids' initials and the month of their birth (these are not my kids initials): abz07cdz12. Then, for a site like CertForums, I can take the last three characters, "ums", and add it to the middle (or start, or end) of the base password, giving me abz07umscdz12. For Microsoft, it would be abz07oftcdz12. For Amazon, it would be abz07zoncdz12. Bam, you've got a different password for each site, and you don't have to keep track of them.

    You don't have to use the name of the site. You can use anything that you can remember when you hit that site. For your bank, add the letters BA. For shopping sites, add the letters SH. For forums, add the letters FO. Or make just the 2nd letter capped, but be consistent from one password to another so you're not stuck trying to remember how you created that particular password.

    If you're hacked, change your base password and change your pattern. Simple as that.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  5. Fergal1982

    Fergal1982 Petabyte Poster

    4,196
    171
    211
    interesting method. rep given.

    Question. My old (and soon to be current again) employer has a strict password system that includes: Changing every 43 days; and not any of the previous 12 passwords. How would you apply your system to that?
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  6. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    Rotate through various patterns. That's likely the only password you have that rotates that often, right? So... add the "extra characters" to the front... then middle... then back... then capped for all three... then title case (first character capped) for all three... then in reverse order... then initials of the company... then the initials of the product that you're working on for the next 43 days... you'd never have to reuse a password, if you were so limited. Luckily, you can start reusing them within 12 changes. :)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  7. OceanPacific

    OceanPacific Byte Poster

    140
    1
    22
    I dont know, I just remember them. Honestly, I use mainly one password, but I change that one password about every 6months-1year. This may not be very secure, I dont know. I will often change passwords by one letter or by changing the digits or the case. As far as remembering them, I dont know, I just do I guess.

    Though once in a blue moon (I shouldnt have been drinking, I know,lol, BlueMoon) I will forget my password, and have to call my bank and prove im me.:)
     
    WIP: N+, A+
  8. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    BM's method works for him, but it seems pretty complicated. What I do is use the same password for any place in which nothing personally identifying is kept. It's usually a fairly simple password.

    In other sites where I need to make sure no one is going to easily guess the password I've used the year, model, color, and my nickname for some of the cars I've owned. They end up being pretty long. Usually 15 to 20 characters.

    In still other sites in which I can't use that long of a password I'll think of a phrase I associate in my mind with that site and use a combination of upper and lower case letters made up of the first letter of each word in the phrase. If the phrase is short and there are enough characters allowed I will add a significant date in history that I easily remember and somehow associate with the site.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  9. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    Dude... that's the *same* method I just gave. :biggrin Take a base password (like a date or a phrase) and add something memorable from that site.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  10. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    I just use this :rolleyes:
     
    Certifications: A few
    WIP: None - f*** 'em
  11. BrotherBill

    BrotherBill Byte Poster

    228
    24
    15
    Thomas, I really like that, just so long as I remember the initial sequence. And Fergal's method might work if I could stand on my head to read the password. I currently use a method very similar to what BM and FF describe, sometimes with a mix of caps, lower case, and numbers, sometimes not.

    OceanPacific. I admire you. You are as I once was. Now if you multiply your age by three, you may get a little better feeling for what I'm saying. You gotta love it while you can, but someday, watch out, it's coming.

    Thanks Zeb, I'm assuming that Password Safe is a free download. I didn't see mention of price. Warrants a closer look.

    Thanks for the suggestions everyone. I think for the moment, I need to do a little restructuring of my passwords. I was surprised how many I had. I think I probably need to learn a little more about encryption as well. I've asked this of a couple different forums, if anyone else is interested, here's a few other password managers that I've also heard about.

    Password Corral that looks interesting enough. Sorry Freddie, Windows only.

    RoboForm can be integrated into your browser.

    KeePass Password Safe is an open source manager.

    Cheers
     
  12. sjf1978

    sjf1978 Bit Poster

    12
    0
    2
    the trouble with those methods is you've introduced a predictable element. ie if someone notices the key you are using ***oft*** perhaps they could decipher a piece of your thought process. Association could be its downfall and the rest of your string of passwords. A truely random long string like a passphrase with upper, lower, number and even better non standard acii ie ♥ if thats supported with the system of course. Alienblack249A!♥1066 . I know its easier said than done with so many passwords and pins in our lives today. To be fair its about time the IT industry got rid of the individual password as there are so many threats to defeat them. Ultimately two form authentication raises the bar with tokens and biometrics. CAPTCHA can help online wise too with drop down selection boxes ie choose 3rd letter and 4th letter of secret phrase or a java box to point at the correct location.
     
  13. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    I tend to use passphrases, as they are often much more secure than psuedo-random strings.

    Another very useful tool are password amplifiers. Input a precursor password and a salt, and out comes a high entropy string. I like it more than the password vault approach for several reasons:

    - No need to maintain and protect the vault, a very big advantage;

    - Simpler to change passwords;

    - Infinitely portable - you can recover passwords without needing to carry them with you;

    - Passwords produced are high entropy - avoids human weakness when selecting passwords

    In general I think a password amplifier/generator approach is better than password storage tools, but there is no perfect solution, just different compromises.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  14. sjf1978

    sjf1978 Bit Poster

    12
    0
    2
    Island hopping is a big problem with passwords and as you say no perfect solution with them so defence in depth is needed. I mean how many have us have worked in places where the local admin machine password is the same through due to imaging boxes. Or the use of LM hashes on the network to support older apps or just unknowingly left on? Windows boxes with the last 10 hashes cached. They can be social engineered far too easily also. Hey look under the average user's keyboard and you'll find one or bright coloured ball in the bin (not that I've ever been through the bins lol...) Yes you should have policy about not doing that but people still do it. (the old it will never happen to me)
     
  15. neilmowforth

    neilmowforth Bit Poster

    23
    0
    21
    I choose my password dependent on what the site holds. E.g. this forum, my low security generic password, e retailer sites which store my card details have a medium security password (a mixture of numbers, capitals and lower case - but still rememberable), high security sites, such as my bank & email have a higher security password (a mixture of everything which means nothing to anyone - except me).
     
    Certifications: MCSA
    WIP: MCITP:EA
  16. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    I guess I don't understand your last equating of needing as secure a password for email as for your bank login. Unless all the POP and IMAP servers you access to get your email use TLS or something like for all your email anyone can sniff your network traffic and get your email username and password. They are transmitted in clear text over the internet to almost all ISP's and IMAP email services.

    I use the least secure password I have for email accounts because of it. It's just too easy to steal.

    Now, if I'm encrypting email using PGP, or something similar, then I'll use a strong password, but email being so readily sniffed just isn't worth it. Email as about as insecure as things get....
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  17. neilmowforth

    neilmowforth Bit Poster

    23
    0
    21
    Is it, oh dear! I only use web based email if that makes a difference.

    The reason I use a secure password for it though, is if that gets hacked then you could go round all the other websites requesting an password email reminder etc.
     
    Certifications: MCSA
    WIP: MCITP:EA
  18. Arroryn
    Honorary Member

    Arroryn we're all dooooooomed

    4,009
    186
    209
    I just... remember them.

    But I have my own 'system' as most people probably do. I think it's secure, but there again, most people feel secure until they're done over :rolleyes:

    I use a different password for each social site I frequent; I also have different passwords for all of my retail accounts. They all draw on the same theme for the word, but it's a rather vague theme (books) using a vague drawout (phrases from books) that are memorable to me. To give it a possible edge on security, I reference the phrase in a language that is not meant to be the core language of the site I am on (I know doesn't matter with sniffers or whatever, but it makes me feel safe!) I then intersperse each one with numbers, upper and lower case characters, and special characters.

    Voila.

    Some sites, it takes me maybe three attempts to remember the password. But I've never locked myself out (yet). And I tend to rotate the passwords on a monthly or bi-montly basis, depending on how proactive I'm feeling.

    Of course, strong passwords are a moot point where they become so convoluted that you can't type them at a good speed. I've heard of domain admin passwords being had, just because a slowly-typing tech was being watched by a speed typist, who thought it would be a long-term good idea to have admin rights on their PC. Oooh dear.
     
    Certifications: A+, N+, MCDST, 70-410, 70-411
    WIP: Modern Languages BA
  19. ManicD

    ManicD Byte Poster

    237
    4
    34
    I have a variaty of passwords, and i randomly assign then to websites, each holds a different security level for me, and i just mentally keep track of what goes where. is not an exact science but i do seperate things like, email, bank account and forums etc.
     
    Certifications: MCSA, N+, A+(Tech), ECDL
    WIP: 70-294, 70-298
  20. mark_uol

    mark_uol Bit Poster

    24
    0
    16
    You could try the mnemonic system. Pick a well known sentence such as “Mary had a little lamb its fleece was white as snow”. Now abstract each initial character then capitalize every second one.
    MhAlLiFwWaS
    Next introduce a non-alphanumeric character “/”
    M/h/A/l/L/i/F/w/W/a/S
    Now you can safely write down Mary ½ as an aid to memory. This password is medium strength in that it is invulnerable from dictionary attacks forcing a “brute strength” attack which is costly to the attacker.
     
    Certifications: MSc IT Security UoL

Share This Page

Loading...