I have a little black A6 notebook, one of the ubiquitous ones with hard covers and a red spine, and I am ceasing the practice of using only a few passwords, and setting a new one for each account. Then every new user-password pair is written into that book. My passwords, except on their systems, can only be found in one place, and nowhere online.
And if I buy the farm, friends and family can look up needed passwords in that book, without having to subscribe anywhere online, or know any other password. I think that book has one of the highest levels of all password storage security strategies that exist.
Oh yes, and I never say them out aloud as I write them, in case someone, somewhere, somehow, is listening in on me.
V. wrote: how is it comparing the old (encrypted) password to the new (encrypted) one?
It decrypts it first, encryption is two-way. So it takes "&#HDSW" from the database as your old password and decrypts it to "god_123". It then compares that to the new password you've entered.
LDAP stores passwords in history as a HASH; no two-way encryption there...
The only password that may be stored as cleartext is the current one...
Skipper: We'll fix it.
Alex: Fix it? How you gonna fix this?
Skipper: Grit, spit and a whole lotta duct tape.
All of my passwords at work are stored as plain text.
... In a text file named "passwords.txt" on my desktop.
I wanna be a eunuchs developer! Pass me a bread knife!
Same with me - I have 9 pre-created passwords (we have 8 stored in history) stored as plain text...
Cool. I have a file with the very same name.
That's what they get for making us change passwords every 90 days, unable to reuse the last 24 passwords, and they must be sufficiently gobbledy-gook.
That's an idea: we should assemble a CP password.txt file, for general use in the MoronicKneeJerkPasswordPolicy domain. It would save us the trouble of creating our own.
[edit]
If you think 90 days is bad, I worked at one place that had a holiday-booking webapp where they required a new password every 30 days.
How often do you book holidays, for Arbuthnot's sake!
Essentially, every time you opened the app, you had to change your password.
[/edit]
[edit2]
Holiday = vacation, to blasted colonials.
[/edit2]
modified 5-Oct-16 16:52pm.
I used to keep mine, hand-written, on a scrappy piece of paper in my desk drawer
You work for the government, don't you?
Oh, yeah. Always an adventure.
He hasn't said what password system this is though.
An encrypted password is as bad as a plaintext one.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
Eddy Vluggen wrote: An encrypted password is as bad as a plaintext one. Agreed.
Also any memorized password has an inherent weakness in that it can be (and has been) memorized by a human. Passwords should be so strong that they cannot be memorized. It's possible.
Without memorization, you'd need to keep a clear-text version around. I don't think it is possible to extract it from my mind, so feels rather secure there.
The fact that something can be memorized does not make it a weak password.
Hyperbole is my favorite of all inventions and must be implemented at all times.
The point is that when you use a mnemonic then it is based upon words.
Words are patterns and patterns can be more easily cracked than non-patterns.
What you need is a fully randomized pattern which is strong and less crackable than a weak pattern that you've memorized. Your password itself should be a hash which is so long you cannot memorize it. (Which is hyperbole also, since Daniel Tammet memorized 22,514 digits of pi and recited them[^]).
raddevus wrote: What you need is a fully randomized pattern which is strong and less crackable than a weak pattern that you've memorized. Again, that idea is wrong. A non-memorizable password needs to be stored.
Yes, words are patterns, but that knowledge isn't going to help much in determining my password. I'll give you another clue; it is based on a single line of a poem, 33 characters.
Eddy Vluggen wrote: Again, that idea is wrong.
Brrrr....there's a cold wind a blowin'. "Wrong" is such a cold harsh word. It makes me feel like I might not be right.
Actually, there is a way to generate a strong password without storing it and without having the user memorize a word-based mnemonic.
And, I'm guessing that your poem is Milton's Paradise Lost, right?
Here's all of Shakespeare's sonnets first lines so I'm generating your password off of these now:
Shakespeare's Sonnets- first lines[^]
raddevus wrote: Actually, there is a way to generate a strong password without storing it and without having the user memorize a word-based mnemonic You got a long string that you did not memorize and did not store - in that case, I will start to doubt your ability to produce the same string again. That is something that is kinda required to be used as a password.
raddevus wrote: Here's all of Shakespeare's sonnets first lines Not a fan of Shakespeare.
So, you already know the length of the string, the pattern, and are assuming English language (yes, it is an English writer, but that does not mean the password has to be). How many possible combinations would there be?
xkcd: Password Strength[^]
I think this could go alongside Godwin's Law - the longer an on-line debate about passwords continues, the probability of someone linking to xkcd 936 approaches certainty.
Won't somebody think of the horses (and staples)?
Stewart Judson wrote: the longer an on-line debate about passwords continues, the probability of someone linking to xkcd 936 approaches certainty.
It's an absolute certainty of the most high probability.
It really is true.
Stewart Judson wrote: I think this could go alongside Godwin's Law A Godwin is not a valid argument, but the comic explains an argument in simple terms. So yes, it is bound to be referenced. Now, if any popular reference is a Godwin, then we might better stop using them, starting with the academics.
I think this could go alongside Godwin's Law - the longer an on-line debate about passwords continues, the probability of someone linking to xkcd 936 approaches certainty.
...which of course increases the probability of someone linking to xkcd 261[^]
It should be stored as a hash, not encrypted. A hash is one way. I.e. Not able to be decrypted
LDAP has no password policy option for similarity, so it is probably an overlay, and it may well store the password in some comparable form...
To compare similarity between passwords means that the comparable form must be 1:1 with the plain text form, so basically a weak character-by-character encryption. Scary.
If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver
When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
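Added example, not from any poster in this thread: a password-change routine that keeps only salted one-way hashes for the current password and the last N history entries (the "hash, not encrypt" point made above), yet still rejects reuse and trivial edits of the current password, because the user types the current password in the clear at change time, so no reversible "comparable form" is ever stored. The `too_similar` heuristic, the PBKDF2 parameters and the `Account` class are my own assumptions for the demo.

```python
"""Password history with one-way hashes instead of reversible encryption (demo)."""
import hashlib
import hmac
import os

# Demo-only parameters (assumed): production code would use a memory-hard KDF
# such as argon2 or scrypt and tune the work factor for its hardware.
ITERATIONS = 100_000
HISTORY_DEPTH = 8  # the "last N passwords" rule discussed in the thread


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per entry means two stored
    entries cannot be compared with each other, only with a candidate plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def matches(password, entry):
    """Constant-time check of a candidate plaintext against one stored entry."""
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def too_similar(old_plain, new_plain):
    """Heuristic (assumed): reject edits like god_123 -> god_124 by comparing the
    lower-cased passwords with trailing digits stripped. Only possible here because
    both plaintexts are in hand at change time; stored hashes cannot be compared."""
    core = lambda p: p.lower().rstrip("0123456789")
    a, b = core(old_plain), core(new_plain)
    return a == b or a in b or b in a


class Account:
    def __init__(self, password):
        self.current = hash_password(password)
        self.history = []  # (salt, digest) tuples, oldest first

    def change_password(self, old_plain, new_plain):
        """Returns a status string; nothing reversible is ever written to storage."""
        if not matches(old_plain, self.current):
            return "wrong current password"
        if too_similar(old_plain, new_plain):
            return "too similar to current password"
        if any(matches(new_plain, entry) for entry in self.history):
            return "reused"
        self.history = (self.history + [self.current])[-HISTORY_DEPTH:]
        self.current = hash_password(new_plain)
        return "ok"
```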