RE: [ISN] Simple passwords no longer suffice

From: InfoSec News (isn@private)
Date: Thu Jun 03 2004 - 23:29:59 PDT


    Forwarded from: myemailaccount@private

    I consider password security to be most important. I understand
    regular users cannot think of thousands of passwords and not write
    them down. Because my memory is also not perfect I have developed the
    following password scheme:

    I memorized 8 different sequences of alphanumerical characters, let's
    call them SACs (just inventing a new abbreviation here). Each is
    different in size and uses some uppercase letters. I give them all
    a number (so SAC1, SAC2, SAC3 etc.).

    For every account I select three of these sequences of alphanumerical
    characters, and put them in a certain order. That is my password. I
    then write down the order in a password-protected database (with a
    simpler password; I don't care that much if the database is compromised).

    So for example:
    For Hotmail I might use sequences SAC4, SAC5, SAC2.
    I just add to my password database "Hotmail 452" and I know what the
    password is.
    For the sequence SAC1, SAC8, SAC3 that I use with my mail certificate, the
    note I have written down is "mail certificate 183".

    Somewhere else I have as a reminder a list of all my SACs, but only
    with the first two characters being correct; the rest is put there as
    disinformation. So I actually look only at the first two characters
    and then remember what that SAC was again.

    So I have a list that looks like this:

    SAC#  written down     - real password
    SAC1  fuh355y9wtga9    - fuh5y05edh
    SAC2  g8betb8g         - g8bs=hb56hRRTYsh
    SAC3  l;kyh35h9        - l;g588bas3DR
    SAC4  aBfbvsdh4        - aBbdnitbAA$
    SAC5  GgfasdG          - Gggrw422a~
    SAC6  >>GSDFGWRw444    - >>GAEB53th8g3e
    SAC7  BbgRhgw52354     - Bdghbwtrb53
    SAC8  6775u3ed5us      - 67hJ^$6493

    So for example when I need my password to get into Hotmail I just open
    my password database or grab my paper printout of the list and look up
    the Hotmail account; I see "Hotmail 452". I also look up my SAC list
    here and by looking at the first few characters I remember what
    each SAC is.
    So the password is "aBbdnitbAA$Gggrw422a~g8bs=hb56hRRTYsh" without the

    Once you have the discipline to set up something similar and stick to
    it, your password security will be incredible. (And it's worth the
    look on people's faces when they see you enter passwords of more than
    20 characters at lightning speed; try to sneak up that one =D)

    Also I try to maintain my habit of typing in numbers on the number
    keypad, and as I do so I cover up my hand with the other hand so it
    cannot really be seen or recorded by cameras, just as one would
    protect their PIN code. (Also considering those credit thieves that
    build cameras into ATM machines and devices that record your
    magnetic strip. Haha, have fun with my strip, but you couldn't see my
    PIN code :P)

    Da paranoid android ;-)
    > -----Original message-----
    > From: isn-bounces@private
    > [mailto:isn-bounces@private] On behalf of InfoSec News
    > Sent: Thursday, June 03, 2004 09:31
    > To: isn@private
    > Subject: [ISN] Simple passwords no longer suffice
    > ndex.html
    > June 1, 2004 
    > (AP) -- To access her bank account online, Marie Jubran opens a Web
    > browser and types in her Swedish national ID number along with a
    > four-digit password.
    > For additional security, she then pulls out a card that has 50
    > scratch-off codes. Jubran uses the codes, one by one, each time she
    > logs on or performs a transaction. Her bank, Nordea PLC,
    > automatically sends a new card when she's about to run out.
    > As more Web sites demand passwords, scammers are getting more clever
    > about stealing them. Hence the need for such "passwords-plus"
    > systems.
    > Scandinavian countries are among the leaders as many online
    > businesses abandon static passwords in favor of so-called two-factor
    > authentication.
    > "A password is a construct of the past that has run out of steam,"  
    > said Joseph Atick, chief executive of Identix Inc., a Minnesota
    > designer of fingerprint-based authentication. "The human mind-set is
    > not used to dealing with so many different passwords and so many
    > different PINs."
    > When a static password alone is required, security experts recommend
    > that users combine letters and numbers and avoid easy-to-guess
    > passwords like "1234" or a nickname.

    This archive was generated by hypermail 2b30 : Fri Jun 04 2004 - 01:12:50 PDT