Results 1 to 30 of 65
Thread: Password Generation Strategies
-
2014-05-06, 02:48 PM (ISO 8601)
- Join Date
- Feb 2014
- Location
- Looking for the Xeelee
- Gender
Password Generation Strategies
I was curious what other folks use, I just recently was reading through a wiki page I wandered across and saw someone recommend using gestures to generate passwords, but the gestures seemed like they wouldn't be easier to keep track of until it hit me that there is a very easy way to generate them.
Pick somewhere on your keyboard, and pick a word, I'll go with "Cat" in this case and start with "p", then I trace out a natural feeling capital C, lowercase a, lowercase t.
POK<>poklpl;.
Doing different words at different starting points, different overlap patterns, you can make use of capital/lowercase, numbers, and symbols.
It doesn't readily fit a dictionary attack, and you can even stagger each new letter to avoid repetition.
starting at 7 with Cat:
&^TGHiujk0opl
I'm pretty sure that is a very strong password, and though "correcthorsebatterystaple" is easy to remember, so is the action of tracing "C" "a" "t" over the keys.
Is this a thing I'm just reinventing and I missed it, or what? I've tried a few different keywords to look for it but mainly I just find stories telling people to change passwords after Heartbleed and whatnot.
Engraved here is a rendition of an image of the Dwarf Fortress learning curve. All craftsdwarfship is of the highest quality. It depicts an obsidian overhang which menaces with spikes of obsidian and tears. Carved on the overhang is an image of Toady One and the players. The players are curled up in a fetal position. Toady One is laughing. The players are burning.
ᴛʜɪs ɪs ɴᴏᴛ ᴀ sɪɢɴᴀᴛᴜʀᴇ.
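One way to check what the tracing idea actually produces, added here as an example and not code from the original post: a small keyboard-adjacency scorer in the spirit of the "spatial" matcher that password-strength estimators such as zxcvbn use. It assumes a US QWERTY layout (the row offsets are an approximation of the physical stagger) and maps shifted characters back to their base key, since tracing with Shift held follows the same path. Run over the two traced passwords from the post and the randomly generated one posted later in the thread, it reports how much of each string sits inside a run of touching keys; a strength estimator credits such runs with far fewer bits than the same number of random characters.

```python
# Keyboard-walk check for candidate passwords (added example, not the poster's code).
# Assumes a US QWERTY layout; row offsets approximate the physical stagger.
ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
ROW_OFFSET = [0.0, 1.5, 1.75, 2.25]          # x shift of each row's first key
# Shifted characters map back to the key that produces them.
SHIFTED = dict(zip('~!@#$%^&*()_+{}|:"<>?', "`1234567890-=[]\\;',./"))

KEY_POS = {}
for y, (row, offset) in enumerate(zip(ROWS, ROW_OFFSET)):
    for x, ch in enumerate(row):
        KEY_POS[ch] = (x + offset, y)


def key_position(ch):
    """(x, y) of the physical key for ch, or None for keys not in the layout."""
    ch = ch.lower()
    return KEY_POS.get(SHIFTED.get(ch, ch))


def adjacent(a, b):
    """True when the keys for a and b touch (or are the same key)."""
    pa, pb = key_position(a), key_position(b)
    if pa is None or pb is None:
        return False
    return abs(pa[0] - pb[0]) <= 1.0 + 1e-9 and abs(pa[1] - pb[1]) <= 1


def walk_runs(password):
    """Lengths of the maximal runs of mutually adjacent keystrokes."""
    if not password:
        return []
    runs = [1]
    for prev, cur in zip(password, password[1:]):
        if adjacent(prev, cur):
            runs[-1] += 1
        else:
            runs.append(1)
    return runs


def longest_walk(password):
    """Length of the longest keyboard walk in the password."""
    return max(walk_runs(password), default=0)


def walk_fraction(password, min_run=3):
    """Share of characters that sit inside a keyboard walk of min_run or more."""
    if not password:
        return 0.0
    return sum(r for r in walk_runs(password) if r >= min_run) / len(password)


if __name__ == "__main__":
    # The two traced passwords from the post above and the randomly generated
    # one posted later in the thread.
    for pw in ("POK<>poklpl;.", "&^TGHiujk0opl", "G554uRq79Y0B1#xk7vDY"):
        print(f"{pw:24} longest walk {longestitle_walk(pw) if False else longest_walk(pw):2}  "
              f"in walks {walk_fraction(pw):.0%}")
```

Both traced strings come out as 100% keyboard walk (runs of 5 and 8, and 5, 4 and 4 keys), while the random 20-character string only has one accidental run of three, so the checker flags exactly the property that makes traced passwords easier to model than their length suggests.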
-
2014-05-06, 03:15 PM (ISO 8601)
- Join Date
- Oct 2011
- Location
- The last place you look
- Gender
Re: Password Generation Strategies
I'd just like to announce that I've used correcthorsebatterystaple as a password before. I've changed it since then, but I still used it as a secure password I don't care about. (We had to hardcode it into a program)
Avatar by Venetian Mask. It's of an NPC from a campaign I may yet run (possibly in PbP) who became a favorite of mine while planning.
I am a 10/14/11/15/12/14 LG Clr 2
-
2014-05-06, 03:21 PM (ISO 8601)
- Join Date
- Feb 2014
- Location
- Looking for the Xeelee
- Gender
Re: Password Generation Strategies
Heh, I never tried it but I have used various strings of words before, been mixing them up with the traced letters method whenever I change them now.
-
2014-05-07, 12:03 AM (ISO 8601)
- Join Date
- Jun 2011
- Gender
Re: Password Generation Strategies
Mostly I just use KeePass to generate passwords: 20 characters of random alphanumeric + symbols is usually upwards of 100 bits of entropy, and can't be copied from one site to attack another. (I'm up to well over 400 current entries in my database, and I have no intention of remembering that many.)
However, those that I need to remember separately, such as the KeePass database itself or OS login, generally use a particular scheme, which basically comes down to a one- or two-letter prefix, one or more vaguely mnemonic words, and a monotonically increasing change counter, separated notionally by "whitespace" expressed as some sort of character sequence. So it might be w45correct45horse45battery45staple4500000101: w is the prefix, 45 the "whitespace" (ASCII '-' decimal), the mnemonic words are obvious, and 00000101 is the fifth password used for this site, in one-byte binary. (This is not actually a valid password*, but it's close enough for illustration.) Sometimes I vary this by including suffixes for the whitespace, replacing digits in the counter, or specifying case on the prefix.
So far, this has worked pretty well for about seven or eight years.
*Because my actual password generation system is not something I will ever tell anyone until I'm dead, thank you very much.
Projects: Homebrew, Gentlemen's Agreement, DMPCs, Forbidden Knowledge safety, and Top Ten Worst. Also, Quotes and RACSD are good.
Anyone knows blue is for sarcas'ing in · "Take 10 SAN damage from Dark Orchid" · Use of gray may indicate nitpicking · Green is sincerity
-
2014-05-07, 02:00 AM (ISO 8601)
- Join Date
- Feb 2007
- Location
- Manchester, UK
- Gender
Re: Password Generation Strategies
My boss has a system where he uses the initial letters of the lyrics of songs he likes, with various letters changed for numbers etc. Probably as good as any!
Incidentally, with the power of modern dictionary-based password crackers married to GPU power for calculating the hashes, that XKCD password generation method is probably not as good as you'd think.
-
2014-05-07, 03:18 AM (ISO 8601)
- Join Date
- Nov 2009
- Location
- Behind you!
- Gender
Re: Password Generation Strategies
I think the point of the XKCD method is not to generate completely secure passwords, but to find a reasonably secure password and a password that you don't need to write down to remember.
Last edited by The Grue; 2014-05-07 at 03:18 AM.
-
2014-05-07, 03:19 AM (ISO 8601)
- Join Date
- Feb 2014
- Location
- Looking for the Xeelee
- Gender
Re: Password Generation Strategies
Yeah, the word string method runs the risk of fast enough cracking methods showing up eventually.
I only gave a couple of three letter tracing examples, but you can go quite a bit longer and keep them fairly easy to remember but stupid hard to crack.
Kinda like a captcha, easy for us to pick out the letters (in theory) but tying the string of digits to what someone chose to use is another matter.
-
2014-05-07, 03:27 AM (ISO 8601)
- Join Date
- Aug 2008
Re: Password Generation Strategies
It compares favorably to other methods which tend to have fast enough cracking methods already available (even brute force works on shorter passwords, as there aren't actually all that many distinct symbols in use), particularly if you have a nice long number you know that you can attach it to, and even more particularly if you use technical jargon or names.
Last edited by Knaight; 2014-05-07 at 03:29 AM.
I would really like to see a game made by Obryn, Kurald Galain, and Knaight from these forums.
I'm not joking one bit. I would buy the hell out of that. -- ChubbyRain
Current Design Project: Legacy, a game of masters and apprentices for two players and a GM.
-
2014-05-07, 03:35 AM (ISO 8601)
- Join Date
- Nov 2010
Re: Password Generation Strategies
I have an 8-digit alphanumeric password with symbols that I modify on a site by site basis
say for example the password was e!CWYP0@t (it's not) then Amazon would be Ae!CWYP0@tN and ebay would be Ee!CWYP0@tY that way if the password is compromised for one site it can't be used on any others, and once the initial 8 digits are memorized then it's easily applied to every website by taking the first and last letters and putting them at the start and end.
Last edited by supermonkeyjoe; 2014-05-07 at 03:38 AM.
-
2014-05-07, 05:38 AM (ISO 8601)
- Join Date
- Feb 2014
- Location
- Looking for the Xeelee
- Gender
Re: Password Generation Strategies
Regarding the number attaching, I memorized pi to 80 digits due to the irrational number song, but suffice to say I resist the urge to toss it in because even though the little "password strength" checks will show it as being strong, it's really not the best idea.
-
2014-05-07, 06:00 AM (ISO 8601)
- Join Date
- Mar 2005
- Location
- 61.2° N, 149.9° W
- Gender
Re: Password Generation Strategies
I have two strategies, one for things I have to have a decent password on and another for disposable passwords to be used on stuff I assume is public anyways.
The first I use on household routers, for setting up my in-laws' computer, and other places where being hacked is a real nuisance and I don't have to change the password every two months. This method is called "A long sentence with punctuation and a date." These usually end up as 50+ character passwords that are pretty easy to remember or look rather innocuous when written down.
The second is used for my work email system or anywhere that forces number-letter-CAPS-symbol passwords but limits you to less than 30 characters, and especially when they insist that you change the password frequently. Start at the 1 key and pick a pattern, two over and two down, chess knight's move, a spiral, whatever. Then shift over one or two numbers and do the same thing holding down the shift key. When it's time to change passwords you just shift the pattern over, start at 2 instead of 1. All you need to remember is your pattern and the starting key.
-
2014-05-07, 07:55 AM (ISO 8601)
- Join Date
- Dec 2006
- Location
- Raleigh NC
- Gender
Re: Password Generation Strategies
A strategy I have used in the past is: Read a book. Take the first letter of each word in the sentence to make your password. Include the trailing punctuation and substitute numbers for letters as needed. It results in gibberish which is going to be hard to crack, but the sentence serves as a memory mnemonic to recall it.
Respectfully,
Brian P.
"Every lie we tell incurs a debt to the truth. Sooner or later, that debt is paid."
-Valery Legasov in Chernobyl
-
2014-05-07, 12:25 PM (ISO 8601)
- Join Date
- Nov 2012
Re: Password Generation Strategies
I've done variations on the chess move strategy and pendell's "first letter" strategy before (I typically use a poem and use the first letters of certain stresses, rather than certain words), as well as picked a random starting letter and created a password based on joystick motions and button inputs from fighting game moves.
Last edited by Zrak; 2014-05-07 at 12:26 PM.
-
2014-05-07, 02:24 PM (ISO 8601)
- Join Date
- Nov 2006
- Location
- Washington, D.C.
- Gender
Re: Password Generation Strategies
I think of a sentence I associate with the website, like "I for one welcome our new Google overlords, next stop Skynet."
Then go through it, using number to letter substitutions, random caps, or punctuation as desired. So, that phrase leads to this password: "i41wonG0nsSn".
-
2014-05-07, 03:16 PM (ISO 8601)
- Join Date
- Jun 2008
Re: Password Generation Strategies
My strategy is...not one I'm going to discuss on this site.
-
2014-05-07, 04:00 PM (ISO 8601)
- Join Date
- Feb 2014
- Location
- Looking for the Xeelee
- Gender
Re: Password Generation Strategies
That's basically what I was talking about with tracing words over the keys.
Note that I'm not saying what is the EXACT method you use, just the general ways you try to balance the need for strength versus the ability to recall it.
As for the "I for one welcome..." used to generate "i41wonG0nsSn" as a password.
Tracing "Google" across the keyboard produced:
R$#WSDRytghiujkpol;.,-['\]'
-
2014-05-07, 05:40 PM (ISO 8601)
- Join Date
- Nov 2009
- Location
- Behind you!
- Gender
-
2014-05-07, 06:33 PM (ISO 8601)
- Join Date
- Mar 2011
- Gender
Re: Password Generation Strategies
I use the same few crappy throwaway passwords for most sites because I don't mind too much if somebody gets access to my Facebook or FML or Photobucket. For secure stuff (email, bank) I used to use a 30-character string with a pattern to it, but that was too much hassle. Now I use names of characters that I've never put to paper fully (I don't usually introduce myself by full name at the table, so a character's surname will just stay in my head), with a few letters switched to numbers to add another layer of complexity. That's way easier to remember, can be fairly long, and basically requires a brute force attack to crack because made-up fantasy character names won't show up in a dictionary.
Jude P.
-
2014-05-07, 09:51 PM (ISO 8601)
- Join Date
- Dec 2010
- Location
- right behind you
Re: Password Generation Strategies
I use deliberately misspelled versions of fake languages from fantasy novels with letters mixed in. I have like 3 base words, that I have multiple spellings for, and like I said, I include a few numbers as well. I don't do anything very secret or important online, so I don't go too crazy, it's just something that stays in my mind easily. Of course, my biggest problem is sites that remember your password for months on end, then suddenly don't for some reason. I can never remember which variant I used for that site and always have to reset the password.
"Interdum feror cupidine partium magnarum Europae vincendarum"
Translation: "Sometimes I get this urge to conquer large parts of Europe."
"If you don't get those cameras out of my face, I'm gonna go 8.6 on the Richter scale with gastric emissions that'll clear this room."
-
2014-05-08, 12:40 AM (ISO 8601)
- Join Date
- Feb 2014
- Location
- Looking for the Xeelee
- Gender
Re: Password Generation Strategies
Yeah, what is worse is when I have Firefox remember a password and then at some point wound up changing it without clicking the "update password" prompt and have to figure out what went wrong.
-
2014-05-08, 10:29 AM (ISO 8601)
- Join Date
- May 2005
- Location
- control+apple+alt+8
Re: Password Generation Strategies
When it comes to passwords, I have only two rules.
1) Don't ever reuse a password for anything. This applies to variants of passwords as well. This does mean that I have well over 30 unique passwords that I use on a regular basis which would be problematic for some, but I am quite well adjusted to it.
2) Don't ever share passwords or the methods used to generate them. Especially not on the internet. =P
TopSecret's First Ever Two Page Tabletop Contest
If you have any questions, want to talk about the contest entries, or you just want to hang out with cool people, visit our forums.
-
2014-05-08, 01:52 PM (ISO 8601)
- Join Date
- Aug 2008
Re: Password Generation Strategies
-
2014-05-08, 08:50 PM (ISO 8601)
- Join Date
- Feb 2014
- Location
- Looking for the Xeelee
- Gender
Re: Password Generation Strategies
See, I know that discussion of password strategies might seem like a bad idea, but I could just as easily see why not discussing them would leave one open for attacks on passwords generated by flawed or poorly executed methods.
-
2014-05-08, 08:51 PM (ISO 8601)
- Join Date
- Mar 2011
- Gender
Re: Password Generation Strategies
I don't really see how anybody's going to crack my passwords just because I've told them that they're long made-up words that literally nobody outside of my head has ever heard. They'd end up resorting to brute force with or without that information.
-
2014-05-09, 06:17 AM (ISO 8601)
- Join Date
- Jun 2011
- Gender
Re: Password Generation Strategies
I'm pretty paranoid (I routinely use strong crypto in emails and IMs with anyone willing to set it up, use the aforementioned 20-character random passwords, and browse the web with NoScript and RequestPolicy up), but I think that's going a little too far. As long as you provide nowhere near enough information to automatically generate passwords you might use, you're fine.
-
2014-05-14, 04:09 PM (ISO 8601)
- Join Date
- Jan 2014
-
2014-05-14, 09:11 PM (ISO 8601)
- Join Date
- Apr 2010
- Location
- Night Vale
- Gender
Re: Password Generation Strategies
When I need a really secure password I figure out what the longest password allowed is and then run the following python script:
Spoiler: The script

```python
# Password generator
# (Python 3 version of the posted Python 2 script; the original drew characters
#  with random.randint, a Mersenne Twister that is not suitable for secrets.)
import secrets
import string

symb = int(input("Are symbols allowed? (1/0) "))
a = int(input("Maximum length of password: "))
digits = string.digits
lowercase = string.ascii_lowercase
uppercase = string.ascii_uppercase
symbols = "!@#$%^&*()"
alphabet = digits + lowercase + uppercase
if symb == 1:
    alphabet = alphabet + symbols
password = ""
for n in range(a):
    password = password + secrets.choice(alphabet)   # uniform pick from the alphabet
print(password)
```

Example:

```
>>> Are symbols allowed? (1/0) 1
Maximum length of password: 20
G554uRq79Y0B1#xk7vDY
```
Dictionary attacks can go die and stop wasting electricity, they ain't gonna work on my secure passwords....
Avatar by TheGiant
Long-form Sig
-
2014-05-16, 12:37 PM (ISO 8601)
- Join Date
- Aug 2008
Re: Password Generation Strategies
Typing speed also comes into this. I can type extremely quickly if I know exactly what I'm typing and if it's practiced (also if it doesn't have too much in the way of odd symbols), and as such could easily get away with a whole sentence for a book. At 180 WPM (well above generic typing speed, but quite possibly below my password typing speed as those are very practiced patterns), a sentence isn't a big deal*. At 30 WPM, it's a very irritating thing, and I know people who can't type much faster than 30 WPM.
*Though I assume a relatively short sentence, and not something like one of the longer ones in A Tale of Two Cities.
-
2014-05-16, 08:18 PM (ISO 8601)
- Join Date
- Feb 2014
- Location
- Looking for the Xeelee
- Gender
Re: Password Generation Strategies
The entropy largely depends on the length of the string and the possible character sets it is drawn from.
A given length with all lowercase has less than a given length with mixed case which has less than a given length with mixed case and numbers which has less than mixed case with numbers and punctuation which has less than mixed case with symbols drawn from the full ASCII character map.
That's why I suggested trying to trace words which include at least one trip across the number row with and without shift.
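The ladder of character sets in the post above, the "upwards of 100 bits" figure for 20 random characters earlier in the thread, and the posted generator script (10 digits + 26 + 26 letters + 10 symbols = 72 symbols) all follow from one formula: length × log2(alphabet size). Added here as an example, not code from any poster, the calculator below works it through for those cases and for a four-word passphrase drawn from a 2048-word list (the xkcd figure of 44 bits). The numbers are upper bounds that hold only when every character or word is chosen uniformly at random; a memorable scheme that a person picks has less entropy than the same length from the same alphabet, which is the point made about dictionary-based crackers earlier in the thread.

```python
# Password entropy calculator (added example, not from the thread's posters).
import math

# Alphabet sizes for the character classes listed in the post above (US ASCII).
CHARSETS = {
    "lowercase": 26,
    "mixed case": 52,
    "mixed case + digits": 62,
    "mixed case + digits + the script's 10 symbols": 72,   # 10 + 26 + 26 + 10
    "all 95 printable ASCII": 95,
}


def charset_bits(length, alphabet_size):
    """Entropy in bits of `length` characters chosen uniformly at random from
    `alphabet_size` symbols: length * log2(alphabet_size).  An upper bound:
    a human-chosen scheme is never uniform."""
    return length * math.log2(alphabet_size)


def wordlist_bits(n_words, list_size):
    """Entropy of n_words chosen uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


def length_for_target(target_bits, alphabet_size):
    """Smallest length that reaches target_bits from alphabet_size symbols."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def compare(length):
    """Bits for each character set at a fixed length (the ladder above)."""
    return {name: round(charset_bits(length, n), 1) for name, n in CHARSETS.items()}


if __name__ == "__main__":
    for name, bits in compare(12).items():
        print(f"{bits:6.1f} bits  12 chars, {name}")
    print(f"{charset_bits(20, 72):6.1f} bits  20 chars from the script's 72-symbol alphabet")
    print(f"{charset_bits(20, 95):6.1f} bits  20 chars from all 95 printable ASCII")
    print(f"{wordlist_bits(4, 2048):6.1f} bits  4 words from a 2048-word list")
    print(f"{length_for_target(100, 72):6d} chars from 72 symbols reach 100 bits")
```

Two things the numbers show that the prose does not: the gap between "mixed case" and "all printable ASCII" at a fixed length is only about ten bits for 12 characters, while adding a few characters of length is worth as much again, and four random dictionary words land at 44 bits, well below 17 random characters from the script's alphabet.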
-
2014-05-17, 05:31 AM (ISO 8601)
- Join Date
- Sep 2008
Re: Password Generation Strategies
Is it bad I just string together words (and sometimes folder names) together as my password?