Choosing Passwords
Jay Ashworth
jra at baylink.com
Sat Jun 9 20:28:01 UTC 2012
----- Original Message -----
> From: "Hal Murray" <hmurray at megapathdsl.net>
> Security is a tradeoff. I think there are two cases for passwords. I'll
> call them important and junk. I'm willing to store the junk ones in a file
> or piece of paper that I'm careful with. I have to memorize the important
> ones.
Well, my personal approach to this -- one which I'm well aware is disparaged
by Security Professionals -- is tiered passwords.
I have one password for 'throwaway' accounts -- drive-forum postings and
the like, another password for slightly more important accounts -- forums
in which I participate regularly and the like, a third password for actual
machine accounts, VPNs and similar things like equipment control panels, and
finally a tier for accounts where people can actually change my life or spend
my money; things like eBay, PayPal, etc -- on this tier, each password is
actually distinct.
Finally, there's a top-emergency fallback password, which I use for password
safes, which is -- as nearly as I can determine -- unresearchable, even if I
told you its description.
All of these passwords are rule/pattern constructed, using either The XKCD
Rule, or one of a couple of my own construction, and each individual password
is infixed after what it applies to, so as to make the actual final passwords
*never be the same string of characters*, the infix going in a nondeterministic
place in the string.
This puts enough bits of entropy into the passwords to make them relatively
strong -- sites with strength checkers on password set tend to like them a
lot -- while keeping them all unique so they can't be cross referenced... and
making them complex enough that they cannot be dictionary cracked either.
I am, of course, a special case; I've been a system administrator for 30
years; this is my business -- I am willing to put the necessary energy into
it as part of my work. I realize that lots of people (where, by lots, I
mean several billion) aren't -- either because they don't understand why
it's important, or because they don't care, or because "it's someone else's
fault when $3800 gets taken out of my bank account cause I'm a careless
slob".
TL;DR: Everyone, admin, user, or civilian, has to make their own decisions
about how much work they want to put into security -- and *we* have to
find ways to explain the choices so that Joe Q. Sixpack can understand
*why it's important to him to think about it*. That's a sales pitch;
engineers are *singularly* unsuited to it, in general.
Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
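The post above describes a scheme of word-based base phrases (the XKCD rule) with a site-specific infix inserted at a randomly chosen position. The following script, an added example that is not part of Jay's message or of any tool he mentions, works the entropy arithmetic through: it computes the bits contributed by the base phrase (word count times log2 of the dictionary size) and the bits contributed by the infix position (log2 of the number of candidate slots), and converts a bit count into the time an offline guesser would need at a given rate. The word list, the site tag "ebay", the dictionary sizes 2048 and 7776, and the guess rate of 1e10/s are all constructed or assumed values chosen for illustration; the function names are the example's own.

```python
import math
import secrets

# Constructed stand-in word list (a few entries so the script runs offline).
# The entropy functions take the dictionary size as a parameter, so pass
# 2048 for the XKCD comic's assumption or 7776 for a Diceware-sized list.
CONSTRUCTED_WORDS = [
    "correct", "horse", "battery", "staple",
    "river", "lamp", "orbit", "pencil",
]


def passphrase_entropy_bits(dictionary_size: int, word_count: int) -> float:
    """Entropy of `word_count` words chosen uniformly and independently from a
    dictionary of `dictionary_size` entries: word_count * log2(dictionary_size)."""
    if dictionary_size < 2 or word_count < 1:
        raise ValueError("need a dictionary of at least two words and one word drawn")
    return word_count * math.log2(dictionary_size)


def infix_position_bits(num_positions: int) -> float:
    """Entropy added by inserting a site-specific infix at one of `num_positions`
    uniformly chosen slots. Once the scheme and the site name are known, the slot
    choice is the only secret the infix adds on top of the shared base phrase."""
    if num_positions < 1:
        raise ValueError("need at least one insertion slot")
    return math.log2(num_positions)


def scheme_entropy_bits(dictionary_size: int, word_count: int, num_positions: int) -> float:
    """Secret bits of the base phrase plus the infix position."""
    return passphrase_entropy_bits(dictionary_size, word_count) + infix_position_bits(num_positions)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years an offline attacker needs to try every candidate at the given rate
    (assumed rate; real rates depend on the password hash in use)."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def generate_base(words, word_count: int) -> str:
    """Random word-based base phrase, words joined by '-' so they stay readable."""
    return "-".join(secrets.choice(words) for _ in range(word_count))


def insert_infix(base: str, infix: str, position: int) -> str:
    """Insert `infix` into `base` at character offset `position` (0..len(base))."""
    if not 0 <= position <= len(base):
        raise ValueError("position out of range")
    return base[:position] + infix + base[position:]


def build_site_password(words, word_count: int, site_tag: str):
    """Base phrase with the site tag inserted at a random offset.
    Returns (password, offset) so the offset can be inspected."""
    base = generate_base(words, word_count)
    offset = secrets.randbelow(len(base) + 1)
    return insert_infix(base, site_tag, offset), offset


if __name__ == "__main__":
    for size, label in ((2048, "XKCD-sized list"), (7776, "Diceware-sized list")):
        bits = scheme_entropy_bits(size, 4, 16)
        print(f"{label}: 4 words + infix slot among 16 = {bits:.1f} bits, "
              f"{years_to_exhaust(bits, 1e10):.2e} years at 1e10 guesses/s")
    pw, off = build_site_password(CONSTRUCTED_WORDS, 4, "ebay")
    print("sample:", pw, "(infix at offset", off, ")")
```

Running it shows the split the arithmetic makes visible: with a 2048-word list, four words give 44 bits and the infix slot choice adds only log2(16) = 4 more, so the strength against an offline guesser comes almost entirely from the base phrase, and the per-site infix mainly serves the uniqueness goal described in the post rather than adding appreciable entropy.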