Choosing Passwords

Jay Ashworth jra at baylink.com
Sat Jun 9 20:28:01 UTC 2012


----- Original Message -----
> From: "Hal Murray" <hmurray at megapathdsl.net>

> Security is a tradeoff. I think there are two cases for passwords. I'll
> call them important and junk. I'm willing to store the junk ones in a file
> or piece of paper that I'm careful with. I have to memorize the important
> ones.

Well, my personal approach to this -- one which I'm well aware is disparaged 
by Security Professionals -- is tiered passwords.

I have one password for 'throwaway' accounts -- drive-forum postings and 
the like, another password for slightly more important accounts -- forums 
in which I participate regularly and the like, a third password for actual 
machine accounts, VPNs and similar things like equipment control panels, and
finally a tier for accounts that people can actually change my life or spend
my money; things like eBay, PayPal, etc -- on this tier, each password is 
actually distinct.

Finally, there's a top-emergency fallback password, which I use for password 
safes, which is -- as nearly as I can determine, unresearchable, even if I
told you its description.

All of these passwords are rule/pattern constructed, using either The XKCD
Rule, or one of a couple of my own construction, and each individual password
is infixed after what it applies to, so as to make the actual final passwords
*never be the same string of characters*, the infix going in a nondeterministic
place in the string.

This puts enough bits of entropy into the passwords to make them relatively
strong -- sites with strength checkers on password set tend to like them a 
lot -- while keeping them all unique so they can't be cross referenced... and
making them complex enough that they cannot be dictionary cracked either.

I am, of course, a special case; I've been a system administrator for 30
years; this is my business -- I am willing to put the necessary energy into
it as part of my work.  I realize that lots of people (where, by lots, I
mean several billion) aren't -- either because they don't understand why
it's important, or because they don't care, or because "it's someone else's
fault when $3800 gets taken out of my bank account cause I'm a careless 
slob".

TL;DR: Everyone, admin, user, or civilian, has to make their own decisions
about how much work they want to put into security -- and *we* have to
find ways to explain the choices so that Joe Q. Sixpack can understand
*why it's important to him to think about it*.  That's a sales pitch;
engineers are *singularly* unsuited to it, in general.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
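The post above describes building passwords from an XKCD-style word rule and then infixing a per-account tag at a random position. The following is an added example, not code from the post or from anyone on the thread, that puts numbers on that idea: it generates a passphrase with a CSPRNG, inserts a site tag at a randomly chosen word boundary, and reports the entropy an attacker who knows the construction method still has to guess. The word list, the site tags and the function names are constructed for this demo; a real word list (the XKCD comic assumes about 2048 words) is much larger.

```python
import math
import secrets

# Constructed, deliberately tiny word list so the demo runs offline.
# A real list (e.g. a diceware-style list) has 2048 words or more.
DEMO_WORDLIST = [
    "correct", "horse", "battery", "staple", "harbor", "velvet",
    "ladder", "quartz", "meadow", "pillow", "rocket", "saddle",
    "timber", "walnut", "yonder", "zephyr",
]

# Size of the printable ASCII set, used to compare against
# traditional character-soup passwords.
PRINTABLE_ASCII = 95


def passphrase_entropy_bits(wordlist_size, word_count, infix_positions=1):
    """Entropy (bits) of a passphrase built from word_count independent,
    uniformly random picks from a list of wordlist_size words.

    Only the random choices count: an attacker who knows the method
    (the rule, the word list, the fact that a site tag is infixed) gets
    no extra work from the method itself. If the site tag is inserted
    at one of infix_positions equally likely places, that choice adds
    log2(infix_positions) bits; a fixed position adds 0.
    """
    return word_count * math.log2(wordlist_size) + math.log2(infix_positions)


def charset_entropy_bits(length, charset_size):
    """Entropy (bits) of a password of `length` characters drawn uniformly
    from a set of charset_size symbols (the character-soup baseline)."""
    return length * math.log2(charset_size)


def generate_passphrase(wordlist, word_count):
    """Pick word_count words with the secrets module (CSPRNG), with
    replacement, so every pick is independent and uniform."""
    return [secrets.choice(wordlist) for _ in range(word_count)]


def insert_site_infix(words, site_tag, random_position=True):
    """Return (passphrase_string, position) with site_tag infixed at a word
    boundary. With random_position=True the boundary is chosen by the
    CSPRNG (len(words) + 1 possibilities); otherwise it is always appended,
    which keeps the per-site string unique but adds no entropy."""
    positions = len(words) + 1
    pos = secrets.randbelow(positions) if random_position else len(words)
    parts = words[:pos] + [site_tag] + words[pos:]
    return "-".join(parts), pos


def compare_constructions(wordlist_size=2048, word_count=4):
    """Worked comparison for the classic XKCD numbers versus an 8-character
    printable-ASCII password. Returns a dict of entropy figures in bits."""
    return {
        "xkcd_4_words_fixed_infix": passphrase_entropy_bits(wordlist_size, word_count),
        "xkcd_4_words_random_infix": passphrase_entropy_bits(
            wordlist_size, word_count, infix_positions=word_count + 1),
        "ascii_8_chars": charset_entropy_bits(8, PRINTABLE_ASCII),
    }


if __name__ == "__main__":
    words = generate_passphrase(DEMO_WORDLIST, 4)
    phrase, pos = insert_site_infix(words, "ebay")  # "ebay" is a constructed tag
    print(f"passphrase: {phrase}  (tag inserted at boundary {pos})")
    for name, bits in compare_constructions().items():
        print(f"{name:28s} {bits:6.2f} bits")
```

The numbers the comparison returns are the ones worth remembering: four words from a 2048-word list give 44 bits regardless of how the site tag is spliced in, a randomly chosen boundary among five adds only about 2.3 bits, and an 8-character printable-ASCII password sits near 52.6 bits only if every character is genuinely random. Per-account uniqueness, which the post's infix scheme provides, protects against reuse across sites; it is the random choices, not the pattern, that protect against guessing.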




More information about the NANOG mailing list