[personal profile] jducoeur
I always hate mandatory expiration dates for passwords -- just in principle, I consider it a questionable policy from a security standpoint. Most people aren't good at thinking up passwords, and I suspect that they wind up with weaker passwords since they have to keep figuring out new ones.

That's become less of an issue for me in recent years, since I was introduced to a good mechanism for dealing with it: I go to my iPod, dig through my vast collection of favorite songs, choose a suitable line, and leet it a bit arbitrarily. Pure and consistent leeting doesn't help security much, since it's a fixed transformation that a cracking rule can simply apply. *Inconsistent* leeting and abbreviation as I do it strengthens security enormously, though, since it makes the search space much larger. I'll leet some characters a bit randomly, abbreviate some words, transform some words into symbols but not others -- the output is pretty unpredictable, even to me. The result is a passphrase that's pretty easy for me to remember, but hard to predict even if you knew what song it was taken from. (Usually a pain in the ass to *type* for the first couple of weeks, due to the transforms, though -- it doesn't simply flow from my fingers since it isn't real words. Right around the time I completely get it into my fingers, it expires and I have to start over.)

There's only one problem with this approach: I have to remember the line that I chose, and I get paranoid about it. So the result is that, for the week after I choose a new password, I am *utterly* earwormed with the song I chose the line from. It's all I can do to keep from humming it constantly. Fortunately, I always choose a song I like, but it still gets pretty annoying...
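To put a number on "makes the search space much larger", here is an added example (my code, not the author's, with a made-up substitution table): it enumerates every variant a known song line can turn into under a handful of independently applied transforms (per-character leeting, first-letter abbreviation, whole-word symbols, the kinds of tricks described in the post and in the comments below) and reports how many bits of work are left for an attacker who already knows the line. The transform tables, the sample line and the "drop the spaces" rule are assumptions for the demonstration.

```python
import math
from itertools import product
from typing import Iterator, List

# Constructed transform tables for this example (assumptions, not the author's
# real habits).  Every occurrence of a character or word is transformed or left
# alone independently of the others; that independence is what "inconsistent"
# leeting means, and it is exactly what an attacker who knows the line must search.
CHAR_SUBS = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7+", "l": "1"}
WORD_SUBS = {"and": "&", "to": "2", "for": "4", "you": "u", "are": "r", "more": ">"}


def char_variants(ch: str) -> List[str]:
    """Every way one character can appear: unchanged, or any of its leet forms."""
    return [ch] + list(CHAR_SUBS.get(ch.lower(), ""))


def word_variants(word: str) -> List[str]:
    """Every way one word can appear: as a whole-word symbol, as its initial
    (first-letter abbreviation), or with each character leeted independently."""
    candidates: List[str] = []
    if word.lower() in WORD_SUBS:
        candidates.append(WORD_SUBS[word.lower()])
    candidates.append(word[0])
    candidates.extend("".join(combo) for combo in product(*map(char_variants, word)))
    return list(dict.fromkeys(candidates))  # de-duplicate, keep order


def count_variants(phrase: str) -> int:
    """Size of the candidate set for a phrase, computed without enumerating it."""
    return math.prod(len(word_variants(w)) for w in phrase.split())


def added_bits(phrase: str) -> float:
    """Work, in bits, left for an attacker who already knows the source line."""
    return math.log2(count_variants(phrase))


def enumerate_candidates(phrase: str) -> Iterator[str]:
    """The attacker's side: every password this scheme can produce from the line.
    Spaces are dropped (an assumption that keeps the example small)."""
    for combo in product(*(word_variants(w) for w in phrase.split())):
        yield "".join(combo)


def derived_from(password: str, phrase: str) -> bool:
    """Would a cracker working from `phrase` hit `password`?  A real attack hashes
    each candidate and compares digests; the set being searched is the same."""
    return any(candidate == password for candidate in enumerate_candidates(phrase))


if __name__ == "__main__":
    line = "we are the champions"  # constructed sample line
    print(f"{count_variants(line)} candidates, "
          f"{added_bits(line):.1f} bits beyond knowing the line")
    print(derived_from("w3rth3ch4mp10n5", line))
```

For the four-word sample line the table above yields 9,240 candidates, about 13 bits. That is a real gain over consistent leeting (which adds roughly nothing, since a single rule reproduces it), but a few thousand guesses is minutes of work for an offline cracker, and the common cracking tools already ship with leet-substitution rule files. The strength of the scheme therefore rests on the attacker not knowing which line was chosen, which is the point the first comment below makes in jest.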

(no subject)

Date: 2011-03-28 02:59 pm (UTC)
From: [identity profile] http://users.livejournal.com/_lackey_/
so, to hack Justin's passwords, just listen to what he is humming...

(no subject)

Date: 2011-03-28 03:11 pm (UTC)
From: [identity profile] rosinavs.livejournal.com
They are annoying. Luckily, WPI hasn't made me change mine for a while, I think their cycle is about 4 months. I'll probably be due for a new one soon, but we'll see how good their history is before I make up something entirely new.

(no subject)

Date: 2011-03-28 03:13 pm (UTC)
From: [identity profile] hugh-mannity.livejournal.com
I do something similar for the work passwords I have control over.

I download a couple of zip files on a monthly basis that are password protected. The password doesn't change often, but it's a random machine generated alphanumeric string. There's no way I can even begin to remember it and as I only use it once a month, it's not worth the brain cells.

So I print out the email they send with the password and keep it buried in a 3 inch binder that's stuffed full of boring technical stuff that no one will ever read. If I ever need to unzip one of these files from a year or two ago, I'll need to know what the password was then. If I ever leave this job, my successor will also need to know those passwords.

(no subject)

Date: 2011-03-28 05:21 pm (UTC)
From: [identity profile] hugh-mannity.livejournal.com
Trouble is, those passwords aren't "mine" per se. They need to be available to a couple of my coworkers if there's a need to re-unzip the data and I'm not there to do it. (They let me take vacation!)

(no subject)

Date: 2011-03-28 03:17 pm (UTC)
From: [identity profile] serakit.livejournal.com
We used to have the mandatory expiration in high school, but it wouldn't notice if the password was just one character off from the original. Nor would it notice if you reused an older password. So everyone in the school would simply tack an S onto the end of the password one month and then remove the S from the password the next month. The annoying part was that there wasn't any way to change it from your personal computer if you didn't keep careful track of when the password was about to expire, because once it had expired you had to change it from one of the hardwired-into-the-central-server computers.

A wonderful example of what happens when the admin and the end-users are at odds with one another...
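The two gaps described in the comment above (no check for a password one character off, no check against older passwords) are cheap to close, and the reason they are often left open is worth seeing in code. As an added example, not from any commenter or any real product, here is a history check that stores only salted hashes, as a server should, and therefore has to detect "one character off" by hashing each neighbour of the proposed password rather than by comparing plaintexts. The KDF parameters, the neighbourhood shape, the sample passwords and the `simulate` driver are all assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import string
from typing import Iterator, List, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Deliberately tiny so the example runs quickly (assumption).  A deployment would
# use its real KDF settings, and every neighbour below costs one KDF call per
# history entry, which is why the neighbourhood is kept small.
KDF_ITERATIONS = 200


def kdf(password: str, salt: bytes) -> bytes:
    """Salted password hash; PBKDF2 only to keep the example dependency-free."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


def edit_neighbours(password: str) -> Iterator[str]:
    """Passwords one end-edit away: a character added to or removed from either end.
    This catches the append-an-S trick; a full edit-distance-1 neighbourhood would
    also cover interior edits but is about len(password) times larger."""
    yield password[1:]
    yield password[:-1]
    for ch in ALPHABET:
        yield ch + password
        yield password + ch


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance, used against the *current* password, which the user
    types in plaintext at change time, so no hashing is needed there."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class PasswordHistory:
    def __init__(self, depth: int = 5) -> None:
        self.depth = depth
        self.entries: List[Tuple[bytes, bytes]] = []  # (salt, digest), newest first

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.insert(0, (salt, kdf(password, salt)))
        del self.entries[self.depth:]

    def contains(self, candidate: str) -> bool:
        return any(hmac.compare_digest(kdf(candidate, salt), digest)
                   for salt, digest in self.entries)

    def rejects(self, current: str, proposed: str, min_distance: int = 2) -> Optional[str]:
        """Reason the change must be refused, or None if it is acceptable."""
        if levenshtein(current.lower(), proposed.lower()) < min_distance:
            return "too similar to current password"
        if self.contains(proposed):
            return "matches a previous password"
        if any(self.contains(n) for n in edit_neighbours(proposed)):
            return "one character away from a previous password"
        return None


def simulate(changes: List[str]) -> List[Optional[str]]:
    """Walk one user through a sequence of change attempts; returns each verdict."""
    history = PasswordHistory()
    current = changes[0]
    history.record(current)
    verdicts: List[Optional[str]] = []
    for proposed in changes[1:]:
        verdict = history.rejects(current, proposed)
        verdicts.append(verdict)
        if verdict is None:
            history.record(proposed)
            current = proposed
    return verdicts


if __name__ == "__main__":
    # Constructed sample: the add-an-S trick, then a real change, then attempts
    # to return to the old password, to its S-variant, and to an interior edit.
    for verdict in simulate(["Mar1gold!7", "Mar1gold!7S", "Pelican-42-Lamp",
                             "Mar1gold!7", "Mar1gold!7S", "Mar1golds!7"]):
        print(verdict or "accepted")
```

The last attempt in the sample, an interior edit, is accepted: the hashed-neighbourhood check only covers the edits it was told to generate, and widening it multiplies KDF cost by the history depth for every extra neighbour. That cost is the practical reason most systems compare similarity only against the current password (available in plaintext at change time) and check older history for exact reuse alone.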

(no subject)

Date: 2011-03-28 04:08 pm (UTC)
From: [identity profile] metahacker.livejournal.com
Earworming--I hear you! I use a very similar system, and write down the inputs to the hashing mechanism (l33ting, for you) in a relatively accessible location. This usually lets me get to the password after a few tries (like you, I do some vagaries in the application of the rules).

But now I am transitioning to using a password aggregator, with its own risks and benefits.

Have I mentioned I hate passwords? :-/

(no subject)

Date: 2011-03-29 11:59 am (UTC)
From: [identity profile] metahacker.livejournal.com
Indeed; that's what I settled on.

The autogen passwords are useful, but I keep running into situations where I don't have access to my Vault and still need to know the password, so I'm toying with going back to the hashing method...

(no subject)

Date: 2011-03-28 04:47 pm (UTC)
From: [personal profile] laurion
Yup. For years I've been taking a phrase from some media source, abstracting it down with abbreviations and symbolic replacements (such as the word more becoming a greater than sign), and building passwords from that. But I tend to do that only for systems and services that are not web based, because for those I can do much better with something like LastPass or 1Passwd.

(no subject)

Date: 2011-03-28 05:14 pm (UTC)
From: [identity profile] canthelpyou.livejournal.com
I do something similar, but with lines of poetry or quotes. I take the first letter of each word, and then mix it up as you say, arbitrarily leeted.

(no subject)

Date: 2011-03-28 05:52 pm (UTC)
From: [identity profile] kls-eloise.livejournal.com
I *loathe* the required password changes. I also loathe the amount of time it takes to generate one that the system will accept: at least eight characters, must be alpha-numeric, must have a capital letter or a special character, can't be any password you've used before, can't be within a certain number of identical characters of a password you've used before... For the average user, this is downright painful.

I'm not a betting woman, but right now I would put a significant amount of money down that at least 50% of the company has their password on a sticky note somewhere at their desk. I think the system would actually work better if we were all prompted to create an appropriately secure password, and then allowed to keep it. But I'm an end user - no one cares what I think...

(no subject)

Date: 2011-03-28 07:52 pm (UTC)
From: [identity profile] etherial.livejournal.com
The Mass. DUA's website requires you to have numerals in your username. None of my regular usernames have numerals in them, so I had to come up with a completely new and different username just for them.

One of the other sites I frequent has forbidden the use of special characters in passwords, which boggles the mind even further.

(no subject)

Date: 2011-03-29 01:46 am (UTC)
From: [identity profile] tafkad.livejournal.com
What I do is very similar to what you describe. The one "bonus" is that by the time I'm done logging in--including twice for reasons that no one can explain--I've entered my password four or five times just to get the day started, and the new password is memorized pretty quickly.

And yeah, the song sticks in my head pretty heavily, too.

(no subject)

Date: 2011-03-29 02:42 am (UTC)
From: [personal profile] cellio
The phrase "increment the password" is not unheard-of in my experience. :-)

At work I have to deal with a bunch of systems with different (mutually-exclusive) rules and cycle times for passwords, so I have finally been forced to start writing down the inputs/clues (not the actual passwords, of course, just an unambiguous path). I'm not sure this is actually making my passwords stronger.

(no subject)

Date: 2011-03-29 04:54 am (UTC)
From: [identity profile] meiczyslaw.livejournal.com
From April of last year:

Microsoft: Changing Passwords Isn't Worth the Effort (http://www.pcmag.com/article2/0,2817,2362692,00.asp)
