[clue] Passwords

Yaverot Yaverot at computermail.net
Wed Sep 19 13:19:49 MDT 2012


A few years ago that was fine, and may still be; but today's reality is that you have to assume that one of those passwords will get out because a service stored the password instead of storing a salted hash. Or an attacker was able to infect the server while you did a single login and catch it "in the clear" as it passed from SSL to the hashing function.

Take two of your passwords: how long will it take an attacker who has access to them, along with which site each applies to, to figure out your system? If _you_ are their target, then they'll try their guesses against your Yahoo, Google, Wikipedia, LinkedIn, Twitter, Facebook, PayPal, etc. accounts (they can spread their attacks to avoid per-site rate limiting).

What unfortunately is needed today is a different password for each site/service/application and/or terminal. The publication of any one (or two or three) password(s) won't leak enough to be useful against other targets. It has to deal with the need to occasionally change your password (either from policy/fiat or compromise of that "secret"). If your system is good enough to do all that, and you can do it in your head, all the more power to you. The rest of us mortals either accept the risks of our lesser system (guilty myself), or use KeePass(X), LastPass, Apple Keychain, Diceware and/or write it down.

--- vtrandal at yahoo.com wrote:

From: Vincent Randal <vtrandal at yahoo.com>
To: CLUE's mailing list <clue at cluedenver.org>
Subject: Re: [clue] Passwords (was Re: Website and git.)
Date: Wed, 19 Sep 2012 11:29:26 -0700 (PDT)

I'm joining this discussion late. Not sure I understand the full import of this thread but I will say this ...

On NPR yesterday there was some talk about password management. I dealt with this problem a few years ago by permuting a couple of pieces of info. I have many passwords and I remember none of them. I figure them out based on a pattern (permutation). Is this good or bad? The info used in the permutation is a private piece of info and a piece of info derived from the account I want to access. The private info and permutation are known only to me. I have tons of strong passwords.

I hope I've not derailed this thread with my comment. Carry on good people.
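The approach the reply above recommends, one unrelated secret per site that can be rotated on its own, plus a Diceware-style passphrase, as an added example in Python. This is not code from the list or from either poster; the word list and site names are constructed for illustration.

```python
import math
import secrets

# Constructed sample word list for illustration only. A real Diceware list has
# 7776 (6^5) entries, one per five-dice roll, and comes from the published list.
SAMPLE_WORDS = ["apple", "river", "stone", "cloud", "tiger", "lemon", "piano", "maple"]

# Printable characters a manager might draw from for a random per-site password.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#%&*+-=?@"


def diceware_passphrase(n_words, words=SAMPLE_WORDS):
    """Pick n_words uniformly and independently using the OS CSPRNG (secrets)."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_words, list_size):
    """Entropy of a passphrase made of n_words uniform picks over list_size words."""
    return n_words * math.log2(list_size)


def new_password(length=20):
    """One independent random password, as a password manager would generate it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_vault(sites):
    """One unrelated secret per site: leaking any subset says nothing about the rest,
    unlike a pattern that combines a private secret with site-derived info."""
    return {site: new_password() for site in sites}


def rotate(vault, site):
    """Replace one site's password after a compromise or policy change.
    Returns a new vault; every other entry is left exactly as it was."""
    updated = dict(vault)
    updated[site] = new_password()
    return updated
```

With the published 7776-word list, six words give about 77.5 bits of entropy, which is why the list poster groups Diceware with the password managers.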

