I h8 passw3rdz
I'm sick of passwords.
I want to be secure:
- Never reuse a password, month-to-month or site-to-site
- Use a secure, reliable random password generator
- Change all my passwords each month
- Don’t write them down on a post-it note on my monitor
I want it hassle-free, so I could:
- Use the same password
- Never change it
- Make it the name of my pet/son/wife/mistress
Some sites place restrictions on passwords in an attempt to make them more secure. If I’m doing a good job of selecting my password, then any restriction reduces the entropy of my password, actually making it less secure.
I’ve seen restrictions on the max length of the password, which is just the worst.
I want something that helps me with my MS corpnet password, my bank’s web site, my Everquest message boards, my ATM PIN, etc.
I need something that identifies me uniquely, and securely. I also want my privacy, so I don’t want two providers to be able to figure out that my identity with one is the same as with the other.
I want computers to help me with this problem. What can be done?
Smart cards: By providing 2-layer security (the card + a pass code), it’s more secure because it’s harder to compromise both at the same time. Fails the privacy test, as I have one smart card for all providers.
Send them all to my hotmail account: Any time I have a web browser, I have my passwords. But it’s not secure.
Write them down on a piece of paper: Compromised if stolen; lost if washed in the laundry; annoying to type them in, useless if I forget it in my other pair of pants.
Carry a pocket PC: I don’t want to carry another piece of equipment that I must maintain, recharge, repair, replace, etc.
I think the PGP Passphrase FAQ is a good read.
Comments
Check out AI RoboForm, it's a password keeper/generator/form filler that integrates with IE and keeps all of the data in an encrypted file, but best of all it is designed so that the encrypted file can be kept on a USB key. This way you get the benefit of two factor authentication, but it's still quite convenient. Also, at the moment you can get a second license for $8 so you can use it at home too. You can also print the list of usernames and passwords so you can keep a hardcopy somewhere safe.
I'm not associated with the company, I've just been using the free version and have been pretty happy with it. - Anonymous
April 27, 2004
These are all interesting ideas, thanks for taking the time to offer them up. - Anonymous
April 27, 2004
Here's my current scheme, FWIW. To generate passwords I think of a memorable sentence and then use the first letter of each word as the password. The end result is usually a pretty random password that is almost always immune to a dictionary attack.
I then write down one unique word of the sentence on an easily accessible plaintext password list to act as a memory trigger. Quite often though I find I remember the sentence without having to look up the trigger (it helps if the account name is related to the topic of the sentence somehow). The really cool part of this scheme is that I know that even if my plaintext list gets stolen or compromised my passwords are safe as the attacker only has one letter of each password.
As a backup I also keep a list of sentences in a secure inaccessible location. This list only contains the sentences not the accounts they are associated with as an additional security precaution.
Andrew. - Anonymous
April 27, 2004
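As an added example (not code from the post or from any commenter), here is the first-letter scheme from Andrew's comment in Python, together with the entropy cap that a max-length rule like the one the post complains about imposes on any password. The tokenisation rules (how digits and punctuation are handled) and the sample sentence are this example's own assumptions.

```python
import math
import re

# Constructed sample sentence, not from the post.
SAMPLE_SENTENCE = "My first bank account was opened in 2004, and I still remember it!"


def mnemonic_password(sentence: str) -> str:
    """Derive a password from a memorable sentence (Andrew's scheme).

    Rules assumed by this example (the comment does not spell them out):
    - each whitespace-separated word contributes its first alphanumeric character;
    - a word made only of digits contributes all of its digits ("2004" -> "2004");
    - sentence punctuation (.,!?) attached to a word is kept as a symbol, which
      helps the result satisfy the usual 'must contain a symbol' rules.
    """
    chars = []
    for word in sentence.split():
        core = re.sub(r"[^A-Za-z0-9]", "", word)  # drop quotes, dashes, etc.
        if not core:
            continue  # a bare dash or quote mark contributes nothing
        chars.append(core if core.isdigit() else core[0])
        if word[-1] in ".,!?":
            chars.append(word[-1])
    return "".join(chars)


def memory_trigger(sentence: str, index: int) -> str:
    """Return the one word of the sentence written on the plaintext list.

    The attacker who steals the list learns this word, i.e. a single character
    of the password and its position, nothing more.
    """
    words = [re.sub(r"[^A-Za-z0-9]", "", w) for w in sentence.split()]
    return [w for w in words if w][index]


def policy_entropy_cap_bits(alphabet_size: int, max_length: int) -> float:
    """Upper bound, in bits, on the entropy of any password a max-length policy
    can accept: max_length characters drawn from alphabet_size symbols."""
    return max_length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = mnemonic_password(SAMPLE_SENTENCE)
    print(pw, len(pw), "chars")
    print("trigger word:", memory_trigger(SAMPLE_SENTENCE, 3))
    # 94 printable ASCII symbols, 8-character maximum: about 52 bits at best.
    print("8-char cap:", round(policy_entropy_cap_bits(94, 8), 1), "bits")
```

With the sample sentence the derived password is 18 characters long, so an 8-character maximum would force it to be cut down before the site even stored it.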
Not bad, Andrew.
One of the attributes of any good password scheme is that you can explain it to someone without compromising its security. - Anonymous
April 27, 2004
I use Andrew's scheme for passwords too. OTOH, I agree with you that identity is something that is intrinsic to us, and it is insulting that computers still require us to use such poor proxies for our selves. I ranted about this awhile ago: http://www.netcrucible.com/blog/PermaLink.aspx?guid=547db2e8-f394-4734-8be0-006d2805c7d3. - Anonymous
April 27, 2004
Try PasswordSafe (http://passwordsafe.sourceforge.net) - encrypted db for storing strong passwords (it was originally created by Bruce Schneier's Counterpane Labs) - Anonymous
April 27, 2004
I haven't tried either RoboForm or the new open source PasswordSafe, and both are free, but I would still like to recommend Password Agent (http://www.moonsoftware.com/pwagent.asp) which has a $20 price tag. It is certainly much better than the original PasswordSafe. By the way, I'm in no way affiliated with Moon Software, but I certainly like their product.