How to avoid reusing passwords?

  1. #1 sneakyimp, Senior Member (Silver Lake; joined Apr 2003; 4,874 posts)

    I saw this interesting article that suggests General Petraeus' problems may have been compounded by password reuse. Being increasingly security-conscious, I was wondering if folks around here might share some tips for avoiding password re-use. I use a handful of passwords: a throw-away for forums and other stuff that is not particularly sensitive, another for slightly more secure needs, and a really complicated one that I use for accounts where I spend money. The idea of having a different password for every on-line account I have sounds like a real pain in the ass in terms of memorizing them all -- obviously this isn't really feasible. The alternative is to write them all down on paper somewhere OR store them all in a browser or other app.

    Thoughts?
    IMPORTANT: STOP using the mysql extension. Use mysqli or pdo instead.
    World War One happened 100 years ago. Visit Old Grey Horror for the agony and irony.

  2. #2 Derokorian, Senior Member (Denver; joined Apr 2011; 1,783 posts)

    What I do is have 3 passwords of varying length and complexity. One is simple, a lowercase word with a number. One with multiple words, camel-cased with a number and symbol. Finally one which is 20 characters long with 2 symbols, 4 numbers and varying case. I use them much the same as you: don't care if it's hacked, hope it doesn't get hacked but not worried, and please god don't hack this account. My next step is to prepend and append some information for the service based on it. So for example, I may use the simple password here with forum prepended and maybe builder appended. This gives me only 3 passwords to remember (and I change the base passwords once or twice a year) but still leaves me with a unique password for everything I log in to.
    Sadly, nobody codes for anyone on this forum. People taste your dishes and tell you what is missing, but they don't cook for you. ~anoopmail
    I'd rather be a comma, then a full stop.
    User Authentication in PHP with MySQLi - Don't forget to mark threads resolved - MySQL(i) warning

  3. #3 Pna lbh ernq guvf¿ (Kansas City area; joined Jul 2004; 19,428 posts)

    Quote Originally Posted by Derokorian:
    My next step is to prepend and append some information for the service based on it.
    Mostly +1 to your entire post (seems our password behaviors are quite similar), but especially to this tidbit. I use the same base password for my online banking, credit cards, 401k, stocks, etc. etc. - but I've either prepended or appended the root word or acronym/abbreviation, occasionally using a symbol replacement for a letter.

    Makes the same base password be "salted" to change the hash throughout the sites, so I figure that's enough. If someone actually managed to hack one of those institutions and either brute force or decipher the hashed/encrypted version of my password back into its original form, and then recognized my scheme (or read this post?...), and finally managed to guess what new identifier(s) I used for other websites... well, at that point they've blown my mind and are welcome to plunder what little riches I have. Hats off to you, mate.

  4. #4 sneakyimp, Senior Member (Silver Lake; joined Apr 2003; 4,874 posts)

    That prepending/appending trick based on context does seem useful, but I think Kerckhoffs would disapprove. Additionally, what about password reset/reminder mechanisms? I expect we all use one email account (or at least few accounts) and were one to gain access to said account, cracking the others is just a few clicks away. It seems we need to consider more than just avoiding duplicate passwords (or their hashes) but must also consider the intertwined relationship of the accounts -- with an email account typically being a cornerstone of the whole security structure.

    Furthermore, I've noticed that certain sites force both uppercase and lowercase letters, numbers, and punctuation in passwords. A few limit the number of letters you can specify for a password.

    I wonder if we might distill this down to some memorizable heuristic process. Weedpacket said he was working on a password entropy calculator which could be useful if he would be kind enough to offer it.

  5. #5 NogDog, High Energy Magic Dept. (Ankh-Morpork; joined Aug 2006; 13,943 posts)

    Password Strength (xkcd web page)
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be." ~ from Nation, by Terry Pratchett

    "But the main reason that any programmer learning any new language thinks the new language is SO much better than the old one is because he’s a better programmer now!" ~ http://www.oreillynet.com/ruby/blog/...ck_to_p_1.html


    eBookworm.us

  6. #6 sneakyimp, Senior Member (Silver Lake; joined Apr 2003; 4,874 posts)

    I had seen that, NogDog, and took it to heart. I love XKCD. Unfortunately, many sites require you to supply numbers, mixed case, and punctuation -- and the issue of sharing passwords is still a problem. Even if you use Randall Munroe's suggestion, you might still be hard-pressed to remember even just a handful of passwords unless you use each of them frequently.

    It seems to me that keeping N separate tiers is a reasonable approach and provides a fundamental advantage in that it firewalls separate accounts from each other to some degree, limiting one's risk. The higher the value of N, the less likely it is that one account getting compromised will lead to another account also being compromised. Perhaps someone could take a guess at expressing our risk as a function of N?

    Derokorian's approach of adding additional words depending on context seems to add a little security with relatively little memorization cost, but I wonder how much security? I expect the additional security is significant as long as the plaintext passwords are never stored, emailed, or revealed. As soon as a human being has seen two variations of a given password, a pattern might be detectable.

    Aside from the passwords themselves, many accounts are linked or offer password reset options. E.g., you can reset your bank password by having an email sent to your email account. And that email account might have a backup email address in case you needed a password reminder/reset for it as well. The whole advantage of having separate passwords for separate accounts would be nullified unless you took care to segregate your accounts into non-connected groups.

    I wonder if someone has concocted some kind of equation to evaluate security risk for accounts. Maybe something like the Drake Equation?

  7. #7 NogDog, High Energy Magic Dept. (Ankh-Morpork; joined Aug 2006; 13,943 posts)

    Although as I think about it, if we assume that people started getting into the habit of using several dictionary words concatenated into one password, that entropy rating might be overly optimistic, since you would not have to guess at 25 characters' worth of entropy, as in the comic's example, but just 4 words' worth of entropy?

  8. #8 Derokorian, Senior Member (Denver; joined Apr 2011; 1,783 posts)

    Yes and no nogdog. The reason I say no is because there are far greater than 26 words, so it's not 25^26 > 4^26 but rather 25^26 (2.220446e+36) < 4^171,476 (Infinity, no calc can solve for me) (The number of full, active entries in the Oxford English Dictionary. However there are also 47,156 obsolete words and ~10,000 derivative words)*

    Edit: Although, there would be patterns for things like most common words, but this can be thwarted by substituting characters (like O -> 0 or l -> 1).


    * Source: http://oxforddictionaries.com/words/...glish-language
    Last edited by Derokorian; 11-14-2012 at 01:20 PM.

  9. #9 sneakyimp, Senior Member (Silver Lake; joined Apr 2003; 4,874 posts)

    I think his assumptions are correct -- he's only assuming 11 bits per word (about 2048 possibilities) whereas there are about 100,000 words in the English language.

    Does anyone use a password manager?

  10. #10 Senior Member (joined Mar 2009; 812 posts)

    I use a variation of a dictionary word for throw away accounts like forums. I have a different one for my email address. The rest I have no idea what they are. I use KeePass to remember them all for me. I do know that the passwords I use are 25 random characters (or whatever character sets and length the service will allow). It can also generate passwords for you based on criteria you provide it.

    One would think that this is annoying, having to run KeePass, enter a master password (which is unique of course, and also about 30 characters) and then look it up, but it really has become second nature, and I don't even think about it anymore. Also the peace of mind is pretty nice. You can also take it with you on a USB key if required. I know that would freak some people out, which is why I don't do it, but it is an encrypted file container. I don't do it mainly because there's nothing I need to get into that badly that can't wait for me to get home (plus I can use RDP to connect to my computer in most cases).

    One thing to remember: back up your KeePass file!

    EDIT: Something I tell to everyday people: at the very least, make sure your email, Facebook, and banking passwords are different. It's those three that will hit you where it hurts.
    Declare variables, not war.
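    The KeePass-style workflow described above (one independently generated random password per service, sized to whatever length and character set the site allows), as an added Python example using the standard library's secrets module. This is not KeePass's code, and the three policies are constructed stand-ins for real sites' rules.

```python
import secrets
import string

# Constructed per-service policies standing in for what each site allows;
# real sites publish their own rules (and some cap the length, as noted in #4).
POLICIES = {
    "forum": {"length": 25,
              "alphabet": string.ascii_letters + string.digits + string.punctuation,
              "require": ()},
    "email": {"length": 30,
              "alphabet": string.ascii_letters + string.digits + "-_.!",
              "require": (string.ascii_lowercase, string.ascii_uppercase, string.digits)},
    "bank":  {"length": 16,
              "alphabet": string.ascii_letters + string.digits,
              "require": (string.ascii_lowercase, string.ascii_uppercase, string.digits)},
}


def satisfies(password: str, policy: dict) -> bool:
    """True if the password fits the policy's length, alphabet and required classes."""
    return (len(password) == policy["length"]
            and all(c in policy["alphabet"] for c in password)
            and all(any(c in cls for c in password) for cls in policy["require"]))


def generate(policy: dict) -> str:
    """Draw each position uniformly with the OS CSPRNG (secrets, never random.random).
    Rejecting candidates that miss a required class keeps the draw uniform over
    exactly the passwords the policy accepts."""
    while True:
        candidate = "".join(secrets.choice(policy["alphabet"])
                            for _ in range(policy["length"]))
        if satisfies(candidate, policy):
            return candidate


def passwords_for(policies: dict = POLICIES) -> dict:
    """One independent secret per service: a breach of one reveals nothing about the rest."""
    return {service: generate(policy) for service, policy in policies.items()}


def shared_passwords(vault: dict) -> set:
    """Passwords that more than one service in the vault uses (the reuse this thread is about)."""
    seen, shared = set(), set()
    for password in vault.values():
        (shared if password in seen else seen).add(password)
    return shared
```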

  11. #11 Weedpacket, Pedantic Curmudgeon (General Systems Vehicle "Thrilled To Be Here"; joined Aug 2002; 21,885 posts)

    Quote Originally Posted by Derokorian:
    Yes and no nogdog. The reason I say no is because there are far greater than 26 words, so it's not 25^26 > 4^26 but rather 25^26 (2.220446e+36) < 4^171,476 (Infinity, no calc can solve for me)
    You mean 171476^4; 171476 choices for the first word × 171476 choices for the second word .... = 864,596,308,417,753,067,776. Compare with 26^25 (twenty five uniformly-selected characters from {A,..., Z}): 236,773,830,007,967,588,876,795,164,938,469,376.

    FYI: 4^171476 ≈ 6.903557614789747×10^103238.
    THERE IS AS YET INSUFFICIENT DATA FOR A MEANINGFUL ANSWER
    FAQs! FAQs! FAQs! Most forums have them!
    Search - Debugging 101 - Collected Solutions - General Guidelines - Getting help at all
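    Weedpacket's arithmetic above, together with NogDog's point in #7 that a passphrase of dictionary words has to be counted in words rather than characters, worked through as an added Python example that is not from the thread. The dictionary sizes and lengths are the figures quoted in the posts; the 1,000 guesses per second rate is an assumption for the time-to-exhaust figure.

```python
import math

# Figures quoted in the thread: the 2048-word list is the comic's 11-bit-per-word
# assumption, 171,476 is the OED entry count Derokorian cites.
SCHEMES = {
    "25 letters, uniform over A-Z":       (26, 25),
    "4 words from an 11-bit (2048) list": (2048, 4),
    "4 words from 171,476 OED entries":   (171_476, 4),
}


def keyspace(choices: int, positions: int) -> int:
    """Exact number of distinct passwords: choices ** positions (171476^4, not 4^171476)."""
    return choices ** positions


def entropy_bits(choices: int, positions: int) -> float:
    """log2 of the keyspace, the usual 'bits of entropy' figure."""
    return positions * math.log2(choices)


def decimal_digits(n: int) -> int:
    """Digit count via log10, since str(n) is refused for huge ints on Python 3.11+."""
    return int(math.log10(n)) + 1


def years_to_exhaust(bits: float, guesses_per_second: float = 1000.0) -> float:
    """Worst-case time to try every candidate at an assumed online guessing rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare(schemes: dict = SCHEMES) -> list:
    """Rank the schemes by entropy, weakest first."""
    rows = [(name, entropy_bits(c, p)) for name, (c, p) in schemes.items()]
    return sorted(rows, key=lambda row: row[1])


def attacker_view(word_list_size: int, words: int, letters: int) -> tuple:
    """NogDog's point: the same passphrase costs 26**letters to an attacker who
    models it as random letters, but only word_list_size**words to one who
    knows it is built from dictionary words. Returns (naive_bits, informed_bits)."""
    return entropy_bits(26, letters), entropy_bits(word_list_size, words)


if __name__ == "__main__":
    for name, bits in compare():
        print(f"{name:36s} {bits:6.1f} bits, ~{years_to_exhaust(bits):.3g} years at 1000/s")
    print("4^171476 has", decimal_digits(keyspace(4, 171_476)), "decimal digits")
```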

  12. #12 sneakyimp, Senior Member (Silver Lake; joined Apr 2003; 4,874 posts)

    Wired had some topical articles today.

    Quote Originally Posted by Mat Honan:
    This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all. They really just wanted my Twitter handle: @mat. As a three-letter username, it’s considered prestigious. And to delay me from getting it back, they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.

  13. #13 laserlight, PHP Witch (Singapore; joined Apr 2003; 13,563 posts)

    Yeah, I got a link to Mat Honan's article in a tech newsfeed email today. The thing is, individual users and even developers cannot fix those problems, since the problems cited are really at the protocol level.
    Use Bazaar for your version control system
    Read the PHP Spellbook
    Learn How To Ask Questions The Smart Way

  14. #14 sneakyimp, Senior Member (Silver Lake; joined Apr 2003; 4,874 posts)

    I think there is probably some pragmatic balance that one might adopt to manage many accounts without a) introducing significant security risk and b) going crazy trying to remember some billion passwords.

    I think 3 mutually-exclusive tiers is a pretty good way to cover most actions. When I say "mutually exclusive" I mean that each tier has NO connection to some other tier -- i.e., no way to get a password reminder from one to the other.

    Tier 1: unimportant stuff where risk of embarrassment or financial loss is negligible. e.g., phpbuilder.com
    Tier 2: social networking, etc., where one's real-life identity might be discernible
    Tier 3: banks, credit cards, financial stuff, deep dark sex fantasies, etc.

    If you keep one basic password for each tier (possibly with variations by website) and make sure that there is no possibility of password reminders crossing between tiers then it seems to be a good balance of manageable versus secure.

    Comments welcome.

  15. #15 Senior Member (joined Mar 2009; 812 posts)

    Quote Originally Posted by sneakyimp:
    Tier 1: unimportant stuff where risk of embarrassment or financial loss is negligible. e.g., phpbuilder.com
    Tier 2: social networking, etc., where one's real-life identity might be discernible
    Tier 3: banks, credit cards, financial stuff, deep dark sex fantasies, etc.

    If you keep one basic password for each tier (possibly with variations by website) and make sure that there is no possibility of password reminders crossing between tiers then it seems to be a good balance of manageable versus secure.

    Comments welcome.
    Not a bad idea but there is a flaw: the issue isn't always in the security questions but in the passwords and user names themselves. If you're on Forum A with the user name Newguy and password password, and you're on Forum B with the user name Newguy and the password Password, that presents a security issue. If one is compromised then an attacker is going to look into other services and websites that use the same user name or email address, and they're going to look into variations of that password if the same one doesn't work.

    Passwords should be completely different across websites and services and have no relation at all. For best results user names should be unique when possible as well (sometimes this is impossible because services require your email address as your user name, and you're not about to have unique email addresses). Now that introduces a new problem that's next to impossible to fix: we're only human. We can only remember so much. Not only do we need to remember unique passwords but now we have to remember unique user names, too? Impossible. So we cheat and we either reuse passwords, user names, or both. To get around this limitation we write important stuff down, but that presents another security issue altogether. Where do we draw the line?

    This is why I use the method that I do. I feel it is the best compromise.
    Declare variables, not war.
