[PLUG] Passwords

Kris krisa at subtend.net
Fri Apr 28 10:11:31 UTC 2006


I was discussing passwords with someone the other day, and I was telling
him some of the methods I've used.

I've always been a fan of diceware[1], modified to use my own wordlists.
Remembering a 4-6 word sentence is easier than a long password with
mixed case, numbers and symbols.

I was thinking about how you could take it further to make it easier to
obtain a password using a diceware-like phrase as a seed.  But I'm not
sure if it actually makes it more difficult or just adds a layer of
obscurity.

One example would be to take a _very_ easy phrase and sha1sum it for a
password.

echo plug rocks|sha1sum
085c0af93df7240980dbee4c484f24c5cc4b86b0  -

Using that hash (maybe even include the "  -" at the end) as the
password.  Obtaining this is faster than decrypting from a master GPG
file.  But in this example you don't know what it's for.

Maybe a mnemonic where DNS is applied, or a purpose, combined with a
standard prefix and separator that is only known in the mind.

echo myvoiceismypassport =: www.pdxlinux.org|sha1sum
2635de49082a81a5b71bfadd1c0df5df406a54c2  -

echo myvoiceismypassport =: www.visacardx.com|sha1sum
4a7fdd148fb1862b1af9618ac08e61a9fb196c6d  -

Of course most banking websites don't give you the opportunity to use
such a long password (why is this?).  Maybe the hash could be used up to
the maximum chars the website will take.

Another benefit (possibly) is one could obtain their password for
something on any system with `sha1sum` on it (taking into account trust
issues of the random host you are on).

..hmm.. what about a known passphrase seed, separator, DNS, and a fixed
pattern of hashing (let's use 551 to remember md5|md5|sha1):
echo myvoiceismypassport =: www.pdxlinux.org|md5sum|md5sum|sha1sum
585d7a2429b4a842fa696c89b2f3352609929a7b  -

Maybe involving md5sum lowers our available bits for hashing that it
makes sha1 less effective.
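The scheme sketched above (a passphrase seed, a separator, the site's DNS name, one or more hashes, then cut to whatever length the site accepts) written out as POSIX shell functions. This is an added example, not code from the original post; the names derive_pw, chain_bits, SEED and SEP are my own, and the seed value is a constructed placeholder. derive_pw uses the same `echo ... | sha1sum` pipeline as the post, and when a chain is given each stage hashes the previous stage's full "hex  -" line, exactly as piping md5sum into md5sum does. chain_bits is the check for the last paragraph: the output space of a chain is bounded by its narrowest digest, so an md5sum anywhere in "md5sum md5sum sha1sum" caps it at 128 bits no matter that SHA-1 runs last.

```shell
#!/bin/sh
# Added example, not from the original post.  Constructed placeholder
# secret and separator; a real user keeps their own only in their head.
SEED='myvoiceismypassport'
SEP='=:'

# derive_pw DOMAIN [MAXLEN] [CHAIN]
#   CHAIN is a space-separated list of hash commands applied left to right
#   (default "sha1sum"; the post's 551 pattern is "md5sum md5sum sha1sum").
#   Prints only the hex digest of the last stage, cut to MAXLEN characters
#   (default 40, the full SHA-1 hex digest).
derive_pw() {
    domain=$1
    maxlen=${2:-40}
    chain=${3:-sha1sum}
    # Same bytes as the post's `echo seed sep domain`; $(...) strips the
    # trailing newline and printf '%s\n' below puts it back.
    line=$(echo "$SEED $SEP $domain")
    for h in $chain; do
        case $h in
            md5sum|sha1sum|sha256sum) ;;
            *) echo "unsupported hash: $h" >&2; return 1 ;;
        esac
        # Each stage hashes the previous stage's whole "hex  -" line,
        # which is what md5sum|md5sum|sha1sum does in a pipeline.
        line=$(printf '%s\n' "$line" | "$h")
    done
    # Drop the "  -" marker, keep only the hex, truncate to the site limit.
    printf '%s\n' "$line" | cut -d' ' -f1 | cut -c1-"$maxlen"
}

# chain_bits CHAIN: upper bound, in bits, on the output space of a chain.
# A stage cannot emit more distinct values than its digest width, so the
# bound is the narrowest stage in the chain.
chain_bits() {
    min=0
    for h in $1; do
        case $h in
            md5sum)    b=128 ;;
            sha1sum)   b=160 ;;
            sha256sum) b=256 ;;
            *) echo "unsupported hash: $h" >&2; return 1 ;;
        esac
        if [ "$min" -eq 0 ] || [ "$b" -lt "$min" ]; then min=$b; fi
    done
    echo "$min"
}

# Demo: full SHA-1 digest, a 12-char version for a site with a limit,
# the 551 chain, and the bit bound of each chain.
derive_pw www.pdxlinux.org
derive_pw www.pdxlinux.org 12
derive_pw www.pdxlinux.org 40 "md5sum md5sum sha1sum"
echo "sha1sum alone: $(chain_bits sha1sum) bits"
echo "md5sum md5sum sha1sum: $(chain_bits 'md5sum md5sum sha1sum') bits"
```

Truncating to a site's maximum length is a second cap on top of chain_bits: twelve hex characters is 48 bits at most, whatever hash produced them, and the bound on any derived password is still the entropy of the seed phrase itself, since the hashes add none.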

Another method, more for generation, I've tried is `cat
/dev/random|strings` and just wait a while, choosing a number of lines.
Not sure of the strength of this either.

This is more of a post to spark a discussion of what weird ways have you
used for password generation, policy, storage, and use?

Random password musings brought to you by 3am.

-- 
I'm just a packet pusher.
