[ale] OT - making really strong pass phrases - was New encryption technology using a piece of paper

JD jdp at algoloma.com
Wed Sep 7 10:24:32 EDT 2011


On 09/06/2011 11:15 PM, Tim Watts wrote:
> Interesting stuff. Unless I'm misunderstanding this, these times only
> apply under the assumed conditions (multiple 1-4 char words etc.). If
> the off-line attackers only have say a 256-bit hash of your
> password/phrase then they have no rational basis to make these
> assumptions. Depending on the attacker's degree of motivation and

Yes, this is all interesting, but there seems to be a really simple
answer that has been used for years.

Please find a realistic flaw in my method.

Use a password manager that supports long, random, generated passwords.

Certainly my 55-character, computer-generated passwords with large
alphabets are more secure than anything shorter made up of words.  Every
login/password is different (within reason). Inside the network, ssh
keys are used, so those passwords don't get in the way. Using this
technique for all but 3 of your passwords seems the best-case answer to me.

All but 3 passwords?  Huh?

There will always be a few passwords / passphrases that we need to
memorize. These are for systems you need access to **before** you can
access the password manager program and encrypted database.

1) Login to your work desktop.
2) Password Manager passphrase
3) Login to your home desktop, cell phone, or other portable devices.

Those 3 passwords need to be secure enough, which depends on your data
and access sensitivity. If your laptop has access to all your servers
without any challenges, then it needs to be highly secure.

KeePassX http://www.keepassx.org/ is cross-platform, F/LOSS, and
supports the KeePass v1.x database. There are versions for Linux,
Windows, OSX, Android, Nokia Maemo and probably others; between KeePass
and KeePassX, you are probably covered. The password database is
encrypted. I use the "autotype" facility, which probably breaks all
sorts of security rules, but it is the only way I can type some of these
passphrases.  It is the only realistic way I can access my GPG keys for
encrypted email.

Every online account has a long, complex, unrecallable, untypeable,
password. To me, it doesn't matter if the password is 15, 55 or 100
characters.  I'm not gonna type or remember them, so I use the longest,
most complex supported by the system or 55 characters by default.  There
is no substitute for length, assuming the alphabet is the same.

I'm nervous about using anything labeled as "new encryption technology"
on my systems. Time will tell if these "new" ideas really are secure at
all. Let me know how that works out in 2-3 years.  Being an "early
adopter" for encryption seems like a really bad idea to me.
Are you using strong encryption for all your portable devices? Without
it (and maybe with it), your password doesn't matter. Physical access is
everything.
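
The generator and the length-versus-words comparison that the post argues for, as an added example (this is not code from the post or from KeePass/KeePassX). It assumes a 94-symbol alphabet (ASCII letters, digits and punctuation), the post's 55-character default when a site declares no maximum, and a 7776-entry Diceware-style word list for the passphrase side of the comparison; the function names are the example's own.

```python
import math
import secrets
import string

# Assumed alphabet: ASCII letters + digits + punctuation = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
DEFAULT_LENGTH = 55          # the post's default when the site has no cap
DICEWARE_WORDS = 7776        # assumed word-list size for the passphrase side


def generate_password(max_supported=None, alphabet=ALPHABET,
                      default_length=DEFAULT_LENGTH):
    """Return a random password drawn uniformly from `alphabet`.

    Length is the longest the target system supports when a cap is given,
    otherwise `default_length`.  Uses the `secrets` CSPRNG; the `random`
    module is not suitable for credentials.
    """
    length = default_length if max_supported is None else max_supported
    if length <= 0:
        raise ValueError("password length must be positive")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words, dictionary_size=DICEWARE_WORDS):
    """Entropy of a passphrase of `words` uniformly chosen dictionary words."""
    return words * math.log2(dictionary_size)


def words_to_match(length, alphabet_size=len(ALPHABET),
                   dictionary_size=DICEWARE_WORDS):
    """How many random dictionary words give at least the entropy of a
    `length`-character random password over `alphabet_size` symbols."""
    return math.ceil(entropy_bits(length, alphabet_size)
                     / math.log2(dictionary_size))


if __name__ == "__main__":
    # Demonstrate the post's claim: at equal alphabet, length is everything,
    # and a word-based passphrase needs many words to keep up.
    for length in (15, 55, 100):
        bits = entropy_bits(length, len(ALPHABET))
        print(f"{length:3d} random chars: {bits:6.1f} bits "
              f"~ {words_to_match(length)} Diceware words")
    print("4-word Diceware passphrase:",
          f"{passphrase_entropy_bits(4):.1f} bits")
    print("site capped at 20:", generate_password(max_supported=20))
    print("default:", generate_password())
```

The numbers are only meaningful for the online-account passwords the post describes, which are never typed or remembered: the three memorised passphrases (desktop login, manager passphrase, portable devices) cannot be drawn this way and are the ones where a word-based scheme still has to carry the load.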


More information about the Ale mailing list