Bitcoin Forum
Author Topic: Using Password Hints  (Read 2667 times)
Bunghole
June 17, 2011, 07:17:18 PM
 #1

I don't see much discussion about using password hints, to ensure that you never forget your password.

With every encrypted wallet file, I include an unencrypted plaintext password hint.  I use hints that I would never forget, like the nickname of a childhood friend.  Yes, there will be a few people who would know the answer to one hint, but if you use hints from many areas and times of your life, then no one person would be able to answer all of them.  And probably none of those people are hackers anyway.

Here's an example:
- Password: Raiders5355RedburgEunice
- Hint: HSMascot+My First Bank PIN+Tommy's Hometown+Lana's Mom's First Name

If Tommy and Lana are from different walks of life (e.g. one is a childhood friend and one is a college girlfriend), that helps increase the security.

Yes, there is a tiny risk involved, but it seems that that risk is lower than the risk of forgetting your passwords or creating simple passwords that are easy to remember and thus also easy to hack.

Any comments?
Auspician
June 17, 2011, 07:21:01 PM
 #2

That's somewhat effective, but I prefer this method:

Pick a phrase that you are very familiar with (either the line from a joke, movie, or book).  Make the password the first letters of every word in that phrase, and include punctuation and capitalization when appropriate.  For added security, change certain letters into numbers, for example e's into 3's.  This makes a nigh-unhackable password (assuming the phrase is long enough) that is relatively easy to remember.
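The phrase method described in this post, written out as an added example (not the poster's own code): first letter of each word, punctuation and capitalization preserved, and a substitution table applied to the chosen letters. Only the e-to-3 substitution comes from the post; the function name and the handling of punctuation inside a word are my assumptions.

```python
import string

# Substitutions suggested in the post: e -> 3. Extend the dict as you like;
# note that any fixed table is itself predictable and adds little strength.
LEET = {"e": "3"}


def phrase_to_password(phrase: str, substitutions: dict = LEET) -> str:
    """Build a password from a memorable phrase.

    For every whitespace-separated word: keep its first letter or digit
    (original case), replace it via `substitutions` (matched case-
    insensitively), then append any punctuation the word carries.
    """
    pieces = []
    for word in phrase.split():
        alnum = [c for c in word if c.isalnum()]
        punct = [c for c in word if c in string.punctuation]
        if alnum:
            first = alnum[0]
            pieces.append(substitutions.get(first.lower(), first))
        pieces.extend(punct)
    return "".join(pieces)


def long_enough(password: str, minimum: int = 12) -> bool:
    """The post's caveat: the phrase, and so the password, must be long.
    The 12-character floor is an assumption, not from the thread."""
    return len(password) >= minimum


if __name__ == "__main__":
    for phrase in ("Elementary, my dear Watson!",
                   "May the Force be with you."):
        pw = phrase_to_password(phrase)
        print(f"{phrase!r} -> {pw!r} (long enough: {long_enough(pw)})")
```

A phrase of six or seven words yields a short result, which is why the post's "assuming the phrase is long enough" matters more than the letter substitutions.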
Bunghole
June 17, 2011, 07:38:49 PM
 #3

Can anyone find any holes in my technique of using password hints?
dontListen2me
June 17, 2011, 07:40:30 PM
 #4

I use randomly generated keys.

KeePass seems pretty solid.
Auspician
June 17, 2011, 07:47:31 PM
 #5

@Bunghole: Yes.  A brute-force attacker could with some difficulty break your password because it contains dictionary words, proper names and numbers.  You're much better off scattering your numbers, special characters and capitals throughout the password, and finding a convenient trick to remember it.
Bunghole
June 17, 2011, 07:59:29 PM
 #6

Does a brute-force dictionary attack have any realistic chance of breaking a 24-character password like Raiders5355RedburgEunice, when the payoff is relatively small (e.g. my modest bank account or one of my modest bitcoin wallets)?

I do agree that adding in some special characters would help - maybe from now on I put a dash between each word, e.g. Raiders-5355-Redburg-Eunice.  A dash seems to be allowable by most password systems.
maykelmoya
June 17, 2011, 08:02:01 PM
 #7

Some hints and metrics in http://www.baekdal.com/tips/password-security-usability.

1D7oFWmoC6aEa6EdN9itmtuTDp9bcZDxEe, thanks.
willphase
June 17, 2011, 08:22:04 PM
 #8

I use passwordchart.com for all my passwords to make them all unique and I can access the site from anywhere even when offline if needed. Really glad I found it.

Will

BitCoinBarter
June 18, 2011, 06:00:04 AM
 #9

Quote
Does a brute-force dictionary attack have any realistic chance of breaking a 24-character password like Raiders5355RedburgEunice, when the payoff is relatively small (e.g. my modest bank account or one of my modest bitcoin wallets)?

I do agree that adding in some special characters would help - maybe from now on I put a dash between each word, e.g. Raiders-5355-Redburg-Eunice.  A dash seems to be allowable by most password systems.

BH,

I agree with you, your password seems very strong. Adding a dash (or other things) should be done to make it even stronger.

(1) I suggest you devise a strong password such as that. Then get LastPass (www.lastpass.com) or Keepass (http://www.keepass.info). Keepass is FLOSS (i.e., free) and LastPass has a free version that will do what you need (plus more).
I use LastPass myself, however KeePass is equally good (as in protection).

LastPass is easier to use if you want to use it to login to sites.  If you don't want to do that, then KeePass would be good.

You will need to keep a backup of KeePass somewhere (in case your computer crashes).
You will not have to do that with LastPass (An encrypted copy will be stored on a LastPass server).
LastPass does not have a copy of your LastPass key.

In both cases, if you forget your password then you are done.

!!Warning!! You could reset your password with LastPass, however I suggest you turn that option off.
If you decide on LastPass, then post again and I will instruct you how to turn that option off.

(2) Then use your password (the one you devised earlier) as your main password for Lastpass or KeePass. Then within LastPass or KeePass, you could store your other passwords.

Here is an example of what one of those stored passwords could look like: 2v&u&@wutxazC3%s&C@vhq^tykqa%WN8YAc!nh69JT6pTc2bSyqzgd$4GnKaaFK2cG4T3@vaHFWT3J*6QP4s*pTVcu*CaKtaf8uj

I used LastPass's Password Generator to come up with that. KeePass also has a Password Generator.

I also advise you to check out: https://www.grc.com/haystack.htm to get an idea of how long it could take to bruteforce your password.
Assuming you use Raiders5355RedburgEunice : 33.64 million trillion centuries

Please read the whole page, it will open up your eyes. From that site:
"...The #1 most commonly used password is “123456”, and the 4th most common is “Password.” So any password attacker and cracker would try those two passwords immediately. Yet the Search Space Calculator above shows the time to search for those two passwords online (assuming a very fast online rate of 1,000 guesses per second) as 18.52 minutes and 17.33 centuries respectively! If “123456” is the first password that's guessed, that wouldn't take 18.52 minutes. And no password cracker would wait 17.33 centuries before checking to see whether “Password” is the magic phrase..."

The generated password I provided could take: 1.90 million trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries

Do no evil,

:) 12KYva8D2GT3C1wSD8wvgkFkP5TnBp3LPC :)
iBTC
June 18, 2011, 06:28:57 AM
 #10

Quote
Can anyone find any holes in my technique of using password hints?

HSMascot+My First Bank PIN+Tommy's Hometown+Lana's Mom's First Name
^^ If a person knows you well enough, then yes, that's a risk.

So yeah in some sense d@a2$sF2W9 can be more secure than Raiders5355RedburgEunice with that hint.

I wouldn't mind if you sent me some BTC.
1UeuQxKG3dYgmT6FsbXrFJgdfFmwkczgM
theymos
Administrator
June 18, 2011, 06:42:03 AM
 #11

Quote
Hint: HSMascot+My First Bank PIN+Tommy's Hometown+Lana's Mom's First Name

It would probably take less than a day to gather all of that information. The only "hard" part is the PIN, but four numbers can be brute-forced in no time.

Good passwords aren't hard to remember if you type them often enough.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
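The arithmetic behind the two kinds of number in this thread, as an added example (not code from the forum, from GRC, or from any poster): the haystack-style exhaustive search space that BitCoinBarter's "33.64 million trillion centuries" comes from, and theymos's point that a hint turns each part of the password into a small candidate set. The character classes, the guess rates, the seconds-per-century constant and the candidate-set sizes are all assumptions; the exact GRC figures depend on constants that calculator does not publish, so the results here agree to a couple of percent rather than to the digit.

```python
"""Search-space estimates for passwords: blind exhaustive search versus
the space an informed attacker faces when a hint names every part."""
import math
import string

# Character classes. The 33-symbol set (punctuation plus space) is assumed.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}
# Guesses per second: the 1,000/s "online" rate quoted from the GRC page,
# and an assumed 100 trillion/s for a large offline cracking array.
RATES = {"online": 1e3, "array": 1e14}
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Sum of the sizes of every character class the password uses."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Number of strings of length 1..L over that alphabet:
    a^1 + a^2 + ... + a^L (exhaustive search, no dictionary, no hints)."""
    a = alphabet_size(password)
    return sum(a ** i for i in range(1, len(password) + 1))


def centuries_to_exhaust(space: int, rate: float) -> float:
    """Time to try the whole space at `rate` guesses per second."""
    return space / rate / SECONDS_PER_CENTURY


def hinted_guesses(component_sizes: dict) -> int:
    """Worst case for a password whose hint names each part: an attacker
    who can enumerate every part's candidates needs at most the product
    of the set sizes, regardless of how long the password is."""
    return math.prod(component_sizes.values())


def compare(password: str, component_sizes: dict,
            rate: float = RATES["array"]) -> dict:
    """Blind search space versus hinted search space at one guess rate."""
    blind = search_space(password)
    hinted = hinted_guesses(component_sizes)
    return {
        "alphabet": alphabet_size(password),
        "blind_guesses": blind,
        "blind_seconds": blind / rate,
        "hinted_guesses": hinted,
        "hinted_seconds": hinted / rate,
    }


if __name__ == "__main__":
    # Constructed candidate-set sizes for the thread's four-part hint:
    # school mascot, 4-digit PIN, hometown, first name.
    parts = {"HS mascot": 200, "bank PIN": 10_000,
             "hometown": 5_000, "first name": 1_000}
    r = compare("Raiders5355RedburgEunice", parts)
    print(f"blind:  {r['blind_guesses']:.3e} guesses, "
          f"{centuries_to_exhaust(r['blind_guesses'], RATES['array']):.3e} centuries")
    print(f"hinted: {r['hinted_guesses']:.3e} guesses, {r['hinted_seconds']:.2f} s")
```

Two things fall out of running it. The blind figure for Raiders5355RedburgEunice lands at roughly 3.35e19 centuries, the same order as the quoted 33.64 million trillion; and with a hint naming the four parts, the constructed candidate sets multiply to 1e13 guesses, which the same array exhausts in about a tenth of a second. The search-space number measures only the cost of a blind search, which is exactly the caveat the quoted GRC passage makes about "123456" and "Password".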
Bunghole
June 18, 2011, 01:44:40 PM
 #12

Quote
It would probably take less than a day to gather all of that information.

Possibly, but remember that I use a different group of passwords and hints for each different site and/or wallet; although, there is some overlap.  It just doesn't seem realistic that someone would do all of that meatspace investigation just to get at one or two 50-bitcoin wallets.

If you're just an average person, aren't 99% of the threats in cyberspace where the hacker's effort is cheap, as opposed to meatspace, which involves social engineering and is relatively expensive, considering the low payoff?
AntiVigilante
June 18, 2011, 01:51:03 PM
 #13

I have an awful memory.

I walk the keyboard in a particular shape and that's the password.

Proposal: http://forum.bitcoin.org/index.php?topic=11541.msg162881#msg162881
Inception: https://github.com/bitcoin/bitcoin/issues/296
Goal: http://forum.bitcoin.org/index.php?topic=12536.0
Means: Code, donations, and brutal criticism. I've got a thick skin. 1Gc3xCHAzwvTDnyMW3evBBr5qNRDN3DRpq