Bitcoin Forum
Author Topic: Using Password Hints  (Read 2923 times)
Bunghole (OP) | Member | Activity: 64 | Merit: 10
June 17, 2011, 07:17:18 PM #1

I don't see much discussion about using password hints, to ensure that you never forget your password.

With every encrypted wallet file, I include an unencrypted plaintext password hint.  I use hints that I would never forget, like the nickname of a childhood friend.  Yes, there will be a few people who would know the answer to one hint, but if you use hints from many areas and times of your life, then no one person would be able to answer all of them.  And probably none of those people are hackers anyway.

Here's an example:
- Password: Raiders5355RedburgEunice
- Hint: HSMascot+My First Bank PIN+Tommy's Hometown+Lana's Mom's First Name

If Tommy and Lana are from different walks of life (e.g. one is a childhood friend and one is a college girlfriend), that helps increase the security.

Yes, there is a tiny risk involved, but it seems that that risk is lower than the risk of forgetting your passwords or creating simple passwords that are easy to remember and thus also easy to hack.

Any comments?
Auspician | Full Member | Activity: 126 | Merit: 103
June 17, 2011, 07:21:01 PM #2

That's somewhat effective, but I prefer this method:

Pick a phrase that you are very familiar with (either the line from a joke, movie, or book).  Make the password the first letters of every word in that phrase, and include punctuation and capitalization when appropriate.  For added security, change certain letters into numbers, for example e's into 3's.  This makes a nigh-unhackable password (assuming the phrase is long enough) that is relatively easy to remember.
Bunghole (OP) | Member | Activity: 64 | Merit: 10
June 17, 2011, 07:38:49 PM #3

Can anyone find any holes in my technique of using password hints?
dontListen2me | Newbie | Activity: 14 | Merit: 0
June 17, 2011, 07:40:30 PM #4

I use randomly generated keys.

KeePass seems pretty solid.
Auspician | Full Member | Activity: 126 | Merit: 103
June 17, 2011, 07:47:31 PM #5

@Bunghole: Yes.  A brute-force attacker could with some difficulty break your password because it contains dictionary words, proper names and numbers.  You're much better off scattering your numbers, special characters and capitals throughout the password, and finding a convenient trick to remember it.
Bunghole (OP) | Member | Activity: 64 | Merit: 10
June 17, 2011, 07:59:29 PM #6

Does a brute-force dictionary attack have any realistic chance of breaking a 24-character password like Raiders5355RedburgEunice, when the payoff is relatively small (e.g. my modest bank account or one of my modest bitcoin wallets)?

I do agree that adding in some special characters would help - maybe from now on I put a dash between each word, e.g. Raiders-5355-Redburg-Eunice.  A dash seems to be allowable by most password systems.
maykelmoya | Newbie | Activity: 13 | Merit: 0
June 17, 2011, 08:02:01 PM #7

Some hints and metrics in http://www.baekdal.com/tips/password-security-usability.
willphase | Hero Member | Activity: 767 | Merit: 500
June 17, 2011, 08:22:04 PM #8

I use passwordchart.com for all my passwords to make them all unique and I can access the site from anywhere even when offline if needed. Really glad I found it.

Will

BitCoinBarter | Newbie | Activity: 56 | Merit: 0
June 18, 2011, 06:00:04 AM #9

Quote from: Bunghole
Does a brute-force dictionary attack have any realistic chance of breaking a 24-character password like Raiders5355RedburgEunice, when the payoff is relatively small (e.g. my modest bank account or one of my modest bitcoin wallets)?

I do agree that adding in some special characters would help - maybe from now on I put a dash between each word, e.g. Raiders-5355-Redburg-Eunice.  A dash seems to be allowable by most password systems.

BH,

I agree with you, your password seems very strong. Adding a dash (or other things) should be done to make it even stronger.

(1) I suggest you devise a strong password such as that. Then get LastPass (www.lastpass.com) or KeePass (http://www.keepass.info). KeePass is FLOSS (i.e., free) and LastPass has a free version that will do what you need (plus more).
I use LastPass myself, however KeePass is equally good (as in protection).

LastPass is easier to use if you want to use it to log in to sites.  If you don't want to do that, then KeePass would be good.

You will need to keep a backup of KeePass somewhere (in case your computer crashes).
You will not have to do that with LastPass (an encrypted copy will be stored on a LastPass server).
LastPass does not have a copy of your LastPass key.

In both cases, if you forget your password then you are done.

!!Warning!! You could reset your password with LastPass, however I suggest you turn that option off.
If you decide on LastPass, then post again and I will instruct you how to turn that option off.

(2) Then use your password (the one you devised earlier) as your main password for LastPass or KeePass. Then within LastPass or KeePass, you could store your other passwords.

Here is an example of what one of those stored passwords could look like: 2v&u&@wutxazC3%s&C@vhq^tykqa%WN8YAc!nh69JT6pTc2bSyqzgd$4GnKaaFK2cG4T3@vaHFWT3J*6QP4s*pTVcu*CaKtaf8uj

I used LastPass's Password Generator to come up with that. KeePass also has a Password Generator.

I also advise you to check out: https://www.grc.com/haystack.htm to get an idea of how long it could take to brute-force your password.
Assuming you use Raiders5355RedburgEunice: 33.64 million trillion centuries

Please read the whole page, it will open up your eyes. From that site:
"...The #1 most commonly used password is “123456”, and the 4th most common is “Password.” So any password attacker and cracker would try those two passwords immediately. Yet the Search Space Calculator above shows the time to search for those two passwords online (assuming a very fast online rate of 1,000 guesses per second) as 18.52 minutes and 17.33 centuries respectively! If “123456” is the first password that's guessed, that wouldn't take 18.52 minutes. And no password cracker would wait 17.33 centuries before checking to see whether “Password” is the magic phrase..."

The generated password I provided could take: 1.90 million trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries
iBTC | Newbie | Activity: 39 | Merit: 0
June 18, 2011, 06:28:57 AM #10

Quote from: Bunghole
Can anyone find any holes in my technique of using password hints?

HSMascot+My First Bank PIN+Tommy's Hometown+Lana's Mom's First Name
^^ if a person knows you well enough then yes, that's a risk.

So yeah in some sense d@a2$sF2W9 can be more secure than Raiders5355RedburgEunice with that hint.
theymos | Administrator | Legendary | Activity: 5152 | Merit: 12580
June 18, 2011, 06:42:03 AM #11

Quote from: Bunghole
Hint: HSMascot+My First Bank PIN+Tommy's Hometown+Lana's Mom's First Name

It would probably take less than a day to gather all of that information. The only "hard" part is the PIN, but four numbers can be brute-forced in no time.

Good passwords aren't hard to remember if you type them often enough.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
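The search-space arithmetic behind the GRC haystack figure quoted in reply #9 and theymos's point that the hint collapses to a four-digit PIN, worked as an added example (not code from the forum, GRC or any password manager). The candidate counts for the hint parts are constructed assumptions: an informed attacker already knows the three names, a casual one works from short lists.

```python
import math
import string

# Character classes as the GRC haystack calculator counts them: the alphabet
# size is the sum of the classes that actually appear in the password.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def haystack_space(password: str) -> int:
    """Number of strings over the same alphabet up to this length: what an
    attacker with no hint must search to be sure of exhausting the space."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def hinted_space(candidates_per_part: list) -> int:
    """Guesses needed when the attacker answers each hint part from a list of
    candidates: a part already known contributes 1, a 4-digit PIN 10**4."""
    return math.prod(candidates_per_part)


def centuries(space: int, guesses_per_second: float) -> float:
    return space / guesses_per_second / SECONDS_PER_CENTURY


def bits(space: int) -> float:
    return math.log2(space)


if __name__ == "__main__":
    pw = "Raiders5355RedburgEunice"   # the password from the opening post
    full = haystack_space(pw)
    print(f"no hint: alphabet {alphabet_size(pw)}, {bits(full):.1f} bits, "
          f"{centuries(full, 1e14):.3g} centuries at 1e14 guesses/s")
    # Hint: HSMascot + My First Bank PIN + Tommy's Hometown + Lana's Mom's First Name
    # Candidate counts below are constructed assumptions for two attacker profiles.
    informed = hinted_space([1, 10**4, 1, 1])      # names found, only PIN unknown
    casual = hinted_space([10, 10**4, 100, 50])    # shortlist for each name
    for label, space in (("informed", informed), ("casual", casual)):
        print(f"with hint ({label}): {bits(space):.1f} bits, "
              f"{space / 1000:.3g} s at 1,000 online guesses/s")
```

The contrast is the whole point of the thread: the hint-free haystack is astronomically large, while the hinted space is 10^4 to 5x10^8 guesses, which is seconds to days even at a throttled online rate.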
Bunghole (OP) | Member | Activity: 64 | Merit: 10
June 18, 2011, 01:44:40 PM #12

Quote from: theymos
It would probably take less than a day to gather all of that information.

Possibly, but remember that I use a different group of passwords and hints for each different site and/or wallet, although there is some overlap.  It just doesn't seem realistic that someone would do all of that meatspace investigation just to get at one or two 50-bitcoin wallets.

If you're just an average person, aren't 99% of the threats in cyberspace where the hacker's effort is cheap, as opposed to meatspace, which involves social engineering and is relatively expensive, considering the low payoff?
AntiVigilante | Member | Activity: 98 | Merit: 10
June 18, 2011, 01:51:03 PM #13

I have an awful memory.

I walk the keyboard in a particular shape and that's the password.

Proposal: http://forum.bitcoin.org/index.php?topic=11541.msg162881#msg162881
Inception: https://github.com/bitcoin/bitcoin/issues/296
Goal: http://forum.bitcoin.org/index.php?topic=12536.0
Means: Code, donations, and brutal criticism. I've got a thick skin. 1Gc3xCHAzwvTDnyMW3evBBr5qNRDN3DRpq