a63ntsm1th (OP)
Member
Offline
Activity: 95
Merit: 11
July 24, 2011, 02:37:07 AM
While setting up some bitcoin security measures and opening up some trading accounts I was having trouble thinking up passwords. After googling for a few minutes I realized that there is no way you can trust a piece of software or a website to generate a password for you. I was then reminded of diceware, the most secure password generation program in existence. (hint: it's not a computer program) http://world.std.com/~reinhold/diceware.html
I have used this before to generate passphrases that are totally immune to any subconscious thought patterns I may have. This is like superspy type level of security stuff (I like to pretend I'm Jason Bourne) so it's kinda fun too!
edit: I realize this is a bit dated (not unlike myself) so any improved methods would be appreciated!
just my .02 btc
error
July 24, 2011, 02:44:20 AM
I usually generate passwords with something like: dd bs=32 count=1 if=/dev/random | base64 This isn't for everyone, of course, but it's going to be quite a while before anyone breaks one of those.
3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
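The two approaches in the posts above (physical Diceware rolls, and 32 bytes from /dev/random piped through base64) can both be expressed as working code, with the entropy accounting that decides how many words or bytes are enough. The following is an added example written for this thread, not code from the Diceware page or from either poster. It assumes the standard Diceware list layout of one `<five dice digits><tab><word>` entry per line; the five-line `SAMPLE_LIST_TEXT` and the placeholder words in `demo_wordlist()` are constructed stand-ins, not the real list, and `secrets` stands in for physical dice.

```python
import base64
import math
import secrets

# A Diceware list maps a five-digit key of dice values (11111..66666) to one
# word; a complete list therefore has exactly 6**5 = 7776 entries.
DICE_FACES = 6
DICE_PER_WORD = 5
LIST_SIZE = DICE_FACES ** DICE_PER_WORD  # 7776

# Constructed sample in the list's line format ("<key><tab><word>"); these
# five lines are illustrative, not copied from the real list.
SAMPLE_LIST_TEXT = """11111\tabacus
11112\tabbey
11113\tabbot
66665\tzoom
66666\tzulu"""


def parse_wordlist(text):
    """Parse Diceware-format lines into {key: word}, rejecting malformed keys."""
    words = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, word = line.split(None, 1)
        if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
            raise ValueError(f"bad dice key: {key!r}")
        words[key] = word.strip()
    return words


def key_to_index(key):
    """'11111' -> 0, '66666' -> 7775: the key is a base-6 number with digits 1..6."""
    index = 0
    for c in key:
        index = index * DICE_FACES + (int(c) - 1)
    return index


def index_to_key(index):
    """Inverse of key_to_index."""
    digits = []
    for _ in range(DICE_PER_WORD):
        digits.append(str(index % DICE_FACES + 1))
        index //= DICE_FACES
    return "".join(reversed(digits))


def roll_key():
    """Five fair dice rolled with the OS CSPRNG, standing in for physical dice."""
    return "".join(str(secrets.randbelow(DICE_FACES) + 1) for _ in range(DICE_PER_WORD))


def diceware_passphrase(words, num_words=6):
    """Pick num_words words by independent dice rolls; requires a complete list."""
    if len(words) != LIST_SIZE:
        raise ValueError("word list must have all 7776 keys, or rolls can miss")
    return " ".join(words[roll_key()] for _ in range(num_words))


def diceware_entropy_bits(num_words):
    """Each uniformly chosen word contributes log2(7776) ~= 12.92 bits."""
    return num_words * math.log2(LIST_SIZE)


def random_bytes_password(num_bytes=32):
    """Same construction as `dd bs=32 count=1 if=/dev/random | base64`."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def random_bytes_entropy_bits(num_bytes):
    return 8 * num_bytes  # 32 bytes -> 256 bits, whatever the base64 length is


def demo_wordlist():
    """Stand-in for a real list: every key present, placeholder words (constructed)."""
    return {index_to_key(i): f"word{i}" for i in range(LIST_SIZE)}


if __name__ == "__main__":
    print(diceware_passphrase(demo_wordlist()), f"~{diceware_entropy_bits(6):.1f} bits")
    print(random_bytes_password(), f"{random_bytes_entropy_bits(32)} bits")
```

Six Diceware words give about 77.5 bits and stay memorable; the 44-character base64 string gives 256 bits but is only practical inside a password manager. The completeness check in `diceware_passphrase` matters: with a partial list a roll can land on a missing key, and silently substituting a word would skew the distribution.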
Phinnaeus Gage
Legendary
Offline
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
July 24, 2011, 02:52:04 AM
How about colored dice and a color-coded periodic table?
Bitcoin: Where Liberty Blossoms
a63ntsm1th (OP)
Member
Offline
Activity: 95
Merit: 11
July 24, 2011, 02:56:12 AM
It's not particularly special beyond the fact that it totally disconnects you from computer technology in the generation of the passphrase, which is kinda cool to me. The other ideas here are interesting as well!
just my .02 btc
Smalleyster
Member
Offline
Activity: 84
Merit: 10
I yam what I yam. - Popeye
July 24, 2011, 02:57:48 AM
> How about colored dice and a color-coded periodic table? Bitcoin: Where Liberty Blossoms
OOOOOHHHHH Pretty colors! Oops musta been a flashback. (felt like '69 8^)
Smalleyster
Member
Offline
Activity: 84
Merit: 10
I yam what I yam. - Popeye
July 24, 2011, 03:01:25 AM
> It's not particularly special beyond the fact that it totally disconnects you from computer technology in the generation of the passphrase, which is kinda cool to me. The other ideas here are interesting as well!
I looked at that page and then the colors...made me put down my drink and hold the armrests. You guys work too hard. 8^)
Vod
Legendary
Offline
Activity: 3836
Merit: 3123
Licking my boob since 1970
July 24, 2011, 03:02:10 AM
> While setting up some bitcoin security measures and opening up some trading accounts I was having trouble thinking up passwords. After googling for a few minutes I realized that there is no way you can trust a piece of software or a website to generate a password for you.
http://www.lastpass.com
https://nastyscam.com - featuring 13 years of OGNasty bitcoin scams https://vod.fan - fast/free image sharing - cleaning it up! (240905) Will Theymos finish his $100,000,000 forum before this one shuts down?
Phinnaeus Gage
Legendary
Offline
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
July 24, 2011, 03:07:44 AM
> > It's not particularly special beyond the fact that it totally disconnects you from computer technology in the generation of the passphrase, which is kinda cool to me. The other ideas here are interesting as well!
> I looked at that page and then the colors...made me put down my drink and hold the armrests. You guys work too hard. 8^)
Here's something that'll calm you down.
Bitcoin: Where Liberty Blossoms
nux
Newbie
Offline
Activity: 24
Merit: 0
July 24, 2011, 04:20:23 AM
I use a tool called pwqgen:
nux@stone:~$ pwqgen random=81
Under8Aroma-levy7boyish3Tutor
brass5cork!Trim=Warmth=Cycle
Rudder+colon$Dense2radio$Guilty
Tariff2Maybe7Bark7ribbon2wipe
Warp9noun_Dove-Tweed*Gang
You can even get somewhat readable/memorizable passwords if you want:
nux@stone:~$ pwqgen
Nicely+French&Viola
phillipsjk
Legendary
Offline
Activity: 1008
Merit: 1001
Let the chips fall where they may.
July 24, 2011, 05:31:26 PM
My favorite online password generation site is GRC's Ultra High Security Password Generator. Of course, you would have to trust them not to record every passphrase ever generated.
I also like converting a web page that changes from time to time to text, then taking the MD5 hash. However, given that I am using public information, I have this nagging feeling that the entropy may no longer "count" as being over 128 bits. I have the feeling everything that has ever been published probably adds up to less than 64 bits of entropy.
I have a local file that changes from time to time. If it has enough entropy built up, I will use that instead.
Example: MD5 hash of the msn frontpage converted to text: 01ac3a67614d6a37ac1fc3731d4fd8d1.
Edit: entropy pool of the file that changes over time: 0; since I overwrote it with the text version of MSN.com and published the hash. New msn.com hash at the time of this writing: 2c822728666881b433ba27caccbc3c6d.
James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE 0A2F B3DE 81FF 7B9D 5160
ctoon6
July 24, 2011, 06:04:45 PM
solutions:
hardware RNG
take pictures of lava lamps, traffic or other stuff and hash it out.
Geiger counter, radiation is truly random.
microphone next to a fan
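"Hash it out" is the right instinct, but the hash only smooths entropy that is already in the readings; it cannot manufacture any, which is also the point phillipsjk makes above about hashing a public web page. The added example below (written for this thread, not from either poster) shows the defensive step a practitioner adds between the sensor and the hash: estimate the min-entropy of the raw readings and refuse to produce a key until enough has been collected. `SAMPLE_READINGS` is a constructed, deliberately biased sequence standing in for real microphone or camera noise, and the estimator is the simple most-common-value point estimate (the spirit of NIST SP 800-90B, without its confidence bound); both are assumptions of the example.

```python
import hashlib
import math
from collections import Counter

# Constructed readings from a biased 2-bit "sensor" (think the low bits of a
# microphone or camera sample): symbol 0 appears half the time. Not real data.
SAMPLE_READINGS = [0] * 50 + [1] * 25 + [2] * 25


def min_entropy_per_sample(samples):
    """Most-common-value estimate -log2(p_max), the simplified point estimate
    used in NIST SP 800-90B (the standard additionally applies a confidence
    bound). A constant source scores 0 bits, a fair 2-bit source 2 bits."""
    if not samples:
        raise ValueError("no samples")
    p_max = max(Counter(samples).values()) / len(samples)
    return -math.log2(p_max)


def total_min_entropy_bits(samples):
    """Guess-resistant bits the readings can supply, assuming they are independent."""
    return len(samples) * min_entropy_per_sample(samples)


def condition(samples, needed_bits=256):
    """Hash raw readings into a 256-bit key, but only once enough min-entropy
    has been collected: SHA-256 never adds entropy, it only spreads what is there.
    Readings must be 0..255 so they can be serialised as bytes."""
    have = total_min_entropy_bits(samples)
    if have < needed_bits:
        raise ValueError(f"only {have:.1f} bits of min-entropy collected; need {needed_bits}")
    return hashlib.sha256(bytes(samples)).hexdigest()


if __name__ == "__main__":
    print(min_entropy_per_sample(SAMPLE_READINGS), "bits per reading")
    # 100 readings at 1 bit each is not enough for a 256-bit key ...
    try:
        condition(SAMPLE_READINGS)
    except ValueError as err:
        print("refused:", err)
    # ... 300 readings at the same bias are.
    print(condition([0] * 150 + [1] * 75 + [2] * 75))
```

The same check explains the "0 bits" edit in phillipsjk's post: once the input is published, p_max is 1 for anyone who knows where to look, so the estimate is 0 regardless of how many hash bits come out.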
nafai
Member
Offline
Activity: 112
Merit: 10
July 24, 2011, 06:52:22 PM
Most password managers have a built-in password generator. You are using a password manager aren't you? No? Then I assume you either use the same password at more than one website/service, or your passwords are too simple. I have yet to find someone who uses a unique, strong password for their email, facebook, twitter, all their forum accounts (like this one), online banking, paypal, dropbox, domain registrar, dns service, hosting account, amazon, newegg, cell phone provider, credit card accounts, computer administrator account, daily deals sites like groupon, car insurance, student loans, financial analysis like mint, turbotax, gaming accounts like world of warcraft or rift or runescape or w/e, bookmarking/networking sites like delicious, ebay, flickr, github, not to mention their bitcoin wallet, mtgox/tradehill, namecoin wallet, pool accounts like slush/deepbit/btcguild, etc etc ad nauseam... WITHOUT using a password manager. Never happened to my knowledge. Human memory is limited, no way that most of us can remember 50+ unique, strong passwords.
And I'm sorry, but if your password for gmail is hfeu91hr_gmail and for facebook it's hfeu91hr_facebook and for newegg it's hfeu91hr_newegg, or some other pattern that is easily discerned, those passwords may be unique but they are not strong, because if someone hacks one account and sees your password it's not too hard to guess the password for your other accounts. No, using "_fb" and "_ne" doesn't help, a smart person can still figure out your scheme. No, using 3 different "strong" password prefixes instead of 1 doesn't help; then not all of your accounts are vulnerable, only 1/3 of them are, but it's still overlapping passwords, i.e. not "strong and unique", just cuz you add a suffix or prefix doesn't make it truly unique.
I recommend KeePass by the way. All of my passwords are 20-character alphanumeric w/punctuation (pseudo-randomly generated of course, no RNG is truly random) and completely unique. When the mtgox database was leaked, I was absolutely certain that all I had to be concerned about was getting my mtgox account back and changing its password, none of my other 100+ accounts were in any way vulnerable because every password I use is both strong AND completely unique.
And I don't have to remember them, or even type them in, because like most password managers my keepass lets me hit a hotkey (ctrl-alt-A actually) and it types my login info for me on any of my 100+ accounts.
1HQiS9PLHPcoQMgN8ZdcGwhoMHWh2Hp37p
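The post makes two checkable claims: a prefix-plus-site-name scheme is not unique in any useful sense, and independently generated 20-character passwords are. The added example below (written for this thread, not KeePass code or the poster's own) turns the first into an audit you can run over an exported vault, flagging any pair of passwords that share a long common prefix or suffix, and pairs it with a generator of the kind a password manager uses so the audit can be shown passing. `WEAK_VAULT` is a constructed dict using the pattern from the post, `find_related` and its 6-character threshold are this example's own names and choice, and the 94-symbol alphabet is an assumption matching "alphanumeric w/punctuation".

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length=20, alphabet=ALPHABET):
    """Manager-style password: every character drawn independently from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """20 chars over 94 symbols ~= 131 bits, well beyond offline guessing budgets."""
    return length * math.log2(alphabet_size)


def common_prefix_len(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def common_suffix_len(a, b):
    return common_prefix_len(a[::-1], b[::-1])


def find_related(vault, min_shared=6):
    """Audit a {account: password} vault for the prefix/suffix scheme the post
    warns about: return (account_a, account_b, shared_chars) for every pair whose
    passwords share at least min_shared leading or trailing characters."""
    names = sorted(vault)
    related = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            pa, pb = vault[a], vault[b]
            shared = max(common_prefix_len(pa, pb), common_suffix_len(pa, pb))
            if shared >= min_shared:
                related.append((a, b, shared))
    return related


# Constructed vault following the pattern from the post; "bank" is unrelated.
WEAK_VAULT = {
    "gmail": "hfeu91hr_gmail",
    "facebook": "hfeu91hr_facebook",
    "newegg": "hfeu91hr_newegg",
    "bank": "Zq7!pL0x$kT2",
}


def strong_vault(accounts, length=20):
    """Replacement vault: one independently generated password per account."""
    return {name: generate_password(length) for name in accounts}


if __name__ == "__main__":
    for a, b, n in find_related(WEAK_VAULT):
        print(f"{a} and {b} share {n} leading/trailing characters")
    print("related pairs after regeneration:", find_related(strong_vault(WEAK_VAULT)))
    print(f"{password_entropy_bits(20):.1f} bits per generated password")
```

The audit is deliberately crude (it ignores shared middles and simple substitutions), so a clean result is necessary rather than sufficient; a flagged pair is always worth rotating. For two independently generated 20-character passwords the chance of a 6-character shared prefix is about 94^-6, so the regenerated vault is expected to come back empty.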
error
July 24, 2011, 07:52:58 PM
> Most password managers have a built-in password generator. You are using a password manager aren't you? No? Then I assume you either use the same password at more than one website/service, or your passwords are too simple. I have yet to find someone who uses a unique, strong password for their email, facebook, twitter, all their forum accounts (like this one), online banking, paypal, dropbox, domain registrar, dns service, hosting account, amazon, newegg, cell phone provider, credit card accounts, computer administrator account, daily deals sites like groupon, car insurance, student loans, financial analysis like mint, turbotax, gaming accounts like world of warcraft or rift or runescape or w/e, bookmarking/networking sites like delicious, ebay, flickr, github, not to mention their bitcoin wallet, mtgox/tradehill, namecoin wallet, pool accounts like slush/deepbit/btcguild, etc etc ad nauseam... WITHOUT using a password manager. Never happened to my knowledge. Human memory is limited, no way that most of us can remember 50+ unique, strong passwords.
> And I'm sorry, but if your password for gmail is hfeu91hr_gmail and for facebook it's hfeu91hr_facebook and for newegg it's hfeu91hr_newegg, or some other pattern that is easily discerned, those passwords may be unique but they are not strong, because if someone hacks one account and sees your password it's not too hard to guess the password for your other accounts. No, using "_fb" and "_ne" doesn't help, a smart person can still figure out your scheme. No, using 3 different "strong" password prefixes instead of 1 doesn't help; then not all of your accounts are vulnerable, only 1/3 of them are, but it's still overlapping passwords, i.e. not "strong and unique", just cuz you add a suffix or prefix doesn't make it truly unique.
> I recommend KeePass by the way. All of my passwords are 20-character alphanumeric w/punctuation (pseudo-randomly generated of course, no RNG is truly random) and completely unique. When the mtgox database was leaked, I was absolutely certain that all I had to be concerned about was getting my mtgox account back and changing its password, none of my other 100+ accounts were in any way vulnerable because every password I use is both strong AND completely unique.
> And I don't have to remember them, or even type them in, because like most password managers my keepass lets me hit a hotkey (ctrl-alt-A actually) and it types my login info for me on any of my 100+ accounts.
Hi!!! Chrome + KWallet.
3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
grantbdev
July 24, 2011, 08:23:11 PM
Yeah, Keepass is my choice because it's FOSS and cross platform. You can tell the program how long you want the password, what you want it to include, etc., and it will generate the password among your other stored passwords in an encrypted safe that stays on your computer.
Don't use BIPS!