Disappointed to read this news. Might have to rethink my choice of opting for 1Password over KeePass.
I caught this link in a thread here a long time ago and bookmarked it. This is actually where they go into the "zxcvbn" algorithm that the OP article mentions. It's definitely one of the better writeups I've seen on this topic: http://tech.dropbox.com/?p=165 And just in case you miss the link in the article, here's the demo to test your own passwords: https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html
password: WhtttbsetamacettaebtCwcuRtataLLatpoH entropy: 130.064 crack time (seconds): 7.113331373418745e+34 crack time (display): centuries score from 0 to 4: 4 calculation time (ms): 2 But then, this tool isn't smart enough to know all published text, or even the US Declaration of Independence
Keepass' behavior is normal, because as far as I know they compute the actual entropy (using the definition). They do not try to measure how easy or hard it is to actually crack a password.
And worse, password crackers can be fed all the personal information on your drive as seed data if a weak client's been compromised.
Well, I'm hosed anyway if that's accessible via FDE OPSEC failure Also, "WhtttbsetamacettaebtCwcuRtataLLatpoH" is just one of the words in my scheme, not the whole password.
Well this is really interesting. We have two threads going covering the same topic. I'm really impressed with the system and math 142395 uses. I use math too but it is far simpler. It is obscure math but not too difficult to do mental calculations in. About the same as adding up a grocery bill. Long obscure phrases from obscure literature in obscure languages can make a good password by themselves but they would be much better used as keys in a cryptographic system so the resulting password would be a randomized hash with extreme entropy that could be easily reconstructed if the key, seed and algorithm were known. I have a lot of passwords and some are much better than others but none to the point of Mirimir's example. Reading all of this makes me realize I could do much better without too much work.
Just so it doesn't get lost, the point of my example is that I don't need to remember the string, just that it's constructed from the second sentence of the US Declaration of Independence, and how (preserving case, but not punctuation or spaces). If used frequently, I'll remember it, and will learn to type it very quickly. But it's not problematic if I forget.
Another approach I use is for throwaway accounts on sites that that I want to access but I want to remain completely anonymous on and don't care if the account credentials are lost. I always use a VPN for such sites and first create a user name based on a disposable email account's random letters. Then I just bang keys randomly to create a password. Both user name and password have lots of entropy but they are used on accounts that don't need it in any way. No need to remember anything because these are not accounts I intend to maintain long. Sometimes just one browser session, sometimes a few days or weeks. I use a browser's built in password manager for longer stays which is something I would never do for any accounts that were important to me.
As for keeping passwords I normally use NoteCipher from the Guardian Project. It seems pretty safe but I may be wrong. https://github.com/guardianproject/notecipher OT. : I have been lurking this place from my job for 3months now but now their IT dept. deems this site as "Suspucious". So freaking mad right now..
Although I'm a mathematics guy, exactly speaking I don't use math for my password, it's rather word game. But some ppl may use math for their password (don't know actual case tho), or I know a person who hash his password (is it math...maybe not).
With a little bit of math, you can note down a short number and do a few processes on it and have a much longer number. When you enter the password, you use the full number, when you write it down, you use the short one. That way you can keep a written copy that isn't the actual password. Just one example. I use language and linguistics more than math for passwords too but both can be combined. The same sort of transformations can be applied to words using grammatical rules. Grammatical and mathematical processes can be combined. Here's a real world example. I file an annual report online for a small organization with an agency of the federal government. This year, when I filed, I was greeted with a message that the agency's database had been compromised and a new password was required. I came up with long secure password but it was rejected because passwords were limited to 14 characters. I did the best I could but I couldn't do the sort of password I normally do for such a site. No wonder they were hacked.
The combinations of strings that I use as passwords, or rather the underlying words, are in fact incantations. Each one helps to put me in the mindspace for the persona at hand. It's also a mnemonic device.
Of course, what we are doing when attempting to accommodate the deficiencies of website passwords, having to remember strong ones at all, is making up for their terribly weak security and lack of TFA. There is no reason at all we should be wasting remembered strong passwords when we are using a machine to authenticate to another machine. To the extent you can trust the client (not much), you should be able to trust it to manage some TFA with the destination. But the reality is that commercial sites get away with terribly weak security.
Thanks for valuable example and suggestion. That's feasible! I may consider employ some math in my next scheme, but probably I won't use text note. I can relate to it, but in my case incantation is user name and/or email address.
Put a punctuation symbol somewhere in that and a number and you increase the strength exponentially. Or alternatively, a much shorter password with just a single number and punctuation symbol in it would be equally as strong and much easier to type in.
I could include punctuation, but that makes the method more obvious. I don't substitute any characters, because then I'd need to remember that.
The dice ware scheme sounds good but in practice it falls down a lot of the time because there is no standard for password length or what chars it may contain. The result is password chaos where some sites/apps have a 16 char limit, some have even have an 8 char limit. Some insist you use at least one number some insist at least one number and one symbol. This really makes it difficult to come up with a universal password scheme that will work everywhere.
I was thinking of LUKS passphrases. Doh For accounts, I generate random strings with ... Code: tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1 .. or ... Code: tr -cd '[:print:]' < /dev/urandom | fold -w30 | head -n1 ... adjusting length as needed. And I use KeePass for storing them.
The diceware scheme uses all lower-case characters, no special characters, which is a big advantage when it comes to keyboard variants/cultures. There are quite reasonable discussions for entropy and the number of words that should be used, for example, for good assurance with at-rest encryption (where you need very strong passwords), 7 words will do the trick. I really like that the entropy is predictably calculable, it's not a guesstimate. I personally find the absence of special tweaks (uppercase and special characters) blissful, because I got confused with my own clever tweaks before, and couldn't remember which version I was using. I also find it faster to type, even though it's longer, because it's regular. It's also the case that password crackers already "know" some of the standard tweaks such as putting caps or { or something to start every other word, all that kind of rule. I have no intention whatsoever of "wasting" those strong remembered passwords on websites (they are only for FDE, account passwords, sensitive data). As you point out, some sites have restrictions on password length, or demand what they deem to be password complexity. But that's why I've got Lastpass and Password Safe (both with TFA) - they can remember the rubbish for the rubbishy websites which I don't trust anyway, there is NO password chaos for me, I don't have to remember that many. What I want from the websites is decent TFA, which even appears beyond the scope of most banking and huge e-commerce sites. Pathetic.