Remembering passwords

On May 12, 2007, at 11:40 AM, Kevin van Haaren wrote:

Bruce Schneier also recommends writing down your passwords. Just don't keep them with the device they're protecting, put them in your wallet and take them with you. If you write down your passwords you can pick longer ones, and because they're with you when you leave the security isn't that bad.

<http://www.schneier.com/blog/archives/2005/06/write_down_your.html>

My father even carries his bank pin numbers in his wallet. But he converts them to octal first.

You also don't have to write down the whole password. You can have one (or two or so) standard "wrappers" of a character or two for each end of the password as written. A stranger picking up your password list won't tumble to why the password isn't working. (An acquaintance might.)

--John

I have a number that I always remember - 5396 - an old girl friend's phone -- and when the bank assigns me a pin, for example 8324, I perform "idiot" subtraction (don't 'carry' from one column to the next) and get 3038. THIS is the number that I put on the back of my bank card, then I just do 'idiot' addition to 5396 and construct the pin. Remember - DON'T "carry the 1" when adding or subtracting.

When I need to memorize new bankcard pins, I add them to my pocket address book, but disguise them as bogus address book items. I either add a bogus work phone for my parents (who are retired) or maybe a bogus business, and then, four of the digits are my pin. I used to make the last four, but started randomizing them. It is seldom that I can't remember the pin once I see it in the phone number. So, while they are in my wallet, they aren't there as pins. You could do the same for passphrases made of words, too. Just get creative. Again, it helps if you consider this a temporary device to help you remember the pins or passphrases. I have a software on my Palm that is encrypted and password protected, but I've never used it. I just haven't felt safe with it, but the "purloined letter" approach seems far safer to me. :-)

-Jon

>I have a number that I always remember - 5396 - an old girl friend's phone --

Wow... she must have been good. ;)

I just convert the numbers to binary and write that down... so 5396 becomes:

00110101001100110011100100110110

Make the zeros dots and ones dashes and *poof* you now have
double-secret encryption!

While the thief is decoding morse, you're living safely in the latter
half of the 20th century! =)

--chuck


--

_____________________________________________________________
"On any given day, there's always something broken somewhere.
In DNS, there's always something broken everywhere."
                   --Paul Vixie 4:20 PM 3/31/07, on NANOG

I in fact do use Passwords Plus, which is as Jon said encrypted and password protected, to keep track of passwords. As my organic brain has aged, I have found my natural tendency is to fall back to one or two passwords as my "default behavior" ... convenient for me, but REALLY unsafe. The trouble comes when I am responsible for setting up accounts at home, at work, on voice mail, and for all the operations of four ISP accounts (including CMS admin accounts, some users, email, the MySQL and FTP access accounts, Word Press, and so on).

What I like is that I can make new password records or look up passwords on my Mac or on my Palm. Any changes I make to one gets synched to the other, and they're both encrypted. Yes, a theoretical bad guy might be able to break one or the other eventually, but I don't see it happening in the real world. It's way more than just convenience to have this info at my finger tips. It actually extends my resolve to use meaningful passwords in all my transactions. It becomes my "brain extension" for this important task.

Is there a huge problem with this approach for a "Joe Average" user like me?

--Matt

I use and love SplashID. Simple application runs on Mac and Palm and
HotSyncs, so all my access secrets are always with me. In addition to
passwords, I keep account numbers, domain registration data, card
numbers, etc. $30 (or as part of SplashWallet, a useful collection of
apps for not much more) and available for Palm, PocketPC, Blackberry,
others.

    http://www.splashdata.com/splashid/

After the third change to my two ATM PINs in less than a year, and twice
visiting an ATM and being unable the recall the number, I had to do
something. In my daily morning reminders, I put a reminder that says
"remember PINs". Of course the (insecure) reminder included no clue as to
what the PINs actually are. After a couple of weeks this had solidified the
memory with basically no effort or attention, and I changed it to every
third day.

Now, will I ever be able to forget them ... yeah, I think so. Four-digit
numbers remain rather uninteresting, except of course 1729.

Edward
--
Art works by Melynda Reid: http://paleo.org

Web Confidential from Alco Bloom (who also makes URL Manager Pro),
runs on Mac OS X, OS9, Windows and Palm ($20, $20, $15 or
combinations thereof).

A license for each platform (e.g. Macintosh) allows me to run the
program on all my Macs, so I feel good about doing so *and* keep my
password files on all. (My Windows machines have no
security-requiring data.)

It encrypts in Blowfish which is strong, and not only approved by
Bruce Schneier but also created by him. It has several of the
features of URL Manager Pro so they work well together.

the FAQ: <http://www.web-confidential.com/faq.html>
It was reviewed in TidBits here: <http://db.tidbits.com/article/05020>

When I need to memorize new bankcard pins, I add them to my pocket address book, but disguise them as bogus address book items. I either add a bogus work phone for my parents (who are retired) or maybe a bogus business, and then, four of the digits are my pin. I used to make the last four, but started randomizing them. It is seldom that I can't remember the pin once I see it in the phone number. So, while they are in my wallet, they aren't there as pins. You could do the same for passphrases made of words, too. Just get creative. Again, it helps if you consider this a temporary device to help you remember the pins or passphrases. I have a software on my Palm that is encrypted and password protected, but I've never used it. I just haven't felt safe with it, but the "purloined letter" approach seems far safer to me. :-)

That's not a bad idea.

I use Password Wallet on my Treo and on the desktop. It requires a password, but it's one that has meaning for me [an alphanumeric combination] and no one else.

From somewhere in the deep recesses of my ol' besotted brain I recognize the "purloined letter" expression, but could you explain a little further? For us Dummies? Thanks.

[Google and Wikipedia are your friend: the reference is to leaving something in plain sight to disguise its true nature. -Adam]

<http://en.wikipedia.org/wiki/The_Purloined_Letter>

Dave Clark http://home.earthlink.net/~dc1999/ http://web.mac.com/dave28c http://www.clarklawfirm.com

On 5/18/07 2:31 PM, "dave28c" <dave28cmac.com> wrote:

> I either add a bogus
> work phone for my parents (who are retired) or maybe a bogus business,

I do something similar in that I write a bogus check and use the amount for
my bank pin number. Before you think Iım totally wacked that I canıt
remember my bank pin, Iım disabled and rarely even go to the bank. I do
everything online.

--
Diane

--On May 18, 2007 2:31:17 PM -0700 dano <danowell.com> wrote:

> Web Confidential from Alco Bloom (who also makes URL Manager Pro),
> runs on Mac OS X, OS9, Windows and Palm ($20, $20, $15 or
> combinations thereof).

On a flash drive I have the open source KeePass, both a Windows version for
flash drives and a Mac version (somehow Mac apps don't seem to need special
portable versions....) They both use the same database so I can access
passwords from either platform (if I used Linux on a regular basis versions
for that are available too.) The database is encrypted using AES.

<http://portableapps.com/apps/utilities/keepass_portable>
<http://keepassx.sourceforge.net/>

It lets me generate more secure random passwords, but I still have needs
for passwords that are more memorable for occasions when I don't have
access to a computer to lookup passwords from KeePass.

If you're particularly fond of the Terminal, the utility "pwsafe" gives you
a very secure password storage tool that's never more than a terminal window
away. (Very nice if you leave your Mac at home and can SSH into it.)

<http://nsd.dyndns.org/pwsafe/>

Check the support requests forum for how to build it on the Mac. I've been
using it for a few weeks now and I find it to be very fast and easy to use.

--
Nik :: gerberiNik.net
Make a developer cry! Vote for the top Mac software ever!
<http://www.squidoo.com/topmacsoftware/>

On 22-May-2007, at 13:44, Nik wrote:
> If you're particularly fond of the Terminal, the utility "pwsafe"
> gives you
> a very secure password storage tool that's never more than a
> terminal window
> away. (Very nice if you leave your Mac at home and can SSH into it.)
>
> <http://nsd.dyndns.org/pwsafe/>

I'd love command line access to OS X's keychain; YAKU (Yet another
Keychain Utility) I don't need.

At 06:56 on 23-05-2007, Google Kreme wrote:
> I'd love command line access to OS X's keychain;

The 'osascript' command line utility and 'Keychain Scripting' (a
standard scripting addition) will provide this.

_________________
=> Jolin

On 5/23/07 14:32, "Jolin M Warren" <JolinWarrenOakAndApple.org> wrote:

> At 06:56 on 23-05-2007, Google Kreme wrote:
>> I'd love command line access to OS X's keychain;
>
> The 'osascript' command line utility and 'Keychain Scripting' (a
> standard scripting addition) will provide this.

As he just found out, Keychain Scripting has issues, particularly wrt SSL
certs. A better choice for CL access to the keychain is "security". man
security for details.

--
John C. Welch Writer/Analyst
Bynkii.com Mac and other opinions
jwelchbynkii.com

On 5/25/07 11:53 AM, "John C. Welch" <jwelchbynkii.com> wrote:

> A better choice for CL access to the keychain is "security". man
> security for details.

Thanks for the tip, John. I've been looking for such a utility for quite
some time.

Now why is it that "apropos keychain" won't pick up "security" as an
available tool?

--
Nik :: gerberinik.net
Software picks, serious Mac geekery and productivity tips!
<http://iNik.net/>

Check out the this"Bookmarklet" at <http://labs.zarate.org/passwd_new/>

A cool idea on how to keep all those passwords straight.