dmiessler.com | grep understanding: Security: Implementing A Secure And Usable Internet Password Scheme

  • Ken · 2 years ago
    I agree with the leveling of controls for the sensitivity of the data. That is absolutely the methodology that we would use to secure a corporate environment. I think it is way too complicated for the average person to remember. What I would recommend is that you create online passwords that follow an algorithm based on the site. This is fairly easy to remember and you would do it for all your accounts. So as an example:

    If your bank was www.securebanking.com you could do something like this:

    Yso3cdua

    Now this is overly simple, but with a password like that and an algorithm that could easily be followed and remembered there would be little need to write down a password or have levels.
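Ken's site-based rule, worked through as an added example that is not part of the original thread and is not Ken's own algorithm: the per-site password is an HMAC of the normalized hostname under one remembered master secret, so nothing is written down and every site still gets a distinct value. The master secret, hostnames and the 16-character length are assumptions for illustration; the scheme goes beyond Ken's one instance by adding a per-site counter so a single site's password can be rotated without changing the secret.

```python
"""Deterministic per-site passwords from one master secret (illustrative, not from the thread).

password(site) = base64url(HMAC-SHA256(master_secret, hostname || NUL || counter))[:length]

Only the master secret has to be remembered; the hostname is read off the
site being logged into, and the counter is 0 unless that site's password
has had to be changed. Assumed inputs: a hypothetical master secret and
hostnames; the real thread shows only a single hand-made example.
"""
import base64
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# Characters produced by URL-safe base64: 64 symbols, so each output character
# is drawn uniformly from the alphabet with no modulo bias.
BASE64URL_ALPHABET = string.ascii_letters + string.digits + "-_"


def normalize_site(site: str) -> str:
    """Reduce a URL or bare hostname to a stable lowercase host.

    'https://www.SecureBanking.com/login' and 'securebanking.com' must give the
    same password, so scheme, path, letter case and a leading 'www.' are dropped.
    """
    if "://" not in site:
        site = "https://" + site
    host = (urlsplit(site).hostname or "").lower()
    if host.startswith("www."):
        host = host[len("www."):]
    return host


def derive_password(master_secret: str, site: str, length: int = 16, counter: int = 0) -> str:
    """Derive the password for `site` from `master_secret`.

    `length` is capped at 42: a 32-byte digest yields 42 full 6-bit base64
    characters; the 43rd would carry only 4 bits and be non-uniform.
    Raises ValueError when no hostname can be extracted from `site`.
    """
    if not 8 <= length <= 42:
        raise ValueError("length must be between 8 and 42 characters")
    host = normalize_site(site)
    if not host:
        raise ValueError(f"could not extract a hostname from {site!r}")
    message = f"{host}\x00{counter}".encode("utf-8")
    digest = hmac.new(master_secret.encode("utf-8"), message, hashlib.sha256).digest()
    encoded = base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")
    return encoded[:length]


if __name__ == "__main__":
    # Hypothetical master secret; never hard-code a real one.
    secret = "correct horse battery staple"
    for site in ("www.securebanking.com", "https://securebanking.com/login", "mail.example.org"):
        print(f"{site:35} -> {derive_password(secret, site)}")
    print("after one rotation          ->", derive_password(secret, "securebanking.com", counter=1))
```

The properties worth checking are that the two spellings of the bank's address collapse to one password, that other sites and a bumped counter produce different ones, and that every character falls inside the 64-symbol alphabet. The cost of the scheme is that the master secret is a single point of failure for every site, and that a site whose password policy rejects `-` or `_` needs a per-site adjustment, which is exactly the remembering burden the rule set out to avoid.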
  • arikb · 2 years ago
    Hi Daniel,

    I used to work like this, and I have decided against it. It's too much of a hassle to remember even the simpler ones. Writing is outside of the question, because putting the password in your wallet increases the value of your wallet. In case it is lost, the passwords are lost too and then you need to recover them.

    I ended up using Personal Info Keeper from a small software company called HighCriteria - http://www.highcriteria.com/productfr_pik.htm - it costs $11 but it's worth it. The entire repository is encrypted and you can back it up. It also remembers the last 3 passwords so if your password change attempt didn't go well you can retrace your steps. Very neat.

    I don't work for HighCriteria and I don't get paid to say this, I just think it's a good value and it solved most of my password problems. Obviously the hidden assumption is that you have that repository with you whenever you need it, and I have my laptop with me most of the time. If you don't... perhaps it's not for you.

    -- Arik
  • Tara · 2 years ago
    I've been using a password manager for years now, but - like Arik mentioned - when you don't have your data with you, and you urgently need it... well, things get ugly.

    There are quite a few *online* password managers out there. I know, sounds scary, but as long as it's well built, it's a good solution - anytime, anywhere.

    Unlike Arik, I can't claim to be unbiased - I'm a PassPack founder, and I love my own product. But PassPack isn't the only online password manager out there... so Google it, shop around, and pick one. It's really handy.

    Anyway, here's a blog post about making strong passwords:
    http://passpack.wordpress.com/2006/12/29/passpa...
  • jojomonkey · 2 years ago
    Arik,

    What's wrong w/ keeping passwords in one's wallet if properly protected?
    Say, using a flash stick and keeping on it a simple text file w/ a list of your passwords (serving as a password keeper) and then encrypting the file w/ your public key. You can then even keep the public / private keys on your stick and protect the private key w/ a passphrase. That becomes the only password one must remember. It's better than any software solution since (at least for me) it's not guaranteed I'm on a w32 machine.

    Tara,

    Online password keepers - that's crazy - no offense :)