[153646] in North American Network Operators' Group
Choosing Passwords
daemon@ATHENA.MIT.EDU (Jay Ashworth)
Sat Jun 9 16:28:15 2012
Date: Sat, 9 Jun 2012 16:28:01 -0400 (EDT)
From: Jay Ashworth <jra@baylink.com>
To: NANOG <nanog@nanog.org>
In-Reply-To: <20120608223329.4683E80003B@ip-64-139-1-69.sjc.megapath.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
----- Original Message -----
> From: "Hal Murray" <hmurray@megapathdsl.net>
> Security is a tradeoff. I think there are two cases for passwords. I'll
> call them important and junk. I'm willing to store the junk ones in a file
> or piece of paper that I'm careful with. I have to memorize the important
> ones.

Well, my personal approach to this -- one which I'm well aware is disparaged
by Security Professionals -- is tiered passwords.

I have one password for 'throwaway' accounts -- drive-forum postings and
the like, another password for slightly more important accounts -- forums
in which I participate regularly and the like, a third password for actual
machine accounts, VPNs and similar things like equipment control panels, and
finally a tier for accounts where people can actually change my life or spend
my money; things like eBay, PayPal, etc. -- on this tier, each password is
actually distinct.

Finally, there's a top-emergency fallback password, which I use for password
safes, which is -- as nearly as I can determine -- unresearchable, even if I
told you its description.

All of these passwords are rule/pattern constructed, using either The XKCD
Rule, or one of a couple of my own construction, and each individual password
is infixed after what it applies to, so as to make the actual final passwords
*never be the same string of characters*, the infix going in a nondeterministic
place in the string.

This puts enough bits of entropy into the passwords to make them relatively
strong -- sites with strength checkers on password set tend to like them a
lot -- while keeping them all unique so they can't be cross-referenced... and
making them complex enough that they cannot be dictionary cracked either.

I am, of course, a special case; I've been a system administrator for 30
years; this is my business -- I am willing to put the necessary energy into
it as part of my work. I realize that lots of people (where, by lots, I
mean several billion) aren't -- either because they don't understand why
it's important, or because they don't care, or because "it's someone else's
fault when $3800 gets taken out of my bank account 'cause I'm a careless
slob".

TL;DR: Everyone, admin, user, or civilian, has to make their own decisions
about how much work they want to put into security -- and *we* have to
find ways to explain the choices so that Joe Q. Sixpack can understand
*why it's important to him to think about it*. That's a sales pitch;
engineers are *singularly* unsuited to it, in general.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
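The construction Jay describes above (an XKCD-style passphrase with a site-specific token infixed at a nondeterministic position, so no two sites share the same string) can be modelled to see where its entropy actually comes from. The following is an added example, not code from the post or from anyone on the list; it assumes a small constructed word list, a hyphen separator, and a site tag derived from the site name (all my choices, not Jay's). The entropy figures use the common 7776-word diceware list size purely as a reference point. The point it makes: each independently chosen word adds log2(list size) bits, a uniformly random infix slot adds log2(words + 1) bits, and a tag that is predictable from the site name adds nothing once the scheme is known, so the scheme's uniqueness across sites is real but its strength rests on the word draw and the slot, not on the tag.

```python
import math
import secrets

# Constructed 32-word list for illustration only (assumption: a real
# deployment would draw from a large published list; the entropy figures
# below reference a 7776-word diceware-sized list for comparison).
WORD_LIST = [
    "correct", "horse", "battery", "staple", "anchor", "bridge", "candle",
    "desert", "engine", "forest", "garden", "harbor", "island", "jacket",
    "kettle", "ladder", "marble", "needle", "orange", "pillow", "quartz",
    "ribbon", "saddle", "timber", "umpire", "velvet", "walnut", "yellow",
    "zipper", "copper", "lantern", "meadow",
]


def pick_words(n_words, word_list=WORD_LIST):
    """Draw n_words uniformly and independently (the XKCD / diceware rule).

    secrets.choice is used rather than random.choice so the draw comes from
    the OS CSPRNG; independence of draws is what makes the bits add up.
    """
    return [secrets.choice(word_list) for _ in range(n_words)]


def infix(words, tag, position, sep="-"):
    """Insert the site-specific tag at slot `position` (0 .. len(words)).

    Slot 0 is a prefix, slot len(words) is a suffix, anything between is a
    true infix. The same base words with different tags or slots never yield
    the same final string, which is the cross-site uniqueness the post wants.
    """
    if not 0 <= position <= len(words):
        raise ValueError("position must be between 0 and len(words)")
    tokens = list(words)
    tokens.insert(position, tag)
    return sep.join(tokens)


def derive(tag, n_words=4, word_list=WORD_LIST):
    """Build one password: fresh random words plus the tag at a random slot."""
    words = pick_words(n_words, word_list)
    position = secrets.randbelow(n_words + 1)  # uniform over n_words+1 slots
    return infix(words, tag, position)


def scheme_entropy_bits(list_size, n_words):
    """Bits an attacker who already knows the scheme must search.

    Returns (word_bits, position_bits, total). The tag is assumed known
    (derived from the site name), so it contributes 0 bits; only the word
    draw and the random slot count.
    """
    word_bits = n_words * math.log2(list_size)
    position_bits = math.log2(n_words + 1)
    return word_bits, position_bits, word_bits + position_bits


if __name__ == "__main__":
    base = ["correct", "horse", "battery", "staple"]
    for site in ("ebay", "paypal"):
        print(site, "->", infix(base, site, 2))
    print("fresh:", derive("ebay"))
    for size in (len(WORD_LIST), 7776):
        w, p, t = scheme_entropy_bits(size, 4)
        print(f"list={size:5d} words=4: {w:.1f} + {p:.1f} slot = {t:.1f} bits")
```

Running it shows the tradeoff directly: four words from the 32-word toy list give 20 bits plus about 2.3 bits for the slot, which is far too little, while four words from a 7776-word list give about 51.7 plus 2.3 bits. The slot's contribution is the same small constant either way, so the word list and the number of words are the knobs that matter; the tag only prevents reuse.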