[conspire] storing passwords

Rick Moen rick at linuxmafia.com
Thu Mar 30 11:44:02 PDT 2017


Quoting Paul Zander (paulz at ieee.org):

> I totally understand the need to have different passwords for different accounts.  I also seem to have a limit on the number of brain cells for this.

This is a wise and astute comment.  The biggest problem with passwords
is that we need to create, reliably remember, and occasionally change
quite a lot of them, that any compromising of password complexity 
or duplication makes them a lot weaker, and that the human brain simply
can't do all that.

So, how most people handle the situation is:  Promise (including,
sometimes, to one's self) to do all that properly, but then don't.

For example, I worked at a firm where Operations staff (sysadmins) were
forced to change VPN passwords monthly, but most used a trick where you
went to the site for the forced password change, but instead of
completing the change dialogue, went sideways to the password _reset_ 
function, and specified your old password again.  And this, I will
stress, was a department of _sysadmins_.  So, it's a big problem, and
people are dealing with it poorly.
 
> What I have been doing is to take the name of a bank, for example, and
> mess around with capitalization and number substitution.  Each of the
> several banks then has a unique password. If a computer got the
> password for one bank, it would only work at that bank.  However, if I
> wrote down the password, I am sure that anyone on this list could make
> a correct guess for a different bank.  I am sure this is a lot better
> than using 1234 for everything.  

It is, yet has the obvious problem of a pattern.  Of course, the pattern
helps your brain cells cope, but it makes the scheme weaker.

> BTW, my user name is also deliberately not consistent across different
> websites, but I only think of this as weak protection.

Perhaps stronger than you think, especially if your choices of username
are poorly predictable.

> Side issue: I recently had to jump through some security hoops when
> calling a credit card company.  I was the one initiating the
> conversation.  They insisted that I had to have the answer to a
> security question. I was told it began with "B", but my mind went
> blank. In hindsight, the answer had been so obvious when I had first
> created it, that I hadn't recorded it in my offline password base ... 

I fear doing this, but in general have been pretty good about recording
'password reminder' (etc.) security questions and answers in my Keyring
for PalmOS (http://gnukeyring.sourceforge.net) 3DES crypto store --
still after many years my way of slicing the Gordian knot of poor
password memory.

There was an informal competition among readers of Bruce Schneier's blog,
some years ago, for most creative way to amusingly abuse systems of
security questions and answers.  I greatly prefer the ones where you can
create both the question and the answer.

Q:  How's it going?
A:  Nu.

Q:  Are you going to give a surrealistic answer?
A:  Plate of shrimp.

Q:  Why is that watermelon there?
A:  I'll tell you later.

(Too many in-jokes from cult movies are of course also a bad idea.[1]
Well, a good idea for many other purposes, but bad for limiting the
predictability of security tokens.)

My favourite suggestion from the Schneier blog discussion (envisioning
your having the question read to you by a customer service agent):

Q: What are you wearing?
A: I'm not comfortable with that question, and need to speak to your
supervisor.


[1] https://www.youtube.com/watch?v=bpVXpCNFOSg
http://www.thegeektwins.com/2014/02/the-real-reason-for-watermelon-in.html