[conspire] Password permutations (was: Correction)

Tony Godshall tony at of.net
Mon Mar 30 15:33:03 PDT 2020


On Mon, Mar 30, 2020, 1:20 PM Rick Moen <rick at linuxmafia.com> wrote:

> I would suggest that -- at least according to my own criteria and usage
> model, so adjust to suit -- a more-reasonable strategy is a modified
> version of the famous/infamous XKCD 'password strength' algorithm. Partial
> discussion is here:
> https://security.stackexchange.com/questions/62832/is-the-oft-cited-xkcd-scheme-no-longer-good-advice
>
> To get past the otherwise-inevitable wasted-time discussion, Schneier
> said that the _literal_ use of the XKCD method (merely stringing
> together dictionary words) was obsolete.  But that doesn't mean that the
> general approach if modified to foil dictionary attack doesn't have
> merit.
>
> (I'm not going to state exactly how I arrive at passwords, for the
> self-evident reason that I don't want the world to know exactly how I
> arrive at passwords.)

I would also suggest that whatever password scheme you currently use, you
periodically alter it in an arbitrary fashion, sometimes in some way that
varies per site or domain.  Like inserting a punctuation mark in the 8th
position, or deleting the third character, or prefixing the second letter
of the domain or hostname you are connecting to.  That way you can improve
the nonguessability of your passwords over time, while at the same time
reducing the amount you need to memorize at a time.  Once the prior
password becomes second nature, and all hosts have been updated, you can
move on to the next permutation.  Eventually your password becomes as line
noise and nobody can guess that you started with a less than ideal
password.
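The permutation scheme described in the message above, written out as composable steps so the order in which they were adopted is explicit. This is an added example, not code from the list post or from either poster. It assumes the per-site letter is taken from the first label of the hostname, uses "!" as the punctuation mark, and handles the edge cases the message does not mention (a password shorter than the insert or delete position, a hostname label with fewer than two letters) by appending or leaving the password unchanged instead of raising.

```python
"""Composable password permutation steps modelled on the scheme in the
message above (added example, not the list post's own code).

Each step is a pure function (password, hostname) -> password, so steps
can be stacked in the order they were adopted over time, and the same
base password yields a different result per hostname.
"""
from typing import Callable, List

Step = Callable[[str, str], str]


def insert_punct_at(position: int, mark: str = "!") -> Step:
    """Make `mark` the character at 1-indexed `position`; append if shorter."""
    def step(pw: str, host: str) -> str:
        idx = min(position - 1, len(pw))
        return pw[:idx] + mark + pw[idx:]
    return step


def delete_char_at(position: int) -> Step:
    """Drop the character at 1-indexed `position`; no-op if the password is shorter."""
    def step(pw: str, host: str) -> str:
        idx = position - 1
        if idx >= len(pw):
            return pw
        return pw[:idx] + pw[idx + 1:]
    return step


def prefix_host_letter(position: int = 2) -> Step:
    """Prefix the N-th letter of the hostname's first label (assumption: first label)."""
    def step(pw: str, host: str) -> str:
        label = host.lower().split(".")[0]
        if len(label) < position:
            return pw  # label too short; leave the password unchanged
        return label[position - 1] + pw
    return step


def derive(base: str, host: str, steps: List[Step]) -> str:
    """Apply every step in order to `base` for the given hostname."""
    pw = base
    for step in steps:
        pw = step(pw, host)
    return pw


# The three permutations named in the message, in the order they were adopted.
SCHEME: List[Step] = [insert_punct_at(8), delete_char_at(3), prefix_host_letter(2)]

if __name__ == "__main__":
    base = "correcthorse"  # constructed sample base password
    for host in ("example.com", "mail.example.org"):
        print(host, "->", derive(base, host, SCHEME))
```

Running the block shows the same base producing a different string for each host; adding a fourth step to `SCHEME` later, as the message suggests doing periodically, leaves the earlier steps untouched.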