<html><head></head><body><div style="color:#000; background-color:#fff; font-family:lucida console, sans-serif;font-size:13px"><div><span></span></div><div class="qtdSeparateBR" id="yui_3_16_0_ym19_1_1490997434056_4354">Well the pattern I use you could probably break with N=1 samples.  </div><div class="qtdSeparateBR" id="yui_3_16_0_ym19_1_1490997434056_4407"><br></div><div class="qtdSeparateBR">My thought is that when passwords are "stolen", they probably go into a database where a simple computer software can give a lot of "benefit" to the thief by just using the passwords as is, combined with a lot of people using same login and password in many places.  Why go to the bother of even attempting to "derive a pattern"?  </div><div class="qtdSeparateBR"><br></div><div class="qtdSeparateBR" id="yui_3_16_0_ym19_1_1490997434056_4462"><br><br></div><div class="yahoo_quoted" id="yui_3_16_0_ym19_1_1490997434056_4435" style="display: block;">  <div id="yui_3_16_0_ym19_1_1490997434056_4434" style="font-family: lucida console, sans-serif; font-size: 13px;"> <div id="yui_3_16_0_ym19_1_1490997434056_4433" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_ym19_1_1490997434056_4432" dir="ltr"> <font id="yui_3_16_0_ym19_1_1490997434056_4443" face="Arial" size="2"> <hr size="1" id="yui_3_16_0_ym19_1_1490997434056_4442"> <b id="yui_3_16_0_ym19_1_1490997434056_4451"><span id="yui_3_16_0_ym19_1_1490997434056_4450" style="font-weight: bold;">From:</span></b> Tony Godshall <togo@of.net><br> <b><span style="font-weight: bold;">To:</span></b> Paul Zander <paulz@ieee.org> <br><b><span style="font-weight: bold;">Cc:</span></b> "conspire@linuxmafia.com" <conspire@linuxmafia.com><br> <b><span style="font-weight: bold;">Sent:</span></b> Friday, March 31, 2017 10:16 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [conspire] storing passwords<br> </font> </div> <div class="y_msg_container" 
id="yui_3_16_0_ym19_1_1490997434056_4441"><br><div id="yui_3_16_0_ym19_1_1490997434056_4440" dir="ltr">+1 for algorithmic passwords, so long as the algorithm is sufficiently complex.<br clear="none"><br clear="none">i always imagine someone getting two or three of passwords, and try to<br clear="none">figure out if the pattern would be obvious enough that they could<br clear="none">derive a pattern.<br clear="none"><br clear="none"><br clear="none"><br clear="none"><br clear="none"><div class="yqt6864091095" id="yqtfd97490"><br clear="none">On Thu, Mar 30, 2017 at 9:33 AM, Paul Zander <<a href="mailto:paulz@ieee.org" shape="rect" ymailto="mailto:paulz@ieee.org">paulz@ieee.org</a>> wrote:<br clear="none">> I totally understand the need to have different passwords for different<br clear="none">> accounts.  I also seem to have a limit on the number of brain cells for<br clear="none">> this.<br clear="none">><br clear="none">> What I have been doing is to take the name of a bank, for example, and mess<br clear="none">> around with capitalization and number substitution.  Each of the several<br clear="none">> banks then has a unique password. If a computer got the password for one<br clear="none">> bank, it would only work at that bank.  However, if I wrote down the<br clear="none">> password, I am sure that anyone on this list could make a correct guess for<br clear="none">> a different bank.<br clear="none">><br clear="none">> I am sure this is a lot better than using 1234 for everything.<br clear="none">><br clear="none">> BTW, my user name is also deliberately not consistent across different<br clear="none">> websites, but I only think of this as weak protection.<br clear="none">><br clear="none">> Side issue: I recently had to jump through some security hoops when calling<br clear="none">> a credit card company.  I was the one initiating the conversation.  They<br clear="none">> insisted that I had to have the answer to a security question. 
I was told it<br clear="none">> began with "B", but my mind went blank. In hindsight, the answer had been so<br clear="none">> obvious when I had first created it, that I hadn't recorded it in my offline<br clear="none">> password base ... I was simultaneously frustrated and apologetic because I<br clear="none">> knew that they needed to be cautious.   Eventually they called me back on a<br clear="none">> number in their records. ...<br clear="none">><br clear="none">> Then they said I needed to set up a new question / answer.  "What is your<br clear="none">> favorite place to vacation?"  I already knew they could prompt with the<br clear="none">> first letter of the answer.  If the answer was,"Hawaii", how easy would it<br clear="none">> be to guess the answer given "H"?  So I was on the line for a while longer<br clear="none">> until I found something less obvious.<br clear="none">> ________________________________<br clear="none">> From: Daniel Gimpelevich <<a href="mailto:daniel@gimpelevich.san-francisco.ca.us" shape="rect" ymailto="mailto:daniel@gimpelevich.san-francisco.ca.us">daniel@gimpelevich.san-francisco.ca.us</a>><br clear="none">> To: <a href="mailto:conspire@linuxmafia.com" shape="rect" ymailto="mailto:conspire@linuxmafia.com">conspire@linuxmafia.com</a><br clear="none">> Sent: Wednesday, March 29, 2017 9:19 AM<br clear="none">> Subject: Re: [conspire] storing passwords<br clear="none">><br clear="none">> On Tue, 28 Mar 2017 15:04:54 +0000, Paul Zander wrote:<br clear="none">>> Here is a DIY project for managing passwords.  
It's a USB dongle that<br clear="none">>> can save the passwords and upload them to the PC.<br clear="none">>><br clear="none">>> Not a complete air gap, but you don't have to type the string.<br clear="none">>> <a href="https://www.instructables.com/id/Password-Manager-Typer-Macro-Payload-" target="_blank" shape="rect">https://www.instructables.com/id/Password-Manager-Typer-Macro-Payload-</a><br clear="none">> All-in-ONE/?utm_source=newsletter&utm_medium=email<br clear="none">><br clear="none">> Of special note are the comments on the page by ia42 and by SuperSonik,<br clear="none">> and the comment by robertbu is also interesting.<br clear="none">><br clear="none">><br clear="none">> _______________________________________________<br clear="none">> conspire mailing list<br clear="none">> <a href="mailto:conspire@linuxmafia.com" shape="rect" ymailto="mailto:conspire@linuxmafia.com">conspire@linuxmafia.com</a><br clear="none">> <a href="http://linuxmafia.com/mailman/listinfo/conspire" target="_blank" shape="rect">http://linuxmafia.com/mailman/listinfo/conspire</a></div><br clear="none">><br clear="none"><br clear="none"><br clear="none"><br clear="none">-- <br clear="none">--<br clear="none">Best Regards.<br clear="none">This is unedited.<br clear="none">This message came out of me<br clear="none">via a suboptimal keyboard.<div class="yqt6864091095" id="yqtfd22084"><br clear="none"></div></div><br><br></div> </div> </div>  </div></div></body></html>