Topic: Damage/Risk Management Strategy 101 (Best Practices) (Read 1406 times)

newbie
Activity: 26
Merit: 0
What do you think of taking a bad password (that's easy to remember) and making it good? For instance:

Bad password: riceball
Why it's bad: dictionary word, no numbers, no symbols, no capital letters, all lower case
Would probably fall to a dictionary attack on a standard home computer in two days or less.

Now let's transform it...

Add capital letters: Riceball
Add numbers: Ric38a11
Add symbols: Ric3!8411

That is the scheme I use for things I don't care much about. Think of a word and transform it. But I use a transformation scheme that I created and I remember, not something common like "Make it l33t".

I use much stronger pws for all my bitcoin related activities.
member
Activity: 84
Merit: 10
I need a new box...
What do you think of taking a bad password (that's easy to remember) and making it good? For instance:

Bad password: riceball
Why it's bad: dictionary word, no numbers, no symbols, no capital letters, all lower case
Would probably fall to a dictionary attack on a standard home computer in two days or less.

Now let's transform it...

Add capital letters: Riceball
Add numbers: Ric38a11
Add symbols: Ric3!8411

Now it's no longer a standard dictionary word (but still is based on one) and you have increased the keyspace needed to brute force it from 26^8 to at least 70^9 (depending on what symbols are accepted by the system).

I still wouldn't secure money with this (MtGox, PayPal, your bank, etc) but I think it would be fine for something like these forums or Facebook and the like. Thoughts?
jr. member
Activity: 57
Merit: 10
I am starting to move over to the camp that says 'If you can remember your password it is not strong enough.'
donator
Activity: 714
Merit: 510
Preaching the gospel of Satoshi
Actually, we can avoid memorizing the password itself; instead we can just use our procedural memory to remember it.
Have you had trouble "remembering" your password when you were trying to type it in your touchscreen phone?

This happens because our fingers "remember" the position of the keys on the keyboard. You don't actually remember the characters, you remember the positions of the characters on your keyboard.
You could type them with your eyes closed on a keyboard, but on the phone, you must struggle to actually remember the composition of your password.

It is applying that to the generation of passwords: make "easy to type" passwords that are "hard to crack".
(Obviously if the attacker knows this, he could apply a statistical attack, but who on Earth would suspect this?)
hero member
Activity: 630
Merit: 500
Posts: 69
I feel sorry for stoners, there are going to be a lot more things to remember if you want to stay safe.
newbie
Activity: 28
Merit: 0
Another option that is often overlooked is, rather than using hard-to-remember key codes and combinations, to use a really long password made up of English words. By adding to the selection of key codes, you're adding to the base of an exponent in complexity, which is to say polynomial growth in complexity. By adding length you're changing the exponent itself, or exponential growth which, as you might remember from school, is much faster. Additionally, it's much easier to remember 6 words than it is 8 random characters. A neat implementation that produces totally random and secure easy-to-remember passwords is at http://www.diceware.com. And don't worry, it won't hack you, because there is no program you run. It's just a list of numbered words that you choose from with a standard die.
donator
Activity: 714
Merit: 510
Preaching the gospel of Satoshi
For risk aversion in investment:
1) Diversify, Diversify, Diversify. Never put all your eggs in one basket. If you had all your money in MtGox, you lost everything.
If you put 50% in MtGox and another 50% in TradeHill, you lost only 50%. Keeping 50% is still better than 0%.
2) Risk investments, only invest 10% in highly risky investments.
3) Set safety nets: never speculate too much. Play safer, set yourself an objective and no matter if the market keeps growing, sell it at the objective. Don't expect the lucky strike of another 2000% increase. 20% gain is better than -10%
Holding for too long can be a big mistake.

Damage containment: Be Prepared for the worst.
1) Set more than one wallet.
You can send money from one place to another anyway. Nobody limits the number of wallets.
Set one for your main stash and set satellite wallets to mine, another one to receive payments, and set another to send payments.
A pain in the ass? Yes. Security usually is a pain in the ass. But at least you can contain the damage if one wallet gets compromised/stolen.

2) The same philosophy for emails: divide into at least 3 email accounts:
2.1) A public email
Used for emailing with people who you don't know, strangers. Maybe used for registering in public and potentially vulnerable sites (forums, etc...), although I would strongly recommend the usage of disposable email addresses for registering purposes.
If a hacker only knows this public email, the damage is contained and he has no access to your personal account (twitter/facebook/etc)
2.2) A personal email
Used only with people you know and met personally. Used also for registration on social networking.
If someone finds out your personal email and accesses it, he still can't reset your banking/paypal passwords. The damage is again contained.
2.3) Last email account solely for Banking/Paypal.
This email should be kept in secret and nobody but you should know about it.
Only used for registration for banking, ewallet, egovernment stuff.

Although it is not perfect, it is infinitely better than having all your life centralized in one single email address.
I guess it is not necessary to mention that these three accounts should have all absolutely different passwords.

How to remember complex and secure passwords?
As a habit you should always consider these three things:
  • At least 1 capital letter
  • At least 1 number
  • At least 1 symbol
  • At least 10 characters long

Sounds too complicated? I can share with you three very simple methods:

+ My favorite one: keyboard geometry
Look at your keyboard. Imagine shapes on it: triangles, circles, squares, etc... whatever pattern you like.
Let's say that I see a triangle from . to 9 to n (.lo9ijn)
Then I close the base of it (from n to .)
In total your password is ".lo9ijnm,.", a pretty damn strong password (this password would take more than 1000 years to be bruteforced).
So you are not really memorizing characters, you are memorizing shapes on the keyboard.
The only thing you must remember are two things: the starting point and the vertices of it.

Although some of you might complain that it is not really random, the mere fact that nobody contemplates such generation of passwords makes them damn strong. Also one can't really imagine the creativity of the user. It might not be lines or triangles, there are infinite possibilities of shapes.

+ My second favorite one: l33t speech passphrase
Remember a short phrase: "Two stones kill one bird."
Now use l33t speech, it works by replacing:
o = 0
e = 3
i = 1
t = 7
s = 5
z = 2
Resulting in: Tw0st0n3sk1ll0n3b1rd. (this password would take 6,481,659,015,630,310,000,000,000 years to be cracked by bruteforce)
This is damn strong, and damn easy to remember.

+ My least favorite one: Mnemonics
Just type anything random on the keyboard. Close your eyes and just yank on it, randomly pressing shift with one hand and with the other just tap on the keyboard with your palm.
Trying: U(),890KOP (this one also takes around a millennium to crack with bruteforce alone on a Class F)
Now let's make sense of it by applying mnemonics:
Make an absurd story in your mind: You parentheses, (fought) 890 (pounds) KO (and now in) Prison

Although effective if you are used to this technique.

I find the first two much simpler, but I use them all.
I hope you like my methods, they are very simple yet very effective.

-bitsalame
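An added example (not code from the thread or any of its posters) that puts numbers on two arguments made above: the 26^8 vs 70^9 keyspace comparison and the diceware point that length sits in the exponent, and then checks bitsalame's sample passwords against the four habits he lists. It also models a word-plus-fixed-transform password the way a defender would when sizing the risk: as dictionary size times variants, not as a random string. The guess rate, the 50k-word and 5k-word list sizes, and the 16 variants per word are assumed figures, not measurements.

```python
# Added example: keyspace arithmetic for the schemes discussed in the thread.
import math

GUESSES_PER_SEC = 1e10  # assumed offline rate against a fast unsalted hash
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def bits_uniform(alphabet: int, length: int) -> float:
    """Keyspace alphabet**length: the model behind the 26^8 vs 70^9 claim."""
    return length * math.log2(alphabet)

def bits_diceware(words: int, list_size: int = 7776) -> float:
    """Diceware keyspace list_size**words: each extra word multiplies it."""
    return words * math.log2(list_size)

def bits_word_plus_transform(dict_size: int, variants: int) -> float:
    """A dictionary word under a fixed capitalise/digit/symbol scheme.
    Trying every word in every variant costs dict_size * variants guesses,
    however large the character alphabet is."""
    return math.log2(dict_size * variants)

def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SEC) -> float:
    return 2 ** bits / rate / SECONDS_PER_YEAR

def compare() -> dict[str, float]:
    """Worst-case years to try the whole keyspace for each scheme."""
    return {
        "riceball (26^8)": years_to_exhaust(bits_uniform(26, 8)),
        "random 9 chars (70^9)": years_to_exhaust(bits_uniform(70, 9)),
        # assumed: 50k-word list, 16 capitalisation/substitution variants
        "Ric3!8411 as word+rule": years_to_exhaust(bits_word_plus_transform(50_000, 16)),
        # assumed: 4 words from a 5k common-word list, l33t applied mechanically
        "Tw0st0n3sk1ll0n3b1rd as phrase": years_to_exhaust(bits_diceware(4, 5_000)),
        "diceware 6 words": years_to_exhaust(bits_diceware(6)),
    }

def meets_rules(pw: str) -> dict[str, bool]:
    """The thread's habits: a capital, a digit, a symbol, 10+ characters."""
    return {
        "capital": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(not c.isalnum() for c in pw),
        "length": len(pw) >= 10,
    }
```

Run `compare()` to see that the transformed word and the l33t phrase fall far short of the 70^9 figure once the attacker models them as a word or phrase, and `meets_rules()` on ".lo9ijnm,." and "Tw0st0n3sk1ll0n3b1rd" to see that each misses one of the four habits.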