
Topic: Using Password Hints (Read 2949 times)

member
Activity: 98
Merit: 10
June 18, 2011, 08:51:03 AM
#13
I have an awful memory.

I walk the keyboard in a particular shape and that's the password.
member
Activity: 64
Merit: 10
June 18, 2011, 08:44:40 AM
#12
It would probably take less than a day to gather all of that information.

Possibly, but remember that I use a different group of passwords and hints for each different site and/or wallet; although, there is some overlap.  It just doesn't seem realistic that someone would do all of that meatspace investigation just to get at one or two 50-bitcoin wallets.

If you're just an average person, aren't 99% of the threats in cyberspace where the hacker's effort is cheap, as opposed to meatspace, which involves social engineering and is relatively expensive, considering the low payoff?
administrator
Activity: 5222
Merit: 13032
June 18, 2011, 01:42:03 AM
#11
Quote
Hint: HSMascot+My First Bank PIN+Tommy's Hometown+Lana's Mom's First Name

It would probably take less than a day to gather all of that information. The only "hard" part is the PIN, but four numbers can be brute-forced in no time.

Good passwords aren't hard to remember if you type them often enough.
newbie
Activity: 39
Merit: 0
June 18, 2011, 01:28:57 AM
#10
Can anyone find any holes in my technique of using password hints?

HSMascot+My First Bank PIN+Tommy's Hometown+Lana's Mom's First Name
^^ if a person knows you enough then yes that's a risk.

So yeah in some sense d@a2$sF2W9 can be more secure than Raiders5355RedburgEunice with that hint.
newbie
Activity: 56
Merit: 0
June 18, 2011, 01:00:04 AM
#9
Does a brute-force dictionary attack have any realistic chance of breaking a 24-character password like Raiders5355RedburgEunice, when the payoff is relatively small (e.g. my modest bank account or one of my modest bitcoin wallets)?

I do agree that adding in some special characters would help - maybe from now on I put a dash between each word, e.g. Raiders-5355-Redburg-Eunice.  A dash seems to be allowable by most password systems.

BH,

I agree with you, your password seems very strong. Adding a dash (or other things) should be done to make it even stronger.

(1) I suggest you devise a strong password such as that. Then get LastPass (www.lastpass.com) or Keepass (http://www.keepass.info). Keepass is FLOSS (i.e., free) and LastPass has a free version that will do what you need (plus more).
I use LastPass myself; however, KeePass is equally good (as in protection).

LastPass is easier to use if you want to use it to log in to sites.  If you don't want to do that, then KeePass would be good.

You will need to keep a backup of KeePass somewhere (in case your computer crashes).
You will not have to do that with LastPass (An encrypted copy will be stored on a LastPass server).
LastPass does not have a copy of your LastPass key.

In both cases, if you forget your password then you are done.

!!Warning!! You could reset your password with LastPass; however, I suggest you turn that option off.
If you decide on LastPass, then post again and I will instruct you how to turn that option off.

(2) Then use your password (the one you devised earlier) as your main password for Lastpass or KeePass. Then within LastPass or KeePass, you could store your other passwords.

Here is an example of what one of those stored passwords could look like: 2v&u&@wutxazC3%s&C@vhq^tykqa%WN8YAc!nh69JT6pTc2bSyqzgd$4GnKaaFK2cG4T3@vaHFWT3J*6QP4s*pTVcu*CaKtaf8uj

I used LastPass's Password Generator to come up with that. KeePass also has a Password Generator.

I also advise you to check out: https://www.grc.com/haystack.htm to get an idea of how long it could take to brute-force your password.
Assuming you use Raiders5355RedburgEunice : 33.64 million trillion centuries

Please read the whole page, it will open up your eyes. From that site:
"...The #1 most commonly used password is “123456”, and the 4th most common is “Password.” So any password attacker and cracker would try those two passwords immediately. Yet the Search Space Calculator above shows the time to search for those two passwords online (assuming a very fast online rate of 1,000 guesses per second) as 18.52 minutes and 17.33 centuries respectively! If “123456” is the first password that's guessed, that wouldn't take 18.52 minutes. And no password cracker would wait 17.33 centuries before checking to see whether “Password” is the magic phrase..."

The generated password I provided could take: 1.90 million trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries
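The haystack figure quoted above assumes an attacker who tries every string over the character set. The thread's other objection (the password is dictionary words plus a four-digit PIN, and the plaintext hint names each part) is an attacker who guesses the shape instead. The following is an added example, not code from any poster or from grc.com, that puts numbers on both models for Raiders5355RedburgEunice and for the dashed variant. The list sizes (mascots, towns, first names) are assumed round numbers chosen for illustration, not measured wordlist sizes; the 1,000/s and 100 trillion/s rates are the online and "massive cracking array" rates used on the haystack page.

```python
"""Added example: guess counts for Raiders5355RedburgEunice under three
attacker models. Not from the thread; list sizes are assumptions."""
import math
import re
import string

PASSWORD = "Raiders5355RedburgEunice"
DASHED = "Raiders-5355-Redburg-Eunice"

# Assumed list sizes (constructed for this example, not measured).
HS_MASCOTS = 2_000      # distinct high-school mascot names
PIN_SPACE = 10 ** 4     # every four-digit bank PIN
US_TOWNS = 30_000       # populated-place names
FIRST_NAMES = 5_000     # common female first names

ONLINE_RATE = 1e3       # guesses/s, haystack "online" scenario
OFFLINE_RATE = 1e14     # guesses/s, haystack "massive cracking array"
SECONDS_PER_CENTURY = 100 * 365 * 24 * 3600

# Mask an attacker derives from the hint: capitalised word, four digits,
# two more capitalised words, with an optional '-' between parts.
SHAPE = re.compile(r"^[A-Z][a-z]+-?\d{4}-?[A-Z][a-z]+-?[A-Z][a-z]+$")


def matches_shape(password: str) -> bool:
    """True if the password fits the word+PIN+word+name mask."""
    return SHAPE.fullmatch(password) is not None


def charset_size(password: str) -> int:
    """Character classes present, counted the way a haystack-style
    calculator does (26 lower, 26 upper, 10 digits, 33 symbols)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += 33
    return size


def brute_force_space(password: str) -> int:
    """Haystack model: every string up to this length over the charset."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def combinator_space(*list_sizes: int) -> int:
    """Structured model: one candidate per combination of list entries.
    A fixed separator such as '-' adds nothing; it goes into the mask."""
    return math.prod(list_sizes)


def hint_known_space() -> int:
    """Attacker has read the plaintext hint. Tommy's hometown and Lana's
    mother's name are learnable from public records or social media,
    so only the mascot and the PIN are left to guess."""
    return combinator_space(HS_MASCOTS, PIN_SPACE)


def centuries(space: int, rate: float) -> float:
    """Time to exhaust a search space at the given guess rate, in centuries."""
    return space / rate / SECONDS_PER_CENTURY


def summarize(password: str) -> dict:
    """Bits of search space and crack time under each attacker model."""
    brute = brute_force_space(password)
    combo = combinator_space(HS_MASCOTS, PIN_SPACE, US_TOWNS, FIRST_NAMES)
    hinted = hint_known_space()
    return {
        "fits_mask": matches_shape(password),
        "brute_bits": round(math.log2(brute), 1),
        "brute_centuries_offline": centuries(brute, OFFLINE_RATE),
        "combinator_bits": round(math.log2(combo), 1),
        "combinator_seconds_offline": combo / OFFLINE_RATE,
        "hint_known_bits": round(math.log2(hinted), 1),
        "hint_known_hours_online": hinted / ONLINE_RATE / 3600,
    }


if __name__ == "__main__":
    for pw in (PASSWORD, DASHED):
        print(pw)
        for key, value in summarize(pw).items():
            print(f"  {key:28} {value}")
```

Under the brute-force model the undashed password comes out at roughly 143 bits and tens of millions of trillions of centuries, in line with the figure quoted from the haystack page. Under the structured model the same password is about 51 bits and falls in about 30 seconds at the offline rate, and once the hint is known it is about 24 bits, a few hours even at 1,000 guesses per second online. Adding dashes raises the brute-force number enormously and changes the structured numbers not at all.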
hero member
Activity: 767
Merit: 500
June 17, 2011, 03:22:04 PM
#8
I use passwordchart.com for all my passwords to make them all unique and I can access the site from anywhere even when offline if needed. Really glad I found it.

Will
newbie
Activity: 13
Merit: 0
June 17, 2011, 03:02:01 PM
#7
member
Activity: 64
Merit: 10
June 17, 2011, 02:59:29 PM
#6
Does a brute-force dictionary attack have any realistic chance of breaking a 24-character password like Raiders5355RedburgEunice, when the payoff is relatively small (e.g. my modest bank account or one of my modest bitcoin wallets)?

I do agree that adding in some special characters would help - maybe from now on I put a dash between each word, e.g. Raiders-5355-Redburg-Eunice.  A dash seems to be allowable by most password systems.
full member
Activity: 126
Merit: 103
June 17, 2011, 02:47:31 PM
#5
@Bunghole: Yes.  A brute-force attacker could with some difficulty break your password because it contains dictionary words, proper names and numbers.  You're much better off scattering your numbers, special characters and capitals throughout the password, and finding a convenient trick to remember it.
newbie
Activity: 14
Merit: 0
June 17, 2011, 02:40:30 PM
#4
I use randomly generated keys.

KeePass seems pretty solid.
member
Activity: 64
Merit: 10
June 17, 2011, 02:38:49 PM
#3
Can anyone find any holes in my technique of using password hints?
full member
Activity: 126
Merit: 103
June 17, 2011, 02:21:01 PM
#2
That's somewhat effective, but I prefer this method:

Pick a phrase that you are very familiar with (either a line from a joke, movie, or book).  Make the password the first letters of every word in that phrase, and include punctuation and capitalization when appropriate.  For added security, change certain letters into numbers, for example e's into 3's.  This makes a nigh-unhackable password (assuming the phrase is long enough) that is relatively easy to remember.
member
Activity: 64
Merit: 10
June 17, 2011, 02:17:18 PM
#1
I don't see much discussion about using password hints, to ensure that you never forget your password.

With every encrypted wallet file, I include an unencrypted plaintext password hint.  I use hints that I would never forget, like the nickname of a childhood friend.  Yes, there will be a few people who would know the answer to one hint, but if you use hints from many areas and times of your life, then no one person would be able to answer all of them.  And probably none of those people are hackers anyway.

Here's an example:
- Password: Raiders5355RedburgEunice
- Hint: HSMascot+My First Bank PIN+Tommy's Hometown+Lana's Mom's First Name

If Tommy and Lana are from different walks of life (e.g. one is a childhood friend and one is a college girlfriend), that helps increase the security.

Yes, there is a tiny risk involved, but it seems that that risk is lower than the risk of forgetting your passwords or creating simple passwords that are easy to remember and thus also easy to hack.

Any comments?