August 26, 2008 3:54 PM PDT

The Real Deal 125: Passwords

by Tom Merritt

Rafe and Tom discuss what makes a secure password and how to manage passwords securely.




Show notes

  1. Coming up with passwords - Password generators

  2. Remembering your passwords

  3. http://www.macosxhints.com/article.php?story=20040920120520528

    http://www.passwords.org.uk/memorable-passwords.html

    I have a system I use for passwords that I learned from a friend of mine. It involves having one master password which has capital letters, numbers and special characters. When you want to create a new password, you append a context-sensitive password to this master password and generate an easily remembered password. For example, my master password could be RealDeal?+1337 (it's not) and when I want to sign up for a Real Deal account, my context password would be FudBusters?, so the password I use for realdeal would be RealDeal?+1337FudBusters. How safe does the method look? Chustar

  4. Utilities for managing passwords.

  5. Our episode on OpenID - http://chkpt.zdnet.com/chkpt/1pcast.rdpod/http://podcast-files.cnet.com/podcast/cnet_realdeal021208.mp3


FORUMS

During the encryption episode, I kept thinking: "They really need to do an episode on passwords." Seems like you read my mind (though I was thinking this after you recorded the show, so it's a bit weird). But I hope you'll do an episode on authentication in general. In terms of generating passwords, I recently discovered SuperGenPass through TWiT (wasn't Tom on that episode?). http://supergenpass.com/ I do have a few "Road Test" issues with SGP, including the fact that I need these passwords outside of browsers (say, in OS X iPhone apps).

One thing you already mentioned on occasion but that I think deserves more discussion is OpenID.

IMHO, it's especially useful for authentication to post on forums (!!). Though SGP helps me in not having to remember too many passwords, I still find it absurd that I have to create complete authentication every time I need to post something on a site I rarely visit (including CNET.com, to be honest).

-enkerli


My big issue with online password managers is that you have to have at least some trust that the backend is secure and reliable. I don't see a way to eliminate that disadvantage over a local application.

From reading about SuperGenPass, it looks as though it limits your flexibility with the passwords to support its implementation and security model. You decide on a master password, and then it decides on the passwords for each site. You'll need some sort of supplemental personal algorithm if you want to alter the strength of your passwords or change your passwords regularly.

I still strongly favor KeePass (www.keepass.info). Free and open source. Strong security and great flexibility.

- Joel


This may be a little remedial, but whenever I help people with passwords they think it’s sliced bread. It’s simple, and easy to remember but meets the primary goal of passwords. I will take a current favorite of the day, let’s use Cnetrealdeal and change the letters to numbers. My key is change E’s to 3’s (Backwards E); A’s to 4’s (An A missing a leg) or O’s to 0’s. You could do B’s to 8’s, and S’s to 5’s, but I haven’t used those.

That would change Cnetrealdeal – Cn3tr34ld34l. Usually I would only do one or two changes, and just do Cn3trealdeal, and then next time it could be Cnetr34ldeal. Then on my Cheat-sheet (hidden in my Notepad in Outlook) I replace the changed characters with # signs or place them at the end of the word just to remind me there are numbers in there without giving the correct password away.

Hope someone finds this useful.

-JCSandvik


JCSandvik, I do something like that which I then add to a core password that I use for all passwords. The result is that all of my passwords are about 12 to 18 characters long and I usually can recall them from memory.

I'm interested to hear what acedtect has to say about this technique though. It's not truly random, so how easy would it be to break? Better than "password," I guess.

-engnr-chik
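JCSandvik's substitution scheme and engnr-chik's question about how far it is from random can be put in numbers. The Python below is an added example, not code from the show or from either poster: it applies the E→3 / A→4 / O→0 table (plus the B→8 and S→5 pairs JCSandvik mentions but does not use) to a base word at chosen positions, builds the "#" cheat-sheet hint described in the post, and counts how many distinct passwords the table can produce from one base, which is all the extra work the substitutions add on top of guessing the base. The `base_choices` value of 2^16 in the demo is an assumption standing in for how many memorable phrases a person might pick from; it is not a figure from the page.

```python
import math
import string

# JCSandvik's three substitutions, plus the two he mentions but does not use.
LEET_SUBS = {"e": "3", "a": "4", "o": "0", "b": "8", "s": "5"}


def substitutable_positions(word: str, subs=LEET_SUBS) -> list:
    """Indices of characters that the substitution table can change."""
    return [i for i, ch in enumerate(word) if ch.lower() in subs]


def leet(word: str, positions, subs=LEET_SUBS) -> str:
    """Apply the substitution only at the chosen indices (the 'one or two changes' variant)."""
    chars = list(word)
    for i in positions:
        if chars[i].lower() not in subs:
            raise ValueError(f"position {i} ({chars[i]!r}) has no substitution")
        chars[i] = subs[chars[i].lower()]
    return "".join(chars)


def cheat_sheet(original: str, transformed: str) -> str:
    """The hint JCSandvik keeps: changed characters replaced by '#'.

    The hint reveals every unchanged character, so the only secret left is
    which of the substitutable positions were actually changed.
    """
    if len(original) != len(transformed):
        raise ValueError("cheat sheet requires equal-length strings")
    return "".join("#" if o != t else o for o, t in zip(original, transformed))


def variant_count(word: str, subs=LEET_SUBS) -> int:
    """Distinct passwords reachable from `word`: each substitutable position is
    either changed or left alone, so 2 ** k for k substitutable positions."""
    return 2 ** len(substitutable_positions(word, subs))


def scheme_bits(word: str, base_choices: int, subs=LEET_SUBS) -> float:
    """Entropy estimate in bits for 'memorable base + optional substitutions'.

    base_choices is an assumption about how many bases the user might pick from
    (e.g. a phrase list); the substitutions add log2(variant_count) on top.
    """
    return math.log2(base_choices) + math.log2(variant_count(word, subs))


def random_password_bits(length: int,
                         alphabet_size: int = len(string.ascii_letters + string.digits)) -> float:
    """Entropy of a uniformly random password of the given length, for comparison."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    base = "Cnetrealdeal"                      # the example from the post
    full = leet(base, substitutable_positions(base))
    print(base, "->", full, "| cheat sheet:", cheat_sheet(base, full))
    print("variants:", variant_count(base), "=", math.log2(variant_count(base)), "bits")
    print("base from 65536 choices (assumed) + subs:", scheme_bits(base, 2 ** 16), "bits")
    print("random 12-char alphanumeric:", round(random_password_bits(12), 1), "bits")
```

Run on Cnetrealdeal it finds 5 substitutable positions, so 32 variants: about 5 bits on top of whatever the base phrase is worth, against roughly 71 bits for a uniformly random 12-character alphanumeric string. Once the cheat sheet is seen, only those 5 bits remain, so the sheet needs the same protection as the password itself.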


Q: How secure is Firefox's password manager?

-Billy

E-MAIL

I liked the last show about encryption. Thanks for putting it out there.

I do have a follow-up question, though. On just about every word processor I've ever used, there's always an option to “save with password” when I finish with the file I'm working on. Not that I'm looking to Microsoft Word to defend me against the Forces of Evil here, but is this actual encryption? For example, I have a Letter of Resignation on my flash drive written with a cool head and diplomatic language in case I have to use it instead of my gut reaction of yelling, “Bite me! I'm outta here.” It would be bad if my boss got a look at it before the time of its intended use.

Oh, and about encryption and travel plans... As we all know, the TSA doesn't have to be nice about poking their noses into whatever you're dragging around with you when you fly. Having a chunk of encrypted data is the fastest way I can think of to get “upgraded” to Cops in Suits, with sunglasses, the first name of Agent, and (abso-frakking-lutely) zero sense of humor! And using the TrueCrypt “Hide the Real OS” game has got to earn you a water-boarding. If you need to access something like this, Amazon S3 would be ideal AFTER YOU'VE ARRIVED AT YOUR LOCATION!

Thanks again, love the show.

-robotic_bol


Hi Guys,

I am just listening to the Episode on the Olympic Video. If want to see it done right, you should have a look at the coverage on cbc.ca. I am not sure if you will be able to watch it from the U.S., but it is worth a look if you can.

It gives you the times when the events they are covering start. They have the primary feed which is the same as the TV broadcast online (commercials and all). They also have secondary feeds that are the event coverage directly, so you can watch an event that is not currently being broadcast on TV.

CBC also covers the events as they happen, they understand that people want to see things live, not always taped delayed. As an example, I watched Usain Bolt set the new World Record just after 7 AM PDT Wednesday, NBC was showing volleyball at the time....seems a little wrong to me....

- Andre


Next episode - SciFi Made Real realdeal@cnet.com

forums.cnet.com

877-600-CNET

COMMENTS (3)
by pwestbrook August 27, 2008 4:17 AM PDT
For my passwords, I use the javascript that is described on this page: http://angel.net/~nic/passwdlet.html

This script asks me for my master password, and then hashes it with the domain of the web page to generate a site specific password. This allows me to remember one secure password (That isn't stored anywhere), and the passwords for each site will be unique.

Also, it should be very hard for someone to determine the master password, as the algorithm uses a one way hash.

--Paul
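Paul's bookmarklet, and SuperGenPass mentioned elsewhere on this page, both derive a per-site password from one master password and the site's domain. The Python below is an added example, not the passwdlet's or SuperGenPass's own code, and its parameters (PBKDF2 with 200,000 iterations, a 16-character output, the label mixed into the salt) are assumptions chosen for illustration. It shows three things the comment glosses over: the host is normalized so `www.example.com` and `example.com` produce the same password; the derivation uses a deliberately slow key-derivation function rather than a fast hash, because anyone who learns one generated password could otherwise test master-password guesses offline at hash speed; and the raw bytes are mapped onto a printable alphabet without bias.

```python
import hashlib
import string
from urllib.parse import urlsplit

# Parameters are this example's assumptions, not those of passwdlet or SuperGenPass.
PBKDF2_ITERATIONS = 200_000           # deliberately slow: limits offline guessing of the master
PASSWORD_LENGTH = 16
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"   # 70 symbols
DOMAIN_LABEL = b"site-password-v1:"   # versioned label mixed into the salt


def site_key(url_or_host: str) -> str:
    """Normalize a URL or bare host to a stable key for the site.

    Lower-cases the host and drops a leading 'www.', any port and any path, so
    'https://WWW.Example.com:443/login' and 'example.com' yield the same key.
    Other subdomains are kept (mail.example.com stays distinct from example.com).
    """
    text = url_or_host.strip()
    if "://" not in text:
        text = "https://" + text          # let urlsplit see a scheme
    host = (urlsplit(text).hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[len("www."):]
    if not host:
        raise ValueError(f"no host in {url_or_host!r}")
    return host


def generate_password(master: str, url_or_host: str, length: int = PASSWORD_LENGTH) -> str:
    """Derive a deterministic per-site password from the master and the normalized host.

    The master is never stored; the same master and host always give the same
    result, and a different host gives an unrelated one because the host is the salt.
    """
    host = site_key(url_or_host)
    salt = DOMAIN_LABEL + host.encode("utf-8")
    # Request more bytes than needed so rejection sampling below can discard
    # values that would bias the alphabet mapping (256 is not a multiple of 70).
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=length * 4)
    limit = 256 - (256 % len(ALPHABET))   # 210: largest multiple of 70 that fits in a byte
    chars = [ALPHABET[b % len(ALPHABET)] for b in raw if b < limit]
    if len(chars) < length:
        raise RuntimeError("too few usable bytes; increase the dklen multiplier")
    return "".join(chars[:length])


if __name__ == "__main__":
    # Constructed demo master; never hard-code a real one.
    demo_master = "example-master-phrase (constructed)"
    for target in ("https://www.example.com/login", "example.com", "mail.example.com"):
        print(f"{site_key(target):20s} {generate_password(demo_master, target)}")
```

Keeping subdomains distinct is a design choice: SuperGenPass-style tools instead reduce the host to the registrable domain so that every subdomain of a site shares one password, which is friendlier but means a compromised subdomain reveals the password for the whole site. Note also that changing one site's password, or meeting a site's length and character rules, requires extra input beyond the master and host, which is the flexibility limit Joel raises about SuperGenPass above.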
by trmptblwr August 30, 2008 1:53 PM PDT
There's another great Bookmarklet that I use that sounds like it works the same way at supergenpass.com

The good thing about it is that it also has a 'mobile' version, so you can 'look up' your password on, say, an iPhone or on somebody else's computer.
by ofmyony August 27, 2008 1:38 PM PDT
These ideas are going to drive people crazy. I am not a hacker, but my experience is: just be smart, deal with legit sites, and know who to trust around you.