The Real Deal 125: Passwords

Rafe and Tom discuss what makes a secure password and how to manage passwords securely.

Tom Merritt Former CNET executive editor
5 min read

Rafe and Tom discuss what makes a secure password and how to manage passwords securely.

Listen now: Download today's podcast

Show notes

  1. Coming up with passwords -Password generators

  2. Remembering your passwords

  3. http://www.macosxhints.com/article.php?story=20040920120520528


I have a system I use for passwords that I learned from a friend of mine. It involves having one master password which has capital letters, numbers and special characters. When you want to create a new password, you append a context sensitive password to this master password and generate an easily remembered password. For example, my master password could be RealDeal?+1337 (its not) and when I want to sign up for a Real Deal account, my context password would be FudBusters?, so the password I use for realdeal would be RealDeal?+1337FudBusters. How safe does the method look? Chustar

  • Utilities for managing passwords.

  • Our episode on OpenID - https://podcast-files.cnet.com/podcast/cnet_realdeal021208.mp3


    During the encryption episode, I kept thinking: "They really need to do an episode on passwords." Seems like you read my mind (though I was thinking this after you recorded the show, so it's a bit weird). But I hope you'll do an episode on authentication in general. In terms of generating passwords, I recently discovered SuperGenPass through TWiT (wasn't Tom on that episode?). http://supergenpass.com/ I do have a few "Road Test" issues with SGP, including the fact that I need these passwords outside of browsers (say, in OS X iPhone apps).

    One thing you already mentioned on occasion but that I think deserves more discussion is OpenID.

    IMHO, it's especially useful for authentication to post on forums (!!). Though SGP helps me in not having to remember too many passwords, I still find it absurd that I have to create complete authentication every time I need to post something on a site I rarely visit (including CNET.com, to be honest).


    My big issue with online password managers is that you have to have at least some trust that the backend is secure and reliable. I don't see a way to eliminate that disadvantage over a local application.

    From reading about SuperGenPass, it looks as though it limits your flexibility with the passwords to support its implementation and security model. You decide on a master password, and then it decides on the passwords for each site. You'll need some sort of supplemental personal algorithm if you want to alter the strength of your passwords or change your passwords regularly.

    I still strongly favor KeePass (www.keepass.info). Free and open source. Strong security and great flexibility.

    - Joel

    This may be a little remedial, but whenever I help people with passwords they think it’s sliced bread. It’s simple, and easy to remember but meets the primary goal of passwords. I will take a current favorite of the day, let’s use Cnetrealdeal and change the letters to numbers. My key is change E’s to 3’s (Backwards E); A’s to 4’s (An A missing a leg) or O’s to 0’s. You could do B’s to 8’s, and S’s to 5’s, but I haven’t used those.

    That would change Cnetrealdeal – Cn3tr34ld34l. Usually I would only do one or two changes, and just do Cn3trealdeal, and then next time it could be Cnetr34ldeal. Then on my Cheat-sheet (hidden in my Notepad in Outlook) I replace the changed characters with # signs or place them at the end of the word just to remind me there are numbers in there without giving the correct password away.

    Hope someone finds this useful.


    JCSandvik, I do something like that which I then add to a core password that I use for all passwords. The result is that all of my passwords are about 12 to 18 characters long and I usually can recall them from memory.

    I'm interested to hear what acedtect has to say about this technique though. It's not truly random, so how easy would it be to break? Better than "password," I guess.


    Q: How secure is Firefox's password manager?



    I liked the last show about encryption. Thanks for putting it out there.

    I do have a follow-up question, though. On just about every word processor I've ever used, there's always an option to “save with password” when I finish with the file I'm working on. Not that I'm looking to Microsoft Word to defend me against the Forces of Evil here, but is this actual encryption? For example, I have a Letter of Resignation on my flash drive written with a cool head and diplomatic language in case I have to use it instead of my gut reaction of yelling, “Bite me! I'm outta here.” It would be bad if my boss got a look at it before the time of it's intended use.

    Oh, and about encryption and travel plans... As we all know, the TSA doesn't have to be nice about poking their noses into whatever you're dragging around with you when you fly. Having a chunk of encrypted data is the fastest way I can think of to get “upgraded” to Cops in Suits, with sunglasses, the first name of Agent, and (abso-frakking-lutely) zero sense of humor! And using the TrueCrypt “Hide the Real OS” game has got to earn you a water-boarding. If you need to access something like this, Amazon S3 would be ideal AFTER YOU'VE ARRIVED AT YOUR LOCATION!

    Thanks again.</robotic_bol_love the show>

    Hi Guys,

    I am just listening to the Episode on the Olympic Video. If want to see it done right, you should have a look at the coverage on cbc.ca. I am not sure if you will be able to watch it from the U.S., but it is worth a look if you can.

    It gives you the times when the events they are covering start. They have the primary feed which is the same as the TV broadcast online (commercials and all). They also have secondary feeds that are the event coverage directly, so you can watch an event that is not currently being broadcast on TV.

    CBC also covers the events as they happen, they understand that people want to see things live, not always taped delayed. As an example, I watched Usain Bolt set the new World Record just after 7 AM PDT Wednesday, NBC was showing volleyball at the time....seems a little wrong to me....

    - Andre

    Next episode - SciFi Made Real realdeal@cnet.com