Advice on Password Storage

Discussion in 'privacy technology' started by kennyboy, Mar 21, 2010.

Thread Status:
Not open for further replies.
  1. kennyboy

    kennyboy Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    404
    Hi Guys.

    Being totally useless at remembering passwords (due to age :( ) I use a method where I have concealed a (random) password
    in this completely normal text file:-

    The password is more than 13 characters in there somewhere, that I can immediately recognise and use.
    My question is, is there a weakness in my thinking, in that I am giving a cracker a head-start by allowing this text file to be available?
     

    Attached Files:

    Last edited by a moderator: Mar 21, 2010
  2. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    I have no clue. If there's something that's obvious to you, I'd worry that an attacker could recognize it.

    I do note that "bEr$UrF2pux67PEhpe3seq4!?TS?bar-=htarWUXeRc7P&&MurdEM_-=-RfuZar?" and "?raZufR-=-_MEdruM&&P7cReXUWrath=-rab?ST?!4qes3ephEP76xup2FrU$rEb" are each repeated three times. I also see that a pair of one repeat frames "9Pr9SUF5xawR5Da4razAXenesucHaj7PaP9wraTHuzEThExAPRa2reBe" and that a pair of the other repeat frames an inverted copy "eBer2aRPAxEhTEzuHTarw9PaP7jaHcuseneXAzar4aD5Rwax5FUS9rP9".

    Am I getting close?
     
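The kind of structure hierophant spotted by eye (blocks repeated verbatim and blocks appearing character-reversed) is something a decoy file's owner can check for before trusting it. The script below is an added example, not code from the thread; the sample text is constructed here and is not the attached file. It slides a window of `k` characters over the text and reports any window that occurs more than once, and any window whose reversed form also occurs.

```python
from collections import defaultdict

# Constructed sample: one 16-character block planted three times among
# unique filler, plus one character-reversed copy of it at the end.
BLOCK = "Q7v!kLm2#pZr9wXs"
FILLER = "abcdefghijklmnopqrstuvwxyz0123456789"
SAMPLE = (FILLER[:10] + BLOCK + FILLER[10:20] + BLOCK
          + FILLER[20:30] + BLOCK + FILLER[30:] + BLOCK[::-1])


def find_repeats(text: str, k: int = 16) -> dict[str, list[int]]:
    """Map every k-character substring that occurs more than once to its start offsets."""
    seen: dict[str, list[int]] = defaultdict(list)
    for i in range(len(text) - k + 1):
        seen[text[i:i + k]].append(i)
    return {s: pos for s, pos in seen.items() if len(pos) > 1}


def find_mirrored(text: str, k: int = 16) -> list[str]:
    """Return k-character substrings whose character-reversed form also occurs in the text."""
    grams = {text[i:i + k] for i in range(len(text) - k + 1)}
    return sorted(g for g in grams if g != g[::-1] and g[::-1] in grams)


def structure_report(text: str, k: int = 16) -> dict:
    """Summarise how much repeated or mirrored structure a supposedly random file carries."""
    repeats = find_repeats(text, k)
    mirrored = find_mirrored(text, k)
    return {
        "length": len(text),
        "repeated_windows": len(repeats),
        "max_occurrences": max((len(p) for p in repeats.values()), default=0),
        "mirrored_windows": len(mirrored),
    }


if __name__ == "__main__":
    for s, pos in find_repeats(SAMPLE).items():
        print(f"{s!r} repeats at offsets {pos}")
    print("mirrored:", find_mirrored(SAMPLE))
    print(structure_report(SAMPLE))
```

A truly random file of the same length would report zero repeated and zero mirrored windows at `k=16`; anything else is structure that narrows the search, which is the point dantz makes later in the thread about an encoding scheme's strength being unmeasurable.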
  3. kennyboy

    kennyboy Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    404
    Thanks for the input. Very observant of you, but fortunately for me not close.
    I actually didn't realise that there were repeats in there, so maybe it's quite good that there is a "red herring" to throw someone in the wrong direction.
    Thanks again.
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    Have you considered using LastPass, which will encrypt your passwords while relieving you of the need to remember them? I use it and it enables me to use more complex and unique passwords since I don't need to either remember or be able to type them.
     
  5. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
  6. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    My overall sense is that you would be much better off remembering a lower-quality password rather than secretly encoding a near-plaintext copy of a higher-quality password. The security of your secret encoding method can't be measured, but keep in mind that it would have to be fairly easy to use, otherwise you wouldn't be using it, and this fact considerably reduces the number of possibilities that a cracker would have to test.

    It all boils down to this: Rather than relying on the time it takes to brute force a good password, you are relying on cleverness, subterfuge and luck. However, keep in mind that other people can be clever too, as well as skilled, so your cleverness doesn't really gain you much (if any) advantage. And assuming you don't intend to rely on luck, all that remains is subterfuge. Basically, you're hiding your password in plain sight. Will your attacker realize that the file contains your password? Will they discover your encoding method? It's impossible to say, and thus it's impossible to calculate your method's overall security (whereas the strength of a conventional password can be easily calculated). And that's the big weakness of your method -- you simply can't know how weak or strong it is.

    An analogy that springs to mind is that you're kind of like a person who tends to always lose his keys, and so you've decided that rather than carrying your front door key on you, you'll hide it somewhere on the property (but relatively near the front door). It's a fairly clever spot, but it's also fairly accessible (otherwise you wouldn't use it). Will a burglar figure it out someday? Maybe. (Especially if they're watching.)
     
  7. kennyboy

    kennyboy Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    404
    My apologies guys. I should have said that the hidden password is the Master Password for Keepass which holds all the other passwords.

    @dantz

    Very useful input for which I thank you. Very good analogy, and I take your point, BUT, having accepted that the password is "upfront" for all to see, it is instantly recognisable to me (for some reason) but not in any way obvious to an intruder.
    I suppose what I am really asking is if it would be easy to crack given that they have a head start by seeing something which they know contains a password....somewhere.

    Anyway, no big deal, but very grateful to all.

    Regards

    Ken
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Unless you're a high value target, I wouldn't expect anyone to spend much time trying to crack your scheme. If you're still uneasy though, you could instead use a text file that contains hints as to what the real password is, without actually giving the password. For example "the name of my first dog followed by the last name of my first love followed by the last 4 digits of my social security number followed by the name of my favorite childhood music group, all in lower case and containing no spaces." Try to make sure that the answers to all of the questions are likely known by nobody except you.
     
  9. kennyboy

    kennyboy Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    404
    Not uneasy with my ability to remember the password as it is MrBrian, but was curious to know if there was a fatal flaw in my system of "putting it all out there" to be cracked. Not what you would call a high value target, but certainly use Keepass for online banking etc, so maybe high value to me.
    Thanks for your input.
     
  10. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    It seems to be a giant palindrome, but I'm guessing that somewhere the sequence is broken. I'll leave it for someone else to earn a well-deserved headache! :argh:

    maybe in: feCuyedarurpABeR
     
    Last edited: Mar 25, 2010
  11. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
  12. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    2 reasons...

    First, 2.x requires .NET Framework. I don't have anything particularly against .NET Framework but don't see the need to run 2 programs just to get a password.

    Second, 1.x can be made 100% portable (with no dependencies) and run from a USB flash drive. This is my preferred method (although I don't always use it this way.)
     
  13. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    Version 2 also has a portable state, I am using it atm....
     
  14. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    Yes, 2.x can be carried on a flash drive. But try using it on a PC that has no .NET Framework. A situation I can't live with.
     
  15. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Seems like little gain in playing hide and seek with your password. Also, I fail to see the advantage of playing that with the password to your KeePass database which holds your passwords. Whether your database is on an encrypted drive, or anywhere on your system at all - access to the database means all bets are off anyway. Physical security comes first.

    At some point, one has to go with best practices and not invent new and dubious schemes. For example, you could choose to encrypt your password which gains access to an encrypted file which holds your password to the encrypted password of the file that has your 'hide n' seek' password which would, alas, open your KeePass database. That could go on forever and for little gain.

    Not that it matters, but I'm a believer in Roboform Pro and it is my single most prized piece of software. As far as I'm concerned, everything else is 'wannabe' in this category.
     
  16. hugsy

    hugsy Registered Member

    Joined:
    May 22, 2010
    Posts:
    167
    Well this topic is really fun :) IMO, and I am no security expert, hardly a rookie:
    - using one key to get to a second one is useless. If I break the first safe that contains a key to a second safe, that has a key to the third one... and so on, that wouldn't enhance security, it would only take a minute more to get to the hidden treasure.
    - your pass is hidden from any random person not intentionally wanting to get your pass, but a skilled hacker could use this txt file as some sort of dictionary and then go for it with their "pass cracking software".
    - but if we want to keep it simple, I would suggest that you hide the txt inside of a bmp file. Just use (copy /b "bmpfile" + "txtfile" "newbmpfile") in the command prompt
    - I read somewhere that the most used and effective methods for gaining a password are social engineering and keyloggers.
    - so if your password container is hidden, then it can't be cracked (since no app can use it), no matter if it is plain text or 256 AES encrypted. Then just be careful that it is not your pet's name in it and that you use a virtual keyboard (neo safekeys is good)
     
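The `copy /b` trick hugsy describes is a raw concatenation: the text file is simply appended after the image's last byte. A BMP header records the file's own size at offset 2, so the appended bytes are not covered by the header and are easy to spot. The script below is an added example, not code from the thread: it builds a small constructed BMP in memory, appends text exactly as `copy /b` would, and then reads the declared size back to find the trailing data.

```python
import struct


def make_bmp(width: int, height: int, rgb: tuple = (0, 0, 0)) -> bytes:
    """Build a minimal 24-bit uncompressed BMP in memory (constructed sample image)."""
    row_bytes = (width * 3 + 3) & ~3          # each pixel row is padded to 4 bytes
    pixel_bytes = row_bytes * height
    file_size = 14 + 40 + pixel_bytes         # BITMAPFILEHEADER + BITMAPINFOHEADER + pixels
    file_header = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, 54)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                             pixel_bytes, 2835, 2835, 0, 0)
    row = bytes(rgb[::-1]) * width + b"\x00" * (row_bytes - width * 3)  # BGR order
    return file_header + dib_header + row * height


def append_like_copy_b(image: bytes, payload: bytes) -> bytes:
    """What `copy /b image + text newimage` produces: the payload glued after the image."""
    return image + payload


def trailing_data(data: bytes) -> tuple[int, int, bytes]:
    """Return (declared size from the BMP header, actual size, bytes after the declared size)."""
    if len(data) < 14 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    declared = struct.unpack_from("<I", data, 2)[0]
    return declared, len(data), data[declared:]


def printable_runs(blob: bytes, min_len: int = 6) -> list[str]:
    """Recover printable ASCII runs from a blob, the way a strings-style tool would."""
    runs, current = [], bytearray()
    for b in blob + b"\x00":                   # sentinel flushes the last run
        if 32 <= b < 127:
            current.append(b)
        else:
            if len(current) >= min_len:
                runs.append(current.decode("ascii"))
            current = bytearray()
    return runs


if __name__ == "__main__":
    # Constructed payload; not the password file from the thread.
    stego = append_like_copy_b(make_bmp(2, 2), b"the secret lives here")
    declared, actual, extra = trailing_data(stego)
    print(f"header says {declared} bytes, file is {actual} bytes, "
          f"{len(extra)} trailing bytes: {printable_runs(extra)}")
```

The same size-versus-header comparison applies to most container formats, and a plain strings scan of the file would surface the appended text without even parsing the header, which is why appending a file to an image hides it only from casual inspection.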