#1  October 21, 2016, 14:48
Angrist (Apprentice; Join Date: Jul 2014; Location: Belarus; Posts: 77)
A way to remember good passwords

I learned the PAO mnemonic technique for remembering long numbers, based on assigning each digit combination 00-00-00 — 99-99-99 a fixed image, and realized that I already have strong associations between alphabet symbols and Angband monsters. Hence I can remember a relatively short, senseless, mixed-case character combination like "SeJffGoZq" through creating a mental visual story about a spider, floating eye, snake, tigers etc. You put more work into remembering something that way in comparison with rote memorization, but such memories tend to fade slowly over time even without repetition.
#2  October 21, 2016, 16:19
nikheizen (Adept; Join Date: Jul 2015; Posts: 122)
I think passwords consisting of several words or a phrase are generally more secure than short, complex, and hard to remember passwords.

Considering a password field which only allows lowercase and uppercase letters, "SeJffGoZq" (max 52^9 attempts) is less secure against brute-forcing methods than a password such as "sunnydayvisibility" (max 52^18), even if the password length is somehow known and the program attempts lowercase letters first. The latter password is probably easier to remember even with this mnemonic.

Using roguelike character sets to remember nonsense strings of letters is a good idea, but I think there are better applications than passwords!
#3  October 22, 2016, 15:20
Carnivean (Swordsman; Join Date: Sep 2013; Posts: 476)
https://xkcd.com/936/

Apparently this isn't quite as good a method as it used to be, but it's quite easy to remember hard to brute force passwords in this format.

On the other hand, common inscriptions should be relatively straightforward to remember, and you can put arcane hints if there are questions related to the password.

"Keleks" = @m9!d!k!v
#4  October 22, 2016, 20:01
Zireael (Adept; Join Date: Jul 2011; Posts: 203)
Wasn't there something about not using common words in passwords? Since the breaker algo will attempt a dictionary search first before brute forcing it?
#5  October 22, 2016, 20:07
Therem Harth (Knight; Join Date: Jan 2008; Location: Entropia; Posts: 884)
Use a password manager?

I like kpcli myself, since it's text-based and compatible with KeePass database formats:

http://kpcli.sourceforge.net/
#6  October 22, 2016, 20:51
AnonymousHero (Veteran; Join Date: Jun 2007; Posts: 1,303)
Here's the current recommendation from experts: Generate[1] separate passwords for each site and write them down. Obviously you shouldn't keep those written-down passwords on a post-it on your monitor[2], but perhaps in your wallet or just as an encrypted file on your hard drive.

EDIT: I suppose I should explain a little bit of the reasoning. Point #1: Some random person stealing your wallet is most likely not interested in your twitter password. They're interested in your money and/or credit cards. Point #2: Using the same password across different sites is a really bad idea because once a valid username/password combination has been obtained, it's completely trivial to compromise a lot of different sites in an automated fashion. (That is to say: The fact that it would take a human X amount of time to compromise your Twitter, Instagram, Facebook, Gmail, etc. means nothing when a computer program can do that in a few seconds given that the correct username/password combination is known.)

[1] That is, use, e.g., apg to generate a separate password. (If you're paranoid you might want to tweak the parameters to apg, though.) Actually, if it's a site you don't particularly care about you might want to also use apg to generate the "user name", though usually sites will just want a working e-mail.

[2] See http://arstechnica.com/security/2015...-tv-interview/ for how well that can go...

Last edited by AnonymousHero; October 22, 2016 at 20:57.
#7  October 22, 2016, 21:18
Derakon (Prophet; Join Date: Dec 2009; Posts: 7,943)
Quote (originally posted by Zireael):
Wasn't there something about not using common words in passwords? Since the breaker algo will attempt a dictionary search first before brute forcing it?
Using just one word plus maybe some numbers and/or basic transformations (like replacing "o" with 0) leaves you with a "weak" password that can relatively rapidly be guessed by an attacker who is both willing and able to brute-force-attack you. However, adding just one more word to the password greatly increases the number of potential combinations the attacker would have to try, and a three-word password has frankly amazing strength compared to what people actually commonly use these days.

Such attacks are somewhat rare these days; usually the infrastructure of the site itself is attacked and the passwords[1] get exposed and then re-used on other sites. Still, you shouldn't make your passwords easy to guess. Use a password manager, or write the passwords down. The important thing is that an attacker that gets one of your passwords should not be able to figure out what your password is on a different site -- so if your password was "applesandbananas1" on this site, for example, an attacker that hacks the site might plausibly guess that your password is "applesandbananas2" (or 3, 4, etc.) on another site.

[1] Stored, depressingly, in plaintext in their database, because people are Bad At Security. Passwords ought to be stored as a "hash", which is a consistent one-way mathematical transformation, because all you care about is if the value the user input matches the value stored in the database. Hash the input, and if it matches the hash in the database, all is well. There is zero reason to store the actual password, and it greatly increases the damage from a hack. An attacker that gets their hands on the hash will, if you do it properly, have great difficulty recovering the passwords from the hashes.
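The keyspace arithmetic behind posts #2 and #7 (random letters versus a multi-word passphrase versus one dictionary word with a digit), as an added illustration that is not part of the thread; the alphabet sizes, the 7776-word list, the 100,000-word dictionary and the guess rate are all assumed values.

```python
import math

# Constructed assumptions for this illustration (not from the thread): a 52-letter
# mixed-case alphabet, a 26-letter lowercase alphabet, a 7776-word diceware-style
# list the attacker is assumed to know, and a 100,000-word dictionary.
MIXED_CASE = 52
LOWERCASE = 26
WORDLIST = 7776
DICTIONARY = 100_000

def entropy_bits(space: int) -> float:
    """Size of a search space in bits (log2 of the number of candidates)."""
    return math.log2(space)

def random_chars(length: int, alphabet: int = MIXED_CASE) -> int:
    """Strings like 'SeJffGoZq': each position independent and uniform."""
    return alphabet ** length

def passphrase(words: int, wordlist: int = WORDLIST) -> int:
    """k words drawn uniformly from a known list: the attacker enumerates word
    combinations, not letters, so the space is wordlist**k rather than 26**len."""
    return wordlist ** words

def single_word(dictionary: int = DICTIONARY, digits: int = 1, variants: int = 4) -> int:
    """One dictionary word plus a digit suffix and a few fixed rewrites
    (capitalised first letter, o->0, ...): the 'weak' shape from post #7."""
    return dictionary * (10 ** digits) * variants

def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return space / guesses_per_second

def compare(rate: float = 1e10) -> dict:
    """Bits and worst-case exhaust time per shape; rate is an assumed offline
    hash-cracking speed in guesses per second."""
    shapes = {
        "9 mixed-case chars (SeJffGoZq)": random_chars(9),
        "18 lowercase letters, tried as letters": random_chars(18, LOWERCASE),
        "3 words from 7776-word list": passphrase(3),
        "4 words from 7776-word list": passphrase(4),
        "1 dictionary word + digit + rewrites": single_word(),
    }
    return {k: (round(entropy_bits(v), 1), seconds_to_exhaust(v, rate)) for k, v in shapes.items()}

if __name__ == "__main__":
    for shape, (b, secs) in compare().items():
        print(f"{shape:42s} {b:6.1f} bits  {secs / 86400:.3g} days to exhaust")
```

Note that three words from a known 7776-word list come in just below the nine random mixed-case letters, while four words exceed them, which is why the attacker's knowledge of the word list matters more than the raw character length.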
#8  October 22, 2016, 21:29
AnonymousHero (Veteran; Join Date: Jun 2007; Posts: 1,303)
@Derakon

Nice comment. Just a little addendum: Of course the usual corporate "Best Practice" (ugh!) strategy is to force people to choose a new password every few months... and what you get is "mypassword1" changes to "mypassword2", changes to "mypassword3" (or the moral equivalent -- these things are usually ridiculously easy to game). Sigh.

EDIT: Small addendum for anyone who's interested in the technology: In addition to just "hashing" you'll also want to add a salt to avoid attacks on one of your users becoming an attack on all your users. (Dundundun!). (Read the wiki page for details.)

Last edited by AnonymousHero; October 22, 2016 at 21:36.
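The hash-then-salt storage scheme that posts #7 and #8 describe, as an added example rather than code from the thread: a plain hash beside a per-user salted, slow-KDF record, with verification by re-derivation. The record layout, the PBKDF2 work factor and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os

# Added illustration of the hash-then-salt advice in posts #7 and #8, not code from the
# thread. The record layout "pbkdf2_sha256$iterations$salt$hash" and the work factor
# below are assumptions; the sample passwords are constructed.
ITERATIONS = 210_000
SALT_BYTES = 16

def unsalted_hash(password: str) -> str:
    """Hash alone: identical passwords give identical digests, so one cracked
    (or precomputed) digest covers every user who chose that password."""
    return hashlib.sha256(password.encode()).hexdigest()

def make_record(password: str, salt: bytes = b"") -> str:
    """Hash with a per-user random salt and a slow KDF; only this record is stored."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def demo() -> dict:
    """Two users who picked the same (constructed) password."""
    alice = make_record("applesandbananas1")
    bob = make_record("applesandbananas1")
    return {
        "unsalted_collide": unsalted_hash("applesandbananas1") == unsalted_hash("applesandbananas1"),
        "salted_differ": alice != bob,
        "alice_ok": verify("applesandbananas1", alice),
        "bob_wrong_guess": verify("applesandbananas2", bob),
    }
```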
#9  November 29, 2016, 09:00
Grannt (Rookie; Join Date: Nov 2016; Location: New York; Posts: 1)
Quote (originally posted by Angrist):
I learned the PAO mnemonic technique for remembering long numbers, based on assigning each digit combination 00-00-00 — 99-99-99 a fixed image, and realized that I already have strong associations between alphabet symbols and Angband monsters. Hence I can remember a relatively short, senseless, mixed-case character combination like "SeJffGoZq" through creating a mental visual story about a spider, floating eye, snake, tigers etc. You put more work into remembering something that way in comparison with rote memorization, but such memories tend to fade slowly over time even without repetition.
That's incredible!