A colleague here asked me to share my "password protection" scheme, i.e. my way of inventing passwords that are easy to remember (or rather, to recall). Since this actually means revealing a significant part of my passwords, which would make them very vulnerable, I decided to refine the scheme, taking into account that I was not happy with the results of a fairly long period of use (more than half a year, probably).
So that, after seeing a picture like this
[image: "you did not become like this man"]
you read the topic further.
What for?
The advantages of a password scheme over a password manager, as a matter of principle:
- no special software is needed;
- as a consequence, mobility and independence from any file;
Disadvantages:
- some preparation is needed before use (details below);
- creating and recalling a password takes mental effort.
I know that particularly clever people will say that a password manager can be carried on a flash drive that is always with you. But it is unlikely to be cross-platform, to require no configuration on an arbitrary computer, and to be protected against loss of the flash drive all at once.
Differences from other password-creation schemes:
- determinism (a strict law for creating passwords; this can be either a disadvantage or an advantage);
- hmm... No, no other differences from the schemes I have seen come to mind.
So, the question "why?" we consider settled and resolutely set aside.
Disclaimer
The scheme is meant for generating passwords for the whole heap of web services (first of all them; why is explained below) that are not of fundamental importance, by people who are seriously hooked on the Internet and do not want to fall victim to a virtual enemy or a fraudster who can bring down your whole virtual life having learned a single password, because you did not deign to use either a password manager or a password scheme. So it will do for the next random social network, forum and blog, but for mail or WebMoney you must generate passwords using at least the same scheme, but with a different "key". That is quite obvious.
In general, a password-creation scheme is effective only while nobody knows about it: individual and hard to recognize. So maybe I am making a mistake. Now all my passwords will be stolen!11
It should also be noted that in modern computer security the weakest link is the person, that is, you, the user of these passwords. All kinds of scam and phishing sites have flooded the Internet, so no matter how cool your password is, you still must not hand it directly to the attacker. And beware of thermorectal cryptanalysis (the soldering-iron version of rubber-hose cryptanalysis).
Also, I am not a specialist in cryptography or anything like it, and if someone knows why the proposed scheme is bad or how to improve it, you are welcome in the comments. I am really interested in the opinion of a hacker / defence specialist, or at the very least a reference to literature that is not too hard to master (beyond the basics of calculus, linear algebra and probability theory, although I do not claim really good knowledge of those subjects, and the last of them I have forgotten 90% of).
Also, I am not a child prodigy, but I also do not think the described generation method is so complicated that it is uncomfortable to use. In the end, I am not agitating anyone.
It may not be very easy to grasp right away, but at least read the beginning; maybe the idea will seem worthwhile.
Passwords Overview
You can skip this section if you already know what a decent password should look like.
And it should be like this:
- consist of uppercase and lowercase Latin letters (and only them), digits and special characters (do not overdo the special characters, or you will have trouble typing them on mobile devices);
- be at least 8 characters long. Who knows what that really buys, but in theory the number of possible passwords would be (26 * 2 (lowercase and uppercase letters) + 10 (digits) + 10 special characters (the ones on the digit keys of the US qwerty layout))^8 = 72^8 = 722204136308736, i.e. about 722 * 10^12, or roughly 2^49. The figure is impressive, but I do not have any real information about how long "cracking" such a password takes in real conditions.
Additional requirements on which this password-protection scheme is based
Here they are:
- the password must be "remembered" by means of some trick, unknown to anyone but you, yet simple enough to perform at every login, and not for one service only. In essence these operations are decoding operations, and the key can be either public or secret. The most convenient public key is the domain name of the web service. A secret key would be some clever association of an image with the service (but that turns out to be highly non-deterministic, and hard to remember). So we take the public key; more on that below.
- when an intruder gets hold of a password (and not even one but, say, 10, which for a moderately active Internet user with a database of 100 passwords is 10%), they must not be able to learn the sequence, the rules, the whims of your left heel and everything else you used to generate the passwords for other services. Again, details below.
- and of course there should be no coincidences (at least not deliberate ones): the generated passwords must be unique. If we are unlucky, so be it; one password out of 100 coinciding with another is not considered critical.
Idea
So then. What is the most common and accessible identifier of a web service? That's right, the domain name. Consider an example that is not too far from real life.
You are going to play Warhammer Online on the occasion of an unlimited trial. Well, you need to register. Following some link somewhere on the site, you land on a page with an address like
https://accounts.eamythic.com/war/trial
There you enter all the registration info, including the password. Here is the password generation: take, for example, the number of characters in each dot-separated part of the domain name and add them up (8 + 8 + 3 = 19); that gives the first 2 characters of the password. Then we take either a meaningful phrase that you clearly associate with this game ("Warhammer", for example; not a good option, because meaning in a password is evil), or a permanent strong eight-character password that you memorized earlier and can recite even when woken at 3 am (let it be JE82adw]).
Generation, by example:
19 8 JE 8 82 ad 3 w]
That is: the first 2 digits are the sum of the numbers of characters in the first, second and third parts of the domain name (up to the dot, between the two dots, after the dot). In the second position, the number of characters in the first part of the domain name; in the third, 2 characters of our prepared password; in the fourth, the number of characters in the second part of the domain name; well, I think you get the idea. We got a 13-character password (198JE882ad3w]), of which 8 characters we took care of ourselves and the remaining 5 were obtained from the domain name. In general, the point is that into your one fixed password you insert pieces obtained by transforming freely available information. Clearly, using the domain name verbatim is an obvious giveaway, and encoding it in, say, l33t is also covered by cracking dictionaries, so you need to be more sophisticated (although, as long as the password is not entirely l33t-coded, it can be used). In general, the encoding law is whatever you want. If you like, raise something to a power; if you like, take the difference between 100 and the length of the service name; anything. Or even the length of the 3-vector of the three part lengths of the domain name, whatever. What is important is that the law of your choice is the same for the whole "series" of services. Let there be one for the garbage dumps, another for the rank and file, another for the important ones. But you must know clearly which is which, otherwise you will have to recover the password at every login.
An important thought, which I arrived at only while describing the scheme
Such a scheme loses its meaning once an attacker obtains several passwords from one series. Two passwords of one series contain a common substring, and that is already more than half of each password. The law is not hard to find either. And even if it is not found: knowing the positions where there must be digits, and knowing that there are only digits there, picking the rest becomes very easy.
Here the options are: split the passwords into groups, each with its own constant part; or make the encoded part such that, even after the constant part is recognized, the passwords remain hard to guess; or split into groups, each with its own encoding law. If the encoded part is also strong on its own (8 characters, at least letters and digits), then obtaining 2 passwords reduces security only (conditionally) by a factor of 2 (I know the difficulty of guessing a password does not depend linearly on this). Better still, combine all 3 options.
Final option
So you need to:
- set up several categories of passwords, roughly equal in size, and such that an outsider cannot tell which password belongs to which category. Within a category there is one constant part and one encoding law (you could split further, but then there is a chance of going crazy). If you have few passwords and splitting them up is a bother, let there be one category, but you have been warned above;
- for each category, invent the constant part of the password. Example: professional activity, constant part m2f~(kJB; social networks, constant part 5O((eT!1;
- for each category, invent the encoding law. Example: professional activity: at the beginning, the first character of the domain name followed by the number of characters in each part of the domain name; at the end, the last character of the domain name followed by the same numbers. Social networks: at the beginning the number of characters in the first part of the domain name, in the middle the number in the second, at the end the number in the third, followed by the 2 characters immediately before the last dot, in reverse order;
- understand that such passwords are most conveniently typed as follows: first the constant part, then the encoded additions to it (moving the cursor to the right places);
- start using the scheme. Force yourself and start generating passwords. The first time you may have to recover a password, but then change it to the one the scheme dictates. Password examples with the constant parts and encoding rules above: habrahabr.ru (professional activity): h92m2f~(kJBu92; vkontakte.ru (social networks; there is no first part of the domain name, so consider it www): 35O((9eT!12et; facebook.com (social networks): 35O((8eT!13ko.
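To make the laws explicit and checkable, here is an added example (the editor's code, not the author's): the three laws used in this post written out in Python and run over the author's example hosts, plus the attacker's side of the "important thought" above, namely that given two passwords from one category the longest common substring immediately yields the constant part. The "www" padding of a two-label host in the social-network law follows the author's convention; the function names, the URL parsing, and the use of github.com as a second professional-category host are assumptions of this example. Note that by the stated law facebook.com gets an 8 in the third position, since "facebook" has 8 characters.

```python
# Added example, not the author's code: the post's domain-derived password
# laws as functions, plus the attacker's-eye view of two leaked passwords.
from urllib.parse import urlsplit


def domain_labels(service):
    """Dot-separated labels of a bare host or of the host part of a URL.

    Assumption: a service is identified by its hostname only (no port, path).
    """
    host = urlsplit(service).hostname if "://" in service else service
    return host.lower().rstrip(".").split(".")


def law_trial(labels, const):
    """First worked example (accounts.eamythic.com): sum of the three label
    lengths, then each length interleaved with 2-character slices of the
    8-character constant part."""
    l1, l2, l3 = (len(x) for x in labels[:3])
    return (f"{l1 + l2 + l3}{l1}{const[0:2]}{l2}{const[2:4]}"
            f"{const[4:6]}{l3}{const[6:8]}")


def law_professional(labels, const):
    """'Professional activity' category: first character of the host plus all
    label lengths in front of the constant part, last character of the host
    plus the same lengths after it."""
    host = ".".join(labels)
    lengths = "".join(str(len(x)) for x in labels)
    return f"{host[0]}{lengths}{const}{host[-1]}{lengths}"


def law_social(labels, const):
    """'Social networks' category: label lengths at the start, middle and end
    of the constant part, then the two characters right before the last dot,
    reversed. A two-label host is padded with 'www' (the author's convention)."""
    if len(labels) == 2:
        labels = ["www"] + labels
    l1, l2, l3 = (len(x) for x in labels[:3])
    before_dot = labels[-2][-2:][::-1]
    return f"{l1}{const[:4]}{l2}{const[4:]}{l3}{before_dot}"


# Constant parts from the post; the category names are the author's.
CATEGORIES = {
    "professional": ("m2f~(kJB", law_professional),
    "social": ("5O((eT!1", law_social),
}


def generate(category, service):
    """The user's side: category + service identifier -> password."""
    const, law = CATEGORIES[category]
    return law(domain_labels(service), const)


def longest_common_substring(a, b):
    """Plain dynamic-programming longest common substring, O(len(a)*len(b))."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def leaked_constant(category, services):
    """The attacker's side: given several leaked passwords of one category,
    what they all share (the common substring) is the constant part."""
    pws = [generate(category, s) for s in services]
    shared = pws[0]
    for pw in pws[1:]:
        shared = longest_common_substring(shared, pw)
    return shared


if __name__ == "__main__":
    print(law_trial(domain_labels("https://accounts.eamythic.com/war/trial"), "JE82adw]"))
    for cat, svc in [("professional", "habrahabr.ru"), ("social", "vkontakte.ru"),
                     ("social", "facebook.com")]:
        print(cat, svc, generate(cat, svc))
    # Two leaked professional-category passwords give the constant part away:
    print(leaked_constant("professional", ["habrahabr.ru", "github.com"]))
```

The `leaked_constant` function is the whole point of the "important thought": with just habrahabr.ru and an assumed second professional-category host, the 8-character constant part drops out at once, and what is left to guess in every other password of that category is digits and two domain characters the attacker already knows.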
Results
We get:
- you need to remember as many passwords as you have categories of web services, and as many generation laws. I believe this number will be well under ten, most likely 4-5. I consider it quite possible to remember five eight-character passwords and the associated generation laws;
- every single password on its own is very resistant to guessing;
- once several passwords from one group are obtained and processed (that is, once it is understood why certain characters are in certain places), all other passwords of that group can be generated. That will be possible after obtaining 2-3 passwords, if the hacker is not an imbecile. That is, the requirement that the rest of the scheme stay secure when some passwords are obtained is not fully met, but at least all passwords remain unknown until as many passwords have been learned, from different groups, as there are groups; and then they "crack" group by group rather than the whole password bank at once.
- using such a scheme for non-web applications is harder because, as a rule, the name of the thing the password is for is ambiguous. With a web service you raise your eyes to the address bar and see its domain name. If it is, say, a flash-drive encryption key, the semantic binding is much more complicated;
- the generation law is epically complicated! Author, kill yourself!11 In fact, I use much simpler laws. The ones here are an example of what is possible, for paranoids, and for those who say all this is very easy to crack.
Thanks to those who read to the end.
I hope the post was useful to you; you are welcome to join the discussion.
PS If you think it belongs elsewhere, move it to a suitable blog.