Re: [Savannah-users] password must be more complicated

[Bob Proulx]

Bruce Korb wrote:
> OK, a tad easier but still a nuisance in the grand scheme of things.
> Were there only one web site to worry about, one could make a
> password as arbitrarily difficult as one wanted to make it and
> still be able to cope.  The problem is that I visit lots of different
> web sites that have lots of different requirements about user names
> and passwords.  Even worse, the password requirements conflict.
> One web site (thankfully only one) requires digits only.

And don't forget that many web sites require frequent password
changes.

I don't mind my financial institutions having conservative security
policies.  As long as it is real security and not security theater.
But it is annoying when trivial and inconsequential web sites have
inappropriately strict policies.

> The solution I cooked up is not about just one web site, regardless
> of how friendly you've made it.  (I do think it is better than any
> other site I know of, but it is still beside the point.)

Frankly I wouldn't go that far.  Savannah isn't the worst.  It is
pretty good all in all.  Is it best in class?  Not yet.

> The problem statement:
> 
>   How do you remember many login credentials without recording them?

Personally I use a file.  Simple and effective for me.

> The best solution I've seen is a shared secret encryption database
> kept "in the cloud".

Please be careful when using the "cloud" term.  It means so many
different things to so many different people.  It has become one of
the great weasil words of current computing.  If ten of us were in the
room and we said the word cloud computing we could all voice a "yes"
agreement but then define it twelve different ways showing that we had
all misunderstood each other.

> I wanted a secure database secured in a way that I don't care
> if someone gets ahold of it and even manages to obtain one
> valid password.  I have accomplished this, I believe. You must
> remember a "password id" (e.g. a domain name and some prefix
> and/or suffix) and that id and a password "seed" get sha256
> hashed into random letters, digits and special characters,
> trimmed to a maximum length and then fiddled based on
> character classification requirements.  To change the password,
> I add a new seed.  Done.  The only thing to remember are the
> password ids.  Those are trivial, but nowhere recorded.

An interesting idea.

> >$ mypw bogus
> >
> >seed-tag     bogus pw:
> >first        4W4cnDvA+xDjWOEJ
> >second       g6Sb5UNeTMvpd45n
> >$ mypw -l 40 -t bogus-name bogus
> >
> >seed-tag     bogus-tag: bogus-name   pw:
> >first        4W4cnDvA+xDjWOEJw/bC+NAdZ0Q4dBQA4P9XEU9U
> >second       g6Sb5UNeTMvpd45nuVPHPTjZ56ooOsvTsSixvmbC
> >$ mypw bogus
> >
> >seed-tag     bogus-tag: 'bogus-name'   pw:
> >first        4W4cnDvA+xDjWOEJw/bC+NAdZ0Q4dBQA4P9XEU9U
> >second       g6Sb5UNeTMvpd45nuVPHPTjZ56ooOsvTsSixvmbC
> 
> The password to use depends on whether the bogus site is still on
> the first password or has been updated to the second.  You do
> need to remember that, too.  The old seeds get removed when you
> are sure you're done with them.  My real current seed tag
> is "May 2013".
> 
> Oh, you can reproduce the above results with this ~/.local/mypw.cfg
> file if you are curious:
> 
> <seed>
>   <tag>first</tag>
>   <text>the first text seed</text>
> </seed>
> 
> <seed>
>   <tag>second</tag>
>   <text>some more text</text>
> </seed>

Whenever I need to think about security related things I always need
to look at it at least three times.

And I still need to download your program and take it for a test
drive.

Bob