Password security

Martin Crandall mcrandall at mailvault.com
Tue Dec 3 19:58:24 PST 2002


I've been thinking about and investigating the issue of password
management.  Passwords are the weak link in any computer security
system.  The problem is that following the standard recommendations --
choose long, random passwords, and never recycle them for use with
multiple accounts -- quickly overloads the memory capacity of all but
the most dedicated.  Here are some solutions that I've been
investigating, intended to be practical for unsophisticated computer
users.  I'd like your comments.

1. Use Diceware (www.diceware.com) to generate passphrases.  The way it
works is that you use physical randomness (rolling dice) to generate
groups of five numbers in the range 1-6.  For each group of five numbers
you then look up the corresponding word in a list of 7000+ of the
shortest English words.  Your passphrase is the sequence of words thus
generated, separated by spaces.  I have found that the passphrases
generated using this method are much easier to memorize than random
alphanumeric strings of equal entropy.  You get a shorter sequence of
symbols by choosing from a larger -- and semantically rich -- "alphabet"
(the list of 7000+ words).

2. Use something like Bruce Schneier's Password Safe (now an open source
project at http://passwordsafe.sourceforge.net) to keep track of your
passwords, so that you only absolutely, positively have to remember
one.

3. The problem now is that Password Safe only runs on the notoriously
insecure Windows operating systems.  Even if it were to be ported to
something more secure (Linux, *BSD), there are still plenty of security
bugs found every day even on these systems, and it's not inconceivable
that someone hacking into your system could catch your master password
as you type it into Password Safe.  I'm very uncomfortable with the idea
of leaving my password database on any network-connected machine.  This
leaves two possibilities:

  3a. Keep your "password database" as a handwritten list on physical
paper.  This is secure from network attacks, but physical security is
minimal.

  3b. Use a Palm OS-based PDA with PDA Defense (www.pdadefense.com)
installed to store your password database.  I'm not sure yet if you
can use that to encrypt important databases, or if it's aimed more at
securing the entire device.  If the latter, use a Palm OS port of
Password Safe (doesn't yet exist :-( ), or use one of the encrypted
PDA password managers at Tucows.com.  Back up the encrypted password
database onto a removable expansion card, NOT on your PC.

What are your thoughts?  Am I off-base here?  Are there better
solutions I've missed?

-- Martin Crandall
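The Diceware mechanics described in point 1 (five dice rolls per word, a lookup in a 6^5 = 7776-entry list, and the entropy comparison against random alphanumeric strings), as an added worked example. This is not code from the original post or from diceware.com; the seven-line word list embedded below is constructed for the example and merely follows the Diceware file layout (five dice digits, a tab, the word), and the die is simulated with the OS CSPRNG in place of physical dice. The completeness check is a practitioner's caveat added here: a list with missing keys makes both the lookup and the entropy estimate wrong.

```python
"""Diceware passphrase generation and entropy accounting (added example)."""
import itertools
import math
import secrets
from typing import Callable, Dict, List

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 entries in a complete Diceware list
ALL_KEYS = frozenset(
    "".join(p) for p in itertools.product("123456", repeat=DICE_PER_WORD)
)

# Constructed sample in the Diceware file layout: dice key, tab, word.
# The real list from www.diceware.com has 7776 such lines.
SAMPLE_LIST = """\
11111\tabacus
11112\tabbey
11113\tabbot
11114\tabdomen
11115\tabide
11116\tabject
11121\table
"""


def parse_diceware_list(text: str) -> Dict[str, str]:
    """Parse 'NNNNN<tab>word' lines into a key->word map.

    Malformed or duplicate keys raise, so a corrupted list cannot silently
    shrink the dictionary the entropy estimate assumes.
    """
    words: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, word = line.partition("\t")
        if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
            raise ValueError(f"line {lineno}: bad dice key {key!r}")
        if not word.strip():
            raise ValueError(f"line {lineno}: missing word")
        if key in words:
            raise ValueError(f"line {lineno}: duplicate key {key}")
        words[key] = word.strip()
    return words


def is_complete(words: Dict[str, str]) -> bool:
    """True only when every one of the 6^5 dice keys has a word."""
    return set(words) == ALL_KEYS


def roll_die() -> int:
    """Stand-in for one physical die: uniform in 1..6 from the OS CSPRNG."""
    return secrets.randbelow(6) + 1


def dice_key(rolls: List[int]) -> str:
    """Turn five rolls such as [1, 1, 1, 2, 1] into the lookup key '11121'."""
    if len(rolls) != DICE_PER_WORD or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each in 1..6")
    return "".join(str(r) for r in rolls)


def generate_passphrase(words: Dict[str, str], n_words: int,
                        die: Callable[[], int] = roll_die) -> str:
    """Roll five dice per word, look each key up, join words with spaces.

    Refuses an incomplete list: a missing key would either crash mid-roll
    or, if skipped, bias the selection and overstate the entropy.
    """
    if not is_complete(words):
        raise ValueError("word list is incomplete; refusing to generate")
    chosen = []
    for _ in range(n_words):
        key = dice_key([die() for _ in range(DICE_PER_WORD)])
        chosen.append(words[key])
    return " ".join(chosen)


def entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Entropy of n uniformly chosen words: n * log2(list_size)."""
    return n_words * math.log2(list_size)


def equivalent_symbols(bits: float, alphabet_size: int) -> int:
    """Fewest uniformly random symbols from an alphabet of the given size
    that carry at least `bits` of entropy (the 'shorter sequence from a
    larger alphabet' trade-off)."""
    return math.ceil(bits / math.log2(alphabet_size))


if __name__ == "__main__":
    sample = parse_diceware_list(SAMPLE_LIST)
    print("key 11121 ->", sample["11121"], "| complete list:", is_complete(sample))
    for n in (4, 5, 6, 7):
        bits = entropy_bits(n)
        print(f"{n} words = {bits:5.1f} bits ~ "
              f"{equivalent_symbols(bits, 62)} alphanumerics, "
              f"{equivalent_symbols(bits, 95)} printable-ASCII chars")
```

Six Diceware words come to about 77.5 bits, which is the entropy of 14 random characters drawn from the 62 letters and digits; the word count is shorter only because each symbol (word) is drawn from a 7776-entry alphabet rather than a 62-entry one. Keep the word separators: joining words without spaces can make two different word sequences collapse into the same string.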
