Yes, my algorithm handles this. You vastly underestimate the complexity of my passwords.
Would you be able to share a dumbed-down "toy" version of your algorithm (or something like it) to demonstrate how it "handles" this case? I'd be interested to see that.
I don't know anything about Rym's algorithm. I also personally don't use such a method. Regardless, I will come up with a reasonable algorithm on the spot. Let's see how it goes.
An animal that starts with the same letter as the thing you are logging into: e.g: Facebook = Ferret A place that starts with the last letter - FerretKansas The number of letters in the name of the thing you are logging into - FerretKansas8 Add 5 (cycling around the keyboard) and press shift on that number. Put at the beginning - #FerretKansas8 Write your name backwards at the end all lowercase - #FerretKansas8niburttocs
That's strong enough.
...demonstrate how it "handles" the case Starfox describes above? I feel like that was a key point of the claim and of my request. Perhaps the *only* salient point.
...demonstrate how it "handles" the case Starfox describes above? I feel like that was a key point of the claim and of my request. Perhaps the *only* salient point.
Change the animal. Now you have two animals for that letter, and you remember that one one fucked site has the newer animal. Every time you change your older passwords for whatever reason elsewhere, you upgrade them to the new animal if the site starts with the same letter.
If you ever try to log into a site and you get the password wrong, you either:
1. Used the new animal instead of the correct old animal 2. Used the old animal instead of the correct new animal
Max two tries to get into anything, and over time you converge on the new animal.
...demonstrate how it "handles" the case Starfox describes above? I feel like that was a key point of the claim and of my request. Perhaps the *only* salient point.
Starfox asked if the algorithm elegantly handled the situation where the site gets compromised and you have to change the password. Any solution that requires you to remember which sites have been compromised (how many times) in order to choose the right variation on the algorithm is not "elegant". As the number of sites (and thus the number of at-some-point-compromised sites) scales up, this class of solution is roughly equivalent to remembering a unique password (algorithm) for each site.
How one would devise an elegant solution, I don't know. Which is why Rym's claim towards his system's elegance in this regard interested me!
Change the animal. Now you have two animals for that letter, and you remember that one one fucked site has the newer animal. Every time you change your older passwords for whatever reason elsewhere, you upgrade them to the new animal if the site starts with the same letter.
If you ever try to log into a site and you get the password wrong, you either:
1. Used the new animal instead of the correct old animal 2. Used the old animal instead of the correct new animal
Max two tries to get into anything, and over time you converge on the new animal.
What happens when one of the sites with a new animal gets compromised during the period of time before all sites have been updated to the new animals?
Passwords rarely if ever get "compromised" on any site. That's so rare it's crazy.
What gets compromised is the hash of that password, hopefully salted. If it's not salted (worst case scenario), then using that IDENTICAL password anywhere gets you in trouble.
If your password isn't 100% identical, then you're fine 99.999% of the time sites get compromised if at all.
Passwords rarely if ever get "compromised" on any site. That's so rare it's crazy.
What gets compromised is the hash of that password, hopefully salted. If it's not salted (worst case scenario), then using that IDENTICAL password anywhere gets you in trouble.
If your password isn't 100% identical, then you're fine 99.999% of the time sites get compromised if at all.
Agreed! And I agree in general that your system is practical and good. It's pretty much exactly what I used before I started using LastPass.
So...uh...is that a 'no' on the elegant algorithm thing, then? :-\
I think changing the animal for the letter is plenty elegant. The main thing you memorize is your list of animals: one for each letter of the alphabet. In practice, it's likely only a subset of the alphabet.
The worst case scenario is a secondary animal for one or two letters for a temporary period. Or, you change the animal for one letter of the alphabet all at once.
Or, you start using a separate specific password just for the site that has compromised non-hashed passwords.
I use a password card generated set of passwords that I've memorized for anything important. Everything else is in LastPass, although it's been buggy lately, annoying. I used to use true crypt on KeePass, but it just got annoying with all the devices I have now.
Hmm. Not quite as slick as I was hoping, but probably about as good as you'll get. You'll eventually have to change some password, and unless you want to redo every single one at the same time, you're going to have some divergence.
(If the salted hashes get compromised, you still change the password right??) (("niburttocs" sounds like... I don't know exactly what, but it's very Scott))
Unfortunately requires servers to add a small bit of code, if some big players like Google and Facebook profiles start using it, everyone will start using it. It's still in development but looks quite rock solid, pretty much the benefits of Super Gen Pass and private + public key security.
Uhh, that's one factor authentication on something that you have, no? aka anyone with my phone gets my everything. Or am I missing something?
The authentication is out of band (on your phone). The login starts on device A, requires your phone (a separate band), where it is authenticating the hash of the user and website request that has been made on the web server.
This is exactly the same premise of 2-factor. If someone gets my phone and somehow gets past the fingerprint and password and decrypts it before I wipe it remotely, all my security would be hosed because 2 factor is gone and anyone can just buy password databases on company servers. This method removes any burden for a company to secure usernames and passwords.
The username / password is replaced by your public key that any machine can have (however is unique to me and that specific site).
Comments
Change the animal. Now you have two animals for that letter, and you remember that one one fucked site has the newer animal. Every time you change your older passwords for whatever reason elsewhere, you upgrade them to the new animal if the site starts with the same letter.
If you ever try to log into a site and you get the password wrong, you either:
1. Used the new animal instead of the correct old animal
2. Used the old animal instead of the correct new animal
Max two tries to get into anything, and over time you converge on the new animal.
How one would devise an elegant solution, I don't know. Which is why Rym's claim towards his system's elegance in this regard interested me! What happens when one of the sites with a new animal gets compromised during the period of time before all sites have been updated to the new animals?
What gets compromised is the hash of that password, hopefully salted. If it's not salted (worst case scenario), then using that IDENTICAL password anywhere gets you in trouble.
If your password isn't 100% identical, then you're fine 99.999% of the time sites get compromised if at all.
So...uh...is that a 'no' on the elegant algorithm thing, then? :-\
The worst case scenario is a secondary animal for one or two letters for a temporary period. Or, you change the animal for one letter of the alphabet all at once.
Or, you start using a separate specific password just for the site that has compromised non-hashed passwords.
(If the salted hashes get compromised, you still change the password right??)
(("niburttocs" sounds like... I don't know exactly what, but it's very Scott))
Unfortunately requires servers to add a small bit of code, if some big players like Google and Facebook profiles start using it, everyone will start using it. It's still in development but looks quite rock solid, pretty much the benefits of Super Gen Pass and private + public key security.
This is exactly the same premise of 2-factor. If someone gets my phone and somehow gets past the fingerprint and password and decrypts it before I wipe it remotely, all my security would be hosed because 2 factor is gone and anyone can just buy password databases on company servers. This method removes any burden for a company to secure usernames and passwords.
The username / password is replaced by your public key that any machine can have (however is unique to me and that specific site).