Saturday, August 4, 2007

Random password generation and memorization

Version 1.5

Until biometrics become cheaper and more accessible to the consumer market, Wogs will have to depend on the security of passwords. Unfortunately, as computers get faster, time/memory trade-off techniques (rainbow tables) and dictionary-based password crackers are becoming formidable.

Keeping your password secure matters on a shared system because if someone compromises one account through an exploit, they may get hold of the hashes the system compares your password against when granting access. To stop that from spreading, the passwords that were not exposed must remain uncrackable. This requires all passwords to be complex, secure, and memorable.

The solution is to use this system of random password generation.
You will need:
One 100-sided die,
or
Two 10-sided dice.
For all current hashing algorithms the following characters are available for use:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnop
qrstuvwxyz0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/
That is 52 letters, 10 numbers and 32 special characters, for a total of 94 characters. We need at least one character from each category: letters, numbers and special characters. Because the die has 100 faces and the table only 94 entries, the last 6 slots are loaded with some extra numbers, which also helps even out the distribution of letters, numbers and special characters; you can fill them with any random assortment of six letters or other characters.

You may use this table here:


Rainbow tables can be built to crack any hash if a programmer puts in the work, and script kiddie tools already exist for cracking LM, LMNT, MD5, and SHA1 hashes. With large amounts of computing power it could take as little as six months, maybe less, to create tables covering 99.99% of the hashes for the character set we use, assuming a 14-character password. Project Shmoo is already offering rainbow tables for the LM and LMNT hashes over BitTorrent. What this means is that passwords on computer accounts are crackable unless they are 15 characters long. So in addition to making sure our passwords use every type of character, we need a password that is at least 15 characters long.

Every account needs one of these tough passwords. If an attacker has an exploit that bypasses account permissions, any account the attacker can reach could let them climb the ladder and own your box. To accomplish this without writing passwords down, we will infuse an easy-to-remember word with randomly generated characters. The procedure is simple: to reach the recommended 15 characters, think up a normal password, work the randomly generated characters into it somehow, and don't tell anyone about it.

Remembering your password

The first memory trick is muscle memory. Memory is really just a response to certain stimuli. This gives the illusion that outward influences have a memory of their own. For instance, as I type this post, my subconscious is remembering what signals to send my hands. The stimulus of being seated at the keyboard is a key component in remembering how to type; otherwise we would go insane, constantly remembering useless information at times that are more than a bit inappropriate. Your first task in remembering a new password is to execute ten commands using #sudo, making sure you have to type in your password each time. Use muscle memory to learn the salt (random characters) of your password.

The second trick is Priming

If there is only one manipulative trick you learn, make sure it is priming. It is the basis for cold reading, convincing argument, and most of all false memory. Priming has other uses though. When you're memorizing something, you can surround it with other similar concepts that help to reinforce the memory. However, make sure that the concepts you choose also naturally lead you to the password. This is how it works:

1. Think of your salted password.
2. Write an associative list based on your password; 15 words should be enough.
3. Pick 3 of the words that represent three aspects of your password.
4. Write 3 more associative lists, one from each of these three words, and from each pick 3 words that represent aspects of your password.
5. Think of your password and the 9 aspects.

After this you should be able to remember your salted password. Using muscle memory it should solidify soon.

The third trick is Emotion

When you want to remember anything, stimulating an emotion around it will create a subconscious link between that concept and the emotion. For passwords, I like to link the emotion of happiness. Now the actual application is hard to explain, so I'll leave you with the two tricks above and simply say that linking the typing of your password to a memory that has a strong emotion, which all old memories do, will make it easy to remember.
