Re: Choosing unique passwords - how paranoid is too paranoid?

["Eric Furman" <ericfurman () fastmail net>]

On Tue, 24 Jun 2008 23:27:37 -0400, "Johann MacDonagh"
<johann () macdonaghs com> said:
> Hi all,
>
> I've recently began a full on password change process where I'm  
> increasing the security of passwords I use for various systems I use  
> (computer systems, websites, etc...). In the past I've only used a few  
> different passwords and hoped for the best. I'd like to start working  
> on a new system that allows me to create easy to remember passwords  
> for each unique system. I don't want to create completely random ones  
> and rely on a password manager, because I use these systems at home,  
> at work, and on my iPhone. They need to be something I can easily type.
>
> So my first scheme involved coming up with a rather long base  
> password, choosing a 4 character acronym for each system, mixing it up  
> in a certain way, and inputting those jumbled characters in predefined  
> locations. This solved one issue:
> 1. If someone where to compromise one password, it's unlikely they  
> would be able to deduce the same pattern for other systems.
>
> Then, I got paranoid. What if they had two passwords? The differences  
> could be found, and analyzing the 24 different permutations (4!) of  
> the differences could quickly find a pattern.
>
> So, I modified it a little. I took the name of each system, padded and  
> mixed in yet *another* master password (this time much shorter), and  
> ran it through this (on OS X):
>
> echo -n mypaddedstring | openssl dgst -md5 -binary | openssl enc -base64
>
> and took the first few characters. I put that in a certain location of  
> my master password. The reason to use a hash function is pretty  
> obvious, and base64 allows me to add in additional bits to brute force  
> with the same number of keys.
>
> This has worked out better. I've started using mnemonics to remember  
> each system's unique part. Muscle memory!
>
> Now, I'm up against a wall. I can't possibly remember a different  
> password for *each* system. So I came up with the (final) idea of  
> classifying systems as high or low, depending on the problems a  
> compromise would create. For example, my registration on some random  
> forum is low, whereas my PGP passphrase is high.
>
> I know this is looking like there will never be a question, but there  
> is. What does everyone think of this system? Would you classify sites  
> that hold somewhat private information (such as Amazon.com without any  
> saved payment methods) as high or low? Is there another way?

Anything with saved confidential personal info I consider High.
I consider my address and phone number confidential.

I know this doesn't really answer your question, but...
What I did for (non critical) passwords where I had to change my
passwords fairly frequently was I wrote them down. :-)
This was my system. I wrote a list of passwds like;
Ab25dQ9kQ5
s6tRM972Zw
l8RW2sx9Wj
o0pdF43Wv
etc...
Then one time I would use b25dQ9kQ, then 6tRM972Z then RW2sx9W...
When done I would use 25dQ9kQ5 then tRM972Zw and so on.
Given enough passwds on this list, even if this list was compromised
and they even realized what it was, I believe it would provide more
than enough security. Especially with 3 strikes and your locked out
systems.
For non critical systems (critical would be any admin passwd or your
online
banking passwd) I don't think you need separate passwds.
Just one really good one.