Ok, I’ve been having a debate in my head for about a week now, and so I figured I’d open it up for discussion:
Right now, I have three classifications of passwords:
- "Secure" – a memorable but obscure base (it would look random to most people) with unique, host-specific data mixed in via a mental hash function
- "Screen-door lock" – a simple mixed-case alphanumeric password I reuse across multiple hosts. This is for hosts (typically random Web sites) where it would be mildly irritating if someone had access to my account…
- "Who cares" – This is for the hosts that I don’t care about yet require me to input a password. It is a completely insecure, throwaway password. It could probably be brute-forced in about 30 seconds.
I began wondering whether it would ultimately be more secure to have a single classification of password (really secure pseudo-random noise) and keep those passwords in one encrypted password store protected by a single "secure" password. That store would obviously be backed up thoroughly and treated like any other personal data.
Clearly, this is a single point of failure: if someone compromises my password store, everything is compromised. On the other hand, each individual password would be far less guessable…
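To make the "memorable base plus host-specific data via a mental hash" idea concrete, here is an added example (not the author's scheme or any tool mentioned on the page) that does the same thing mechanically: a stretched master secret is combined with the normalized hostname under HMAC-SHA256 and the result is mapped onto a password alphabet. The alphabet, the PBKDF2 salt and iteration count, the 20-character default length and the rotation counter are all assumptions of the example. The practitioner's caveats it handles are the two that bite hand-rolled versions of this scheme: the host has to be canonicalized (otherwise `www.example.com` and `Example.com` give different passwords) and the byte-to-character mapping has to be unbiased.

```python
import hashlib
import hmac
import string
from typing import Iterator
from urllib.parse import urlsplit

# Assumed password alphabet: 74 symbols, so roughly 6.2 bits per character.
ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@^_"


def master_key(passphrase: str, salt: bytes = b"pwderive-v1", iterations: int = 200_000) -> bytes:
    """Stretch the memorable passphrase into a 32-byte key with PBKDF2-HMAC-SHA256.

    The salt is a fixed constant (assumed) because a memory-only scheme has nowhere
    to store a random one; stretching still slows an attacker who captures one
    derived password and tries to guess the passphrase behind it.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)


def normalize_host(site: str) -> str:
    """Reduce a URL or bare hostname to one canonical key.

    'https://WWW.Example.com/login', 'example.com:443' and 'example.com' must all
    map to the same string, or the same site yields different passwords.
    """
    host = urlsplit(site if "://" in site else "//" + site).hostname or site
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


def _byte_stream(key: bytes, msg: bytes) -> Iterator[int]:
    """Unbounded deterministic byte stream: HMAC(key, msg || block_index)."""
    block = 0
    while True:
        yield from hmac.new(key, msg + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1


def derive_password(master: bytes, site: str, length: int = 20, counter: int = 0) -> str:
    """Derive the per-site password from the master key and canonical host.

    `counter` is bumped to rotate one site's password after a breach without
    changing the master secret. Bytes are mapped to ALPHABET with rejection
    sampling so every character is equally likely (256 is not a multiple of 74).
    """
    if length < 1:
        raise ValueError("length must be positive")
    msg = f"{normalize_host(site)}\x00{counter}".encode("utf-8")
    limit = 256 - (256 % len(ALPHABET))  # accept only bytes below 222
    out = []
    for b in _byte_stream(master, msg):
        if b < limit:
            out.append(ALPHABET[b % len(ALPHABET)])
            if len(out) == length:
                break
    return "".join(out)


if __name__ == "__main__":
    key = master_key("correct horse battery staple")  # constructed sample passphrase
    for url in ("https://WWW.Example.com/login", "example.com", "mail.example.com"):
        print(f"{url:32} -> {derive_password(key, url)}")
    print("rotated            ->", derive_password(key, "example.com", counter=1))
```

Note what this does and does not buy you compared with the vault: every site gets a distinct, high-entropy password and nothing has to be stored or backed up, but the single point of failure is still there (the passphrase), and a site that caps password length or bans symbols forces a per-site exception you now have to remember anyway. Subdomains deliberately derive different passwords here; whether `mail.example.com` should share `example.com`'s password is a policy choice the example does not make for you.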
6 thoughts on “Nerdy Security Discussion”
I use an approach very similar to what you currently use. I’m not willing to go with the alternative approach you mention for exactly the reasons you mention (a single point of failure).
If the only upside of a keychain is convenience, would you consider using it to store only the low-stakes passwords? Is this an all-or-nothing proposition?
For web sites, I started using hash-based passwords a couple of years ago. The Password Composer Greasemonkey script does a nice job, and there are similar browser extensions and standalone tools.
The major downside is that you basically never “know” your password because they’re unique for each site and not easy to memorize. It’s especially annoying when you need to enter passwords on something like an iPhone.
I’m considering moving to more of a “key vault” solution, but I still need to think that through.
I think I still remember your “Who Cares” password, by the way. =)
I’ve used password safe from time to time, and usually share the vault across systems where I need access to it (home, work). I use the same system to sync SSH keys, login scripts, etc.
On a related note, SSH Key Chain is a decent OSX SSH agent.
Work encourages KeePass and people carry it on a USB stick. But I still secure my passwords with NotePad.exe and brass knuckles.
I use KeePass for almost all of my poker sites:
I don't even know what my passwords are for most of the sites.