Hashing and Rolling Passwords: I'm Possibly Not A Good Expert to Talk About This
(In response to https://hackaday.com/2019/03/30/hash-and-roll-your-way-to-secure-passwords/ to keep a reminder of my mistakes on my own blog.)
Ah. Some weeks ago, I talked about using a similar system with someone over IRC, except mine was considerably worse in that I was actually using SHA-*1*. That's obviously something I'll want to switch away from, and the person I was talking to also made the point stated above that it's in many ways less secure than a password manager. The main thing is that I thought hashes were somehow less vulnerable to certain classes of attack where an attacker has both the encrypted and unencrypted versions of at least one password, but I've since been told that it's actually easier to derive the password from a collection of hashes and secrets. Also, it seems that relying on potential collisions with other passwords, which is the mechanism I was thinking would thwart the above attack, is itself actually a huge liability.
So yeah, this isn't a system I think I would recommend now, and one I plan to phase out in my own use. Apologies to anyone who has ever spread my bad ideas and/or taken the blame for them, I'm sure there's more where that one came from. Anyway, before using this system, I was making my passwords directly with Diceware, which produces passwords generally in line with the XKCD comic recommendation. That's something I'll want to go back to for at least more crucial passwords.
On that note: Something I've been doing to help remember Diceware/XKCD style passwords is to make them six words long, then remember them both as a sequence of three word pairs and as a sequence of two word triplets. The trick is that it's easier to remember those small chunks than an entire password, and because the chunks overlap this way, the end of each chunk is the start of another, which helps jog my memory of the rest of that chunk, giving me the start of the next. Seeing how well this works for longer passwords is something I should have been trying out over a year ago. If that works out, maybe it's what I'll use for getting into KeePass.
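As an added illustration (not the author's code or the Diceware project's) of the six-word Diceware-style passphrase and the pair/triplet mnemonic described above, in Python. The word list below is a constructed stand-in for the real 7776-entry Diceware list; the entropy figure is computed against the real list's size.

```python
import math
import secrets

# Constructed stand-in for a real Diceware list so the example runs offline.
# A real list has 6**5 = 7776 entries, one per outcome of five dice rolls.
SAMPLE_WORDLIST = [
    "abacus", "abbey", "abbot", "abdomen", "abide", "abject", "ablaze", "able",
    "abort", "about", "above", "abrupt", "absent", "absorb", "absurd", "abuse",
]
DICEWARE_LIST_SIZE = 6 ** 5  # size of the standard Diceware list


def generate_passphrase(wordlist, n_words=6):
    """Pick n_words uniformly at random from wordlist.

    secrets.choice draws from the OS CSPRNG, which is the software equivalent
    of rolling five fair dice per word; the random module must not be used here
    because its generator is seeded predictably.
    """
    return [secrets.choice(wordlist) for _ in range(n_words)]


def passphrase_entropy_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of an n-word passphrase drawn uniformly from a list of list_size.

    Each word contributes log2(list_size) bits only if it was chosen uniformly
    at random; words the user picks by hand carry far less.
    """
    return n_words * math.log2(list_size)


def overlapping_chunks(words):
    """Split a six-word passphrase into three pairs and two triplets.

    The pair boundaries and triplet boundaries do not coincide, so the end of
    one chunk is the start of another, which is what makes the recall trick work.
    """
    pairs = [" ".join(words[i:i + 2]) for i in range(0, len(words), 2)]
    triplets = [" ".join(words[i:i + 3]) for i in range(0, len(words), 3)]
    return pairs, triplets


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDLIST)
    print("passphrase:", " ".join(phrase))
    print("entropy vs real list: %.1f bits" % passphrase_entropy_bits(len(phrase)))
    pairs, triplets = overlapping_chunks(phrase)
    print("pairs:   ", pairs)
    print("triplets:", triplets)
```

A six-word phrase from the full list gives about 77.5 bits; the sample list here is only for running the code, and a passphrase drawn from 16 words would be far weaker.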