so about an hour ago my mum came running into my bedroom and told me to look at my window. naturally, i tweeted the scene:
My colleague Dan and I have talking to walking up one of the buildings where I work at lunchtime. We started about 3 weeks ago by walking to the tenth floor and increased the number of floors we walk to most days. The building has 19 floors in total, although we tend to walk to the 18th, then take the Today we hit 36 floors, which i estimate is about 680 steps.
This was originally posted on an internal mailing list at work, but has been reproduced here as other people were interested in it.
The recent compromises of LinkedIn and Last.FM (both services I use) and eHarmony (one I don’t ;) ) got me thinking about the way we use passwords and I thought it might be interesting to start a bit of a discussion.
I have two different types of password; ones I need to remember and ones I don’t.
Passwords I have to remember
For the ones I have to remember, I have come up with my own neat way of generating passwords that are reasonably easy to remember and difficult to guess. I would tell you what that is, but it’s probably best if people come up with their own. howsecureismypassword.net is a nice way of giving an indication of how secure your password is (your password never gets sent to their server). My scheme has generated a password which that site expects would take many millions of years for a PC to break.
Passwords I don’t have to remember
For these I treat them as a shared key. I generate a random 32 character string. If you assume that there is roughly 6 bits of data per character, that gives a key length of 192 bits to play with. That makes for 6,277,101,735,386,680,763,835,789,423,207,666,416,102,355,444,464,034,512,896 possible combinations. Good luck searching through that keyspace. If in the future it becomes feasible to search through that, I’ll extend to 64 characters (384 bits).
Avoiding remembering passwords
I avoid having to remember passwords by using a password manager. I use LastPass (www.lastpass.com), there are others out there. I would strongly recommend that if you want to use something like this, you do some research into how these systems work before using one. The nice thing about this is that I hardly have to remember any passwords. I don’t even know what some of my passwords are. Of course for this to work, you have to be able to trust the password manager you use, and you need to be able to log in to it securely. For this I have a YubiKey (http://www.yubico.com/personal-use) and one of my “have to remember” passwords.
Where I have to log in to servers by SSH, I use SSH Keys to log in. These are public key pairs which allow you to distribute a public key to the server you want to log in (using some secure channel) and then login using the private key that only you have. The private key is encrypted by (you guessed it!) a password (one of the “I have to remember” passwords. I could protect these using a combination of YubiKey/LastPass/Mac Keychain, but I don’t for other reasons.
So. Thoughts. Any other people fancy commenting?
 of course, there’s a chance of a hash collision with another password. That increases significantly for hashing algorithms with shorter output sizes like MD5, SHA0 and SHA1, which is another good argument for not using those hashing algorithms for passwords. The guy who developed the (current) standard for Unix passwords wrote an interesting blog post about choosing a hashing algorithm for securing passwords: http://phk.freebsd.dk/sagas/md5crypt_eol.html
This photo of Otto Frank, take in 1960 in the attic of the annex where he and his family hid during World War 2 is one of the most moving I have ever seen.
Berlin/Amsterdam - April 2012, a set on Flickr.My photos of Berlin and Amsterdam are up!
13/2/2012 on Flickr.
Ben at the Grove