Free Republic
General/Chat

Passphrases That You Can Memorize — But That Even the NSA Can’t Guess
The Intercept ^ | 03/26/2015 9:29 AM | Micah Lee

Posted on 03/27/2015 9:21:39 AM PDT by Utilizer

It’s getting easier to secure your digital privacy. iPhones now encrypt a great deal of personal information; hard drives on Mac and Windows 8.1 computers are now automatically locked down; even Facebook, which made a fortune on open sharing, is providing end-to-end encryption in the chat tool WhatsApp. But none of this technology offers as much protection as you may think if you don’t know how to come up with a good passphrase.

A passphrase is like a password, but longer and more secure. In essence, it’s an encryption key that you memorize. Once you start caring more deeply about your privacy and improving your computer security habits, one of the first roadblocks you’ll run into is having to create a passphrase. You can’t secure much without one.

For example, when you encrypt your hard drive, a USB stick, or a document on your computer, the disk encryption is often only as strong as your passphrase. If you use a password database, or the password-saving feature in your web browser, you’ll want to set a strong master passphrase to protect them. If you want to encrypt your email with PGP, you protect your private key with a passphrase. In his first email to Laura Poitras, Edward Snowden wrote, “Please confirm that no one has ever had a copy of your private key and that it uses a strong passphrase. Assume your adversary is capable of one trillion guesses per second.”

(Excerpt) Read more at firstlook.org ...
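The excerpt gives the adversary a budget of one trillion guesses per second but does not show how to turn that into a time-to-crack figure. The following is an added worked example, not code from the article or from The Intercept. It generates a Diceware-style passphrase with Python's CSPRNG-backed `secrets` module and computes the entropy of three schemes: uniformly random words, uniformly random characters, and a "known phrase with a few letter-to-digit tweaks" scheme of the kind several replies below suggest. The eight-word list, the 7776-word Diceware list size, the 100,000-phrase pool and the four-substitution count are constructed assumptions for illustration; the 1e12 guesses/second rate is the one quoted above.

```python
import math
import secrets

# Constructed toy word list for the generator. A real Diceware list has
# 7776 words (6^5); the entropy functions take the list SIZE as a parameter,
# so the toy list only has to exist for the generator to run.
SAMPLE_WORDS = ["anchor", "basil", "cobalt", "delta",
                "ember", "fjord", "gravel", "harbor"]
DICEWARE_LIST_SIZE = 7776          # size of the standard Diceware list
PRINTABLE_ASCII = 94               # printable ASCII symbols excluding space

GUESSES_PER_SECOND = 1e12          # adversary budget quoted in the article
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_passphrase(words, n_words):
    """Pick n_words uniformly at random from `words` using secrets.choice."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits_uniform(alphabet_size, length):
    """Entropy of `length` symbols each drawn uniformly from `alphabet_size`
    choices: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def entropy_bits_mangled_phrase(phrase_pool_size, binary_substitutions):
    """Upper bound on the entropy of 'memorable phrase + substitutions'.

    Assumes (defender's worst case) that the attacker has a list of
    `phrase_pool_size` candidate phrases and tries every on/off combination
    of `binary_substitutions` letter-to-digit swaps. Each swap adds at most
    one bit, the phrase choice adds log2(pool size)."""
    return math.log2(phrase_pool_size) + binary_substitutions


def expected_years_to_crack(bits, rate=GUESSES_PER_SECOND):
    """Expected time to find the secret: on average half the keyspace is
    searched before the right guess."""
    expected_guesses = 2 ** bits / 2
    return expected_guesses / rate / SECONDS_PER_YEAR


def compare_schemes():
    """Entropy and expected crack time (years at 1e12 guesses/s) per scheme."""
    schemes = {
        "6 Diceware words":       entropy_bits_uniform(DICEWARE_LIST_SIZE, 6),
        "20 random ASCII chars":  entropy_bits_uniform(PRINTABLE_ASCII, 20),
        # Constructed assumption: 100,000 candidate phrases, 4 swappable letters.
        "phrase + 4 digit swaps": entropy_bits_mangled_phrase(100_000, 4),
    }
    return {name: (bits, expected_years_to_crack(bits))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    print("sample passphrase:", random_passphrase(SAMPLE_WORDS, 6))
    for name, (bits, years) in compare_schemes().items():
        print(f"{name:24s} {bits:6.1f} bits  ~{years:.3g} years")
```

Six Diceware words come out at roughly 77.5 bits, which at a trillion guesses per second takes on the order of 3,500 years on average; the "known phrase plus a few swaps" scheme lands around 20 bits and falls in a fraction of a second under the same budget. The point of the third function is that substitutions an attacker can enumerate add only one bit each, so the security of such a passphrase rests almost entirely on how unguessable the base phrase is.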


TOPICS: Computers/Internet
KEYWORDS: password; security
To: Utilizer

For just daily use passwords, Gibson Research Corporation has a website that refreshes with a string of 63 or 64 random characters, and you can help yourself to as many as you like.

https://www.grc.com/passwords.htm

Then *these* logins and passwords you would keep in a secure file vault with greater decryption protection.

I might add that it is very useful to keep a “master key” hidden in perpetual archive storage on some unimpressive websites around the world. Just a seemingly random stream of characters that you put there from somebody else’s computer.


21 posted on 03/27/2015 11:06:46 AM PDT by yefragetuwrabrumuy ("Don't compare me to the almighty, compare me to the alternative." -Obama, 09-24-11)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Utilizer

The NSA doesn’t “guess” at passphrases. The author has no idea what it’s talking about.


22 posted on 03/27/2015 11:21:07 AM PDT by CodeToad (Islam should be outlawed and treated as a criminal enterprise!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: MeganC

“The NSA calculates the hash key that’s generated by your password”

Not even that. They use very high order math to simply decode your message. No key needed.


23 posted on 03/27/2015 11:21:47 AM PDT by CodeToad (Islam should be outlawed and treated as a criminal enterprise!)
[ Post Reply | Private Reply | To 6 | View Replies]

To: Utilizer

Boston Mississippi is easy enough to remember. Replace every other “i” and “o” with 1 or 0 and it makes it pretty secure.

B0stonM1ssiss1ppi

Try Oklahoma City Minnesota or Islip Colorado.


24 posted on 03/27/2015 11:28:22 AM PDT by muir_redwoods ("He is a very shallow critic who cannot see an eternal rebel in the heart of a conservative." G.K.C.)
[ Post Reply | Private Reply | To 1 | View Replies]

BKMK


25 posted on 03/27/2015 11:29:31 AM PDT by Faith65 (Isaiah 40:31)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Utilizer

ping


26 posted on 03/27/2015 11:34:28 AM PDT by dennisw (The first principle is to find out who you are then you can achieve anything -- Buddhist monk)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Riflema

Just re-read your post. What you are asking about is actually fairly common, and is called a dual-encryption scheme. Encrypting a file more than once using the same or differing passwords for greater security.

Using different passwords makes it more difficult to decrypt your file later if you do not recall which passwords were used and where, however.

There are other methods, but this article is simply discussing passwords, not methods of encryption.


27 posted on 03/27/2015 11:36:16 AM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzlims trying to kill them)
[ Post Reply | Private Reply | To 12 | View Replies]

To: bgill

Who is BB?


28 posted on 03/27/2015 11:37:08 AM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzlims trying to kill them)
[ Post Reply | Private Reply | To 16 | View Replies]

To: Utilizer

29 posted on 03/27/2015 11:37:26 AM PDT by dfwgator
[ Post Reply | Private Reply | To 1 | View Replies]

To: yefragetuwrabrumuy

Useful, but then there’s still the problem of remembering the passwords.


30 posted on 03/27/2015 11:38:09 AM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzlims trying to kill them)
[ Post Reply | Private Reply | To 21 | View Replies]

To: MeganC

“So “I Like Ice Cream” is not stored on your computer but the hash key of 7b783177134c3bfe95647ca3e12ddeb4 is stored on your computer and it can be calculated.”

Uh, no. That's not how hashes work.

In order to build a hash table for a target, you first have to know a lot of details, like the algorithm, the salt, and any additional padding. This will let you build a pre-computed table that will save you some work.

When you build a hash table, it is only good for the passwords you used to build the table. Fortunately for the NSA and other criminal crackers, a table of a few hundred passwords would let you break into most systems, because there is always at least one idiot who thinks that "password123" is a good password. If you have a decent password, you're not going to be able to precompute it.

It's been claimed, and I'd be surprised if it wasn't true that NSA and other criminal organizations have multi-gigabyte hash tables to facilitate certain types of dictionary attacks. Again, it's still not going to help if your password is D6nl^@9a[v76@X),.s*y.

Of course few people use passwords like that. I have certain passphrases that are more than 30 characters long. You'd be surprised at how quickly you can type a string if you enter it enough times.

31 posted on 03/27/2015 12:16:17 PM PDT by zeugma ( The Clintons Could Find a Loophole in a Stop Sign)
[ Post Reply | Private Reply | To 6 | View Replies]
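The post above makes two claims worth seeing in code: a precomputed table only recovers the passwords it was built from, and it is useless against a hash the builder did not know the salt for. The following is an added example, not code from any poster or from the article. It builds a constructed five-entry "cracker's table" of unsalted MD5 digests (MD5 is used only because a 32-hex-digit digest like the one quoted is the length MD5 produces; a real table would hold millions of entries), then contrasts it with a per-user random salt and an iterated PBKDF2 derivation from `hashlib`, which is the defender's side of the same picture. The strong sample password is the one quoted in the post; the weak ones are constructed.

```python
import hashlib
import secrets

# Constructed list standing in for the "few hundred passwords" a table is built from.
COMMON_PASSWORDS = ["password", "password123", "123456", "qwerty", "letmein"]


def unsalted_md5(password: str) -> str:
    """Legacy-style storage: one fixed function, no salt, no iteration."""
    return hashlib.md5(password.encode()).hexdigest()


# The precomputed table: digest -> password, built once, reused everywhere
# the same unsalted function is in use.
PRECOMPUTED = {unsalted_md5(p): p for p in COMMON_PASSWORDS}


def lookup(digest: str):
    """Table lookup. Returns the password if its digest was precomputed, else None."""
    return PRECOMPUTED.get(digest)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Defender's storage: per-user random salt plus iterated PBKDF2-HMAC-SHA256.
    The salt is stored alongside the result; it is not secret, it just makes
    every user's digest unique so one table cannot serve all accounts."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify(password: str, salt: bytes, stored: str) -> bool:
    """Constant-time comparison of a recomputed digest against the stored one."""
    return secrets.compare_digest(salted_hash(password, salt), stored)


def demo():
    # 1. Weak password, unsalted: the table returns it with a single dict lookup.
    table_hit = lookup(unsalted_md5("password123"))

    # 2. Strong password (quoted in the post), unsalted: the table was never
    #    built from it, so the lookup misses. Unsalted, it is still exposed to
    #    a brute-force search, just not to a precomputed one.
    table_miss = lookup(unsalted_md5("D6nl^@9a[v76@X),.s*y"))

    # 3. The SAME weak password, salted per user: two users get two different
    #    digests, and neither appears in a table built without their salts.
    salt_a, salt_b = secrets.token_bytes(16), secrets.token_bytes(16)
    digest_a = salted_hash("password123", salt_a)
    digest_b = salted_hash("password123", salt_b)
    per_user_differs = digest_a != digest_b
    not_in_table = lookup(digest_a) is None and lookup(digest_b) is None

    # 4. The legitimate login path still works because the salt is stored.
    login_ok = verify("password123", salt_a, digest_a)
    wrong_rejected = not verify("password124", salt_a, digest_a)

    return table_hit, table_miss, per_user_differs, not_in_table, login_ok, wrong_rejected


if __name__ == "__main__":
    print(demo())
```

Salting does not rescue "password123" from a targeted guess (the attacker can recompute the salted digest for that one account), but it forces the work to be redone per account and per salt instead of being amortised into one table, and the iteration count multiplies the cost of every guess.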

To: Utilizer

That is why you use different passwords at different levels of activity.

For instance, the perhaps 10 or so passwords you use online for important sites, should be unmemorable characters in an unusual number greater than say 17 characters. If they are “junk” sites that do not have personal or financial information on them, they don’t need greater security, so can be throwaway logins and passwords.

Importantly, you DO NOT store these passwords on your computer, or let your browser store them, either. Instead, you keep them in a vault, typically 2 thumb drives, both of which are protected by your “dice” password.

This means it is far more likely that your password will be compromised by the online site than by you. So every one of these 17 character passwords should be “dated for freshness”, and changed periodically, say once each six months.


32 posted on 03/27/2015 12:48:28 PM PDT by yefragetuwrabrumuy ("Don't compare me to the almighty, compare me to the alternative." -Obama, 09-24-11)
[ Post Reply | Private Reply | To 30 | View Replies]

To: Utilizer

Big Brother


33 posted on 03/27/2015 12:52:50 PM PDT by bgill (CDC site, "we still do not know exactly how people are infected with Ebola")
[ Post Reply | Private Reply | To 28 | View Replies]

To: Utilizer

An unforgettable phrase can be used for passwords. “The right of the people to keep and bear arms shall not be infringed” gives “TROTPTKABASNBI”. Make a few letters lower case and a few into numbers, and you have “Tr0tPTK@Ba5nB1”. Pretty good security, and memorable after typing it a few times. I prefer to use something only slightly better than “password123” for non-financial sites with highly secure passwords for things that matter.


34 posted on 03/27/2015 2:20:36 PM PDT by Pollster1 ("Shall not be infringed" is unambiguous.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Riflema

I’ve wondered that myself.


35 posted on 03/27/2015 5:43:15 PM PDT by DuncanWaring (The Lord uses the good ones; the bad ones use the Lord.)
[ Post Reply | Private Reply | To 12 | View Replies]

To: MeganC

or slept with derek jeter.


36 posted on 03/27/2015 6:24:40 PM PDT by Secret Agent Man (Gone Galt; Not averse to Going Bronson.)
[ Post Reply | Private Reply | To 9 | View Replies]

To: ShadowAce; Liz

“...and that it uses a strong passphrase. Assume your adversary is capable of one trillion guesses per second.”

Ping

37 posted on 03/30/2015 8:13:25 AM PDT by GOPJ (Racism is racism, regardless of the race of the racist. - Freeper RipSawyer)
[ Post Reply | Private Reply | To 1 | View Replies]

To: atomic_dog

Yep - and ‘password’ along with ‘1234’ are strong...


38 posted on 03/30/2015 8:25:03 AM PDT by GOPJ (Racism is racism, regardless of the race of the racist. - Freeper RipSawyer)
[ Post Reply | Private Reply | To 20 | View Replies]
