Skip to comments.Passphrases That You Can Memorize ó But That Even the NSA Canít Guess
Posted on 03/27/2015 9:21:39 AM PDT by Utilizer
Its getting easier to secure your digital privacy. iPhones now encrypt a great deal of personal information; hard drives on Mac and Windows 8.1 computers are now automatically locked down; even Facebook, which made a fortune on open sharing, is providing end-to-end encryption in the chat tool WhatsApp. But none of this technology offers as much protection as you may think if you dont know how to come up with a good passphrase.
A passphrase is like a password, but longer and more secure. In essence, its an encryption key that you memorize. Once you start caring more deeply about your privacy and improving your computer security habits, one of the first roadblocks youll run into is having to create a passphrase. You cant secure much without one.
For example, when you encrypt your hard drive, a USB stick, or a document on your computer, the disk encryption is often only as strong as your passphrase. If you use a password database, or the password-saving feature in your web browser, youll want to set a strong master passphrase to protect them. If you want to encrypt your email with PGP, you protect your private key with a passphrase. In his first email to Laura Poitras, Edward Snowden wrote, Please confirm that no one has ever had a copy of your private key and that it uses a strong passphrase. Assume your adversary is capable of one trillion guesses per second.
(Excerpt) Read more at firstlook.org ...
For just daily use passwords, Gibson Research Corporation has a website that refreshes with a string of 63 or 64 random characters, and you can help yourself to as many as you like.
Then *these* logins and passwords you would keep in a secure file vault with greater decryption protection.
I might add that it is very useful to keep a “master key” hidden in perpetual archive storage on some unimpressive websites around the world. Just a seemingly random stream of characters that you put there from somebody else’s computer.
The NSA doesn’t “guess” at passphrases. The author has no idea what it’s talking about.
“The NSA calculates the hash key thats generated by your password”
Not even that. They use very high order math to simply decode your message. No key needed.
Boston Mississippi is easy enough to remember. Replace every other “i” and “o” with 1 or 0 and it makes it pretty secure.
Try Oklahoma City Minnesota or Islip Colorado.
Just re-read your post. What you are asking about is actually fairly common, and is called a dual-encryption scheme. Encrypting a file more than once using the same or differing passwords for greater security.
Using different passwords makes it more difficult to decrypt your file later if you do not recall which passwords were used and where, however.
There are other methods, but this article is simply discussing passwords, not methods of encryption.
Who is BB?
Useful, but then there’s still the problem of remembering the passwords.
Uh, no. That's not how hashes work.
In order to build a hash table for a target, you first have to know a lot of details, like the algorithm, the salt, and any additional padding. This will let you build a pre-computed table that will save you some work.
When you build a hash table, it is only good for the passwords you used to build the table. Fortunately for the NSA and other criminal crackers, a table of a few hundred passwords would let you break into most systems, because there is always at least one idiot who thinks that "password123" is a good password. If you have a decent password, you're not going to be able to precompute it.
It's been claimed, and I'd be surprised if it wasn't true that NSA and other criminal organizations have multi-gigabyte hash tables to facilitate certain types of dictionary attacks. Again, it's still not going to help if your password is D6nl^@9a[v76@X),.s*y.
Of course few people use passwords like that. I have certain passphrases that are more than 30 characters long. You'd be surprised at how quickly you can type a string if you enter it enough times.
That is why you use different passwords at different levels of activity.
For instance, the perhaps 10 or so passwords you use online for important sites, should be unmemorable characters in an unusual number greater than say 17 characters. If they are “junk” sites that do not have personal or financial information on them, they don’t need greater security, so can be throwaway logins and passwords.
Importantly, you DO NOT store these passwords on your computer, or let your browser store them, either. Instead, you keep them in a vault, typically 2 thumb drives, both of which are protected by your “dice” password.
This means it is far more likely that your password will be compromised by the online site than by you. So every one of these 17 character passwords should be “dated for freshness”, and changed periodically, say once each six months.
An unforgettable phrase can be used for passwords. “The right of the people to keep and bear arms shall not be infringed” gives “TROTPTKABASNBI”. Make a few letters lower case and a few into numbers, and you have “Tr0tPTK@Ba5nB1”. Pretty good security, and memorable after typing it a few times. I prefer to use something only slightly better than “password123” for non-financial sites with highly secure passwords for things that matter.
I’ve wondered that myself.
or slept with derek jeter.
Yep - and ‘password’ along wit ‘1234’ are strong...
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.