Posts Tagged ‘passwords’

Kent’s Super-Simple, Excellent Password Advice

Thursday, September 22nd, 2016

This excellent advice is simple, in fact its excellence depends upon being simple. Complicated is the enemy of security. If you follow this advice you will be among a very rare elite in how secure your passwords will be.

Four parts:

1. Write down your passwords. On real paper, with a real pen or pencil, and keep the list safe. If you want to get fancy, maybe don’t quite tell the truth, at least not the whole truth, maybe leave something off each password (something you will remember), so if someone finds the list they won’t quite know any of the passwords on the list. And keep the list safe.

2. Now that you can keep track of what your passwords are, never recycle passwords between accounts. So, if someone breaks into one site, your other accounts aren’t at risk. (Today’s news, as I write this, is information on 500,000,000 accounts were stolen from Yahoo.) Don’t reuse passwords in different places.

3. When you make up a new password, dream up something you think no one will guess. (I know, you already do that.) Now, to be extra secure, add something even you couldn’t guess. Maybe look at the time, exactly how many minutes past the hour? Include that in the password. Or look around you, pick something else—but pick something you could not anticipate—and include it as part of the password.

4. Keep this entirely manual, the whole approach is low-tech for a reason. Computers are usually pretty insecure. (Ask Yahoo…) Don’t automate any of it, because that’s really hard to do safely (ask Yahoo), keep it manual. Don’t even photocopy your password list, because copiers are really computers these days. Don’t take a picture of the list, because cameras are also computers these days. Yes, backups are good, but sorry that has to be manual. The benefit is, as long as you keep all of this manual, you can trust your common sense, because you will understand every aspect, you have real expertise manual stuff because you can see it.

That’s it. Low-tech as hell, which means most techies will hate it, but who cares that it’s controversial as hell? It’s smart. Because it is simple.


P.S. And I really am so very sorry you can’t use a password manager program, but they are just too complicated, they will have security problems, admit it, you know it in your heart they will. Don’t trust them.

Touchscreen Password Idea

Monday, February 1st, 2016

Passwords are a problem, and lots of people say they are doomed, but I have seen no good alternatives, so I sometimes think about making them better.

Touchscreens are important yet really hard to enter good passwords.

Also, I would like to do more of a “key exchange” when entering my password. I use different computers and I don’t reuse passwords between these computers, which means I sometimes enter a password for the wrong computer. Oops! Some sort of richer interaction with the other end would prevent this.

So here is my (embrionic) idea.

Have the password be a location in a virtual 3D space. Use the 3D hardware capabilities of phones and tablets and have the user drag around the screen to drive to the location that is the password. By having different randomly chosen starting points in the 3D space for each login attempt a simple “key logger” is made more difficult as is reading screen smudges. By having more of the space revealed as the user navigates the computer has to reveal more information in response to the user’s input, making it more of a “key exchange” and making the space richer and so lengthing the password.

Put another way: a complex 3D space, uniquely generated for each user. The password is a “secret button” somewhere is the space. To authenticate the computer starts the user in some random location and the user flies through the space and touches the secret button but no other.

Shoulder surfing is a problem, but once the user gets good at it s/he might be swooping through so fast that a casual observer might have a hard time realizing what just happened. Particularly if there were a needle-threading aspect where some routes are good and other are not.

By using the full power of the GPU it also puts a limit on how far away a man-in-the-middle could be. (Which makes remote authentication tricky.)

By drawing on the user’s motor skills there might be a way to drop the password down in the brain so the user doesn’t know it in a way that can be told to others. Make the password more like a customized motor skill.


©2016 Kent Borg

Associated Press and Passwords

Tuesday, April 23rd, 2013

Dear AP,

Today you tweeted that there were two explosions in the White House and Obama was injured. It seems you didn’t intend to do so. Someone else broke into your Twitter account. In other words, someone else had your password.

Jeeze, it isn’t that complicated:

  1. Make up a password, with some random stuff in it, so it can’t be guessed.
  2. Don’t tell your password to anyone…


  1. Tell Twitter.
  2. Tell those who will be tweeting on your behalf.

Not that complicated.

Do not reuse your password on other systems, don’t e-mail it, don’t let spyware run on your crappy Windows box and see you type it. (Tell those who tweet for you to also not tell anyone.)

It is a piece of information that needs to be managed. If it were a hundred dollar bill you could keep track of it, right? Okay, pretend it is worth at least that much. Use a little care.  (Dear CBS: Didn’t you lose your Twitter password recently, too? Same lecture. Shape up.)

-kb, the Kent who is getting tired of such sloppiness.

© 2013 by Kent Borg

Sony Passwords: Now do you believe you should not reuse passwords on different sites?

Friday, June 3rd, 2011

Sony has been cracked.  Multiple times.  It seems Sony employs nerds who know nothing about security.  Now, has had a million username and passwords (and other information: DoB, e-mail) scooped up and made public.

Are you on that list?

The Playstation breaks would have been even more users.  It hasn’t been posted public, are you on that list?

Are you an X-Factor wannabe?  That database was also grabbed by the same crackers.

And these are just the public breaches.  The real bad guys–the ones who want to steal money instead of making a political point–are breaking in quietly, grabbing passwords, and moving on to see what other doors these keys will open.

What is the lesson here?  That companies have terrible security?  Yes, they do.  But that isn’t what should keep you up at night.

You should toss and turn if you are one of those people who reuse one password on multiple web sites.  If one site is broken into, then the bad guys have the keys to any other sites you have given that same password to.

Don’t reuse passwords.  Use a different password on every account you have.  And how should you keep track of all these passwords?  Write them down.

Yes.  Write down your passwords.  The advice about not writing down your password comes from way olden days when the number of computer accounts a person had was either zero or one.  It is obsolete.  Write down your passwords.

-kb, the Kent who used to use three different passwords for everything, until he discovered a machine on which he had an account, one he used the “good” password on, was broken into.

©2011 Kent Borg