Computer Security - Re: exploring the use of manual encryption of passwords (newbie)

#1

> I don't see why you need fancy encryption for that. Just write the
> words backwards or something. Also, it's simple enough to avoid
> pulling out the paper when someone is looking over your shoulder.
>
> > or even worse: forget or lose the piece of paper.
>
> Think of the paper as a $20 bill. You've probably carried $20 bills
> in your pocket any number of times. How often have you forgotten and
> lost one? Just exercise the same level of care with the piece of
> paper, and you shouldn't forget or lose it.

When I lose a 20$ bill, I lose 20$; when I lose my list of passwords, a lot of (albeit personal) data is at risk. The piece of paper is worth far more than the 200$ mentioned in the other post.

The problem is that it is generally known and advised over and over again that you should *never* write down passwords on paper. That's OK if you have only one password to remember, but a problem if you have 20-50 sites, each with their password policy (making a single password impossible).

So it is nice to have some manual encryption scheme to protect password lists, without the need of software to decrypt them.

-alex-

Alex D

#2

"Alex D" <> writes:
> So it is nice to have some manual encryption scheme to protect
> password lists, without the need of software to decrypt them.

One thing you could do is pick some secret common suffix to all your passwords. Say your suffix is "khhx9". Then you could write your list as:

    hotmail fred295, penguin
    AOL freddy231, jellybean
    work fjones, banana

etc. You'd memorize the suffix and not write it down, or else write it somewhere unobtrusive. Your actual passwords would be penguinkhhx9, jellybeankhhx9, bananakhhx9, etc.

Just how much trouble do you think someone finding your piece of paper is going to go to, in order to cryptanalyze your passwords anyway? Where do you intend to use these passwords? If you're going to type them into (e.g.) public kiosk computers, maybe you want to be more concerned about keystroke loggers than someone pulling a piece of paper from your pocket, figuring out its significance, and using it against you.

Another thing you could do is use an electronic gadget, either a PDA or maybe a cell phone. Most cell phones these days have a phone book feature and maybe some of them can be protected by an access code. So you'd just store your passwords in the phone book.

Paul Rubin

#3

Paul Rubin wrote:
> "Alex D" <> writes:
>> So it is nice to have some manual encryption scheme to protect
>> password lists, without the need of software to decrypt them.
>
> One thing you could do is pick some secret common suffix to all your
> passwords. Say your suffix is "khhx9". Then you could write your
> list as:
>
> hotmail fred295, penguin
> AOL freddy231, jellybean
> work fjones, banana
>
> etc. You'd memorize the suffix and not write it down, or else write
> it somewhere unobtrusive. Your actual passwords would be
> penguinkhhx9, jellybeankhhx9, bananakhhx9, etc.
>
> Just how much trouble do you think someone finding your piece of paper
> is going to go to, in order to cryptanalyze your passwords anyway?
> Where do you intend to use these passwords? If you're going to type
> them into (e.g.) public kiosk computers, maybe you want to be more
> concerned about keystroke loggers than someone pulling a piece of
> paper from your pocket, figuring out its significance, and using it
> against you.
>
> Another thing you could do is use an electronic gadget, either a PDA
> or maybe a cell phone. Most cell phones these days have a phone book
> feature and maybe some of them can be protected by an access code. So
> you'd just store your passwords in the phone book.

Also, as a thought, you could use a cheap electronic diary / telephone directory, 32 k memory etc., the ability to use a password to lock everyone else out, and brute forcing is hard (a little harder) because the device is slow. I did this once to travel in a country that didn't like encryption. Not to worry, I couldn't remember the password for the organiser when I got off the plane.

A friend just lost a bank card (with the PIN written on the back) - I showed him some ways to hide his PIN - write 10 PIN numbers on the back of the card. One bank I know issues PINs with at least one pair doubled - you have to match the format - none of them your PIN but perhaps related - like the last digit of each is 2 away or some such. Finders love such things because their odds of nabbing your cash are 30%. They try your numbers and by misdeed do you the favour of returning your card after the third failed attempt.

As my last try for a possible solution for you, try the NKVD system for encryption. J Savard has a good description on his web site. Letters are turned into digits in a repeatable, not too straining method - a little care is required. You memorise a few digits to be a key and stretch it out as long as you need. Add the key stream to the NKVD letters without any carry - you reverse the process by regenerating the key stream and subtracting from the NKVD letters. Not too tedious but not perfect security either.

David Eather
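
The round trip described in the post above (letters to digits, non-carrying addition of a stretched key, subtraction to reverse), as an added Python example that is not part of any post in this thread. The checkerboard layout, the chain-addition stretching rule and the key "31415" are assumptions made for illustration; the post specifies none of them.

```python
# Added example: hand cipher round trip as described in the post above.
# Assumptions (not from the thread): the checkerboard layout, the
# chain-addition stretching rule, and the constructed key "31415".

TOP = "et aon ris"  # single-digit letters; blanks at positions 2 and 6
ROWS = {"2": "bcdfghjklm", "6": "pq/uvwxyz."}  # two-digit codes 2x and 6x

ENC = {ch: str(i) for i, ch in enumerate(TOP) if ch != " "}
for prefix, row in ROWS.items():
    for i, ch in enumerate(row):
        ENC[ch] = prefix + str(i)
DEC = {code: ch for ch, code in ENC.items()}


def to_digits(text):
    """Letters -> digit string; KeyError for characters not on the board."""
    return "".join(ENC[ch] for ch in text.lower())


def from_digits(digits):
    """Digit string -> letters; a 2 or 6 announces a two-digit code."""
    out, i = [], 0
    while i < len(digits):
        n = 2 if digits[i] in ROWS else 1
        out.append(DEC[digits[i:i + n]])
        i += n
    return "".join(out)


def keystream(seed, length):
    """Stretch the memorised digits: append (d[i] + d[i+1]) mod 10."""
    ks = [int(d) for d in seed]
    i = 0
    while len(ks) < length:
        ks.append((ks[i] + ks[i + 1]) % 10)
        i += 1
    return ks[:length]


def encrypt(text, seed):
    plain = to_digits(text)
    ks = keystream(seed, len(plain))
    # Add digit by digit, discarding any carry (mod 10).
    return "".join(str((int(p) + k) % 10) for p, k in zip(plain, ks))


def decrypt(cipher, seed):
    ks = keystream(seed, len(cipher))
    # Regenerate the same key stream and subtract without borrowing.
    plain = "".join(str((int(c) - k) % 10) for c, k in zip(cipher, ks))
    return from_digits(plain)
```

With these assumptions, "penguin" becomes the digits 6005246385, and the paper would carry 9146781844.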

#4

You can make an easy-to-remember passphrase and turn it into a password like this:

"In the winter it is too cold for swimming so I play video games"

becomes

"Itwii2c4ssIpvg"

(Note the upper case, lower case, and use of numbers.)

You should, of course, make up a sentence and not use anything that someone else might figure out such as a quotation or saying.

Guy Macon

#5

"Alex D" <> wrote in message news:uOt6d.260425$...
> > I don't see why you need fancy encryption for that. Just write the
> > words backwards or something. Also, it's simple enough to avoid
> > pulling out the paper when someone is looking over your shoulder.
> >
> > > or even worse: forget or lose the piece of paper.
> >
> > Think of the paper as a $20 bill. You've probably carried $20 bills
> > in your pocket any number of times. How often have you forgotten and
> > lost one? Just exercise the same level of care with the piece of
> > paper, and you shouldn't forget or lose it.
>
> When I lose a 20$ bill, I lose 20$; when I lose my list of passwords, a lot of
> (albeit personal) data is at risk. The piece of paper is worth far more than
> the 200$ mentioned in the other post.
>
> The problem is that it is generally known and advised over and over again that
> you should *never* write down passwords on paper. That's OK if you have only
> one password to remember, but a problem if you have 20-50 sites, each with
> their password policy (making a single password impossible).
>
> So it is nice to have some manual encryption scheme to protect password lists,
> without the need of software to decrypt them.
>
> -alex-
>

.....sorry if I'm stating the obvious, or if it has already been mentioned (only just joined the thread), but could you not simply write the password list as a text file, and then encrypt that file using PGP or something similar, then you only need to remember one password (the PGP'd file password). You could then quite happily e-mail a copy of the PGP'd file round your organisation, and still feel quite safe that only the most expert and determined organisation is ever going to read it without knowing your 1 password to open it.

Cheers

L;ozT
....................

L;ozT

#6

> ....sorry if I'm stating the obvious, or if it has already been mentioned
> (only just joined the thread), but could you not simply write the password
> list as a text file, and then encrypt that file using PGP or something
> similar, then you only need to remember one password (the PGP'd file
> password). You could then quite happily e-mail a copy of the PGP'd file
> round your organisation, and still feel quite safe that only the most expert
> and determined organisation is ever going to read it without knowing your 1
> password to open it.
>
> Cheers
>
> L;ozT
> ....................

OK, but I want to carry a paper version around, not an electronic version: so, everything has to be done in my head.

Alex D

#7

> As my last try for a possible solution for you try the NKVD system for
> encryption. J Savard has a good description on his web site.

Just to help a little, Savard's site is here: http://home.ecn.ab.ca/~jsavard/

Quite interesting. I could not find the NKVD system's page: would it be a big problem for you to post it here, please?

Thank you.

Luigi

Luigi