Zombies
Stories of zombies originated in the Afro-Caribbean spiritual belief system of Voodoo, which told of people being controlled as labourers by a powerful wizard.

Passwords and protecting yourself

Posted: April 10th, 2010 | Author: Matt | Filed under: Brain Dump, InfoSec | 1 Comment »

Recently there has been a spate of Gmail accounts being compromised, by the sound of it through poor passwords. That raises the question: what are we doing wrong? I've come to the following conclusions:

- We're choosing poor passwords to begin with.

- We're using shady third-party providers for some reason.

- We're using insecure methods to check mail.

- Someone somewhere knows something we don't.

I know I'm stating the obvious here, but for the sake of my sanity I'm going to go through my process for choosing a password. As much as I like this post, I don't believe it goes far enough. When choosing a password I take a favourite phrase, generally something obscure that only I will know. And yes, some of the time it's related to the site I am saving the password for. Rather than ramble on about some obscure phrase only I know, let's take an example.

I have just created a Twitter account for @leethaX0r69 which I am going to use as a C&C page for my …wait…er..plans for world domination should not be published. Regardless. I'll take that account and come up with something like "Leet HaX0r is now on Twitter". From that phrase I take the first letter of each word and get "LHinoT", which is pretty good (not really). Now let's add a little spice to the mix, swapping i for 1 and o for 0, and get "LH1n0T", which is marginally better. Finally, some padding on either end gives "&LH1n0T%". That's not too bad now, is it? Eight characters, upper and lower case, digits and some special characters for good measure, and nothing that appears in a dictionary. Bear in mind that eight characters is a floor rather than a target, and that a password built from a phrase has less real randomness than its character mix suggests, because the recipe itself is guessable; it is still a long way ahead of a dictionary word.

There are a number of schools of thought on what makes a good password. Some think that having a standard pass{word,phrase} with a slight change depending on the site you are using is fine. I'd disagree with that, simply because I don't like the idea of sharing a common password among sites, even with slight changes in it: anyone who gets hold of one variant has a very short list of guesses for the rest.

This brings me to password managers. I've been using 1Password for a while now and it's awesome. No, they don't sponsor this blog, nor do I receive any kickbacks from them. The basic idea is that I have one strong password to get into my 1Password database and I am then free to use long, random passwords for all my online stuff, one per site. Very neat. Yes, I am up a certain creek without a certain paddle if I'm stuck without my laptop, but that's what 1Password for the iPhone is for. Alas my iPhone died a horrible death and is now about to be taken apart with a screwdriver just because I can….
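As an added example (not code from the original post), here is the phrase-to-password recipe above as a small POSIX shell script. It reproduces the three steps on the post's own phrase, estimates the brute-force search space from the character classes used, and contrasts that with the kind of password a manager generates for you, with openssl rand standing in for 1Password's generator. The class sizes (26/26/10 and an assumed 32 punctuation symbols) are the usual estimator assumptions, and the figure is an upper bound: a phrase-derived password has less real entropy than its character mix implies, which is the point of letting a manager pick random ones.

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces the post's
# phrase -> password recipe, estimates the brute-force cost from the
# character classes used, and contrasts it with a manager-style random
# password (openssl rand stands in for 1Password's generator).
LC_ALL=C
export LC_ALL

# Step 1: the first letter of each word, case preserved ("LHinoT").
initials() {
    printf '%s\n' "$1" | awk '{ s = ""; for (i = 1; i <= NF; i++) s = s substr($i, 1, 1); print s }'
}

# Step 2: the post's "spice": i -> 1, o -> 0 (only the two substitutions it shows).
spice() {
    printf '%s\n' "$1" | tr 'io' '10'
}

# Step 3: pad with a punctuation character on each side (the post used & and %).
mnemonic_password() {
    printf '%s%s%s\n' "${2:-&}" "$(spice "$(initials "$1")")" "${3:-%}"
}

# Size of the alphabet an attacker must assume, from the classes present.
# 32 printable punctuation symbols is an assumption, as in most estimators.
charset_size() {
    size=0
    case "$1" in *[a-z]*) size=$((size + 26)) ;; esac
    case "$1" in *[A-Z]*) size=$((size + 26)) ;; esac
    case "$1" in *[0-9]*) size=$((size + 10)) ;; esac
    case "$1" in *[!a-zA-Z0-9]*) size=$((size + 32)) ;; esac
    echo "$size"
}

# Upper bound on the search space in bits: length * log2(alphabet).
# For a phrase-derived password the real figure is lower, because the
# structure (initials of a sentence, two fixed substitutions) is guessable.
brute_force_bits() {
    awk -v n="${#1}" -v c="$(charset_size "$1")" 'BEGIN { printf "%d\n", n * log(c) / log(2) }'
}

# What a password manager gives you instead: N random bytes, base64 encoded.
# 18 bytes -> 24 characters and a full 144 bits of entropy, no mnemonic needed.
manager_password() {
    openssl rand -base64 "${1:-18}"
}

# Demo on the post's own phrase.
phrase='Leet HaX0r is now on Twitter'
pw=$(mnemonic_password "$phrase")
printf '%s -> %s (%s bits upper bound)\n' "$phrase" "$pw" "$(brute_force_bits "$pw")"
printf 'manager-style: %s (144 bits)\n' "$(manager_password 18)"
```

Run it and the post's phrase comes out as &LH1n0T% with a 52-bit upper bound, against 144 bits for the random one; the gap is why the manager wins even before you count the guessable structure of the mnemonic.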

What do you do for passwords ?
Am I crazy doing what I’m doing ?

Let me know what you think…

And no…my password for Twitter is NOT &LH1n0T%

Or is it…


OLLS: OpenSSL Base64 En/Decoding

Posted: August 16th, 2009 | Author: Matt | Filed under: One Liners | 1 Comment »

One Line Life Saver:

Found this while checking out the latest news of Twitter being used as a C&C centre for a botnet.

cat yourfile.txt | openssl base64 -e > newfile.enc

This takes yourfile.txt and base64-encodes it into a new file, newfile.enc; swap -e for -d to decode the encoded file back again (the same thing can be written without cat as openssl base64 -e -in yourfile.txt -out newfile.enc). Bear in mind that base64 is an encoding, not encryption: it keeps a file from being readable at a glance, or from being mangled by a mail client, but anyone who receives it can turn it back into clear text with the same one-liner and no key. If the content actually needs to be kept from third parties, encrypt it first (openssl enc or GnuPG) and base64 the ciphertext.
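As an added example (not code from the original post), the script below round-trips a constructed file through the one-liner, shows that the receiving side needs no secret to read it, and then does the same with real encryption via openssl enc. The sample file contents are made up, the passphrases are placeholders, and the -pbkdf2 option assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not code from the original post. Round-trips a constructed
# file through the post's one-liner, shows that "the other side" needs no
# secret to read it, then does the same with real encryption (openssl enc,
# which needs OpenSSL 1.1.1 or later for -pbkdf2).

# The post's one-liner, minus the useless cat.
b64_encode() { openssl base64 -e -in "$1" -out "$2"; }

# The decode direction. Note that -d expects the 64-column line wrapping
# that -e produces; single-line input needs -A on both sides.
b64_decode() { openssl base64 -d -in "$1" -out "$2"; }

# Real confidentiality: AES-256-CBC with a key derived from a passphrase by
# PBKDF2. The passphrase goes in via the environment rather than pass:,
# so it does not appear in the process list.
encrypt_file() {
    OLLS_PASS=$3 openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -pass env:OLLS_PASS -in "$1" -out "$2"
}
decrypt_file() {
    OLLS_PASS=$3 openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass env:OLLS_PASS -in "$1" -out "$2"
}

# Returns 0 if the two files are byte-for-byte identical.
same_file() { cmp -s "$1" "$2"; }

# Walk through the steps in scratch directory $1; returns 0 if every
# expectation holds.
olls_steps() {
    d=$1
    # Constructed sample file (not real data).
    printf 'c2 account: @leethaX0r69, next check-in 03:00 UTC\n' > "$d/yourfile.txt"

    b64_encode "$d/yourfile.txt" "$d/newfile.enc" || return 1
    b64_decode "$d/newfile.enc" "$d/roundtrip.txt" || return 1
    same_file "$d/yourfile.txt" "$d/roundtrip.txt" || return 1

    # Obscured at a glance...
    grep -q 'leethaX0r69' "$d/newfile.enc" && return 1
    # ...but anyone holding the file reads it with the same tool, no key needed.
    openssl base64 -d -in "$d/newfile.enc" | grep -q 'leethaX0r69' || return 1

    # With encryption the plaintext is gone from the file, and only the
    # right passphrase brings it back.
    encrypt_file "$d/yourfile.txt" "$d/yourfile.aes" 'correct horse battery staple' || return 1
    grep -q 'leethaX0r69' "$d/yourfile.aes" && return 1
    decrypt_file "$d/yourfile.aes" "$d/good.txt" 'correct horse battery staple' || return 1
    same_file "$d/yourfile.txt" "$d/good.txt" || return 1
    # A wrong passphrase either errors out or yields garbage; never the original.
    decrypt_file "$d/yourfile.aes" "$d/bad.txt" 'wrong passphrase' 2>/dev/null || true
    same_file "$d/yourfile.txt" "$d/bad.txt" && return 1

    return 0
}

# Run the walkthrough in a temporary directory and clean up after it.
olls_demo() {
    d=$(mktemp -d) || return 1
    if olls_steps "$d"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return "$rc"
}

olls_demo && echo 'base64 round trip ok; base64 is not encryption, openssl enc is'
```

If you only need the file to survive a mail client or a web form, the base64 step alone is fine; if you need it to survive an attacker, encrypt first and base64 the result, and hand the passphrase over by a different channel than the file.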