Renzo's guide to password security - A MUST-READ!

in #steemit, 7 years ago (edited)

I've been around for some time, so it is no surprise that I come across several STUPID questions being asked.

If you have ever heard the phrase "A stupid question is the one that is never asked", let me tell you something: the internet is a TOOL. As such, it has better uses than searching for porn!
95% of the stupid questions can get a very complete answer by typing "whateveryouwanttoknow steemit" into Google.

Yes, there are plenty of stupid questions, yet there are other questions that require a deeper tutorial. I haven't seen any "password security" tutorials around, other than ones that involve using "LastPass" (a third-party program, made by somebody you do not know, with code you cannot read: would you give the keys to your house, address included, to a locksmith you do not know?). This is very insecure! You never know when a third party you rely on for your security will have an underpaid employee or a "hack" (*wink* *wink*) that compromises all of its users.

1st rule: trust no one.

It is a sad part of human nature: people will take advantage whenever they can get away with it with no consequences, what a bunch of sons-o-bitches.
Even when third-party tools are meant to make your life easier, the risk of trusting them is too high for my liking; all it takes is a minor glitch and several thousands of people lose their login credentials.

Not trusting anyone includes family, friends and acquaintances. Given the right conditions, excuses and potential reward... PEOPLE WILL SCREW YOU OVER.
This means: do NOT save your password on the computer! Do NOT save it in your Google account (this would break TWO of the points here!), giving access to your account to anyone who gains control of your nice cloud-based Android mobile. Do NOT trust anyone!

Then, what should you do?

Use your frikkin' brain

By this, I do not mean that you should memorize your hell-o-long WIF key (yet we know that this is a great idea and perfectly doable thanks to mnemonics).
But if you do not have the skill to do it, it is not hard to safeguard your password on a frikking piece of paper, in your wallet, in your pocket!
While ALSO saving a few copies of it at several locations.

Encryption and obfuscation: the last line of defense.

Yes, someone may "find" one of those "backup pieces of paper". That someone "may" know about Steemit, and know that "that" is the KEY to open the vault where you're saving money to finally fulfill your project (whether it is buying a Japanese sex doll or finally upgrading your hardware to work online as a 3D animator; it does not matter). If that happens, THAT PERSON WILL SCREW YOU!

Here's where you "really" have to use that chunk of electrically charged meat that you haven't roasted because you're using it.

Encrypt it!
You can do so with several methods. A "simple" one is saving a RAR/ZIP file in the cloud, password-locking the file as you create it; then you ZIP/RAR it again under ANOTHER password... (do it as many times as you wish). There are also several tools available online that you may use, yet... trust (?).
So, what if RAR/ZIP encryption is ever compromised?
USE YOUR BRAIN
Who told you that you have to save the raw password?

A simple example:

Let's work on a sample password:

P5Example1paSsWorD9tHat6we1wilL2uSe5fOr5thiS7aRticLe
(Don't ask me how I made it match the correct length; I have a skill for those sorts of things.)
Of course, not a single smart being would ever dare to save the password raw! First, we should clear the redundant data: all of these keys start with "P5", so take it out.
Example1paSsWorD9tHat6we1wilL2uSe5fOr5thiS7aRticLe
Second, there's no need to keep the standard reading order, so let's reverse it!
eLcitRa7Siht5rOf5eSu2Lliw1ew6taHt9DroWsSap1elpmaxE
Third, we are still under basic obfuscation here, so what about Caesar-ciphering it? Use as "shift" any number you're fond of (68 in this case: you blow me, and I owe you one).
Vordgcv1grJjNfiU9kYrk6nv1nzcC2lJv5wFi5kyzJ7rIkztCv
(Note how the numbers stay in place.)
Again, mess it up a bit: add 1 to each of the numbers; if it becomes "10", make it "0".
Vordgcv2grJjNfiU0kYrk7nv2nzcC3lJv6wFi6kyzJ8rIkztCv
I'm not happy... let's reverse it again!
vCtzkIr8Jzyk6iFw6vJl3Cczn2vn7krYk0UifNjJrg2vcgdroV
Now we can take that string of "text" and save it in a txt file, or better yet: embed it inside an image as part of the EXIF data.
Now, the password became THIS:
You can see the EXIF directly HERE


You can do whatever you like with this image: RAR it under a password, or publish it, hiding in plain sight. You can split it in two parts for an extra security layer (be sure to add some junk text in the part you know is not relevant, to hinder any potential thief's "job").
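Here is the whole chain from above in Python, as an added example (not the author's code): strip the "P5" prefix, Caesar-shift the letters, add 1 to every digit with 9 wrapping to 0, reverse, and the inverse to get the key back. It reproduces the post's strings when the Caesar step is applied to the un-reversed string with a shift of 17 (68 mod 26 would be 16, so the shift is taken as a parameter), and the sample key is the one from the post, not a real one.

```python
"""Obfuscation chain from the post: strip the fixed "P5" prefix, Caesar-shift
the letters, add 1 to every digit (9 wraps to 0), then reverse the string.
Every step is reversible, so deobfuscate() undoes the chain step by step."""

PREFIX = "P5"  # the fixed prefix the post says every key starts with


def caesar(text: str, shift: int) -> str:
    """Shift letters by `shift` positions, keeping case; digits and other characters stay put."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + shift) % 26))
        else:
            out.append(ch)
    return "".join(out)


def bump_digits(text: str, delta: int = 1) -> str:
    """Add `delta` to each digit modulo 10 (so 9 + 1 becomes 0, and 0 - 1 becomes 9)."""
    return "".join(str((int(ch) + delta) % 10) if ch.isdigit() else ch for ch in text)


def obfuscate(key: str, shift: int) -> str:
    """Apply the chain: strip prefix -> Caesar -> bump digits -> reverse."""
    body = key[len(PREFIX):] if key.startswith(PREFIX) else key
    return bump_digits(caesar(body, shift))[::-1]


def deobfuscate(blob: str, shift: int) -> str:
    """Undo the chain in reverse order: un-reverse -> un-bump digits -> un-Caesar -> re-add prefix."""
    body = caesar(bump_digits(blob[::-1], -1), -shift)
    return PREFIX + body


# Sample key taken from the post; it is a made-up string, not a real key.
SAMPLE = "P5Example1paSsWorD9tHat6we1wilL2uSe5fOr5thiS7aRticLe"

if __name__ == "__main__":
    blob = obfuscate(SAMPLE, 17)
    print(blob)  # the post's final string
    print(deobfuscate(blob, 17) == SAMPLE)
```

Only the Caesar step carries any secret, and it has 26 possible values; the rest of the chain is fixed, which is why the post files this under obfuscation rather than encryption.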


With this, what do I want to say?

If someone gets your WIF key and "hacks" your account, the entire responsibility lies on you. You have the tools to make it harder to crack than my grandma's ass... you just don't use them. Don't be a lazy fooker, play safe!

I know it's not the most secure you can get, but even a little amount of encryption can go a long way

You can do substitution cipher (Caesar cipher) like the one @renzoarg mentioned here

www.rot13.com

Rot(number n) just replaces each letter with the letter that is n positions away from it. This particular website doesn't seem to work for numbers, but once you get the idea, you can program one yourself with a similar or any custom algorithm you can come up with and run it on the ASCII values of the characters; it will work flawlessly for any character you may type on your keyboard.

Yes, I only used Caesar's as a simple example; there are several "old school" ciphers that can be used as extra "layers". All the owner needs to know is in which order he used them (it'd be VERY BAD to forget that! But a memory aid can be added as a "side note" on the paper, with another, simpler code).

My personal favorite is the ADfGVX; I wrote about it a long time ago here: The most famous Field Cipher: ADfGVX - And its important Role during WWI - Steemit

It makes sense, what you are talking about! You are the one and only person responsible for your safety!

Hello. Thanks for sharing your idea. :)

I am not sure why you consider LastPass unsafe. I thought that it encrypts all data and to decrypt it you need to know the master password. To do that someone would have to hack into my computer. I do not use my admin account to log in. I thought that keeps things safe. Am I wrong about this, and if so, could you explain why? Cheers. :)

Because one thing is what it "says" it does, another is what it really does. Can you verify the code yourself? Are you sure that some employee did not place a backhole orifice in it as an "insurance" measure that he could use later to blackmail his boss (or at least get him in a lot of trouble)?

Plus, another downside: those programs tend to use a "master password", so you "protect" all your passwords with a single one... given the eventuality... you're VERY screwed!

You're putting all your eggs in one basket.

HERE you can check how many times those programs were "insecure" until they fixed the issue.
SIK-2016-024: Read Private Date (Stored Masterpassword) from LastPass Password Manager
is one of them. Someone not-so-honest who found such vulnerabilities would test them on several victims before reporting them!

There's no guarantee that there's not another similar "bug" (quotes, because most are left there on purpose).

Thanks for your response. I appreciate you taking the time to write it. I will check out the link when I am back from camping. I have limited access right now. :)

A good question always deserves a good answer; besides, I kind of forgot to mention the reasons behind that statement of mine.

Yes people should just "use their frikkin' brains" :D

Wow, embedding a ciphered password into EXIF? That's pretty badass. I memorize all my passwords and so can you. With memory techniques you can remember very secure and long passwords. Today I posted about a new free ebook from a memory coach friend of mine. Follow me for more about memory and get the book as long as it is free: https://steemit.com/security/@flauwy/new-ebook-free-for-limited-time-the-hack-proof-password-system

I have been into this issue for quite a while and ended up finding keepass, which I personally recommend to people around me. As simple as an encrypted key database on your computer, with additional security such as key files. Combined with live sync backup, it makes life on the wires much more secure and quite easy! @bluudz

Please, the main point of this post is NOT TRUSTING third-party tools to safeguard your funds. Seriously, if you WANT to be willing to take the risk, do not pretend to justify your stupidity by passing it on to others.

So what about encrypting with winrar? How is that not a third-party tool, and how is that different from keepass or truecrypt? And what about keepass and truecrypt being open-source tools which many people have reviewed? Sorry, but if you don't know the tools, that doesn't immediately mean they are not good. Do your research before pointing to other people's stupidity, please :)

Did you even read the post? I cover that! Or did you come to advertise some doubtfully honest software that accomplishes a task anyone with two fingers of forehead can do with a piece of paper?

So, what if RAR/ZIP encryption is ever compromised?
USE YOUR BRAIN
Who told you that you have to save the raw password?

No, I came to add my two cents to the topic, but you seem to be the expert here, having it all covered. No worries, no point in talking to a wall. Good luck and have a good day.
