Analog way of encrypting passwords & account numbers?

How do you carry and secure your sensitive data? I'm trying to de-digitize but the one thing my PDA does perfectly (not to mention holding my 400+ contacts) is hide passwords and account numbers in a small password protected program. When I was paper based in the past I'd put my house number in front or behind account numbers, spell PINs backwards, list certain account numbers backwards or put fake alpha characters in them, etc.


abbreviate

I guess I mainly abbreviate my passwords in a way that only I would know what it means. I have a yahoo email address, so if that is the user ID, I just put a "y". Most of my user ids and passwords are relatively similar (I know, probably not good), so abbreviating seems to work for me!

Interested in what other people do...
nay nay

Aliases

Hi.

You can use aliases if you like to use a single password at low-security sites, for example. If I have four or five standard passwords I use at low-sec sites, I can make an alias for each one, like "nick" for the password that includes my nickname or the color of Nick's hair, or some other reference to what the password contains. Some sites require longer versions of passwords, so you might also see "nick + extra" in those.

For passwords that have to be complex, frequently changed, or are for higher security sites, well, you can still use the alias concept, it's just a little trickier. I've seen some hints about making phrases into passwords by subbing numbers for words, etc. If my password was "Ig0b4U" then my alias might be "me first" or "me1st" if I want to be cagey.

I confess, I give up. Some of the frequently changed passwords in my book ARE the real passwords. Most of them, though, are not.

You can come up with a set of substitution rules for almost anything. You can even write down your sub-rules elsewhere in your planner, especially if you use things like reference charts, conversion lists, etc. If you know baker's substitutions, like subbing applesauce for oil in certain recipes, you could even use stuff like that. Or write "tablespoon" instead of Tbsp or just T, and on and on. Editorial marks are good for indicating strange capitalization, insertions or deletions of characters, etc.

There's a million ways, you just have to come up with one you can remember.

shris

Patterns

How do you carry and secure your sensitive data?

I have a convention for writing passwords down. Nothing that would inform even the most determined cracker what these are. Because only I know what that convention is, I can leave the information in plain sight without fear of anyone guessing what's a password and what's a one-word note.

However, more commonly I use pass-phrases for passwords, or the initial letters of those pass-phrases, which then look to be random strings of letters/numbers. These initialised pass-phrases are so well known to my finger muscles that I can type them in my sleep; it helps that I touch type, so the physical keys are hidden by my hands.

Account numbers and associated PINs I memorize; those never get written down. And the original notification from the bank or credit/debit card company gets shredded.

I keep passwords in a

I keep passwords in a PocketMod or 3x5 Card Stuffed in My Wallet.

I wouldn't worry about it too much

I wouldn't worry about the method, and just do something that at first glance isn't obvious to anybody but you: adding dummy letters/words, reversing passwords etc. You could even just write them down normally. The important thing is to treat that piece of paper like your credit card and keep it in your wallet, or like your passport and keep it in the household safe if you don't need to refer to them on a regular basis.

If someone gets hold of your wallet, you have bigger things to worry about than a few passwords, and you can change the passwords just after you cancel your credit cards. I also wouldn't worry about people looking at your wallet and copying the passwords down, unless you also worry about people looking at your wallet and copying down your credit card number too.

Analog encryption

How about using a simple transposition cipher? Keep the key somewhere safe, and completely flummox anyone who snags your hPDA or planner! :-D

Cheers,
rf
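The "simple transposition cipher" suggested above, carried through as an added example (this is not code from the post or from the site). It is a columnar transposition: the memorized key word fixes the order in which columns are read out, and the written-down string is the ciphertext. The irregular (unpadded) form is used so that a password whose length is not a multiple of the key length round-trips exactly, with no padding character to confuse with a real trailing letter.

```python
# Columnar transposition cipher for short secrets such as passwords or
# account numbers. The key word is kept in your head or somewhere separate;
# only the transposed text goes in the planner.

def _column_order(key: str) -> list[int]:
    # Columns are read out in alphabetical order of the key letters; ties
    # (repeated letters, as in "planner") are broken left to right so the
    # order is unambiguous and therefore reversible.
    if not key:
        raise ValueError("key must not be empty")
    return sorted(range(len(key)), key=lambda i: (key[i].lower(), i))


def encrypt(plaintext: str, key: str) -> str:
    cols = len(key)
    # Writing the text row by row into a grid `cols` wide means column c
    # holds every cols-th character starting at offset c. Read the columns
    # out in key order; no padding, so short last columns are simply shorter.
    return "".join(plaintext[c::cols] for c in _column_order(key))


def decrypt(ciphertext: str, key: str) -> str:
    cols = len(key)
    full_rows, extra = divmod(len(ciphertext), cols)
    # The first `extra` columns (by position, not by key order) are one
    # character longer than the rest; that is what lets us re-slice the
    # ciphertext into columns without a padding marker.
    lengths = [full_rows + (1 if c < extra else 0) for c in range(cols)]
    columns = [""] * cols
    pos = 0
    for c in _column_order(key):
        columns[c] = ciphertext[pos:pos + lengths[c]]
        pos += lengths[c]
    # Read the grid back row by row, skipping cells that do not exist.
    return "".join(columns[c][r]
                   for r in range(full_rows + 1)
                   for c in range(cols)
                   if r < lengths[c])


if __name__ == "__main__":
    # Sample values constructed for the example.
    secret = "Ig0b4U"
    written = encrypt(secret, "planner")
    print(written, "->", decrypt(written, "planner"))
```

Note that a transposition leaves every character of the secret on the page, only reordered; anyone who recovers the key word, or who is willing to try every ordering of a six-letter string, gets the original back. It hides a password from a glance, not from an attacker who keeps the planner.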

Memorize a poem.

Then use random lines from it as your password. So if your poem was that old 'Roses are red' you'd just write down 'Amazon 3' and you'd know your Amazon password was "sugarissweet"

Or use a song the same way, with one number corresponding to the word where that password begins and a second specifies how many letters long.

Or use several numbers to pick out disconnected words. For example, if you used "The Star Spangled Banner", then ebay 5-10-15-6 turns into 'seelighthailedby.'

Easy!

Great ideas

Great ideas everyone and that was interesting reading, Rollafool. It gave me the idea to create my own code. I now have my code key in my wallet which is separate from where I'll put my encoded info. If someone found my code key they'd never know what it is and it's separated from the data it could translate. Thanks again !

Thanks for the code ideas!

Rollafool, thanks for the coding link -- you've reminded me of a code I developed in grade school using the "mysterious symbols" I found on the back of an old notebook I found somewhere. I thought my "language" looked like writing Arabic, or something! I now realize the old notebook I found was a steno pad and the "mysterious symbols" were a shorthand key to common symbols, but I still think it was a cool code and I think I'll try and resurrect it for encrypting my passwords and such. You've given me something fun to research this weekend. :)
Mary Ann

Password Maker

Try http://passwordmaker.org/ . It's free. I've used it for some time and been very happy with it. You only have to remember ONE password.

From the website:

"What if you could use passwords that are as unique as fingerprints for each and every one of your accounts, yet not have to remember them? PasswordMaker allows you to do just that. By using complex mathematical formulae, called hashing algorithms, PasswordMaker outputs the same unique passwords for you each and every time, provided you give it the same input. And these passwords are unique across the globe (providing they are of sufficient length).

"Don't write them down on sticky notes for others to find; no, PasswordMaker calculates them for you over and over again -- as needed -- without storing them so they can't be stolen. And if you use more than one computer (for example, one at work and one at home), it's child's play to synchronize them. There's even an on-line version for times when you are at a public computer and can't install any software."
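Added example of the idea the quoted text describes: deriving a different password for every site from one master secret by hashing, so that nothing has to be stored. This is an illustration written for this page, not PasswordMaker's own algorithm or code; the key-derivation function (PBKDF2-HMAC-SHA256), the site label used as salt, and the way bytes are mapped onto a character set are all choices made here. Because the output is deterministic, the same master secret and site label always reproduce the same password, and the length and alphabet parameters let one derivation satisfy sites that insist on, say, exactly 7 alphanumeric characters.

```python
import hashlib
import hmac
import string

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
ALNUM = string.ascii_letters + string.digits

def _byte_stream(key: bytes):
    """Endless pseudorandom bytes from the derived key: HMAC over a counter.

    This is a PRF in counter mode; the derived key never leaves this process.
    """
    counter = 0
    while True:
        block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        yield from block
        counter += 1


def derive_site_password(master: str, site: str, length: int = 16,
                         alphabet: str = ALPHABET,
                         iterations: int = 200_000) -> str:
    """Deterministically derive a per-site password from one master secret.

    Assumptions (this example's, not a product's): the site label is the
    salt, so two sites never share a derived key, and a leaked site password
    gives an attacker nothing but the task of guessing the master secret.
    """
    if not 0 < len(alphabet) <= 256:
        raise ValueError("alphabet must have between 1 and 256 characters")
    if length <= 0:
        raise ValueError("length must be positive")
    salt = b"site-password-v1:" + site.encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations)
    # Rejection sampling: only accept bytes below the largest multiple of
    # len(alphabet) that fits in a byte, so every character is equally likely
    # (a plain `b % len(alphabet)` would bias toward the low characters).
    limit = 256 - (256 % len(alphabet))
    out = []
    for b in _byte_stream(key):
        if b < limit:
            out.append(alphabet[b % len(alphabet)])
            if len(out) == length:
                return "".join(out)


if __name__ == "__main__":
    # Sample inputs constructed for the example.
    master = "correct horse battery staple"
    print(derive_site_password(master, "bank.example"))
    print(derive_site_password(master, "bank.example", length=7, alphabet=ALNUM))
```

The cost of this design is the one the later reply in this thread points out: the password exists only while the derivation runs, so it is unavailable on the phone or away from any computer, and a site that hands you a fixed password you cannot change still has to be remembered or written down separately. Changing a single site's password also means changing its label (for instance appending a counter), since the master secret cannot be rotated per site.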

Passmaker for the 'deskbound'?

Unless I misunderstand, that's only useful if you're deskbound at a computer all day. I'm a field sales rep and until now this is where the PDA has been helpful. I have no trouble creating passwords (nor memorizing a few) but the problem is one site wants 6 characters length, the next 7 and it has to be alpha-numeric, the next site gives you a password and you can't change it, etc., etc. Then there are some that have 2-3 levels of stuff to remember like unique usernames, security questions, yadda. "So, why would you need your passwords during the day away from the PC?" Needing to phone the bank, retailer, money market fund, etc. or having to go online with a public access PC or PDA at a wireless site. (Can't seem to shed this PDA!)

"So, why would you need..."

"'So, why would you need your passwords during the day away from the PC?' Needing to phone the bank, retailer, money market fund, etc. or having to go online with a public access PC or PDA at a wireless site."

You're right. This password would only be useful when you're at a computer, any computer. There's an online version for use at public computers, but this won't help when you're on the phone with no computer...

Memorize!

Hey, what's with you people? Do you read the literature and missives written by security professionals?! You're only safe if you memorize your passwords - all of them, yeah, from your safe with your mortgage to your DIY Planner blog password. What, you have too many? Oh, don't share them - that's not optimally secure. If you put your passwords in an electronic file, then that's only one password for the evil people to crack to get all your passwords. If you put them in your notebook, then all it takes is a baddie stealing your notebook. Me? My method - I put my passwords on post-it notes on my computer monitor. :-)

Code?

I mean, a code may be more complicated than you want to get, but...

I usually disguise 4-digit PINs as phone numbers. You know, like if the PIN is "1234" then I'll write down "205-1234" or something.

Passwords

I've gone back to paper for all personal organisation, but passwords are the one thing that I've left digital.

I use a password tracker on my Palm called 'splashId', which I also have on my home Mac and work PC... the Palm syncs with both, so they're always up-to-date. The passwords are blowfish encrypted, and require my master password for access, which no one knows but me, and no-one will ever guess (it's a random string used for nothing else but the password master-key).

Passwords should obey a few important qualities. They shouldn't be words or names; these are prone to dictionary attacks. You shouldn't share them (otherwise a nefarious forum owner may begin monitoring your email because the forum and mail share the same password). Ideally, they should be randomly generated strings.

As I have around 80 sets of credentials, I see no effective way of storing this on paper. This is probably the only personal organisational task where computers beat paper hands-down; at least for me.

Plus, the password file (encrypted, of course) gets backed up with my normal computer backups, so it's fairly fail-safe too.

Complicated but meaningful

At work I have a couple of login accounts that I have to use for different purposes, and our security standards are very strict. If I have to write them down, then I use the 'hint' method. Mostly though, I can avoid that by basing it on something meaningful to me, in two parts, using my own rules. I also use the same basic password on each, except that I intentionally misspell the one I use the most. For instance, meaningful concepts might be 'rocket' + 'rabbit', from which I can use:

SAtern-fr3d <-- sample hint: moon+quiet man*
SAturn-fr3d
or
H3rk/jAvA
H3rc/jAvA

Eventually I choose a new concept or two, and I pick passwords ahead of time so I'm not trying to come up with something on the fly. I have to change these passwords every 30 days, and there are all kinds of built in constraints as to what's acceptable and what's prohibited (the above are much too short to be actually used).

I mentioned my own 'rules'. The letter "A" is always capitalized. "L" becomes 1, "E" is 3, oh is zero. A special character separates the concepts.

Yes, it's complicated, but since every bit is meaningful to me, it works.

* The Saturn V was the rocket that took men to the moon. Fred and Java are two of our house rabbits. Fred has always been calm and quiet. The hint makes perfect sense to me, but someone else won't be able to make heads or tails of it, and in fact can lead someone trying to guess off on a wild goose chase. "Quiet Man"... John Wayne movie? Marcel Marceau?

"Herk" refers to the Nike-Hercules, which is an old, very cool looking interceptor missile.

Life of a webdev...

I have an astonishing number of passwords to track. I always have my laptop with me in case of emergencies (I'm a web developer, so any professional emergency will require web access), but there are some things I'd need in the case of a near apocalypse, such as the administrative passwords for servers I maintain and such, in case I have to call someone I work with and have them go reboot for me because I've fallen off the face of the internet and something is broken. Here are some notes on my approach:

Obfuscating a password is *no* substitute for encrypting it. Seriously, some people are stupid, but I always assume I'll have the bad luck to have my planner stolen by someone who isn't.

I minimize the number of passwords I have by using OpenID whenever possible (hint, hint, DIYplanner folks, allowing it on this lovely Drupal site of yours would take five minutes).

I minimize the number of passwords I carry by using secure certificates to log in where possible, and keeping most passwords encrypted on a computer or removable media I can stick in my computer.

I tend not to write out passwords in any usable form anyway, but instead use strange and cryptic clues. Since I have a couple of password generation methods I use consistently, being reminded of the base word or phrase in some roundabout manner is *usually* enough for me.

I never re-use passwords except for extremely low-value targets such as public mailing lists (on which I GPG sign my messages anyway, making the password irrelevant to the issue of someone impersonating me).

My weak point is PIN numbers... they are too short and too simple to create via one of my usual password-generation methods, so the clue method doesn't work well. I used to just trust myself to memorize them, but now I have too many for that to be practical. I've started encoding them rather than encrypting them. (Note: this method is only useful for very short segments of data, such as a PIN, anything longer should be encrypted or clued rather than encoded -- any encoding is trivial to crack with more than a few characters of sample). Here's how:


I thought of ten people, and gave them each a number. To write down a PIN, I use a word or phrase about one of those people to represent each digit, and I never repeat the same word or phrase (so that people can't figure out where repeats are, very useful information when decoding data). So, if #6 is my redheaded cousin Fred who works at a Pringles factory and likes cotton candy ice cream (yuck!), 6 could be represented by "Fred" "cousin" "chip" "snack" "cotton candy" or "red" -- anything that lets me know that's Fred.

I came up with this encoding because I had an already-memorized list of ten people for another purpose, so I had a ready-made key I didn't have to carry with me. However, even if you keep a list of your 10 people somewhere, out of order, people looking won't know how you ordered them, so that may provide enough security for those less paranoid than myself.

In the case of a written-down list of people, your list is no longer the key -- the *order* of the list is the key. (The matching of keywords to people is a sort of secondary key in both cases.) This is understandably weaker --

Without knowing who is on your list, and assuming you know (or know of; you could use fictional characters or something) n people, your list would have a complexity of n!/(n-10)! ... if n equals only 20, there are still 670,442,572,800 possible lists.

For a known selection of ten items, there are only 10!, or 3,628,800 lists.

If the attacker knows enough about your ten people, they can probably reduce that to about 20 likely lists (alphabetical, order you met them, age, etc), but they must also figure out your keywords.

However, considering that a 4-digit pin has only 10^4, or 10,000, possible values, and a 6-digit pin has only 10^6, or 1,000,000 possible values, it's still faster to brute-force (try every possible pin) than decode unless the attacker has both your list, *and* enough knowledge about those on it to come up with just a few probable orderings, or to match keywords to people.

If the attacker knows enough about your people to figure out which keyword points to whom, or at least which point to the same person, but cannot figure out how the people are ordered on your list, they are left with:

  • 10!/6!, or 5,040 possible values for a 4-digit pin with no repeated digits
  • 10!/7!, or 720 possible values for a 4-digit pin where one digit is used twice
  • 10!/8!, or 90 possible values for a 4-digit pin where one digit is used three times, or two digits are each used twice.
  • 10!/4!, or 151,200 possible values for a 6-digit pin with no repeated digits
  • 10!/5!, or 30,240 possible values for a 6-digit pin where one digit is used twice
  • 10!/6!, or 5,040 possible values for a 6-digit pin where one digit is used three times, or two digits are each used twice
  • 10!/7!, or 720 possible values for a 6-digit pin where one digit is used four times, or one digit is used twice and another three times

In conclusion, if your list is completely unavailable to your attacker, in this encoding method your pin is harder to retrieve than by brute force. If your list is available, unordered, to your attacker and said attacker does not know the people well enough to match them to keywords, the same is true.

If your attacker can order your list properly, and match at least some of the keywords to people, or if your attacker can match all or most of the keywords to people but can't order the list, or if your attacker can figure out which keywords indicate the same person (but not who it is or that person's number), the attack will be considerably easier than brute force. These types of partial-knowledge attacks are considerably more effective on PINs wherein digits are used more than once.

As I have my list memorized, and do not repeat digits excessively, I find this encoding to be quite sufficient for my needs.
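The people-for-digits encoding and the counting argument from the post above, as an added example (this is illustration code written for this page, not the poster's own; the ten names and cues are constructed, with "Fred" placed at #6 and given the cues the post mentions). It encodes a PIN one cue per digit without ever reusing a cue, decodes it back, and reproduces the candidate counts in the post's table from the number of distinct digits in the PIN.

```python
import math

# Constructed, hypothetical key: ten people, list index = digit. A cue is
# never reused within one PIN, so each person needs at least as many cues as
# the most times their digit can repeat in a PIN you intend to encode.
PEOPLE = [
    ("Ada",  ["violin", "green scarf", "lighthouse", "Tuesday"]),
    ("Ben",  ["beekeeper", "red bike", "chess", "Portland"]),
    ("Cora", ["potter", "twins", "marathon", "Darjeeling"]),
    ("Dev",  ["drummer", "blue van", "sourdough", "tabby"]),
    ("Elin", ["sailor", "gold tooth", "crossword", "Oslo"]),
    ("Gus",  ["dentist", "harmonica", "allotment", "Lego"]),
    ("Fred", ["cousin", "chip", "snack", "cotton candy", "red"]),
    ("Hana", ["archer", "yellow hat", "origami", "Kyoto"]),
    ("Ivo",  ["welder", "ponytail", "ferret", "pinball"]),
    ("June", ["nurse", "skateboard", "Scrabble", "Cork"]),
]


def cue_table(people=PEOPLE) -> dict:
    """Map every name and cue to its digit; refuse a key with an ambiguous cue."""
    table = {}
    for digit, (name, cues) in enumerate(people):
        for cue in [name] + cues:
            if cue in table:
                raise ValueError(f"ambiguous cue: {cue!r}")
            table[cue] = digit
    return table


def encode_pin(pin: str, people=PEOPLE) -> list:
    """Write a PIN as one cue per digit, never repeating a cue.

    Repeated digits therefore do not show up as repeated words on the page.
    """
    cue_table(people)  # validates the key before we rely on it
    used, out = set(), []
    for ch in pin:
        name, cues = people[int(ch)]
        cue = next((c for c in [name] + cues if c not in used), None)
        if cue is None:
            raise ValueError(f"digit {ch} repeats more often than {name} has cues")
        used.add(cue)
        out.append(cue)
    return out


def decode_pin(cues: list, people=PEOPLE) -> str:
    table = cue_table(people)
    return "".join(str(table[c]) for c in cues)


def brute_force_space(pin: str) -> int:
    """Every possible PIN of this length: 10^len."""
    return 10 ** len(pin)


def orderings_unknown_people(n: int) -> int:
    """Ordered ten-person lists drawn from n known people: n!/(n-10)!."""
    return math.perm(n, 10)


def orderings_given_grouping(pin: str) -> int:
    """Candidates left when the attacker can tell which cues refer to the same
    person but not who that is or which number they hold: only the d distinct
    digits' assignments matter, giving 10!/(10-d)! possibilities."""
    return math.perm(10, len(set(pin)))


if __name__ == "__main__":
    words = encode_pin("6616")          # sample PIN constructed for the example
    print(words, "->", decode_pin(words))
    for pin in ("1234", "1213", "1212", "123456", "112233"):
        print(pin, brute_force_space(pin), orderings_given_grouping(pin))
```

The comparison the post draws falls straight out of the last two functions: an attacker who knows nothing about the list faces n!/(n-10)! orderings, far more than the 10^4 or 10^6 a brute-force attempt needs, while one who can already group the cues by person is down to 10!/(10-d)!, which for a four-digit PIN with a repeated digit is 720, well under brute force. The encoding is only as strong as the secrecy of the ordering and of the cue-to-person mapping.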

hiding passwords

I use my contacts and websites list and 'hide' unimportant passwords in semi-plain sight.

Fake website names or real website names are good, using standard phone key number replacement for letters. Yes, I know it can be broken in a moment but I am talking about unimportant passwords.

So, if in theory my password for this site was a simple password like "Dog1243", then I could have a reminder of a weblink
www. PlanningLassie.com /celia.htm
Obviously Lassie = Dog and celi = 1243.

My husband uses a similar system

Or even simpler. No encoding at all. He uses 'email address' style passwords -- like JSmith43@AOL.

He comes up with a person (real/fiction/completely invented) whose name he will associate with the website. For example, he knew a girl back in High School who was a fantastic track/field athlete. He uses her name for his Amazon account. Then he put an entry in his address book with reasonable looking but fake info for address & phone & such, and simply puts the password in the email slot.