LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-30-2015, 08:07 AM   #1
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Rep: Reputation: 174
Password/passphrase creating idea - is it valid?


The "best" authentication is something beyond passwords, but until we get there, the "best" passwords are probably something randomly generated. This of course makes them hard for the human mind to remember, thus they are stored somewhere. My current scheme involved taking some binary file - I have no idea what it was - and UU encoding it to produce a file of printable characters. I parsed 10 columns from this file and it became my password source. I stored the resulting file on an encrypted partition, and as I use each 10-byte string as a password I record the web site next to that string so I do not reuse it. For convenience I save most web site passwords in the Firefox password manager - locked with a master password.

For those cases where I want more security I have come up with a new scheme. I would appreciate any feedback good, bad or indifferent.

The SHA256 sum for a file is a supposedly unique string 64 bytes in length. It dawned on me that this might make a decent password/phrase provided that the resource being accessed will accept it. Here is how it might work in practice...

I select a file which I will remember. For example, I have a scan of the album cover of Pure and Simple by Joan Jett. I can produce the sha256sum for that file and use it as a password/phrase. The "hint" for that resource might be "Jet P&S", which would remind me to find the original image file and re-run sha256sum if I needed to recover the password/phrase.

This might be a bit cumbersome to do on a large scale, but for a few high value resources... it might be worthwhile if it is a valid approach to the problem.

Any thoughts, comments?

TIA,

Ken

p.s. Need to remember to delete .bash_history after doing this so as not to leave traces behind.
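The scheme in post #1, worked through as an added example (not code from the thread): hash the remembered file exactly as sha256sum does, measure what the hex digest is actually worth, fit it to a site's length cap, and run the recovery step. The sample file is constructed inside demo() and stands in for the album-cover scan. The example also shows the failure mode a practitioner would check first: the "hint" only works while the original file still exists bit-for-bit, since re-scanning or re-saving the image gives an unrelated digest. The digest is also only as secret as the file; a scan that is unique to you is the whole secret, while a file anyone can download yields a password anyone can compute.

```python
"""Derive a password from a file's SHA-256 digest, as post #1 proposes.
This is an added example, not code from the thread; the sample file is
constructed in demo() and stands in for the album-cover scan."""
import hashlib
import hmac
import os
import tempfile


def file_digest_hex(path):
    """Return the 64-character hex string that `sha256sum FILE` prints."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def strength_bits(password_hex):
    """Strength of a hex password if the source file is unguessable:
    16 symbols per position gives 4 bits per character, so 64 hex
    characters carry 256 bits (32 bytes), not "64 bytes"."""
    return len(password_hex) * 4


def fit_to_limit(password_hex, max_len):
    """Sites often cap password length; truncating keeps 4 bits per
    remaining character (a 20-character prefix is 80 bits)."""
    return password_hex[:max_len]


def recovers(path, expected_hex):
    """The recovery step from the post: re-hash the remembered file and
    compare in constant time. Any byte change to the file breaks recovery."""
    return hmac.compare_digest(file_digest_hex(path), expected_hex)


def demo():
    """Constructed sample: the file content is b'hello\\n'."""
    with tempfile.TemporaryDirectory() as d:
        cover = os.path.join(d, "cover.bin")
        with open(cover, "wb") as f:
            f.write(b"hello\n")
        password = file_digest_hex(cover)
        ok_before = recovers(cover, password)
        # Re-saving the scan with even one extra byte yields an unrelated
        # digest, so the hint is useless once the original file is gone.
        with open(cover, "ab") as f:
            f.write(b"\n")
        ok_after = recovers(cover, password)
    return password, ok_before, ok_after


if __name__ == "__main__":
    pw, before, after = demo()
    print(pw, strength_bits(pw), before, after)
```

Because the whole derivation happens in a script that takes the path as an argument, no digest or password ever appears on the command line, which addresses the .bash_history concern in the p.s. without needing to delete anything.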
 
Old 05-30-2015, 08:48 AM   #2
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Rep: Reputation: 477
I've used commands like uuidgen to create long passwords. Or, preferably, KeePass (not very scriptable). However, that's just for logging into services. I wouldn't ever go through that pain to encrypt large amounts of files.

I would use GPG. I have GPG scripts (scripts start with gpg_*) designed to encrypt large amounts of files individually. One big advantage is the only password I have to remember is my GPG key. Another really big advantage is being able to encrypt files so that multiple people can decrypt them. No need to share passwords or keys. Each person uses their own key.

My scripts keep track of the checksums and can sign the checksum files. They allow you to verify the integrity of all files and can guarantee none have changed since the checksum file was signed. This is useful for hosting encrypted files on a 3rd party service such as Dropbox.

GPG is the way to go I think.

Last edited by sag47; 05-30-2015 at 08:51 AM.
 
Old 05-30-2015, 10:31 AM   #3
sgosnell
Senior Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian Stable and Unstable
Posts: 1,943

Rep: Reputation: 542
There are many ways to do this. I use more than one. For websites, I use LastPass to generate random passwords. I've used KeePassX, but it's more cumbersome, although possibly more secure. But I'm not all that worried about website passwords being broken, for the most part. For passwords I need to be able to remember, I often use a transliteration of a phrase in a language with a non-Roman alphabet. You can also use a string of non-related words. It's not necessary, IMO, to use truly random character strings, just something not easily guessable or broken by dictionary attacks. A longer phrase with actual words is stronger than a shorter one with random characters, and is much more easily remembered. See the Diceware website for a fuller explanation.
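Diceware-style generation and the "longer phrase of words beats shorter random characters" comparison from post #3, as an added example (not code from the thread or from the Diceware project). It also puts the other schemes in this thread side by side: the 10 uuencoded characters and the 64-character sha256sum hex digest from post #1, and the random UUID from uuidgen in post #2. The word list is a constructed stand-in for the real 7776-word Diceware list, `secrets` supplies the dice rolls, and the UUID figure assumes uuidgen's random (version 4) output, which has 122 random bits.

```python
"""Diceware-style passphrases and a strength comparison of the schemes
mentioned in this thread. Added example, not code from the thread or the
Diceware project; SAMPLE_WORDS is a constructed stand-in for the real list."""
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5  # five dice rolls index a 7776-word list

# Constructed stand-in word list (the real Diceware list has 7776 entries).
SAMPLE_WORDS = [
    "apple", "badge", "cable", "delta", "ember", "flint",
    "gamma", "hatch", "ivory", "jolly", "kayak", "lemon",
]


def roll_dice(n):
    """n independent rolls of a fair six-sided die, each 1..6, from a CSPRNG."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]


def diceware_index(rolls):
    """Map a five-roll key such as [1, 1, 1, 1, 1] to a list index 0..7775 by
    reading the rolls as a base-6 number, which is how the list is keyed."""
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def passphrase(wordlist, n_words, sep=" "):
    """Pick n_words uniformly at random from wordlist; each pick is
    independent, so repeats are allowed (that is what the entropy math assumes)."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def strength_bits(alphabet_size, length):
    """Entropy of a uniformly random string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def compare_schemes():
    """Bits of entropy for the schemes this thread mentions, assuming each is
    drawn uniformly: the uuencode alphabet has 64 symbols, a version-4 UUID
    (uuidgen -r) has 122 random bits, and a SHA-256 hex digest has 256 bits."""
    return {
        "10 uuencoded chars (post #1)": round(strength_bits(64, 10), 1),
        "uuidgen random UUID (post #2)": 122.0,
        "sha256sum hex, 64 chars (post #1)": strength_bits(16, 64),
        "6 Diceware words (post #3)": round(strength_bits(DICEWARE_LIST_SIZE, 6), 1),
        "8 random printable ASCII chars": round(strength_bits(95, 8), 1),
    }


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{bits:6.1f} bits  {name}")
    print(passphrase(SAMPLE_WORDS, 6))
```

Six words from the full list give about 77.5 bits, more than eight characters drawn from all 95 printable ASCII symbols (about 52.6 bits), which is the point post #3 makes; the figure depends only on the list size and word count, not on how memorable the words are, so the constructed 12-word list above is for demonstration and would need the full list to reach that strength.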
 
Old 05-31-2015, 08:14 PM   #4
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174
Thanks sag47, but I am not sure where the issue of encrypting large amounts of files comes in. For that I have established encrypted partitions using cryptsetup luksOpen. I mount those partitions as needed and store the files on the encrypted partition. I have also used these utilities to create encrypted files which can be mounted and used as storage containers. I used TrueCrypt for many years and I guess I got used to the idea of putting my files in an encrypted container rather than encrypting the individual files.

Thanks sgosnell. For most web sites, such as this forum, I am not too worried. I don't speak a language with a non-Roman alphabet so transliteration would work for me. It does remind me of an episode of a TV show from many years ago - Kojak, I believe it was. There were some documents in Greek which no one could figure out. It seems that they were actually English typed on an IBM Selectric typewriter in which the writer had substituted a Greek typeface ball.

Ken
 
Old 05-31-2015, 10:01 PM   #5
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Rep: Reputation: 477
Quote:
Originally Posted by taylorkh
Thanks sag47, but I am not sure where the issue of encrypting large amounts of files comes in. For that I have established encrypted partitions using cryptsetup luksOpen. I mount those partitions as needed and store the files on the encrypted partition. I have also used these utilities to create encrypted files which can be mounted and used as storage containers. I used TrueCrypt for many years and I guess I got used to the idea of putting my files in an encrypted container rather than encrypting the individual files.
Yeah, after rereading I realized you were just talking about website passwords and not passwords for encrypted files. Not sure where I got that, but I decided to leave the post anyway.

I highly recommend KeePass (and derivatively KeePassX, which is cross-platform) for password generation. It's easy to copy/paste passwords out of a password database and just call it a day.
 
Old 06-04-2015, 01:23 PM   #6
joec@home
Member
 
Registered: Sep 2009
Location: Galveston Tx
Posts: 291

Rep: Reputation: 70
Interesting concept for preventing brute force password attacks; however, on most systems the password hash is the actual target of most hackers. For example, on websites the password hash is stored in a SQL database of some sort and must get retrieved through a SQL injection exploit. Why brute force a single account when they can hack every account on the system?
 
All times are GMT -5.