Registered Member #72
Joined: Thu Feb 09 2006, 08:29AM
Location: UK St. Albans
Posts: 1659
Right, that's it, I'm finally overwhelmed with remembering passwords, especially when my kids want me to buy one-off from here or there and the new site needs yet another password.
Like a good boy I use a different password for each site, don't write them down, use a mix of upper and lower case, numbers and squirrel noises (OK, not the last one, that was a Dilbert featuring Mordac the Preventer of Information).
So my spec for a rememberall is
* portable - I want to be able to use it on various systems
* transparent to me - I'm dubious about using a browser's password memory function
* secure against hacking - no unencrypted stuff over the web
* secure against loss - I could back it up, but would prefer to recreate
* quick and easy - I want to be able to use this thing
I've just printed out several sheets of random paper and punched a few holes in a plastic mask to make what is effectively a manual hash generator, but it's not particularly random, therefore secure, and very tedious to use.
My notional solution is a hash generator such as SHA1 or MD5, the input string would then be "SiteName_serial#_my_secret_passphrase", the password would be the first few characters of the hash value. My secret passphrase would have nothing at all to do with my Mother's maiden name, sitename is obviously easy to remember, though serial number may have to be written down per site if they require passwords to be changed. No passwords are stored in the machine, the algorithm is published, so there is nothing to keep secret or back up, except for the one phrase, which is never stored or transmitted, and the serials, most of which would be at 000.
Options include
* A palmtop running a hash algorithm - a bit expensive new, I have long pockets and short arms, though perhaps I should look on FleaBay
* A programmable calculator running a CRC-type algorithm on numbers - need an alpha to numeric conversion first
* An exe to run on the PC - though I may not always have access rights to run an exe I'd just brought along on a stick, and different version needed for PC, Mac and *nix
* A Java script to run in a browser window, which could be stored on several mirrors and work locally without transmitting anything.
Does anybody have any thoughts, does anybody know of such a script anywhere, or fancy writing one? I'm not thinking that I need military level security here, after all, the result is going with my credit card numbers over the net, but at least I want something better than them all written in clear in my diary, which can be stolen along with my wallet.
Registered Member #30
Joined: Fri Feb 03 2006, 10:52AM
Location: Glasgow, Scotland
Posts: 6706
I believe you get password manager applications that run from a USB flash drive with U3. Your passwords are stored on the flash drive and accessible on any computer you plug it into.
Roboform2Go looks hopeful. It even fills the passwords into Web forms for you.
A selection of others
As usual, if you think you've invented something cool in computer science, just type it into Google. If your idea is any good, 5 people will have thought of it and commercialized it already.
Registered Member #514
Joined: Sun Feb 11 2007, 12:27AM
Location: Somewhere in Pirkanmaa, Finland
Posts: 295
NeilThomas wrote ...
don't write them down
I always remeberize (is that even a word) all my passwords, but I don't use most of them that often so I can forget them. I keep a small book of all my passwords hidden in my safe, so if I forget them it won't be a problem. I'm not too worried about having them written down, since the likelihood of some random person cracking the safe and stealing the password book is so small.
Registered Member #538
Joined: Sun Feb 18 2007, 08:33PM
Location: Finland
Posts: 181
NeilThomas wrote ...
My notional solution is a hash generator such as SHA1 or MD5, the input string would then be "SiteName_serial#_my_secret_passphrase", the password would be the first few characters of the hash value. My secret passphrase would have nothing at all to do with my Mother's maiden name, sitename is obviously easy to remember, though serial number may have to be written down per site if they require passwords to be changed. No passwords are stored in the machine, the algorithm is published, so there is nothing to keep secret or back up, except for the one phrase, which is never stored or transmitted, and the serials, most...
The thing that you pretty much exactly described has already been done as a Firefox add-on IIRC. I'll try to look for the exact name but the add-on generated a site specific password for every site generated from a "main" password and the site name.
Registered Member #72
Joined: Thu Feb 09 2006, 08:29AM
Location: UK St. Albans
Posts: 1659
Hmm! have to learn to use Google :-o
Roboform2go sounds attractive, but it doesn't meet the "stuffed if you lose it" and "transparent to me" criteria.
The Magic password generator is almost spot on, so why am I hesitant? It's the transparency, and is it sending stuff over the net? I had a quick try of the password generator and it generates only 7 characters, fairly strong but not exceptionally so.
U3 sounds like it has been set up to sort out your own portable environment when running .exes on a school, library or cafe machine, so maybe that's a good way to sort any problems that come with trying to run your own program off a stick (should there be any problems? I guess I'm thinking that if I were a secure operating system, I wouldn't let somebody shove a USB in me and run something, but then hey, this is windoze we're talking about).
So I reckon the paranoid Luddite that I am will write a front end for the MD5 I already have, and run that from a stick.
Until I get that running, I'm using a small book in the safe!
Registered Member #32
Joined: Sat Feb 04 2006, 08:58AM
Location: Australia
Posts: 549
There are two main threats:
* Someone taking your access mechanism (usb stick) and using it
* A website phishing your hashed password, cracking it to get your personal password and using that personal password to access all the other sites you use. (It's a common phishing attack already to get people to sign up for a service in the hope they'll use the same password as they do for other sites.)
My implementation would take a hash of
sitename & big salt value & user password
The salt value is just some big random number stored in the usb drive along with the program. This makes it way unfeasible for remote sites to reverse hashed passwords.
The user password is what you type in to generate passwords. This is to stop someone who gets hold of your usb drive from accessing your sites. Same rules for this as for all passwords.
Stuff like this aside, my favourite way to invent passwords is to think of a line from a song the site reminds me of and take the first letter of each word (using capitals and other punctuation in between, with numbers). Eight characters of this is very strong and easy enough to remember. (I touch type so I'm happy to use even more.)
Registered Member #72
Joined: Thu Feb 09 2006, 08:29AM
Location: UK St. Albans
Posts: 1659
Thanks Dago, I recant, actually the magic password generator *is* spot on, at least in its standalone form. I was hesitant about using it as a browser add-on, but there is also a link to a page there which just contains some trivial I/O and a hash algorithm. The javascript used is so straightforward that even I can figure out what it's doing from my smattering of C and VB. It's quite handy as an example of how to write a simple java application.
Even better, there's a guy in the UK who trades as movable-type, has published JavaScript implementations of SHA-1, TEA, AES etc, and makes them available under LGPL. Google for "movable type sha1 javascript".
Registered Member #72
Joined: Thu Feb 09 2006, 08:29AM
Location: UK St. Albans
Posts: 1659
Ok, so maybe hacking JavaScript was more tedious than I thought. What do people think of this effort? Download and delete the .txt bit of the name: 1200498033_72_FT0_neilpass.htm.txt
It seems to work, but more by luck than judgement. I pulled up lots of different examples, and they all seemed different, whether script code went in head or body, whether a form had all the boxes in or just the outputs, whether boxes were accessed as form or document relative. Certainly the Magic Password Generator and the SHA-1 man did things totally differently. When I did find some docs that said "do it this way", it invariably stopped working if I tried to follow (debug's a bit primitive!), no doubt through a completely peripheral case or punctuation error, so this is the point where it's stopped changing for the moment. I may yet delete the "sequence" rubbish, but at least the focus behaves itself.
Registered Member #72
Joined: Thu Feb 09 2006, 08:29AM
Location: UK St. Albans
Posts: 1659
It's been a few years now since I've been using this form successfully.
It's pretty obvious how it works, please feel free to modify details. One obvious improvement is to run the SHA-1 thing multiple times eating its own output, to make it more expensive to brute force the password, that's if you were protecting state secrets. For the odd gas account password, it really doesn't matter.
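Added example (not part of the thread, and not the code in the attached file): the scheme from the first post, next to a variant that mixes in the stored salt suggested earlier in the thread and swaps repeated SHA-1 for PBKDF2-HMAC-SHA256 from Node's `crypto` module. The function names, the NUL separator, the lower-casing of the site name and the sample values are assumptions made for the example.

```javascript
// Added example; Node.js standard library only.
const crypto = require('crypto');

// Scheme from the first post: SHA-1 of "SiteName_serial_passphrase",
// password = first few hex characters (4 bits of entropy per character).
function threadPassword(site, serial, passphrase, length = 8) {
  const input = `${site}_${serial}_${passphrase}`;
  return crypto.createHash('sha1').update(input, 'utf8').digest('hex').slice(0, length);
}

// Variant: a random salt kept with the program is mixed in, and PBKDF2
// makes every passphrase guess cost `iterations` HMAC computations.
function derivedPassword(site, serial, passphrase, storedSalt, opts = {}) {
  const { iterations = 200000, length = 16 } = opts;
  if (!Buffer.isBuffer(storedSalt) || storedSalt.length < 16) {
    throw new Error('storedSalt must be a Buffer of at least 16 random bytes');
  }
  if (length < 1 || length > 43) throw new Error('length must be 1..43');
  // NUL separator (assumption): "a_b"+"c" and "a"+"b_c" can no longer collide.
  const context = Buffer.from(`${site.toLowerCase()}\0${serial}`, 'utf8');
  const salt = Buffer.concat([storedSalt, context]);
  const key = crypto.pbkdf2Sync(passphrase, salt, iterations, 32, 'sha256');
  // URL-safe base64: 6 bits per character from a 64-symbol alphabet.
  return key.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').slice(0, length);
}

// Constructed sample values. In real use the salt comes from
// crypto.randomBytes(16), generated once and backed up with the program.
const SAMPLE_SALT = Buffer.from('00112233445566778899aabbccddeeff', 'hex');
const SAMPLE_PHRASE = 'correct horse battery staple';

function demo() {
  return {
    thread: threadPassword('example.com', '000', SAMPLE_PHRASE),
    derived: derivedPassword('example.com', '000', SAMPLE_PHRASE, SAMPLE_SALT),
    rotated: derivedPassword('example.com', '001', SAMPLE_PHRASE, SAMPLE_SALT),
  };
}

console.log(demo());
```

The stored salt is the one item that has to be backed up: without it the passwords cannot be recreated from the passphrase alone.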