From: unruh on
On 2010-06-08, Matthias <arnd-matthias.langner(a)arcor.de> wrote:
> On Tue, 08 Jun 2010 14:50:34 -0700, Paul Rubin wrote:
>
>> Matthias <arnd-matthias.langner(a)arcor.de> writes:
>>> I am looking for a 'wallet vault' that allows me to carry the pin codes
>>> ... I convert it two digit wise into hexadecimal format, yielding 38
>>> 4E.
>>
>> Seems way too complicated. Who are you trying to protect these numbers
>> against? What kinds of attacks do you think they can use? The usual
>> situation with an ATM card is if you guess the wrong PIN three times in
>> a row, the machine confiscates or invalidates the card.
> My imagined opponent is a clever thief. I read the story of an elderly
> lady in my newspaper, who wrote down her pin codes as fictitious phone
> numbers in her notebook. It took the thief only several phone calls to
> get a clue ....
>
>
>>So it's likely enough to do something very simple and then keep the
>>method to yourself.
>
> Security by obscurity is not always a good idea. My assumption was: The
> thief has my wallet with all the credit and ATM cards along with the slip
> of paper with the enciphered pin codes. He has an idea which information
> this slip of paper might contain and which algorithm I may have used, and
> he has - as you mentioned - three tries per card.

No, an arbitrary number of tries per card. You just go to different ATMs
and do two tries and then cancel. I have not tried it (well, I have), but
I do not think that 10 bad tries on 5 different machines will trigger
the confiscation routine.

>
> Of course it is obvious that trivial passwords (first names or birth
> dates of wife or kids ...) are insecure in this scenario. I assume a not
> too easy to guess passphrase.
>
> I accept 'way too complicated' if it implies reasonably secure, but this
> is a logical non sequitur. Complicated is not necessarily secure. This
> was the point of my question.
>
>
> Matthias
>
>
>
From: Maaartin on
On Jun 9, 12:27 am, Matthias <arnd-matthias.lang...(a)arcor.de> wrote:
> >So it's likely enough to do something very simple and then keep the
> >method to yourself.
>
> Security by obscurity is not always a good idea. My assumption was: The
> thief has my wallet with all the credit and ATM cards along with the slip
> of paper with the enciphered pin codes. He has an idea which information
> this slip of paper might contain and which algorithm I may have used, and
> he has - as you mentioned - three tries per card.

In fact, it's nearly always a very bad idea for the following reasons:
- The algorithm may leak from a computer.
- The algorithm doesn't get enough scrutiny.

But it can't leak from my head and the problem is simple enough, so I
can trust myself to get it right. I didn't even hesitate to write the
ciphertexts directly on the cards.

From: rossum on
On 08 Jun 2010 21:15:36 GMT, Matthias <arnd-matthias.langner(a)arcor.de>
wrote:

>I am looking for a 'wallet vault' that allows me to carry the pin codes
>of my diverse credit and ATM cards safely with me on a slip of paper and
>decipher them without the aid of computers or pocket calculators in a
>simple paper and pencil operation in a matter of minutes in case I forgot
>one of them.
Playfair.

rossum

From: Datesfat Chicks on
"Matthias" <arnd-matthias.langner(a)arcor.de> wrote in message
news:4c0eb2f8$0$6874$9b4e6d93(a)newsspool2.arcor-online.net...
>
> Now a simple to remember passphrase comes in, assume it to be
> THEMADHATTER.

Your proposed scheme seems to be a variation of OTP encryption.

I think you've made it a bit too complicated. I think it will be enough to
choose a passphrase meaningful only to you. If you speak any foreign
languages, perhaps a sentence that is meaningful to you in a foreign
language. Or maybe a line from a movie that is memorable to you.

But if you have a strong passphrase (meaningful only to you), I think the
encryption could be modulo 256 and somewhat simpler than you've proposed.

It would be incredibly difficult for an attacker to guess such a passphrase
out of the sea of possibilities.

Besides, if I wanted your PIN code and it was a matter of life and death, I
wouldn't go after the encryption -- I would go after YOU. YOU are the
weakest link. I actually had this happen to a friend in Detroit. A couple
of guys confined him in a car. One was in the back seat, and had a wire
around his neck (my friend was in the passenger's seat) and was applying
pressure and threatening to strangle him if he didn't give up the PIN. The
driver got out and used his ATM card. He honestly believed he was going to
die.

You might also download a program such as Keepass and keep everything there
(although this eliminates the possibility of figuring out your pin until you
get home).

A second possibility is to just choose your PINs to be some numbers that
only have meaning to a mathematician. Take the 10th prime number (don't know
what it is), and use the digits of the square root, the cube root, the fourth
root, etc. (Or, better yet, if you've only got a cheap calculator
available, the square root, 4th root, 8th root, etc.).

For example, choose 101 as the prime and just keep pressing the square root
key on a calculator. 1004 might be your first PIN, 3170 the second, 1780
the third, 1334 the fourth, etc.

Datesfat
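
Added example, not part of Datesfat's post: the repeated-square-root derivation from the last paragraph, with a check that the first four digits do not depend on how many digits the calculator displays. The function names and the modelling of a calculator as a fixed-precision `decimal` context are assumptions of this example.

```python
from decimal import Context, Decimal


def sqrt_chain_pins(seed, count, display_digits=8, pin_len=4):
    """Press 'square root' `count` times starting from `seed`; after each
    press take the first `pin_len` digits shown, ignoring the decimal point."""
    ctx = Context(prec=display_digits)  # assumed model of a calculator display
    value = Decimal(seed)
    pins = []
    for _ in range(count):
        value = ctx.sqrt(value)
        digits = value.as_tuple().digits
        if len(digits) < pin_len:
            # An exact root (e.g. sqrt(4) = 2) shows too few digits to use.
            raise ValueError(f"root {value} has fewer than {pin_len} digits")
        pins.append("".join(str(d) for d in digits[:pin_len]))
    return pins


def stable_across_displays(seed, count, displays=(8, 10, 12)):
    """True if every modelled display width yields the same PIN list, i.e.
    the PINs can be recovered on a different calculator than the one used
    to choose them."""
    results = {tuple(sqrt_chain_pins(seed, count, d)) for d in displays}
    return len(results) == 1


if __name__ == "__main__":
    print(sqrt_chain_pins(101, 4))
    print(stable_across_displays(101, 4))
```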

From: Greg Rose on
In article <4c0eb2f8$0$6874$9b4e6d93(a)newsspool2.arcor-online.net>,
Matthias <arnd-matthias.langner(a)arcor.de> wrote:
>I am looking for a 'wallet vault' that allows me to carry the pin codes
>of my diverse credit and ATM cards safely with me on a slip of paper and
>decipher them without the aid of computers or pocket calculators in a
>simple paper and pencil operation in a matter of minutes in case I forgot
>one of them.

What I used to do for this situation is to have a
random array (say 12x12) of digits, and overwrite
some of the digits with the digits of the PIN(s)
in some memorable pattern. The "three strikes"
rule is more than enough to avoid problems if the
paper is lost. No calculations necessary.

Greg.
--
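
Added example, not part of Greg Rose's post: one way to build the digit array he describes and read a PIN back out of it. The "memorable pattern" is modelled here as a start cell plus a step direction, and the PINs are constructed sample values; both are assumptions of this example.

```python
import secrets

SIZE = 12  # the post suggests "say 12x12"


def make_grid(size=SIZE):
    """Filler digits come from the OS CSPRNG so that the embedded PIN
    digits are not distinguishable from the surrounding digits."""
    return [[secrets.randbelow(10) for _ in range(size)] for _ in range(size)]


def pattern_cells(start, step, count, size=SIZE):
    """Cells visited from `start` (row, col), moving by `step` (drow, dcol)
    and wrapping at the edges. Hypothetical stand-in for the secret pattern."""
    (r, c), (dr, dc) = start, step
    return [((r + i * dr) % size, (c + i * dc) % size) for i in range(count)]


def embed_all(grid, entries):
    """entries: list of (pin, start, step). Overlapping patterns are refused,
    because a later PIN would silently overwrite digits of an earlier one."""
    used = set()
    for pin, start, step in entries:
        cells = pattern_cells(start, step, len(pin), len(grid))
        if len(set(cells)) != len(cells) or used & set(cells):
            raise ValueError(f"pattern starting at {start} overlaps another")
        used |= set(cells)
        for ch, (r, c) in zip(pin, cells):
            grid[r][c] = int(ch)
    return grid


def recover(grid, start, step, length=4):
    """Read a PIN back by walking the same pattern, as done by eye on paper."""
    cells = pattern_cells(start, step, length, len(grid))
    return "".join(str(grid[r][c]) for r, c in cells)


def render(grid):
    """Text form of the array, suitable for printing on a slip of paper."""
    return "\n".join(" ".join(str(d) for d in row) for row in grid)


if __name__ == "__main__":
    # Constructed sample PINs and patterns.
    g = embed_all(make_grid(), [("4071", (2, 3), (1, 1)),
                                ("9356", (0, 11), (1, -1))])
    print(render(g))
    print(recover(g, (2, 3), (1, 1)), recover(g, (0, 11), (1, -1)))
```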