I just heard this on the radio. I was appalled.

http://www.cbc.ca/radio/thesundayedition/how-to-create-unique-passwords-you-won-t-have-to-memorize-1.4579765
Don't do this. Submit a story the normal way, not with a blank URL. Stories with blank URLs are penalized (or were at one point) but, more importantly, submissions to HN are community property, and the person who happens to submit a link first is not entitled to a special commentary at the top of the thread.
This is dumb but not that dumb.

The method is (mostly) fine given most people's threat model. It solves password reuse and the generated passwords are resistant to dumb brute force. You lose a lot of entropy if people know the method or even know that characters are more likely to be pulled from the domain name, but given a good enough seed (the article has seven characters) you are still generally fine.

If you are a high-value target it is obviously awful, since you are worth the time for a human to reverse the pattern and break your other passwords.

The real reason this is dumb is because it doesn't allow you to change your password, not because your passwords have lower entropy.
Not to give too much away, but I think most of us use similar password methods, on top of whatever password provider/manager you're using. e.g. LastPass autogenerates, saves, syncs and fills: https://helpdesk.lastpass.com/generating-a-password/
Like a fair few other people, particularly on HN, my process is:

1. Pick an extremely good, very long master password.

2. Make my password manager generate maximum-allowed-length random line noise for every site I have an account on.

3. Never know or care what these passwords are.

4. For edge cases like workstation logins and "forgotten password hints", use diceware to generate easily typed nonsense phrases.
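Steps 2 and 4 of the process above, as an added example that is not from the post or from any password manager's own code: it generates a maximum-length random password and a diceware-style phrase with Python's `secrets` module and reports how many bits of entropy each carries. The four-entry word list is constructed for the demo; a real Diceware list has 7776 words.

```python
import math
import secrets
import string

# Symbols a manager-style generator draws from (example code, not LastPass's).
FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94

# Constructed stand-in for a Diceware list. The real list has 6**5 = 7776
# entries keyed by five d6 rolls, so each word carries log2(7776) = 12.9 bits.
TOY_WORDLIST = ["abacus", "abdomen", "abide", "abode"]
DICEWARE_LIST_SIZE = 6 ** 5


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string drawn uniformly: length * log2(alphabet_size)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two symbols and a positive length")
    return length * math.log2(alphabet_size)


def random_site_password(max_length: int, charset: str = FULL_CHARSET) -> str:
    """Step 2: fill the site's maximum allowed length with CSPRNG output.

    secrets.choice is uniform over the charset, so every position carries the
    full log2(len(charset)) bits and there is no per-site pattern to reverse.
    """
    entropy_bits(len(charset), max_length)  # validates the arguments
    return "".join(secrets.choice(charset) for _ in range(max_length))


def diceware_phrase(words: int, wordlist: list = TOY_WORDLIST) -> str:
    """Step 4: pick words uniformly; with the real list this equals five d6 rolls per word."""
    entropy_bits(len(wordlist), words)
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def compare(site_max_length: int = 32, phrase_words: int = 6) -> dict:
    """Bits of entropy for the two kinds of secret the process produces."""
    return {
        "site_password": entropy_bits(len(FULL_CHARSET), site_max_length),
        "diceware_phrase": entropy_bits(DICEWARE_LIST_SIZE, phrase_words),
    }


if __name__ == "__main__":
    print(random_site_password(32))
    print(diceware_phrase(6))
    print(compare())
```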
I used to have a similar scheme for passwords. It only works well as long as one uses the same pattern for all passwords though.

This starts to break once you want to or need to change a password. I had to abandon the scheme once haveibeenpwned.com notified me of a breach including one of my passwords. I could either remember a new pattern for that one site or change the passwords of all my sites.

I chose to do the latter and used random passwords created by a password manager. That way I avoided running into the same problem again.
Password management remains a big problem for people, who tend to blame themselves for the trouble they find in remembering passwords.

Giving them tools, however unwieldy, doesn't seem terrible to me?

bSSCmp9; scores 38 bits of entropy, and if someone decides that SSC ought to be their personal password pin, I think it's better than repeating the same password over and over again.

To me, password managers are the best option, but I struggle to convert my less savvy friends.
Just use an incredibly strong password you couldn't possibly ever forget and use it for email. Then use password reset with a randomly generated string every time you have to login somewhere.

Because really, email is effectively the only password which matters.
I mean it's bad but it's not that bad really. Obviously if everyone used the same sequence it would be very terrible.

It's marginally better than pure password reuse.

But compared to Troubador (https://xkcd.com/936/) it's not really worse.

It slightly mitigates the 'humans are bad password generators' trap.

Really it mainly falls down because passwords are terrible and the best industry standard solution is a shit version of OAuth where the OAuth mechanism is 'copy and paste from <InsertPasswordProvider>'.