Strong, Unique and Memorable Passwords: a Creative Approach

25 points by victor_haydin about 11 years ago

17 comments

coloncapitald about 11 years ago
I didn't find this method very convenient.

What I have been doing for years is remember one single password which would meet the password requirements of most websites.

For e.g. &<asterisk>I87yuU

This is 8 characters long, has upper-case and lower-case letters, numbers and symbols (Also if you try typing on the keyboard, it is actually a pattern).

I can remember one such password. Now, I have a formula for any website or app which requires me to create credentials. This formula will help me add website specific information to the password.

Say the website is news.ycombinator.com, I will use second and third letters of ycombinator which is 'co' and increment both by 1 to make them 'dp' and add this somewhere in the password, which makes it

&<asterisk>dpI87yuU

Now, obviously unless someone knows my encryption technique, even if they get to know password of one of my accounts, they can never know the others.

P.S. I feel I have gone too far to explain this. Please don't hack my Paypal.

danbruc about 11 years ago
No_one_knocks_off_old_Ton6 is probably *not* a strong password. See for example this article [1] to get an idea of what can be broken - "qeadzcwrsfxv1331", "allineedislove" and "momof3g8kids" are among them.

[1] https://www.schneier.com/blog/archives/2013/06/a_really_good_a.html

reedlaw about 11 years ago
The problem with this method is that the example phrase, "No one knocks off old Tony", yields 3,580,000 Google results. All attackers would have to do is apply a few simplistic substitutions on common phrases. Any phrase easily found online or in print doesn't make a good passphrase.

chrisBob about 11 years ago
Part of the problem is that *everything* wants a strong password, but probably doesn't need it. Your bank, paypal, amazon... passwords should be strong ones, and *probably* unique. The passwords for random message boards you don't have a stake in might as well be password123 unless the account somehow links to something sensitive. For me, part of securing important logins was sorting out the useless ones. That means your HN password probably shouldn't be N0_one_knocks_of_old_Tony*HN* either. It's just not worth it.

Pxtl about 11 years ago
Honestly, I just want to be rid of all these accounts. Either use an oAuth provider or give me some kind of fast e-mail based auth (like a "reset my password" thing without actually going through the process of resetting the password - just log me in when I click the link in my e-mail).

acron0 about 11 years ago
I use a combination of a master password (12 chars, only known to me, not written down) and a seed to generate gibberish passwords for websites. In most cases, the seed is the service or website it's for ("netflix", "reddit.com"). So, in the case of "netflix" my app gave me "qnQTs0-QO-9osX-me4)M". The benefit being that the passwords aren't stored anywhere, and I can retrieve them by simply visiting my web app.

(I didn't just leak my Netflix password, btw ;)

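acron0's comment above describes deriving each site's password from a master password and a per-site seed. One way such a derivation can be built, as an added example that is not acron0's app or code from this thread; the iteration count, symbol set, `counter` parameter and all function names are assumptions made here, and `length` and `symbols` exist for sites that restrict password length or characters.

```python
import hashlib
import string

ITERATIONS = 200_000        # assumed PBKDF2 work factor, not from the thread
DEFAULT_SYMBOLS = "-_!()*"  # assumed symbol set; pass "" for sites that reject symbols


def _picker(key: bytes):
    """Return pick(n): a uniform index in range(n), drawn from a SHAKE-256 stream."""
    stream = iter(hashlib.shake_256(key).digest(4096))

    def pick(n: int) -> int:
        limit = 256 - (256 % n)  # rejection sampling avoids modulo bias
        for byte in stream:
            if byte < limit:
                return byte % n
        raise RuntimeError("key stream exhausted")

    return pick


def derive_password(master: str, seed: str, length: int = 20,
                    symbols: str = DEFAULT_SYMBOLS, counter: int = 1) -> str:
    """Derive a site password from a master password and a per-site seed.

    Nothing is stored; the same inputs always give the same password.
    Raise `counter` to rotate one site's password after a breach.
    """
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if symbols:
        classes.append(symbols)
    if not len(classes) <= length <= 64:
        raise ValueError("length must be between the class count and 64")
    # The seed acts as the salt, so the master password is the only secret.
    # The slow KDF raises the cost of guessing it from one leaked site password.
    salt = f"{seed.strip().lower()}:{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS)
    pick = _picker(key)
    alphabet = "".join(classes)
    chars = [cls[pick(len(cls))] for cls in classes]  # one char per required class
    chars += [alphabet[pick(len(alphabet))] for _ in range(length - len(classes))]
    for i in range(length - 1, 0, -1):  # Fisher-Yates shuffle hides class positions
        j = pick(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    # Constructed inputs for illustration only.
    print(derive_password("constructed master phrase", "netflix"))
```
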
ss64 about 11 years ago
A memorable password is almost certainly not going to be unique, lines from a book or a movie are very likely to be in cracking dictionaries. Simple transformations adding underscores or numbers at the end are well known techniques.

There are no shortcuts to creating genuinely high entropy passwords http://ss64.com/docs/security.html

yaddayadda about 11 years ago
I have three base passwords that were randomly generated, one has lots of funky symbols, capitalization variety, numbers, etc. the other two are more simple. I've used these so long that I couldn't write them down, it's all muscle memory at this point. For example: "h*0A$23d!W", "Eg4mRk4", "PdurMca"

Based on the site and their password requirements I pick one of the three base passwords. I then algorithmically modify the password based on the site's url. For example, the first and last letter of the main portion of the url. Thus, using the medium password for hackernews and gmail I end up with "yEg4mRk4r" and "gEg4mRk4l", respectively.

dwaltrip about 11 years ago
My current strategy is described below. I have been using it for about a year. It provides strong, unique, secure passwords with no memorization:

I use passwordchart.com (I am planning to create my own improved version at some point). It requires a generator phrase to create a "password chart", which is simply a mapping from each alphanumeric character to a different 1-3 character alphanumeric string. You then type in an easy to remember password, and it maps that to a far more secure password using the generated chart. I use the same chart (with a backup printed in my wallet), and apply the same methodology for every service I use to create my easy-to-remember password. I read the "how it works" page and it seems pretty secure to me. For all my password needs I only have to remember two things: the generator phrase and the method for making the easy to remember password. There is also little counter party risk (passwordchart.com doesn't know where the passwords are used, it would be hard to change the chart without me noticing, and I have a backup). I love not having to think hard when signing up for something new. In 5 seconds, I have an easy to fetch, secure, unique password for any service. The only real concern is over the shoulder snooping, but I just ask people not to look.

crashandburn4 about 11 years ago
I remember reading some articles on hacker news that seemed to imply that this wasn't the best approach[1]. Possibly the modifications (not sure about the adding of capitals but maybe the number) might make this a solution that is more stable but I guarantee that as soon as some cracker (e.g. Yiannis Chrysanthou) reads this article they're gonna modify the methods given to take account of most of the simple versions of this technique (as in the ones published here).

[1] http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/

keehun about 11 years ago
I would love to read this article but look: https://www.dropbox.com/s/82c9bxlrmsmj3bt/Photo%20Apr%2011%2C%2010%2024%2015.png

Are you serious?

wodzu about 11 years ago
I thought I will share my idea of unique, memorable passwords. I have a custom in-head hash function that I use to create a unique password for every single website where I have an account.

It works as follows, let's assume this is the domain we try to generate the password for:

www.example.com

The hash process:

1 - take first letter, move 2 in alphabet, capitalize - 2 places after e in alphabet is g ("abcdefg"), capitalize - G

2 - calculate number of words in domain, x2 = 7x2=14

3 - use standard salt - eg. tlpWENT2m

4 - take last letter - e

That leads to a password: G14tlpWENT2me

Which is both easy to remember and allows you to have a unique hashed password for every website around.

Have fun with discovering your own hashing method.

AliAdams about 11 years ago
The worst situation is where the site *prevents* submission of a password containing certain characters or limits password length, ruining any carefully chosen or algorithmically generated passwords.

norswap about 11 years ago
The main issue I have is passwords that I don't use often at all. I usually can't remember them, or if I can, I cannot associate between password and website.

onoj about 11 years ago
Two cents worth: Write a poem. spend some time. make it relevant, make it rhyme. Do not put it anywhere digital.

use stanzas of it !without spaces! as a password.

username42 about 11 years ago
I have a paper sheet full of complicated passwords on the wall near my computer. The access to my flat is protected by a very good physical key.

dlsym about 11 years ago
correct_horse_battery_staple

Relevant XKCD: https://xkcd.com/936/