Write Down Your Password

I use an algorithm to have different high security passwords for different websites and still be able to remember them following rules I adopt for every website. I mix my username, the website url, a known token and some punctuation.<p>Example: let's say that I need a password for hacker news.<p>- Let's say that I like dolphins, so my chosen token will be Dol<p>- I decide to take the second letter from each word in my username: exa (D <i>e</i> usE <i>x</i> M <i>a</i> china)<p>- I decide to take the third letter from each word in the domain name: wom<p>- I then choose some punctuation to mix in the password: #&#38;%<p>Now I'm ready to assemble my password: Dol#exa&#38;wom%<p>If I have an account on www.yahoo.com with ginger.roger as username, the password would be Dol#io&#38;whm%<p>It's long enough (but I can making it longer, if I want), uses capital letters and special characters (you can also throw in some numbers, this was just an example) and if someone looks into a database the password is not distinguishable from a random one.

I still enjoy the method I picked up from patio11: a sentence with a few numbers thrown in and maybe a mispelling that only I'll remember. This works exceedingly well as I also speak Japanese and throw in wrongly transliterated japanese words into the mix. I can have 2-3 passwords (throwaways and "OMG never use this outside of the most secure sites") and remember them all easily.<p>Ex: howdoyoudoandwhatdidyoudohavetodayfordinner?345

My solution: random passwords for everything, in a file in my ~/. Each line contains:<p><pre><code> &#60;site&#62; &#60;username&#62; &#60;password&#62; </code></pre> And ~/bin/psw:<p><pre><code> #!/bin/sh cat $HOME/passwords.gpg | gpg --decrypt | grep $1 </code></pre> Simple, done.

I break it down like this:<p>Short, low security (simple passwords, e.g. a mashup of 2 words or an uncommon word with a typo/1337 edit): Memory<p>Very very long, or very very infrequently used: Paper slips. Stored somewhere less obvious than a wallet.<p>Lastly, my favorite: Long/High security: My hands. No joke. The muscle memory in my hands currently knows about 5 complex passwords that my brain has partially forgotten. The only way I can give someone the password is to pretend I'm typing on a keyboard and tell him what I'm typing.

Here's a twist - write them all down, but have a common prefix, suffix or replacement that you use. So every password on the paper is followed by "pi43?".

My last password (now changed everywhere it was used) was "I once had a giraffe named Benjee. He was a mightily large fellow!"<p>Happily, nothing ever said "maximum length exceeded" when I registered that. I think, like our move away from IE6, the short password days are mostly over.

Thankfully systems like 1Password have made this process automatic and still secure, across multiple devices. You can even put all your passwords on your iPhone :-)<p>That said, for things like PIN numbers for credit cards, etc, you can come up with some reasonably secure but still not easily guessed systems, such as using the last digit of each quad of digits on the card or two pre-decided groups of two. Different PINs everywhere, hard for anyone else to guess, and not hard for you to figure out :-)

I do this, but I leave it on a sticky note behind a piece of furniture, or in a file folder related to the account. But I don't put the actual password on; rather, my passwords consist of a "leetspeak" word, and the sticky note has a fairly simple hint one to two degrees out-- but if you even guessed the answer, you would still have to figure out the numbers in combination.<p>For example, if I used 5p0ng3b0b, I would write "who lives in a pineapple under the sea?" or "Patrick"

Not to plug my own blog entry, but I think I came up with a pretty good way to have secure, jibberish passwords that you can still remember ...<p><a href="http://blog.wkdown.com/2010/04/easy-to-remember-secure-passwords/" rel="nofollow">http://blog.wkdown.com/2010/04/easy-to-remember-secure-passw...</a><p>... or maybe I'm missing how this would be easy to break? Dictionary wouldn't work, brute force would take too long, and idk enough about rainbow tables to know their time frame.

Writing on a piece of paper is exactly what I do. With one difference, that I find having them in the wallet a really stupid advice. The ones I use the most, I remember, and just in case I have them securely written at home along with lots of other ones, in a place only I know. Why would I carry them around where there's a chance someone can look at them (even when obfuscated) and I won't even know that they have been copied?

Or you could print out a password chart:<p><a href="http://www.passwordchart.com/" rel="nofollow">http://www.passwordchart.com/</a>

I strongly disagree with the idea of keeping passwords in your wallet. Do I really need my PayPal password in my wallet? No. If I'm doing something that requires a password I'm probably at home or the office and I should have a relatively safe place to keep passwords at either location.

That's what I've been doing for years. If it's good enough for my credit cards, then it definitely will be good enough for my passwords, won't it?

Bit by bit, people will memorize long passwords, too, after repeated exposure and handling, and at that point they will stop using the piece of paper with their long, hard-to-guess password scribbled down on, and it will have turned into one more memorized password.<p>The one single <i>long</i> password I have is 28 characters long; a random password I tapped on the keyboard and then wrote down on a piece of paper, used to administrate my ADSL modem's NAT/wifi/etc. which sadly can't be configured to allow only local login, hence the need for an "unguessable" password - however, not only have I <i>inadvertently</i>, from typing in the password many times, memorized the full password by the character, but I've also inadvertently memorized it <i>motorically</i>, and can without thinking repeat it on the keyboard in a second.<p>I agree fully on Schneier's advice, though, as the longer and the more random the password, the lower the chance for a dictionary or brute force success, but I'd store the piece of paper somewhere else than in my wallet :)

I take my passwords straight out of the obscure underground hiphop lyrics I listen to everyday.