I've been doing this:

echo -n "A long sentence I can recall. site_name" | sha1sum

I use the sha1sum from that as my password.

site_name may be hackernews, slashdot, home, etc. I can break them in half (20 chars) or quarters (10 chars) if the site can't accept a 40 char password. Also I can add a period on the end if the site requires special chars. These are strong passwords and unique for each site. Works great on Windows, Linux and Macs. All I need to do is recall my sentence (with proper punctuation).



Not to be snarky, but isn't your master password now sitting there, plaintext, in your command-line history? (Worse: when you accidentally do this in a terminal that's remoted somewhere.)


See my reply below. I seldom do it in a terminal and when I do only on my home machines. The command above is for explanation. If I showed you my app without that explanation, it wouldn't be the same.


Your approach is great, I think I'll use it too.

My current method for secure passwords on sites that have a max around 8 or 12 or so is to think of some song lyrics I know, pick n words, camel-case them, l33+-translate a couple letters, and add shift+numeral special characters to either side.


Thanks. You can cut and paste the passwords. Write an app like I did or if you trust others, download one. I like it because it's portable (no secret encryption crap) and easy to recall. Also, if one site is compromised, like Gawker, and they happen to crack the password, they won't be able to use it anywhere else and won't know what your secret sentence(s) are.

Edit: One other neat thing about this approach is that you can honestly say that you don't know what the password is (if you are ever asked). You know how to create it, but you have no idea what it is. That may matter in some situations.


Your last point about claiming to not know the password is interesting... If I had a mustache I'd be stroking it by now. ;)

I ended up writing a simple shell script using sha256sum and dicing it several ways, a GUI app seemed a bit clunky for me.

    # read without echo, so the sentence never appears on screen or in history
    read -s p
    # quote "$p" so spaces in the sentence survive; sha256sum prints "<hex>  -",
    # and cut keeps only the hex digest (the original sed pair left a trailing space)
    hash=$(echo -n "$p" | sha256sum | cut -d' ' -f1)
    # print prefixes of the digest for the common site length limits
    echo "64: $hash"
    echo "40: ${hash:0:40}"
    echo "20: ${hash:0:20}"
    echo "16: ${hash:0:16}"
    echo "12: ${hash:0:12}"
    echo "10: ${hash:0:10}"
    echo "08: ${hash:0:8}"


While my method isn't as secure as yours most likely is, I prefer a simpler algorithm based upon the site name. I can perform my algorithm in my head and enter a password quickly and without having to refer to a terminal or another program.

Btw, do you ever worry that your command history might be accessed to discover your passwords?


I use an app I wrote to do the sha1 so the sentence is not hanging around in bash history, but I do rely on the cmd prompt at times on computers at my house. Here's a screenshot of the app: http://i.imgur.com/tz255.png

No one but me uses it. So it's bare bones.


You mentioned adding a period for special characters but what do you do for passwords that require capitalization?


I suppose you could get that with base64 encoding rather than a hex digest. Something like:

    echo -n 'Secret sentence Sitename' | openssl sha1 -binary | openssl base64


Good idea. Lots more space too when compared to hex encoding. I added it to my app: http://imgur.com/EcqZ1


This reduces the search space massively though, as we now know you only use 0-f as characters, which probably brings it closer to being brute-forceable for the sites that don't accept 40 chars! And don't have rate limits.


16^20 = 1,208,925,819,614,629,174,706,176

The very best GPU crackers do about 1 billion guesses a second. Good luck.
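The scheme from the top of the thread (hash "sentence + site name", truncate to the site's limit, add a period for a special character), the base64 variant suggested above for sites that want capitals, and the 16^20 search-space figure, worked together in Python. This is an added example, not any commenter's code; the function names and the single space between sentence and site name are my assumptions.

```python
import base64
import hashlib
from getpass import getpass


def derive(material: str, length: int, algo: str = "sha1", encoding: str = "hex") -> str:
    """Hash `material` and return the first `length` characters of the digest.

    encoding="hex" matches sha1sum / openssl dgst output (alphabet 0-9a-f only);
    encoding="base64" matches `openssl sha1 -binary | openssl base64`, which adds
    upper-case letters, '+' and '/'. The '=' padding is dropped: it carries no
    information and some sites reject it.
    """
    digest = hashlib.new(algo, material.encode("utf-8")).digest()
    if encoding == "hex":
        text = digest.hex()
    elif encoding == "base64":
        text = base64.b64encode(digest).decode("ascii").rstrip("=")
    else:
        raise ValueError(f"unknown encoding {encoding!r}")
    return text[:length]


def site_password(sentence: str, site: str, length: int = 40, special: bool = False, **kw) -> str:
    """The thread's scheme: hash "<sentence> <site>" (single-space separator is an
    assumption), truncate to the site's limit, append '.' if a special char is required."""
    pw = derive(f"{sentence} {site}", length, **kw)
    return pw + "." if special else pw


def hex_keyspace(length: int) -> int:
    """Distinct values a `length`-character hex prefix can take: 16**length."""
    return 16 ** length


def years_to_exhaust(length: int, guesses_per_second: float = 1e9) -> float:
    """Years needed to try every hex prefix of `length` characters at the given rate."""
    return hex_keyspace(length) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # prompt without echo, like `read -s`, so the sentence stays out of shell history
    sentence = getpass("Master sentence: ")
    site = input("Site name: ")
    for n in (40, 20, 10):
        print(f"{n:>2} hex:    {site_password(sentence, site, n)}")
    print(f"   base64: {site_password(sentence, site, 28, encoding='base64')}")
    print(f"20-char hex keyspace: 16^20 = {hex_keyspace(20):,}, "
          f"~{years_to_exhaust(20):.2e} years at 1e9 guesses/s")
```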


There are also a number of apps for both Android and iPhone that will give you sha/md5 sums. The downside is you have to carry your phone and have enough batteries.


echo -n "A long sentence I can recall. site_name" | openssl dgst -sha1

For those with openssl.
