

Fix Your Terrible, Insecure Passwords in Five Minutes - edw519
http://www.slate.com/id/2223478/pagenum/all/#p2

======
m0nty
Another Schneier recommendation is to write your passwords down, just keep the
piece of paper away from people who might misuse it:

[http://www.schneier.com/blog/archives/2005/06/write_down_you...](http://www.schneier.com/blog/archives/2005/06/write_down_your.html)

I have about 30 unique passwords which I keep in an encrypted file, and a
password for "everything else". I have about six passwords I can remember off
the top of my head and two of these concatenated are used to unlock the
encrypted file. I would seriously recommend doing something like this: you'll
feel much happier, I promise.

~~~
weaksauce
Have you tried KeePassX or passwordsafe? passwordsafe was actually created by
Schneier with twofish encryption.

see: <http://www.schneier.com/passsafe.html> or if you are on OS X or windows:
<http://www.keepassx.org/>

Use it with dropbox and it is available anywhere you are.

~~~
dustmop
Also, Password Gorilla, which is java and runs everywhere and is compatible
with passwordsafe's databases. I do what Joel recommended, keeping the db in
Dropbox so that newly added passwords are replicated and up to date.

------
rabidgnat
> Step 2: Turn your phrase into an acronym. Be sure to use some numbers and
> symbols and capital letters, too

Adding symbols to passwords is a huge inconvenience. Why? Because some of the
sites that I use fairly regularly don't allow the characters. I end up having
a first-class password and a second-class password for websites that are
overly draconian. The last time I used Digg (2 years ago or so) it had this
restriction, and that's the only site I feel comfortable about sharing ;).
Some well-known companies who should know better have the same restriction.

It doesn't seem awful on the surface, but I also switch my password
semi-regularly. If I go back to a website 2 years later, I not only have to guess
all of my primary passwords, but I have to guess my secondary passwords as
well in hopes that it was one of the ones with a bad password restriction.

------
enomar
This is a good way to come up with memorable, secure passwords, but it still
requires either remembering a bunch of different passwords or being insecure
and using the same password for multiple sites.

~~~
roundsquare
That's especially true given that you want to add in symbols, numbers and
capital letters. You are going to end up needing to write it down anyway.

------
die_sekte
Actually just using that sentence is good enough. And simpler.

~~~
Semiapies
Many systems have (dumb) arbitrary limits on password size and content.

------
Semiapies
I used to use this scheme exclusively. It's pretty good, particularly when you
use semi-obscure song lyrics.

~~~
frossie
_"I used to use this scheme exclusively"_

So what do you do now?

~~~
Semiapies
I'm more into passphrases, now - randomly pull, say, 3 words from a
vocabulary. With even a modest word list a couple thousand strong, you have
billions of combinations, even assuming the attacker has access to the list.
Such passphrases are also easier to tell other people over the phone.

I've been pondering building an 8th grade reading level word list, cleaned of
homophones, commonly-misspelled words, etc. for more general use. That would
be tedious, though...
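The combinatorics behind the "3 words from a couple thousand" claim above, as an added example that is not part of the thread: it sizes the search space of a random-word passphrase under the comment's own assumption that the attacker has the word list, compares it with a short character password, and draws the words with the OS CSPRNG. The word list and the guess rate are constructed placeholders, not real figures.

```python
"""Estimate passphrase strength under the attacker-knows-the-list assumption.

Added example, not code from the thread. TOY_WORDS and the guess rate used in
the demo are constructed placeholders.
"""
import math
import secrets

# Constructed toy word list; a real list would be a couple thousand words long.
TOY_WORDS = ["apple", "river", "candle", "orbit", "meadow", "silver", "puzzle", "harbor"]


def passphrase_combinations(list_size: int, word_count: int) -> int:
    """Distinct passphrases when each word is drawn uniformly, with replacement,
    from a list of `list_size` words. Only the word choice is secret; the list
    itself is assumed to be known to the attacker."""
    return list_size ** word_count


def character_password_combinations(alphabet_size: int, length: int) -> int:
    """Distinct passwords of `length` characters over an alphabet of
    `alphabet_size` symbols, for comparison with the passphrase scheme."""
    return alphabet_size ** length


def entropy_bits(list_size: int, word_count: int) -> float:
    """Entropy in bits of a uniformly chosen word passphrase."""
    return word_count * math.log2(list_size)


def expected_time_seconds(combinations: int, guesses_per_second: float) -> float:
    """Expected brute-force time at a given guess rate: on average half the
    space is searched before the right value is hit."""
    return combinations / 2 / guesses_per_second


def generate_passphrase(words, word_count: int = 3, separator: str = " ") -> str:
    """Pick words with `secrets` (CSPRNG); `random` is not suitable for secrets."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    # The comment's case: three words from a ~2,000-word list.
    combos = passphrase_combinations(2000, 3)
    print(f"3 words / 2000-word list: {combos:,} combinations, "
          f"{entropy_bits(2000, 3):.1f} bits")

    # Comparison: an 8-character password over letters, digits and ~10 symbols.
    char_combos = character_password_combinations(72, 8)
    print(f"8 chars / 72-symbol alphabet: {char_combos:,} combinations, "
          f"{8 * math.log2(72):.1f} bits")

    # Assumed guess rate (placeholder) to show why online vs. offline matters.
    rate = 1e9
    print(f"Expected time at {rate:.0e} guesses/s: "
          f"{expected_time_seconds(combos, rate):.1f} s for the 3-word passphrase")

    print("Sample passphrase from the toy list:", generate_passphrase(TOY_WORDS, 3))
```

The numbers bear out the comment: 2000^3 is eight billion combinations, about 33 bits. The caveat a practitioner would add is that 33 bits is comfortable against an online, rate-limited login but small against an offline attack on a leaked fast hash, which is why the word count (four or five words) matters more than the list size; each extra word from a 2000-word list adds roughly 11 bits.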

