Schneier on Security : Password Advice - billswift
http://www.schneier.com/blog/archives/2009/08/password_advice.html#comments

======
ZachPruckowski
This advice is the "how to make the safest password possible" advice. In
general, Schneier focuses not just on "maximum security", but also the
security/utility trade-off.

Individual passwords for every site are probably overkill for many sites. For
sites where no money is involved, you may as well share a password. If someone
who knows my Facebook password can access my Slashdot account or my
Ars Technica account, that's not world-ending. Similarly, if someone has my
Bank of America password, I'm just as screwed as if they knew my Amazon
password or my PayPal password, so if they were the same, it wouldn't matter
much (they're not in my case).

I think the easiest way to generate a secure and memorable password is through
transformations. For instance, if we reverse my name (Zachary), use symbols
for the As and a 4 for the H, we get Yr@4c@z (no, this is not my password
anywhere). Similarly, if you go one letter at a time from parents' names, you
get something like JEolhinzaanbatehatnh (which could similarly take a
letter->number or letter->symbol transformation)*. You get a secure password,
and all you need to remember is the transformation algorithm.

* My parents' names are not Johnathan and Elizabeth, this is an example
only.

------
billswift
Primarily a link to another site; the interesting thing is that Bruce says he
regularly violates 7 of the ten password rules he lists.

~~~
ZachPruckowski
I think that Bruce has in the past said he sticks his passwords in his wallet
on a piece of paper. Which works, I guess, since if you lose your wallet
you're fairly hosed anyhow.

~~~
sriramk
I think Bruce's point is that getting people to remember long, frequently
changing pieces of weird text is hard. The risk of everyone picking
'password123' is much higher than everyone writing their passwords on a
wallet. It is highly improbable that someone stealing your wallet knows what
that piece of text on a paper is for.

------
decode
She recommends using a password manager, presumably one that stores your
passwords in it. I've recently started using PasswordMaker, which I like
better, because your passwords are never stored anywhere. Instead, I have it
generate a SHA-256 hash of a combination of a master password and the site's
domain name. The Firefox plugin makes it easy to use, and works on any OS you
can run Firefox on.

<http://passwordmaker.org/>

A bonus of this scheme is that you can use their JavaScript generator page if
you're not at one of your computers.

<http://passwordmaker.org/passwordmaker.html>
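The derivation decode describes, as an added example written for this thread and not PasswordMaker's own code or exact algorithm: a master password and the site's hostname hashed with SHA-256 and encoded into a password, next to a slower PBKDF2 variant that raises the cost of guessing the master password should one site password ever leak. The alphabet, the separator byte and the iteration count are my own choices, not the tool's.

```python
import hashlib
from urllib.parse import urlparse

# Output character set for generated site passwords (constructed for this example).
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%&*"


def site_key(url_or_host: str) -> str:
    """Normalise what the user pastes so the same site always derives the same
    password: keep only the lowercased hostname of a URL, or the bare host."""
    host = urlparse(url_or_host).hostname
    return (host or url_or_host).strip().lower()


def _encode(digest: bytes, length: int, alphabet: str = ALPHABET) -> str:
    """Turn a digest into `length` characters of `alphabet` by repeated division
    of the digest read as one big integer (negligible modulo bias, no wasted bytes)."""
    if len(alphabet) ** length > 256 ** len(digest):
        raise ValueError("digest too short for the requested password length")
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))
        chars.append(alphabet[idx])
    return "".join(chars)


def derive_sha256(master: str, site: str, length: int = 16) -> str:
    """The scheme as the comment describes it: SHA-256 over master password and
    site key. It is fast, so if one generated password leaks, candidate master
    passwords can be tested offline at raw hash speed."""
    digest = hashlib.sha256(f"{master}\x00{site_key(site)}".encode()).digest()
    return _encode(digest, length)


def derive_pbkdf2(master: str, site: str, length: int = 16,
                  iterations: int = 600_000) -> str:
    """Hardened variant: PBKDF2-HMAC-SHA256 with the site key as salt, so each
    offline guess at the master password costs `iterations` hash computations."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), site_key(site).encode(),
                              iterations, dklen=64)
    return _encode(key, length)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    for site in ("https://www.example.com/login", "news.ycombinator.com"):
        print(site_key(site), derive_sha256(master, site), derive_pbkdf2(master, site))
```

Note that either variant is only as strong as the master password, and changing a single site's password requires an extra per-site input the scheme above does not have.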

~~~
mattyb
So you know, Bruce Schneier is male.

~~~
ZachPruckowski
The author of the original content Schneier quoted is female. I assumed that's
what he was going for.

------
maximilian
One recommendation I thought was good is to use phrases as passwords. Like a
quote from a book you like, or whatever.

No dictionary attacks are going to have the phrase you like. Also, phrases are
easy to remember and easy to type usually. For simple sites like this,
mypasswordatycombinator would probably work.