
Strong, Unique and Memorable Passwords: a Creative Approach - victor_haydin
http://elekslabs.com/2014/04/strong-unique-and-memorable-passwords-a-creative-approach.html
======
coloncapitald
I didn't find this method very convenient.

What I have been doing for years is remember one single password which would
meet the password requirements of most websites.

For e.g. &*I87yuU

This is 8 characters long, has upper-case and lower-case letters, numbers and
symbols (Also if you try typing on the keyboard, it is actually a pattern).

I can remember one such password. Now, I have a formula for any website or app
that requires me to create credentials. This formula will help me add
website-specific information to the password.

Say the website is news.ycombinator.com. I will use the second and third letters
of ycombinator, which are 'co', increment both by 1 to make them 'dp', and add
this somewhere in the password, which makes it

&*dpI87yuU

Now, obviously, unless someone knows my encryption technique, even if they get
to know the password of one of my accounts, they can never know the others.

P.S. I feel I have gone too far to explain this. Please don't hack my Paypal.

~~~
chrisBob
I have used something like that before too, but it worries me. If I found that
password here I would immediately notice that the last two characters stand
out, and see the pattern.

------
danbruc
No_one_knocks_off_old_Ton6 is probably _not_ a strong password. See for
example this article [1] to get an idea of what can be broken -
"qeadzcwrsfxv1331", "allineedislove" and "momof3g8kids" are among them.

[1]
[https://www.schneier.com/blog/archives/2013/06/a_really_good...](https://www.schneier.com/blog/archives/2013/06/a_really_good_a.html)

------
reedlaw
The problem with this method is that the example phrase, "No one knocks off
old Tony", yields 3,580,000 Google results. All attackers would have to do is
apply a few simplistic substitutions on common phrases. Any phrase easily
found online or in print doesn't make a good passphrase.

~~~
pelario
That is not very precise. Given a certain length (6 words in the example), how
many "common phrases" (above the threshold in your example) exist? How many
"simplistic substitutions" exist?

I would say that the search space is not as small as you are suggesting, even
though I agree that the transformation of the example is quite simple,
allowing a dictionary attack.

There is a famous example of a technique that takes only the first letter from
each word of the phrase. edit: "Schneier scheme"
[https://www.schneier.com/essay-246.html](https://www.schneier.com/essay-246.html)

"My advice is to take a sentence and turn it into a password. Something like
"This little piggy went to market" might become "tlpWENT2m". That nine-character
password won't be in anyone's dictionary. Of course, don't use this one,
because I've written about it. Choose your own sentence -- something
personal."

~~~
danbruc
_There is a famous example of a technique that takes only the first letter
from each word of the phrase._

That is the problem - people trying to break passwords use the exact same
techniques. Compiling a list of ten million famous phrases is not hard.
Generating a hundred commonly used variants of them is also easy. And checking
one billion hashed passwords - MD5, SHA1 or SHA256 for example - takes less
than one second on a current GPU.

------
chrisBob
Part of the problem is that _everything_ wants a strong password, but probably
doesn't need it. Your bank, PayPal, Amazon... passwords should be strong ones,
and _probably_ unique. The passwords for random message boards you don't have
a stake in might as well be password123 unless the account somehow links to
something sensitive. For me, part of securing important logins was sorting out
the useless ones. That means your HN password probably shouldn't be
N0_one_knocks_of_old_Tony _HN_ either. It's just not worth it.

~~~
icebraining
Why? If you use a password manager, the cost is minimal.

~~~
chrisBob
A password manager is the exception. I used to discount the idea of a password
manager, but now carrying a smartphone all of the time, and a tablet most of
the time a password manager makes more sense. The comment is more targeted at
people who are conscious of the issue of password reuse, but continue to use
the same password, or slight variations on different services. Similarly I
don't think now is a good time to update passwords from password1! to
passworkd3$.

------
Pxtl
Honestly, I just want to be rid of all these accounts. Either use an OAuth
provider or give me some kind of fast e-mail based auth (like a "reset my
password" thing without actually going through the process of resetting the
password - just log me in when I click the link in my e-mail).

------
acron0
I use a combination of a master password (12 chars, only known to me, not
written down) and a seed to generate gibberish passwords for websites. In most
cases, the seed is the service or website it's for ("netflix", "reddit.com").
So, in the case of "netflix" my app gave me "qnQTs0-QO-9osX-me4)M". The
benefit being that the passwords aren't stored anywhere, and I can retrieve
them by simply visiting my web app.

(I didn't just leak my Netflix password, btw ;)

~~~
hucker
Interesting... I hope the generator function is non-reversible? I.e., if you
know the password ("qnQTs0-QO-9osX-me4)M" in this case) and your policy, could
you find the master password?

~~~
icebraining
You can use a cryptographic hash on it. It's how SuperGenPass works:
[http://supergenpass.com/](http://supergenpass.com/)

(Personally, I use a homegrown script that runs outside the browser, but it does
something similar.)

~~~
mhaymo
Am I wrong to be turned off by the fact it uses MD5? Still far more secure
than anything I could do in my head I suppose.

~~~
nicwolff
Yeah. I wrote the password-hash generator that SuperGenPass and most others
credit as their inspiration, and I moved mine
[http://angel.net/~nic/passwd.current.html](http://angel.net/~nic/passwd.current.html)
on to SHA-1 years ago.
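
The master-password-plus-site scheme discussed in this sub-thread, as an added example (not SuperGenPass's, nicwolff's or acron0's code). It puts the two variants side by side: a single fast hash over master and site, which is one-way but lets whoever learns one derived password test master-password guesses at hash speed, and the same construction over a slow KDF (PBKDF2-HMAC-SHA256) with the site as the salt, so each guess costs the attacker roughly what one login costs the user. The output alphabet, the 200,000-iteration count, the two-label site normalisation and the deterministic retry until a typical composition policy is met are all choices made for this example.

```python
import hashlib
import string

# Added illustration of the master-password + site-seed scheme described in the
# thread. Alphabet, iteration count and helper names are choices made here.
ALPHABET = string.ascii_letters + string.digits + "-_!@#$%"
SYMBOLS = "-_!@#$%"
PBKDF2_ITERATIONS = 200_000


def normalise_site(site: str) -> str:
    """Reduce a URL or host name to the part that identifies the service, so
    'www.example.com' and 'login.example.com' derive the same password.
    Simplistic: keeps the last two labels. A real generator would consult a
    public-suffix list so that names like 'example.co.uk' are handled."""
    host = site.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0]
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _encode(material: bytes, length: int) -> str:
    """Map key material to `length` ALPHABET characters by repeated divmod on
    the whole integer, which avoids the modulo bias of encoding byte by byte."""
    number = int.from_bytes(material, "big")
    out = []
    for _ in range(length):
        number, index = divmod(number, len(ALPHABET))
        out.append(ALPHABET[index])
    return "".join(out)


def meets_policy(password: str) -> bool:
    """Typical site rule: at least one lower, upper, digit and symbol."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
    return all(any(c in cls for c in password) for cls in classes)


def derive_fast(master: str, site: str, length: int = 20) -> str:
    """One fast hash over master + site (SHA-1, as in the comment above).
    One-way, but cheap: an attacker holding one derived password can try
    master-password guesses against it at the rate quoted for plain hashes.
    The counter gives a deterministic retry until the policy is satisfied."""
    for counter in range(256):
        data = f"{master}:{normalise_site(site)}:{counter}".encode()
        candidate = _encode(hashlib.sha1(data).digest(), length)
        if meets_policy(candidate):
            return candidate
    raise RuntimeError("could not satisfy the composition policy")


def derive_slow(master: str, site: str, length: int = 20) -> str:
    """Same construction over PBKDF2-HMAC-SHA256 with the normalised site as
    salt. The iteration count makes every master-password guess cost the
    attacker as much work as one legitimate derivation."""
    salt = normalise_site(site).encode()
    for counter in range(256):
        key = hashlib.pbkdf2_hmac("sha256", f"{master}:{counter}".encode(),
                                  salt, PBKDF2_ITERATIONS, dklen=32)
        candidate = _encode(key, length)
        if meets_policy(candidate):
            return candidate
    raise RuntimeError("could not satisfy the composition policy")


if __name__ == "__main__":
    master = "constructed example master phrase"  # not a real master password
    for site in ("https://www.netflix.com/login", "netflix.com", "reddit.com"):
        print(f"{site:32} -> {derive_slow(master, site)}")
```

Note that neither variant can be run backwards; the difference is only how many master-password guesses per second the holder of one derived password can check, so the master still has to be long enough that the slow path makes guessing impractical.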

------
ss64
A memorable password is almost certainly not going to be unique; lines from a
book or a movie are very likely to be in cracking dictionaries. Simple
transformations adding underscores or numbers at the end are well known
techniques.

There are no shortcuts to creating genuinely high entropy passwords
[http://ss64.com/docs/security.html](http://ss64.com/docs/security.html)

~~~
chrisyeah
Instead of well known lines one could use his own story with some figures,
combined with a fictive word.

For example: tree_eating_5surlap_on_bear (with "surlap" as the fictive word)

Somewhere you just (try to) draw a tree with a mouth, which is eating 5
question marks (representing the fictive word), standing on a bear.

However, I personally prefer mixed incoherent characters and numbers.

------
yaddayadda
I have three base passwords that were randomly generated, one has lots of
funky symbols, capitalization variety, numbers, etc. the other two are more
simple. I've used these so long that I couldn't write them down, it's all
muscle memory at this point. For example: "h*0A$23d!W", "Eg4mRk4", "PdurMca"

Based on the site and their password requirements I pick one of the three base
passwords. I then algorithmically modify the password based on the site's url.
For example, the first and last letter of the main portion of the url. Thus,
using the medium password for hackernews and gmail I end up with "yEg4mRk4r"
and "gEg4mRk4l", respectively.

~~~
mudil
Great approach: base word and a URL modifier. Memorable and different for
every site. I use the same. I even have a one page site
([http://passmix.com](http://passmix.com)) that teaches people the same
approach.

------
dwaltrip
My current strategy is described below. I have been using it for about a year.
It provides strong, unique, secure passwords with no memorization:

I use passwordchart.com (I am planning to create my own improved version at
some point). It requires a generator phrase to create a "password chart",
which is simply a mapping from each alphanumeric character to a different 1-3
character alphanumeric string. You then type in an easy to remember password,
and it maps that to a far more secure password using the generated chart. I
use the same chart (with a backup printed in my wallet), and apply the same
methodology for every service I use to create my easy-to-remember password. I
read the "how it works" page and it seems pretty secure to me. For all my
password needs I only have to remember two things: the generator phrase and
the method for making the easy to remember password. There is also little
counterparty risk (passwordchart.com doesn't know where the passwords are
used, it would be hard to change the chart without me noticing, and I have a
backup). I love not having to think hard when signing up for something new. In
5 seconds, I have an easy to fetch, secure, unique password for any service.
The only real concern is over the shoulder snooping, but I just ask people not
to look.

------
crashandburn4
I remember reading some articles on hacker news that seemed to imply that this
wasn't the best approach[1]. Possibly the modifications (not sure about the
adding of capitals but maybe the number) might make this a solution that is
more stable but I guarantee that as soon as some cracker (e.g. Yiannis
Chrysanthou) reads this article they're gonna modify the methods given to take
account of most of the simple versions of this technique (as in the ones
published here).

[1]
[http://arstechnica.com/security/2013/08/thereisnofatebutwhat...](http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/)

------
keehun
I would love to read this article but look:
[https://www.dropbox.com/s/82c9bxlrmsmj3bt/Photo%20Apr%2011%2...](https://www.dropbox.com/s/82c9bxlrmsmj3bt/Photo%20Apr%2011%2C%2010%2024%2015.png)

Are you serious?

------
wodzu
I thought I would share my idea of unique, memorable passwords. I have a custom
in-head hash function that I use to create a unique password for every single
website where I have an account.

It works as follows. Let's assume this is the domain we try to generate the
password for:

www.example.com

The hash process:

1 - take first letter, move 2 in alphabet, capitalize - 2 places after e in
alphabet is g ("abcdefg"), capitalize - G

2 - calculate number of words in domain, x2 = 7x2=14

3 - use standard salt - eg. tlpWENT2m

4 - take last letter - e

That leads to a password: G14tlpWENT2me

Which is both easy to remember and allows you to have a unique hashed password
for every website around.

Have fun with discovering your own hashing method.

~~~
AliAdams
How does this work with cross-product passwords where the login can be used
across multiple web apps?

~~~
wodzu
Usually with cross-product applications you have some central domain that
stands behind all of them. Just use that central domain. E.g. Gmail, Calendar,
etc. are all behind Google.

------
AliAdams
The worst situation is where the site _prevents_ submission of a password
containing certain characters or limits password length, ruining any carefully
chosen or algorithmically generated passwords.

------
norswap
The main issue I have is passwords that I don't use often at all. I usually
can't remember them, or if I can, I cannot make the association between
password and website.

~~~
sehrope
> The main issue I have is passwords that I don't use often at all. I usually
> can't remember them, or if I can, I cannot make the association between
> password and website.

Yet another reason I love using a password manager[1]. Besides letting you
have unique passwords for everything ( _which is a must_ ), it solves the
" _What the heck was the password for XYZ?_ " issue when you haven't logged into
XYZ in 6 months.

People really should just use a password manager. Yes, it's a pain sometimes
( _mainly using mobile_ ) but that's just something you live with. The rest of
the time though it's way better than trying to remember silly things like
" _Capitalize the second letter of each word_ " or " _Replace the last letter
with a digit that denotes the number of words in the phrase_ "[2].

Long passwords are a solved problem and the solution is not reinventing the
Caesar cipher, it's to have a single long diceware password and use a password
manager for the rest.

Oh and enable two-factor auth everywhere that allows it and vote with your
wallet to choose businesses that do. For example, if your bank doesn't support
it, find a new bank.

[1]: I suggest KeePassX:
[https://www.keepassx.org/](https://www.keepassx.org/)

[2]: The article suggests things like this to make sure your password is
unique/dictionary-proof. Forget that and just use the password manager
directly.
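
Two comments in this thread make quantitative claims: danbruc's figures above (ten million famous phrases, a hundred variants each, one billion hashes per second on a GPU) and the advice here to memorise one long diceware passphrase and let a manager hold everything else. The following is an added example, not part of either comment, that puts those numbers into a small model: the guess space of a phrase-plus-mangling scheme against that of n diceware words from the standard 7776-word list, the time each takes to exhaust at the quoted rate, and a passphrase generator that draws from the OS CSPRNG. The 16-word list embedded in it is constructed so the code runs offline; a real list has 7776 words, and the entropy figures are computed from whichever list is actually used.

```python
import math
import secrets

# Added model of the figures quoted in the thread; not code from any commenter.
GUESSES_PER_SECOND = 1e9       # danbruc: MD5/SHA1/SHA256 rate on a current GPU
DICEWARE_LIST_SIZE = 7776      # 6^5: five dice rolls index the standard list
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def phrase_scheme_space(phrases: int = 10_000_000, variants: int = 100) -> int:
    """Guesses needed to exhaust 'famous phrase + common mangling' schemes,
    using the thread's figures as defaults."""
    return phrases * variants


def diceware_space(words: int, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Guesses needed to exhaust n words drawn uniformly from a list."""
    return list_size ** words


def bits(space: int) -> float:
    """Entropy in bits of a uniformly chosen secret from a space this size."""
    return math.log2(space)


def seconds_to_search(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try the whole space; the expected time is half of this."""
    return space / rate


def years_to_search(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    return seconds_to_search(space, rate) / SECONDS_PER_YEAR


def diceware_passphrase(words: int, wordlist) -> str:
    """Pick words with secrets (OS CSPRNG), never random.random(). Entropy is
    log2(len(wordlist)) per word, so a short list like SAMPLE_WORDLIST gives
    far fewer bits than the real 7776-word list."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


# Constructed 16-word stand-in for a diceware list so the example runs offline.
SAMPLE_WORDLIST = ("anvil", "bread", "canoe", "delta", "ember", "fjord",
                   "gravel", "hinge", "ivory", "jumbo", "kiosk", "lemon",
                   "maple", "nudge", "otter", "plaid")


if __name__ == "__main__":
    print(f"phrase scheme: {seconds_to_search(phrase_scheme_space()):.0f} s to exhaust")
    for n in (4, 5, 6, 7):
        space = diceware_space(n)
        print(f"{n} diceware words: {bits(space):.1f} bits, "
              f"{years_to_search(space):,.0f} years at {GUESSES_PER_SECOND:.0e}/s")
    phrase = diceware_passphrase(6, SAMPLE_WORDLIST)
    print(f"sample from the 16-word list: {phrase!r} "
          f"({bits(len(SAMPLE_WORDLIST) ** 6):.0f} bits, too few for real use)")
```

The model assumes the verifier stores plain fast hashes, which is the case the quoted rate describes; with a proper password hash on the server the rate drops by orders of magnitude, but a memorised passphrase should not depend on every site doing that.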

~~~
reedlaw
I also like KeePassX but its major flaw is not being able to sync or merge
databases. That has led me to consider using password-store[1]. Has anyone
found a way to overcome the sync problem with KeePassX?

1\. [http://www.zx2c4.com/projects/password-store/](http://www.zx2c4.com/projects/password-store/)

~~~
mikegioia
I store the KeePass database in Dropbox so that my phone and other computers
can all access the same db.

If you're worried about the security of that, you can even take it 1 step
further and add a keyfile to your login requirements. You could just store the
keyfile outside of Dropbox on the devices.

~~~
reedlaw
That doesn't solve the merge problem. What happens when you edit a password on
one computer and then another password on another computer before syncing?

~~~
fractalis
Is there much difference between KeePass and KeePassX? I'm assuming the latter
is a bit more cross-platform friendly?

I use the former, since I'm on Windows, and use VMs for any dev related work.
KeePass seems to have a good system in place for syncing versions. Using
GDrive, if I edit my pass on one machine, when I try to add a new password from
a second machine I get prompted to either sync the file first or just
completely overwrite it. I've yet to encounter an issue where KeePass gets
confused as to what's changed and I end up losing passwords in the process.

------
onoj
Two cents' worth: Write a poem. Spend some time. Make it relevant, make it
rhyme. Do not put it anywhere digital.

Use stanzas of it !without spaces! as a password.

~~~
mhaymo
Exceptionally long passwords can be difficult to type accurately. Probably
most on HN are good typists, but still I find entering long passwords
error-prone and frustrating.

------
username42
I have a paper sheet full of complicated passwords on the wall near my
computer. The access to my flat is protected by a very good physical key.

------
dlsym
correct_horse_battery_staple

Relevant XKCD: [https://xkcd.com/936/](https://xkcd.com/936/)

~~~
jebus989
This is linked within the post, as it is in every discussion of passwords
ever.

