
How to create unique passwords you won't have to memorize - m00s3
I just heard this on the radio. I was appalled.

http://www.cbc.ca/radio/thesundayedition/how-to-create-unique-passwords-you-won-t-have-to-memorize-1.4579765
======
tptacek
Don't do this. Submit a story the normal way, not with a blank URL. Stories
with blank URLs are penalized (or were at one point) but, more importantly,
submissions to HN are community property, and the person who happens to submit
a link first is not entitled to a special commentary at the top of the thread.

~~~
swyx
while I agree with you, you could go a little easier on OP. this is the OP's
first submission. Words like "entitled" and "obnoxious" are a bit much.

~~~
tptacek
Thanks; in retrospect I'm unhappy with the last sentence, which I think I
wrote (unreasonably) anticipating a snippy response, so I deleted it.

------
UncleMeat
This is dumb but not that dumb.

The method is (mostly) fine given most people's threat model. It solves
password reuse and the generated passwords are resistant to dumb brute force.
You lose a lot of entropy if people know the method or even know that
characters are more likely to be pulled from the domain name but given a good
enough seed (the article has seven characters) you are still generally fine.

If you are a high-value target it is obviously awful since you are worth the
time for a human to reverse the pattern and break your other passwords.

The real reason this is dumb is because it doesn't allow you to change your
password, not because your passwords have lower entropy.

------
kazishariar
Not to give too much away. But I think most of us use similar password
methods, on top of whatever inlay password provider/manager you're using. e.g.
Lastpass autogenerates, saves, syncs and fills. -
[https://helpdesk.lastpass.com/generating-a-password/](https://helpdesk.lastpass.com/generating-a-password/)

------
hprotagonist
like a fair few other people, particularly on HN, my process is:

1. Pick an extremely good, very long master password.

2. Make my password manager generate maximum-allowed-length random line noise
for every site I have an account on.

3. Never know or care what these passwords are.

4. For edge cases like workstation logins and "forgotten password hints", use
diceware to generate easily typed nonsense phrases.

------
fgeiger
I used to have a similar scheme for passwords. It only works well as long as
one uses the same pattern for all passwords though.

This starts to break once you want to or need to change a password. I had to
abandon the scheme once haveibeenpwned.com notified me of a breach including
one of my passwords. I could either remember a new pattern for that one site
or change passwords of all my sites.

I chose to do the latter and used random passwords created by a password
manager. That way I avoided running into the same problem again.

------
iambateman
Password management remains a big problem for people, who tend to blame
themselves for the trouble they find in remembering passwords.

Giving them tools, however unwieldy, doesn’t seem terrible to me?

bSSCmp9; scores 38 bits of entropy, and if someone decides that SSC ought to
be their personal password pin, I think it’s better than repeating the same
password over and over again.

To me, password managers are the best option, but I struggle to convert my
less savvy friends.
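
As an added illustration of the entropy argument running through this thread (UncleMeat's point that once the method is known only the seed stays secret, hprotagonist's diceware step, and the bits-of-entropy figure above), here is a small Python model that is not code from the thread or from the CBC piece. The alphabet sizes, the seed length and the toy word list are assumptions for the demonstration; a real diceware list has 7776 words.

```python
import math
import secrets

# Constructed toy word list standing in for a real diceware list (7776 words).
WORDLIST = ["apple", "brick", "cloud", "delta", "ember", "flint", "grove", "hatch"]


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password-manager string: each character uniform over the alphabet."""
    return length * math.log2(alphabet_size)


def pattern_password_bits(seed_length: int, alphabet_size: int,
                          method_known: bool, derived_length: int = 0) -> float:
    """Entropy of a 'fixed seed + characters derived from the domain' password.

    If the attacker knows the method, the derived characters add nothing: the
    domain is public, so only the seed is secret. If the method is unknown we
    optimistically count the derived characters as if they were random too.
    """
    bits = seed_length * math.log2(alphabet_size)
    if not method_known:
        bits += derived_length * math.log2(alphabet_size)
    return bits


def diceware_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a diceware phrase: each word uniform over the word list."""
    return words * math.log2(wordlist_size)


def diceware_passphrase(words: int, wordlist=WORDLIST) -> str:
    """Generate a phrase with the secrets module (a CSPRNG), never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at a fixed offline guessing rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Assumed: 7-character seed over a 62-character alphabet, 3 domain-derived characters.
    print("manager, 20 chars:", round(random_password_bits(20, 94), 1), "bits")
    print("pattern, method unknown:", round(pattern_password_bits(7, 62, False, 3), 1), "bits")
    print("pattern, method known:  ", round(pattern_password_bits(7, 62, True, 3), 1), "bits")
    print("diceware, 5 words:", round(diceware_bits(5, 7776), 1), "bits")
    print("example phrase:", diceware_passphrase(4))
```

The gap between the two "pattern" lines is exactly what UncleMeat describes: the derived characters only count while nobody has seen enough of your passwords to infer the rule.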

------
emerged
Just use an incredibly strong password you couldn't possibly ever forget and
use it for email. Then use password reset with a randomly generated string
every time you have to login somewhere.

Because really, email is effectively the only password which matters.

------
philipwhiuk
I mean it's bad but it's not that bad really. Obviously if everyone used the
same sequence it would be very terrible.

It's marginally better than pure password reuse.

But compared to Troubador ([https://xkcd.com/936/](https://xkcd.com/936/))
it's not really worse.

It slightly mitigates the 'humans are bad password generators' trap.

Really it mainly falls down because passwords are terrible and the best
industry standard solution is a shit version of OAuth where the OAuth
mechanism is 'copy and paste from <InsertPasswordProvider>'.

