

Ask HN: Alternatives to a password manager? - jkeesh

With the recent post about getting hacked, I was wondering about how everyone on HN manages their passwords. I searched HN history and there have been a few threads on this topic, but with very few comments.

It seems that one of these types of post surfaces every month or so, reminding us of the dangers and security issues surrounding passwords/backups/dependence on cloud sites and what happens when things go wrong.

The classic tradeoff with passwords is one between security and convenience. I used to use a password manager briefly, but it was too inconvenient (mobile access + access on other computers).

Who uses a password manager? If you don't use a password manager how many passwords do you keep? Does anyone use a scheme for keeping passwords?--for example, given the website you can figure out what your password is based on some rule.

I'm thinking of switching to that last one--are there any strong reasons not to, or better ways to keep passwords if I don't want to use a password manager?
======
rgregory
I've recently moved to using 1password (prior to that, Lastpass). I was
skeptical at first, but have grown to embrace 1password more and more and find
myself annoyed when sites will not allow my standard, 1pass generated
passwords (50 characters).

That said, two factor for anything of critical importance (in my case, gmail
and work email).

------
Reebz
Use two factor where possible, but for the password, here's an easy format
that I use to generate a strong and (somewhat) unique password per site:

1. Choose your passphrase - something like "I like long walks on the beach
after seven"

2. Take the first letters to give you something like this: iLLwotBa7

3. Throw a symbol on the end: iLLwotBa7?

4. Append a 3 letter site name acronym in a similar way to the phrase (I use 3
for consistency): iLLwotBa7?hkn

5. Throw on another symbol: Append a 3 letter site name acronym in a similar
way to the phrase (I use 3 for consistency): iLLwotBa7?hkn!

That's what I do, so I only have to remember the 3 letter for each site.
Here's some more: Reddit - rdt, Gmail - gml, etc.

~~~
koopajah
I like the approach but why not use the full site name instead of a 3 letter
acronym? It would be easier to remember. Is it just in case of a leak the link
between the acronym and the site is not easily spotted?

~~~
trueneverland
I suppose because it's a dead giveaway to that part of the string of the
password and if the point is to make it look random and secure, you don't want
to be using the real site name for obvious reasons.
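
An added example, not part of any post in this thread: a small Python check that measures how much of each password produced by the scheme above is shared across sites and how much actually varies. The three sample passwords are constructed from the phrase and acronyms quoted in the thread; the function names are hypothetical.

```python
import math
import os


def split_fixed_and_varying(passwords):
    """Split scheme-derived passwords into shared prefix, shared suffix,
    and the per-site part that differs between them."""
    prefix = os.path.commonprefix(passwords)
    rests = [p[len(prefix):] for p in passwords]
    # Common suffix = common prefix of the reversed remainders, reversed back.
    suffix = os.path.commonprefix([r[::-1] for r in rests])[::-1]
    varying = [r[:len(r) - len(suffix)] for r in rests]
    return prefix, suffix, varying


def varying_entropy_bits(length, alphabet_size=26):
    """Upper bound on the entropy of the per-site part, assuming (generously)
    that each character is an independent random lowercase letter."""
    return length * math.log2(alphabet_size)


def assess(passwords):
    """Summarise how much of each password is reused across sites."""
    prefix, suffix, varying = split_fixed_and_varying(passwords)
    shared = len(prefix) + len(suffix)
    longest_varying = max(len(v) for v in varying)
    return {
        "shared_chars": shared,
        "varying_parts": varying,
        "shared_fraction": shared / max(len(p) for p in passwords),
        "varying_bits_upper_bound": varying_entropy_bits(longest_varying),
    }


# Constructed sample: base string and acronyms (hkn, rdt, gml) from the thread.
SAMPLE = ["iLLwotBa7?hkn!", "iLLwotBa7?rdt!", "iLLwotBa7?gml!"]

if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key}: {value}")
```

For the sample, 11 of 14 characters are identical on every site, and the 3-letter part carries at most about 14 bits, less in practice because it is derived from the site name.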

------
kuasha
I use hard copy and do not carry them with me. For most non-critical sites I
use a simple algorithm to get the password on the fly. For sites that support
openid, I use 2 factor auth enabled two factor I have created.

