

You have exactly three passwords, don't you?  - FSecurePal
http://www.pcmag.com/article2/0,2817,2386533,00.asp

======
arjunnarayan
Yes. This is why I use a password hash function. The exact Hash function is in
my head (and only my head), although it requires a lookup table for random
bits. The lookup table is typically a poem, (when I was younger, I would use
digits of pi, but I consider that insecure now), but can really be any
sequence of words about 50+ that I can reproduce pretty much instantaneously.

The exact hash algorithm is my secret, but the input to the hash is the url of
the website that I log into. So, we have

    f    (the hash function, which is secret)
    url
    poem (think of this as the "secret key")

so at each password login I compute f(url, poem), to get my unique password.

This is secure against prefix attacks and other guessing attacks, although not
cryptographically so (unfortunately, I am unable to memorize a 128 bit
pseudorandom string and the algorithm to SHA2, so this will have to do.)

But I'm still paranoid, so my google account uses a completely different
password that has nothing to do with any of the above, because access to my
google account is protected by 2-step verification and my android phone, and
it is a very weak link. If you compromise my GMail account, you can pretty
much use "I forgot my password" on every other account of mine. (While 1 of my
banks requires email AND phone, since my google account relies on 2-step there
is an unfortunate correlation in the failures there. So GMail really is
account-vulnerability-complete for me.)
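
A cryptographic version of the f(url, poem) idea above, as an added example that is mine and not the commenter's mental scheme: the master secret (the "poem") is stretched once with PBKDF2, then HMAC-SHA256 keyed with that result is computed over the canonical registrable domain, so scheme and host changes such as register.example.com versus login.example.com yield the same password, and a generation counter lets one site be rotated without touching the master. The small suffix set, the salt string and the sample master secret are assumptions of this example; a real implementation would load the Public Suffix List.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: a few multi-label public
# suffixes. A real implementation would load the full list (publicsuffix.org).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def canonical_site(url: str) -> str:
    """Reduce a URL to its registrable domain, so that login.example.com,
    https://register.example.com/ and example.com all map to 'example.com'."""
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def site_password(master: str, url: str, length: int = 20, generation: int = 0) -> str:
    """Deterministically derive a per-site password from a master secret.

    master      the long memorised secret (the 'poem'); stretched with PBKDF2
    url         any URL of the site; only the registrable domain matters
    generation  bump this when one site's password has to be rotated
    """
    # Stretch the master once so that someone holding a leaked derived password
    # and guessing the master pays the PBKDF2 cost for every guess.
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              b"site-password-example-v1", 100_000)
    message = f"{canonical_site(url)}\x00{generation}".encode("utf-8")
    digest = hmac.new(key, message, hashlib.sha256).digest()
    # Base64 of 32 bytes gives 43 characters of letters, digits, '+' and '/';
    # the last two are mapped to symbols most password forms accept. Sites that
    # *require* a digit or symbol would need an explicit fix-up step not shown here.
    text = base64.b64encode(digest).decode("ascii").rstrip("=")
    return text.replace("+", "!").replace("/", "#")[:length]


if __name__ == "__main__":
    secret = "the quality of mercy is not strained"  # constructed sample master secret
    for u in ("https://register.example.com/signup", "login.example.com",
              "https://www.amazon.co.uk/", "http://chase.com"):
        print(f"{canonical_site(u):16} {site_password(secret, u)}")
```

The canonicalisation step is what answers the "what if the URL changes" objection below: as long as the registrable domain survives, the derived password does; a company rename still needs the old domain remembered, or the generation counter bumped and the site's password reset.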

~~~
lazyjeff
How do you deal with the url if it can change?

For example, you register for example.com on <http://register.example.com> and
then login on <https://login.example.com> and in the future they may change it
to <https://examplelogin.com/auth/>

Or what if the company changes name? For example, I used to log into my bank
on <http://wamu.com> and now they are bought by Chase so it's
<http://chase.com>

~~~
tedunangst
You remember what the url used to be. This happens to work much better than
browser plugins which are unaware of such changes.

------
DieBuche
Is there any reason for the often-repeated advice to change pws regularly? If
I have a unique password like vdknzB4XoAiJIpjlN3PGf for every account, what
would changing it protect me against? Hardly keyloggers, because then changing
it twice a year is probably too late.

~~~
Xurinos
Yes. Very often, administrators and victims do not know _when_ their password
is compromised. The policy of changing it is to cut present access off from
those who already obtained it. It is just an additional safeguard over
intrusion detection systems.

------
AndyKelley
I thought the second part of his conclusion was a bit hasty:

"... and change all your logins every six months at least."

Does he have _any_ idea how impractical this is? If I could even remember
every login I ever made, it would probably take more than 12 hours to do the
manual labor of changing the password for them. No thank you!

~~~
city41
Forced changing of passwords every x months is pretty common in the workplace,
especially if the company is Windows based.

The problem is it's so easy to make your passwords be <root>+1, then <root>+2,
etc. I've worked at places that detected that pattern and didn't allow it, so
I would just hold down the shift key and iterate anyway, yielding <root>+!,
then <root>+@, <root>+#, etc.

So even forcing your users to change their passwords will most likely cause
them to find a way around it. IMO the problem is passwords are inherently a
flawed concept. We need something better. Hopefully biometrics can truly solve
this problem one day.
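
An added example, mine rather than anything from the thread or a particular product, of the kind of check city41 describes running into: at change time, when the old and the new password are both available in plain text for that single request, reject a new password that is the old one with only a trailing counter or symbol swapped, or that is within a couple of edits of it. The character class treated as the "counter" and the edit-distance threshold are assumptions.

```python
import re

# Trailing run of digits or keyboard symbols: the part people increment
# (1, 2, 3 ... or, with shift held down, !, @, #).
TRAILING_COUNTER = re.compile(r"[0-9!@#$%^&*()_+\-=]+$")
MAX_EDIT_DISTANCE = 2  # assumed threshold; tune for the deployment


def password_root(password: str) -> str:
    """Strip the trailing counter and fold case: 'Winter2011!' -> 'winter'."""
    return TRAILING_COUNTER.sub("", password).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_distance: int = MAX_EDIT_DISTANCE) -> bool:
    """True when `new` is the kind of rotation that a change policy is meant to prevent."""
    if old == new:
        return True
    old_root = password_root(old)
    if old_root and old_root == password_root(new):
        return True  # same root, only the counter/symbol tail changed
    return edit_distance(old.lower(), new.lower()) <= max_distance


def check_change(old: str, new: str) -> str:
    """Policy decision for one change request, as the message shown to the user."""
    if is_trivial_variant(old, new):
        return "rejected: the new password is a trivial variant of the old one"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample change requests.
    for old, new in [("Winter2011!", "Winter2011@"), ("Winter2011", "Winter2012"),
                     ("hunter2", "Hunter2"), ("hunter2", "correct horse battery staple")]:
        print(f"{old!r:14} -> {new!r:32} {check_change(old, new)}")
```

The comparison only works against the password being replaced, which the user has just typed; it is no reason to keep old passwords in recoverable form, and it does nothing for the larger problem the post names, which is that a forced rotation invites exactly this behaviour.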

~~~
bluesmoon
biometrics will still require a fallback for any general purpose system. For
example, you can't require fingerprints because there's a chance you'll get
users without fingers. You can't require retinal scans because there's a
chance you'll get users without eyes. You could probably ask the user to spit
and check their DNA, but there's a higher chance of spreading disease that
way. Eventually you'll need a fallback of a password/key, and if I were an
attacker, I'd always attack the fallback (it's often the least well thought
out part of auth).

~~~
sesqu
Also, fingerprints erode with certain professions and are susceptible to
environmental things like sweat and dirt. Retinas change with disease and
pregnancy. DNA is far too expensive to use daily, unless you restrict their
accuracy to populations.

~~~
JoeAltmaier
...and biometrics are not authentication, just simple access control. Many,
many of us have the same biometrics - it's a hash. It's hardly better than a
garage door opener.

------
jbk
I use one password per account.

I have a common shared suffix like "HuRf!z0" and then I prepend a prefix
depending on the website, like "gm" for HN.

So far, this has been quite simple to use, even when I am not in front of my
machine.

~~~
reemrevnivek
Isn't this vulnerable to someone guessing the prefix if the password is
compromised? This assumes that you're up against identity theft, not automated
spamming, but the algorithm you're using to hide the prefix isn't very robust.
Does this matter to you?

~~~
jbk
This isn't the actual algorithm I am using, but was just an example to make my
point.

But true, this isn't perfect, but just makes one step more complex, without
having to use an external password manager...

~~~
orofino
I do something similar, however I take a portion of the site name and
intersperse it throughout the stronger password in set positions. I could
modify case of the site name snippet, however I do not currently.

While this is certainly relying on obscurity, it at least makes it much more
difficult to figure out what is going on. I'd think you'd need access to two
of my passwords in plain text in order to really figure it out.

My lastpass password is a 29 character password comprised of 3 parts, one of
which is this pattern, the other two are 'secure' passwords I've used in the
past but haven't been compromised to my knowledge.

Even with all of this - if one password was compromised in plain text I would
likely abandon all of my passwords and try again with something new.

------
krakensden
The problem with password managers is, when you're away from whatever machine
you managed to get the thing set up on, you're locked out of all your
accounts.

~~~
code_duck
Do browsers sync these yet? I know Chrome, Firefox et al. have various syncing
options, but I've never looked into how they work exactly.

Edit: looked into it, and the situation for password sync is

- Chrome: built in since V. 11

- Firefox: available through add-ons/extensions (XMarks)

- Opera: since beta 11.5 (the latest as of right now)

- Safari: available through extensions/other services (mobileme? not sure)

- IE: unclear

~~~
sid0
Firefox 4 and up have built-in password syncing (along with bookmarks, history
etc). Everything's encrypted client-side, so you never have to worry about
unauthorized access to them.

~~~
code_duck
Thanks, interesting that this didn't show up in my brief research.

------
zargon
The bank managing my 401k requires a password between 6 and 8 alphanumeric
characters. Non-letter, non-digit characters are not allowed.

~~~
Macha
My bank is worse. They state alphanumeric, their form enforces alphabetic. 6-8
letters. Oh, and did I mention it's case insensitive? The card number provides
more security than the password.

I can only hope that the case insensitivity is because they're running it
through the COBOL equivalent of .tolower() before hashing it, but given the
track record? It's more likely than not they're storing it in plaintext. Just
as well I'd not reuse a weak password like that anywhere else.

~~~
jjcm
Out of curiosity, what's keeping you from switching banks? If my bank did
this, I'd switch immediately. Any bank that shows that level of concern for my
finances doesn't deserve to be controlling them.

~~~
waqf
If you work in the US, you tend not to have that luxury with your 401k. Your
employer picks the financial institution and you're stuck with it. See also
health insurance.

~~~
georgieporgie
Mention your concern to your employer. It may come to nothing, but if another
provider was offering better terms anyway...

------
billybob
I have a unique, random password for nearly every account I have (with a few
throwaway exceptions). I store them all in a file, encrypted with a master
password, and sync that file to all my machines using Dropbox. I open and
modify the file with Password Gorilla on Mac and Linux and PasswordSafe on
Windows.

Both programs read/write the same file format and allow you to create any
internal hierarchy you want (eg Stores > Electronics > NewEgg, or News >
HackerNews). Password Gorilla's UI is pretty bad, but workable. Both let me
copy and paste a password without displaying it on screen.

Works great. I got the idea from Joel Spolsky:
<http://www.joelonsoftware.com/items/2008/09/11b.html>

~~~
nametoremember
Do you go into the file, look up the website/account and then copy the
password to paste it into the password field on the website - every time?

I don't think most people are willing to do this. I know I'm not.

~~~
wladimir
Nope. I just click "remember password" in my browser after the first time.

At least for most sites. For banks and really important stuff I usually do
memorize the password myself or copy it from the encrypted file.

------
pavel_lishin
Some systems don't require a complex password. I don't care if someone breaks
into the game center thing on the iphone because my password is prettypony2 -
what are they going to do, erase my high scores on Tetris? I'm sure as hell
not copying and pasting a 16 character password between the LastPass app every
time.

~~~
lambada
Given that the gamecenter password is the same as your iTunes / Apple account
password, they could wipe out your account balance by buying / renting things.
If you have any card details stored then they could go onto the Apple Store
and order using those. They could see your billing address, and so intercept
your mail, thus gaining more documents to eventually steal your identity.

Of course, if you only buy using the pre-paid cards you can buy in retail
stores then all they can do is wipe out the balance.

I'm sure your response was partly flippant, but the implications because of
Apple's one universal account means that someone determined could do a lot of
things.

~~~
terinjokes
Not entirely true, Game Center can be setup to use a separate Apple Account
than the rest of the phone…

~~~
lambada
Really? Hmm, must have missed that option when setting it up; although I
suspect the vast majority of people don't realise that either.

------
troels
Nah, I have 4. My email account has a unique med-level password, because if
that ever gets compromised, by proxy so is everything else.

------
FilterJoe
I'm the person who wrote the comment on Troy's blog about the common 3
password approach, which I suppose inspired the title. What PC Magazine did
not write was that I describe how hackers easily exploit it, here:

<http://www.filterjoe.com/2010/05/14/the-usual-way-to-manage-passwords/>

It's part of a password series with the following central advice for typical
home users:

"Use a password manager to assign unique, random 15 character passwords for
all accounts, protecting them with a strong master password."

This guide gets them started:

<http://www.filterjoe.com/2011/04/14/passwords-guide-without-distraction/>

While I'm sure the typical Hacker News community member practices far-above-
average password security, the vast majority of people don't see any reason
why they should - or if they do, they get overwhelmed by too many complicated
rules. From feedback I get, the above referenced guide works for the "average
Joe."

------
loup-vaillant
My preferred solution: <http://blog.jgc.org/2010/12/write-your-passwords-down.html>

For those who don't want to write code, I shared an implementation of that
here: <http://www.loup-vaillant.fr/projects/password-generator> (please tell
me if I made any error)

------
lulzmcgee
I ran a cracking forum for a few months and found similar stats. Even in a
community whose members should know better. I modded the vBulletin software to
store passwords in plaintext. Roughly fifty percent of members registered with
an e-mail address that was also registered with Paypal. Of those who had,
roughly 75% of them had matching passwords for both the forum and Paypal.

------
barrkel
I have perhaps 6 passwords:

1) My email password, which is randomly generated but memorized, and reused
nowhere.

2,3,4) A handful of passwords, call them grade A, B and C, which are used in
conjunction with SuperGenPass to generate passwords specific to a website.
Only the top level domain is used; for rare cases where the URL changes but
the password doesn't (like amazon.co.uk vs amazon.com) I have chosen one TLD
as the canonical one. The ratios of usage of A, B and C are approximately
1:2:50. No website I log in to ever shares its literal password with any
other.

5) Computer account login password, this is changed every 3 months.

6) Encryption keys passphrase. Should I have anything that I want to keep
private and not leak anywhere, or signing keys etc., I use a combination of
letters, numbers and symbols, over 40 characters long.

Bank passwords (actually more usually numbers) and the like I have written
down, unlabelled, in secure locations and memorized from frequent use.

------
dfischer
I wrote up an interesting comparison of Password Managers on this very thing:
<http://blog.danielfischer.com/2011/05/12/its-time-to-start-using-a-password-manager/>

------
JoeAltmaier
So many sites require passwords that shouldn't. I feel jerked around - Jump
thru this hoop! Make up a better password! Bark like a dog!

I say, screw you. I use a lame password for all that, and a lame username too.
It makes me feel better.

For real security, I can use a better password. But somebody explain how
constraining passwords improves security? IF the hacker Knows it contains
special characters or whatever, doesn't that Simplify the password space?
Sure, simple combinatorics says there are more passwords if you use a larger
alphabet. But you simultaneously Remove the space of all possible passwords
that didn't happen to have 'special' characters.
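
The two quantities the post above weighs against each other, worked out as an added example (my own calculation, not from the thread): the number of length-n passwords over the full printable-ASCII alphabet with no constraint, the number over the letters-and-digits alphabet only, and the number that are forced to contain at least one character from every required class, computed by inclusion-exclusion over the classes left out. The same helper also sizes the 6-8 letter, case-insensitive bank policy Macha describes further up. The class sizes are the printable-ASCII ones (33 symbols, counting space); the lengths are assumptions.

```python
from itertools import combinations
from math import log2

# Printable-ASCII character classes (33 symbols counts space and 32 punctuation marks).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33


def keyspace(length: int, alphabet_size: int) -> int:
    """Passwords of exactly `length` drawn freely from an alphabet of that size."""
    return alphabet_size ** length


def keyspace_range(min_len: int, max_len: int, alphabet_size: int) -> int:
    """Passwords whose length lies in [min_len, max_len] over the alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def keyspace_requiring(length: int, class_sizes) -> int:
    """Passwords of `length` over the union of the classes that use every class at
    least once: inclusion-exclusion over which classes are omitted entirely."""
    sizes = list(class_sizes)
    total = 0
    for k in range(len(sizes) + 1):
        for omitted in combinations(range(len(sizes)), k):
            remaining = sum(s for i, s in enumerate(sizes) if i not in omitted)
            total += (-1) ** k * remaining ** length
    return total


def bits(n: int) -> float:
    """Keyspace size expressed as bits of work for an exhaustive search."""
    return log2(n) if n > 0 else 0.0


if __name__ == "__main__":
    n = 8
    alnum = LOWER + UPPER + DIGITS
    free = keyspace(n, alnum + SYMBOLS)
    no_symbols = keyspace(n, alnum)
    must_have_symbol = keyspace_requiring(n, [alnum, SYMBOLS])
    print(f"length {n}, any printable ASCII:      {bits(free):5.1f} bits")
    print(f"length {n}, letters+digits only:      {bits(no_symbols):5.1f} bits")
    print(f"length {n}, symbol required:          {bits(must_have_symbol):5.1f} bits")
    print(f"length {n}, all four classes required:"
          f" {bits(keyspace_requiring(n, [LOWER, UPPER, DIGITS, SYMBOLS])):5.1f} bits")
    print(f"6-8 letters, case-insensitive:       {bits(keyspace_range(6, 8, LOWER)):5.1f} bits")
```

Requiring a class does remove every password that lacks it, exactly as the post says; what the numbers show is how that removed set compares in size with the set the larger alphabet adds, which is the comparison a policy author needs before adding a rule.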

------
plainOldText
I'm a bit different. I have approximately 10 important passwords that are only
in my head and are between 20-40 characters long. They are completely nonsense
phrases with numbers. I noticed that if I make them nonsense I tend to
memorize them better. For the rest of non-important stuff I use a password
manager.

Funny note* Once I decided to change my passwords for 2 encrypted drives and a
couple of days later I forgot them, so I lost all the information. I recovered
some of it cause I also stored it on some non-encrypted drives but still, I
learned my lesson. The brain has its shortcomings too. :)

------
27182818284
I started using pwgen for passwords. These are long passwords containing
symbols, letters, and numbers and nothing resembling a word.

What I find interesting is that I don't know what any of the passwords
actually are. Instead, I simply have the muscle memory to type them. This is a
problem if I have to remember that same password for the website's new app on
my phone. In that case, I have to sit next to an actual keyboard to recall the
password and type it into my phone.

~~~
chrishenn
I also use pwgen to generate passwords, but I tend to throw in a special
character (like -, *, or #).

pwgen's ability to generate pronounceable yet random passwords is why I use
it. As you said, they just seem to be easy to remember.

------
zedpm
Good grief, no. I have dozens of passwords. The 10 or so that I use regularly
are committed to memory, the rest may require me to consult a legal pad or
KeepassX, the latter being protected by an extremely long and complex password
unique to it. I do of course reuse some of the passwords, given that there are
only a couple dozen of them and probably 100 or more accounts which use one of
them.

------
nt
I use password composer
<http://jlpoutre.home.xs4all.nl/BoT/Javascript/PasswordComposer/>
which hashes your password with website url. There is a convenient
greasemonkey script that works on firefox and chrome.

------
reve
I don't want to store my passwords anywhere, so I wrote a password maker for
myself. Every time I need a new password or forget an old password, I run the
tool, input the master key and some other hints, and then I get what I want.

------
pnathan
4-6 base passwords, combined with a sequence of standard variations.

Would be nice to have pubkey authentication with the pubkey stored on a
distributed system online which I could revoke/regenerate at will.

------
karolist
I have 165 personal passwords, and around 50 related to corporate stuff.
Stored in KeePass in a TrueCrypt container on Dropbox, that way I'm able to
access all of them across my linux/win/osx machines.

------
mmahemoff
Federated login is becoming more prevalent all the time. Open ID started the
trend and yesterday's Apple-Twitter integration is the latest example.

We'll need fewer passwords in the future.

------
forsaken
I use 3 passwords: One for my email, one for my computer's login, and one for
my password managers master password.

------
greyfade
Hm. I have 8. 13 if you count the ones I haven't memorized yet. :P

------
lachyg
They had me nailed! Sort of embarrassing.

------
cwp
No. I have exactly 146 passwords.

------
georgieporgie
I used to keep a list of individual passwords in a GPG-encrypted container.
Then I would copy-pasta them around, as needed. I realized this is just a huge
security hole, particularly since I use ClipX (multi-clipboard tool, shows a
clipboard history on Ctrl+Shift+V). Also, GPG would mysteriously eat the file
on one machine every now and then.

Now I mostly use pwdhash.com and three or so tiers of passwords. Works well. I
still have the GPG file, but I use it mostly for keeping track of my gibberish
answers to dumb security questions ("who was your senior prom date/where did
you meet your wife").

