
The only secure password is the one you can’t remember - tortilla
http://www.troyhunt.com/2011/03/only-secure-password-is-one-you-cant.html
======
dinde
An even bigger problem than password reuse, in my opinion, is secret question
formulas to reset your password. My banking site requires a strong password,
which of course means that I often forget it, which means that resetting my
password has become a regular part of the login process. The site allows me to
reset my password directly from the site after answering my secret questions
correctly. It does not send an email link to reset.

If a password can be reset by answering a series of secret questions, then the
password itself is moot and the account is only as secure as its secret
questions. Which in many cases aren't very secure to anyone who might know the
person (What is the color of your first car? What is your first pet's name?).

Given the choice between being allowed a "weak" password that I might actually
remember, and a "strong" password that I either have to write down or reset
every time I log in via answering a series of questions that are even less
secure than a weak password, I would take the weak password.

------
elbrodeur
I have a pretty simple way to generate a unique password for each site I use.
I start with a strong password:

aw3#rTT

That will not change from site to site.

Then I insert site specific data into that password. You can also append,
prepend or insert. The point is to have a site-specific password that uses a
formula that is hard to guess. There are a number of ways to do this. You
could use the company name, login name, domain name, url of the login page or
any other site-specific rubric.

Let's say my formula is to use the first and last character, the last
character always being capitalized. Let's use the domain name:

gmail.com -> gL -> gaw3#rTTL

Or, you could take the first and last characters and insert them after a
specific character in your password. Say, the pound symbol:

facebook.com -> fK -> gaw3#fKTTL

Or take last two characters of the domain (or last two, etc) and prepend them
to the password:

twitter.com -> Er -> Eraw#rTT

~~~
tzs
That would be a little too easy to figure out if the bad guy got to see 2 or 3
of your passwords, which could happen if 2 or 3 sites you use got compromised.

A better scheme in the same spirit as yours but with better security would be
to take your master password and append the name of the site, say
aw3#rTT:gmail.com, and then hash this, and then use a base 92 encoding to map
that to letters, digits, and punctuation, and take as many characters of the
resulting string as the site allows.

I started to design and build a simple password manager based upon something
like that. It would store in a file a list that looked something like this:

    
    
        0:*.amazon.com
        0:*.ycombinator.com
        ...
    

When you ask for the password for a given site, it would look through the file
matching the URL against the patterns on the right, until it found a match.
The input to the hash would be the matching line and your master password.

The prefix number is a password revision number. Since the whole line is part
of the hash input, changing the revision number changes the generated
password.

Then I got 1Password as part of MacHeist, and my simple password manager
project pretty much died.
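
An added example, written for this page (it is not tzs's tool and not part of the original thread), implementing the sketch above in Python: a revision:pattern list, URL matching against the hostname, and derivation of a site password from the whole matching line plus the master password. Assumptions not in the comment: PBKDF2-HMAC-SHA256 with 200,000 iterations stands in for the unspecified plain hash, because with a fast hash anyone holding one leaked site password could brute-force the master password offline; the base-92 alphabet is printable ASCII minus space, backslash and double quote; the pattern list is constructed sample data.

```python
import fnmatch
import hashlib
from urllib.parse import urlparse

# Constructed sample of the "revision:pattern" list the comment describes.
SITE_LIST = """\
0:*.amazon.com
1:*.ycombinator.com
0:*.example.org
"""

# Assumed base-92 alphabet: printable ASCII minus space, backslash and double quote.
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in '\\"')
assert len(ALPHABET) == 92


def parse_site_list(text):
    """Return (revision, pattern, whole_line) tuples, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rev, pattern = line.split(":", 1)
        entries.append((int(rev), pattern, line))
    return entries


def match_line(url, entries):
    """First whole line whose pattern matches the URL's hostname, or None.

    Matching the hostname rather than the raw URL keeps a phishing page at
    https://evil.example/login?next=amazon.com from hitting the amazon rule.
    """
    host = (urlparse(url).hostname or "").lower()
    for _rev, pattern, line in entries:
        bare = pattern[2:] if pattern.startswith("*.") else None
        if fnmatch.fnmatchcase(host, pattern) or host == bare:
            return line
    return None


def encode_base92(data):
    """Big-endian integer to a base-92 string over ALPHABET."""
    n = int.from_bytes(data, "big")
    out = []
    while n:
        n, r = divmod(n, 92)
        out.append(ALPHABET[r])
    return "".join(reversed(out)) or ALPHABET[0]


def derive_password(master, line, length=16, iterations=200_000):
    """Site password from the master password and the whole matching line.

    The line (revision number included) is the salt, so bumping the revision
    yields an unrelated password without touching the master.
    """
    dk = hashlib.pbkdf2_hmac("sha256", master.encode(), line.encode(),
                             iterations, dklen=32)
    return encode_base92(dk)[:length]


def password_for(master, url, entries, length=16):
    """Look the URL up in the list and derive its password."""
    line = match_line(url, entries)
    if line is None:
        raise KeyError(f"no pattern matches {url}")
    return derive_password(master, line, length)
```

Two practical caveats: a site that forbids punctuation or caps the length needs its own rule, and, unlike a stored vault, the only way to rotate one site's password is to bump its revision number, which you then have to remember (or keep the list file, at which point you have a vault anyway).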

~~~
elbrodeur
That's certainly a vulnerability, though a pretty small one. Most huge
credential compromises that result in other accounts being hijacked are done
programmatically: It's not like the script that's checking if your gawker
password matches your gmail password will try permutations after first
attempt.

I really like your mechanism for secure passwords. Though it's definitely more
time intensive.

1Password has been praised highly by a couple coworkers and I've been meaning
to try it -- the problem is, you should still have strong passwords for
individual services even if you're storing them in a single repository like
1Password. I think my formula is decent, though by no means totally secure.

~~~
tzs
1Password (and most other password managers, I believe) are happy to generate
strong passwords for you. I generally actually have no idea what my password
is at most sites, as I let 1Password deal with that.

Here are a few samples. I've asked it for 16 character random passwords with 2
digits and 2 symbols, repetition allowed and ambiguous characters allowed:

    
    
        xQO3<hCnp^uKh7mP
        t0ee4uHIsQv'Kk<Z
        zXS;DY3)U3OzAebT
    

It also lets you ask for pronounceable passwords, although you generally then
need longer passwords for good strength. Here are some examples:

    
    
        cac-kon-eg-voil-eng-es-
        rhook-bea-say-rou-hen-h
        ju-cadd-irv-iaf-moif-do
    

I'll use that kind if I'm using 1Password just for storage, not automatic
entry (for example, the login password for a game client). You can also ask
for digits instead of dashes in the pronounceable passwords, like this:

    
    
        ho9swap4cyat6lold9us6bu
    

or no separators (requiring you ask for a longer password for the same
strength), like this:

    
    
        mitalwebshefrufegbiheagdihet
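
An added example, not 1Password's code and not part of the original thread, showing how a generator produces a 16-character password with exactly 2 digits and 2 symbols from a CSPRNG, and how much entropy that policy actually buys compared with a free draw and with a letters-only (pronounceable-style) alphabet. Assumed: the symbol set, and Python's `secrets` module as the random source.

```python
import math
import secrets
import string

LETTERS = string.ascii_letters           # 52 characters
DIGITS = string.digits                   # 10 characters
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/~"  # assumed 27-character symbol set


def generate(length=16, digits=2, symbols=2):
    """Random password with exactly `digits` digits, `symbols` symbols and
    letters elsewhere; repetition allowed, positions chosen uniformly."""
    letters = length - digits - symbols
    if letters < 0:
        raise ValueError("digits + symbols exceeds length")
    chars = [secrets.choice(DIGITS) for _ in range(digits)]
    chars += [secrets.choice(SYMBOLS) for _ in range(symbols)]
    chars += [secrets.choice(LETTERS) for _ in range(letters)]
    # Fisher-Yates with the CSPRNG, so the digit/symbol positions are uniform
    # rather than always at the front (a layout a cracker would exploit).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def classify(pw):
    """(digit count, symbol count, letter count) of a password."""
    return (sum(c in DIGITS for c in pw),
            sum(c in SYMBOLS for c in pw),
            sum(c in LETTERS for c in pw))


def entropy_bits(length=16, digits=2, symbols=2):
    """log2 of the number of distinct outputs generate() can produce.

    The positions of the digits and symbols are part of the choice, so the
    composition rule costs a few bits against a free draw, far less than a
    fixed layout ("two digits at the end") would.
    """
    letters = length - digits - symbols
    layouts = math.comb(length, digits) * math.comb(length - digits, symbols)
    fillings = (len(DIGITS) ** digits) * (len(SYMBOLS) ** symbols) * (len(LETTERS) ** letters)
    return math.log2(layouts * fillings)


def unconstrained_bits(length=16):
    """Entropy of `length` characters drawn freely from all three classes."""
    return length * math.log2(len(LETTERS) + len(DIGITS) + len(SYMBOLS))


def length_for_bits(target_bits, alphabet_size):
    """Characters needed from an alphabet of `alphabet_size` symbols to reach
    target_bits; shows why a lower-case pronounceable password must be longer."""
    return math.ceil(target_bits / math.log2(alphabet_size))
```

For the policy in the comment this comes to about 98 bits, against roughly 104 bits for 16 characters drawn with no composition rule; matching those 98 bits from a 26-letter alphabet needs 21 characters, and a real pronounceable generator gets less than log2(26) per letter because syllable rules restrict which letter can follow which, so its output must be longer still.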

------
tomelders
I'm porting over all my passwords to a formula. The basic gist is that I have
a set of rules that dictate what my password should be based on something such
as the name of the website or service I'm using.

So let's say we're talking about hotmail. I don't have a hotmail account, but
the formula could be something like:

Take the first, third and fourth letters of "hotmail"

"htm"

now the letters 3 spaces to the left of each of those in capitals (wrap to the
right of the keyboard if you run out of space)

"htmDWV"

and sandwich in between the upper and lower case letters the numerical value
of the last three numbers

"htm42322DWV"

And so on until I have a formula that I like that generates suitably obscure
and difficult passwords.

I plan to build an app or a script that processes "hotmail" according to my
formula, copies it to the pasteboard ready to be pasted.

100% secure? No. But it'll do for me.

~~~
wewyor
I use keepass with something like a 30 character password that I can remember
with numbers and special characters, it already has things like autotype and
copy paste and generates random secure passwords for sites I use which are
then encrypted.

My eggs may be all in one basket but at least that basket is heavily protected
while your solution seems less good than the alternatives that already exist.

~~~
jwegan
I use a similar technique (although I didn't make a script for it). I fail to
see how it is "less good" [sic]. My password for every website is unique (15+
characters, mix of character cases, special characters, etc), it is not stored
anywhere other than my brain, and the pattern is not easily discernible.
Furthermore I have two different patterns, one for high value sites and a
different one for social networks/forums/other low value sites.

With KeePass, someone with a keylogger on your machine can compromise all
your passwords in one fell swoop.

------
yummyfajitas
It's not that hard to have secure passwords.

    
    
        $ mkpasswd
        -tJ6yfcO5
    

Write it down on a postit note. Put that in your wallet. 2-3 weeks later you
have a secure password that you remember. Discard the postit at this time. Do
this for your bank, gmail, and a couple more high value targets.

Don't use the same password for gawker/plentyoffish/facebook.

~~~
eof
1. mkpasswd

2. write on postit note

3. ???

4. Secure, memorized passwords for your high value accounts.

~~~
yummyfajitas
3. Use it over and over again until it enters muscle memory.

(Just in case, I also have a list of important passwords in a truecrypt
folder.)

~~~
eof
Are you using _one_ high entropy password for all of your 'high value'
accounts?

~~~
yummyfajitas
That would defeat the purpose, no? I admit, this scheme might not scale if I
had more than 3 high value accounts that I access more than once a year. But
all I have is gmail + 2 banks.

I also have a few rarely accessed accounts (retirement fund from past job and
similar things) with random passwords that are stored in the aforementioned
truecrypt folder.

------
r00fus
The article ignores an even bigger problem with bad server password encryption
(ie, not salted) - rainbow tables.

No expensive compute time required; cracker can easily decrypt most passwords
without even blinking an eye (the tradeoff is storage space vs. compute time).
<http://ophcrack.sourceforge.net/tables.php>

HBGary was cracked using rainbow tables... which then led to the rootkit.com
social engineering crack.

1Password and its like can move us closer to eventually just doing PKI since
once the passwords become unrecognizable they are quite effective.

btw, I love and promote 1Password and KeepassX (1pwd has better usability and
security since its autofill will stop phished logins by matching the domain
exactly, not visually... KeepassX's autofill is experimental right now).
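
An added example, not part of the thread, contrasting the two server-side storage choices the comment is about: an unsalted MD5 store falls to a single precomputed lookup (a rainbow table is the storage-optimised form of this table, trading space for recompute time), while a per-user random salt plus a slow KDF makes that precomputation useless. The wordlist and user records are constructed; PBKDF2-HMAC-SHA256 is my choice of KDF, not something the comment names.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a precomputed table: the cracker hashes a wordlist
# once and reuses the result against every unsalted database ever leaked.
WORDLIST = ["password", "123456", "letmein", "qwerty", "hunter2", "monkey"]


def unsalted_md5(pw):
    """What a badly built site stores: the same input always gives the same hash."""
    return hashlib.md5(pw.encode()).hexdigest()


def build_lookup(words):
    """hash -> plaintext, computed once, independent of any target."""
    return {unsalted_md5(w): w for w in words}


def crack_unsalted(user_hashes, table):
    """user -> plaintext for every stored hash present in the precomputed table."""
    return {user: table[h] for user, h in user_hashes.items() if h in table}


def hash_salted(pw, salt=None, iterations=100_000):
    """'salthex$iterations$dkhex' with a fresh 16-byte random salt per password."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_salted(pw, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    # Two users share a password, as real dumps always contain.
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
    table = build_lookup(WORDLIST)

    unsalted_db = {u: unsalted_md5(p) for u, p in users.items()}
    cracked = crack_unsalted(unsalted_db, table)  # alice and bob, one dict lookup each

    salted_db = {u: hash_salted(p) for u, p in users.items()}
    # The same table finds nothing: every stored value depends on a random salt
    # that did not exist when the table was built, and alice and bob no longer
    # even share a hash, so cracking one tells you nothing about the other.
    reusable = crack_unsalted({u: s.split("$")[2] for u, s in salted_db.items()}, table)
    return cracked, salted_db, reusable
```

The check that matters is the second one: the table that cracked the unsalted store is worthless against the salted one, not because MD5 became strong, but because the attacker has to redo the whole wordlist per salt, paying 100,000 iterations per guess each time.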

~~~
troyhunt
Actually, the article explicitly mentions that problem:

"Undoubtedly, much of this problem is related to poor security implementations
on websites. It’s very, very easy to build websites with fundamental security
flaws."

But obviously this is not within the control of the end user.

------
karzeem
1Password was a godsend for this problem.

------
berryg
Came across this solution last week <http://16s.us/sha1_pass/index.php>. You
come up with a sentence you can remember and you take the base64 version of
the SHA1 hash of this sentence as your password.

~~~
wewyor
If you can remember sentences and maybe a few numbers and characters added in
that would work just as well for a password as the base64 version of an sha1
hash.

Example:

My c@ sleeps 7 hours every day!

(Sorry I can't think of anything smarter)

------
16s
Use SHA1_Pass and never store, synchronize or remember a password _ever_
again. Comes with full source code and _no_ proprietary encryption. Full
disclosure, I wrote the software and am the number one advocate ;)

------
dustingetz
google docs + chrome bookmark sync + password generator

screen shot[1], and step-by-step instructions with transition plan [2]

[1] <http://cdn.lts.cr/files/0d78b2c391b8a6b52b75/creds.png>

[2] <http://www.dustingetz.com/password-security-the-free--easy-way>

------
georgieporgie
<https://www.pwdhash.com/> allows me to use the same, simple password with a
lot of websites, with no fear of it being compromised by poor website design.

Also, I keep my comprehensive list of passwords in a gpg-encrypted file. You
need the file, my password, and the gpg key to decrypt it. When on a long
trip, away from my computer, I printed out this password list after permuting
the passwords in a memorable way (e.g. move the last character to the
beginning, then tack on an extra character). The gpg-encrypted file lives in
my Dropbox folder, so it's up-to-date across my machines.

For security questions, which are always B.S. anyway, I use the PC Tools
Secure Password Generator to make a three or four character string, then add
it to the aforementioned encrypted file.

<http://www.pctools.com/guides/password/>

------
phlux
I have a different approach, I use visual patterns on the keyboard.

azlm)O!Q(I@W

ZX)(!@MN

(J&G%D$S

GH)!JS93

I have been doing it for years -- it makes it damn near impossible to recall
the PW without a QWERTY KB though.

I have particular patterns I use for various things.

I modulate the shift key to get upper and lower case. My passwords are all
typically >10 characters.

------
u48998
What's the difference between using these password managers and a plain old
spreadsheet file?

~~~
metachris
Basically that password managers

(a) store the passwords encrypted and require a master key to see them

(b) generate random, long, secure passwords for you

(c) allow you to group passwords in folders and subfolders

...

~~~
nickknw
(d) can integrate with the browser in a convenient way

