Ask HN: secure password creation - jaysonelliot

I'm trying to select a personal password policy that will actually be memorable and strong. If any security experts could weigh in, I'd really appreciate it.

My plan is to use an eleven character password - it's made of upper and lowercase letters, numbers, and special characters, no dictionary words or repeated characters, and the final character is changed depending on the site.

This password would be used repeatedly, except for the final character, which would be variable.

Would this be secure?
======
pwg
Instead of doing something like this, why not give Password Gorilla (
<https://github.com/zdia/gorilla/wiki> ) a try? It will let you create
completely random unique passwords for each site instead of having one fixed
component (which if it ever gets out allows someone to quite easily guess the
remaining passwords).

Plus if you use multiple computers, it will let you keep your passwords file
synchronized between the multiple computers.

~~~
jaysonelliot
I don't like to use password storage systems - not because I'm worried about
their security, so much as being worried about not having access to them.

If I am using someone else's iPad, let's say, and need to get into a site, I
want to be able to remember my passwords.

I've thought about something like a Vigenere cipher on a piece of paper that I
keep in my wallet, but I can't imagine remembering passwords without resorting
to the "cheat sheet."

~~~
pwg
But, keep in mind that if you are using someone else's computer, then you are
totally at the mercy of their security or lack thereof. If they happen to have
a trojan key-logger on their system, then you've just been owned. If they
happen to have installed a key-logger for the purpose of obtaining your
password, you've just been owned.

------
slater
IANASE, but it feels pretty secure to me.

Me, I rely on my growing up in the Swiss-German speaking part of Switzerland.
Swiss-German is not a written language, so basically any way you could write
your (region- and dialect-specific) password variant means there's no
dictionary attack available :D

~~~
pwg
> IANASE, but it feels pretty secure to me.

It is not as secure as it seems. Think it through. There is an 11 character
identical portion and a one character changing portion.

Which means that each password differs from each other password by only one
character.

If the 11 character identical portion were to ever be revealed (i.e., think
site that stores passwords in the clear having their password DB exposed) then
I only have to try a very small number of possibilities to guess all the
possible passwords from the 11 character stub.

Not very secure at all, because the security of all the possible passwords
depends entirely on that 11 character portion remaining a secret... Yet that
11 character portion is going to be handed to every site that requests a
password. It is not a secret anymore once it is given to the first website.
Therefore, not very secure at all.
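
As an added worked example (not code from anyone in this thread), the arithmetic behind the point above in Python: the guess space of an 11-character password drawn from a 94-symbol alphabet, versus what is left to guess for every other site once one site's copy of the shared stub leaks, next to the independent per-site passwords a manager such as Password Gorilla would generate instead. The 94-symbol alphabet and the sample passwords are constructed assumptions.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: the upper/lowercase letters, digits and special
# characters the original question describes (a constructed assumption).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def keyspace_bits(n_chars, alphabet_size=len(ALPHABET)):
    """Entropy in bits of n_chars symbols drawn uniformly from the alphabet."""
    return n_chars * math.log2(alphabet_size)

def leak_exposure(total_len, varying_len, alphabet_size=len(ALPHABET)):
    """Guessing work left for every *other* site once one site's password leaks.

    Only the varying characters stay secret after the shared stub is exposed,
    so the remaining guess space is alphabet_size ** varying_len rather than
    alphabet_size ** total_len.
    """
    return {
        "before_leak_bits": keyspace_bits(total_len, alphabet_size),
        "after_leak_bits": keyspace_bits(varying_len, alphabet_size),
        "guesses_per_other_site": alphabet_size ** varying_len,
    }

def common_stub(passwords):
    """Longest common prefix of a set of passwords: the fixed component that a
    single leaked copy reveals about all the others."""
    if not passwords:
        return ""
    prefix = passwords[0]
    for pw in passwords[1:]:
        while not pw.startswith(prefix):
            prefix = prefix[:-1]
    return prefix

def independent_passwords(n_sites, length=16):
    """One unrelated random password per site from the OS CSPRNG, as a password
    manager would generate; a leak of one says nothing about the others."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(n_sites)]

if __name__ == "__main__":
    # Constructed sample of the scheme in the question: 10 fixed chars + 1 per site.
    scheme = ["Tr0ub&dy9!a", "Tr0ub&dy9!b", "Tr0ub&dy9!c"]
    stub = common_stub(scheme)
    exposure = leak_exposure(len(scheme[0]), len(scheme[0]) - len(stub))
    print(f"shared stub revealed by any one leak: {stub!r}")
    print(f"before leak: {exposure['before_leak_bits']:.1f} bits; after leak: {exposure['guesses_per_other_site']} guesses per other site")
    print("independent alternative:", independent_passwords(3))
```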

~~~
jaysonelliot
That is the crux of my concern.

If a cracker were using an automated method of trying passwords that had been
compromised, I would expect that they might simply get a failed attempt and
move on. In a file of, say, a couple hundred thousand accounts, would they
bother having an automatic retry with different characters?

If it were someone getting the password and trying it manually, however, I
could definitely see them figuring out that all they needed to do would be to
change the first or last character, particularly if it were an obvious one,
such as the first letter of the website or something.

Clearly, I need to have a way to alternate multiple characters in a method
that I can reliably remember.

~~~
pwg
What you have just described is exactly how the John the Ripper password
cracker program works. It starts with a set of "words" and then creates even
more test words by doing just that, adding a character, deleting a character,
etc. Not a problem for a computer.

