
Ask HN: Password best practices? - ryanklee
My password practices are an unsystematic mess. I keep different passwords of varying strength across all of my accounts.

I'm ready for a total overhaul with best practices in mind.

How should I go about this?
======
Piskvorrr
Use a password archive (e.g. KeePassX) encrypted with one really, REALLY good
password you'll memorize (plus a keyfile, should you feel paranoid).

Each password for a service is then randomly generated and stored in the
archive; you don't need to remember them, you just need to access the archive.

For default, I have chosen 60-character password length, upper-lower-numbers-
spaces-special characters mix (as a rule of thumb, a longer password is
preferable to a more complex password).

For whatever reasons, some services refuse this combination - and that's a
huge red flag: if the service at least hashes the password, it should get a
uniform, eminently storable string out. If they care what characters go in ...
well I ain't saying they're storing the plaintext, but it's close enough to
arouse suspicion. One of the worst offenders seems to be Skype, with its
"maximum password length: 20 characters, no weird characters allowed." If that
happens, well, you can override the default and generate a weaker password for
that one service, or vote with your feet and not provide your account details
to such a suspicious contraption.
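Added example, written for this page and not code from the thread or from any of the managers named in it: a Python generator that does what the archive's built-in generator does (a uniformly random mix of character classes at a chosen length, drawn from the OS CSPRNG via `secrets`), plus the per-service override described above for a site that caps length or rejects character classes. The class names, the `AMBIGUOUS` set and the `allowed_by` policy checker are this example's own assumptions. Spaces are a separate class and off by default, because some login forms trim leading or trailing whitespace; turn them on per site once you have checked the site keeps them.

```python
import secrets
import string

# Character classes a manager lets you mix. Spaces are kept as their own class
# (see the lead-in) and are not in the default mix.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
    "space": " ",
}
# Characters that are easy to misread when a password must be typed by hand
# (assumed set for this example).
AMBIGUOUS = set("0O1lI|`'\"")

DEFAULT_CLASSES = ("lower", "upper", "digit", "special")


def has_every_class(password, classes=DEFAULT_CLASSES):
    """True if at least one character from each named class is present."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


def generate_password(length=60, classes=DEFAULT_CLASSES, require_each=True,
                      exclude_ambiguous=False, max_tries=1000):
    """Return a password chosen uniformly at random from the allowed alphabet.

    secrets.choice uses the OS CSPRNG; random.choice is not acceptable here.
    With require_each=True a candidate missing any requested class is rejected
    and redrawn.  Rejection sampling keeps the result uniform over the set of
    acceptable passwords; "pick one from each class, then shuffle" does not.
    """
    alphabet = "".join(CLASSES[c] for c in classes)
    if exclude_ambiguous:
        alphabet = "".join(ch for ch in alphabet if ch not in AMBIGUOUS)
    if require_each and length < len(classes):
        raise ValueError("length %d cannot contain %d classes" % (length, len(classes)))
    for _ in range(max_tries):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_each or has_every_class(candidate, classes):
            return candidate
    raise RuntimeError("could not satisfy the class requirements")


def allowed_by(password, max_len=None, allowed_classes=None):
    """Check a password against a service's stated restrictions, e.g. the
    'at most 20 characters, no weird characters' rule quoted in the thread."""
    if max_len is not None and len(password) > max_len:
        return False
    if allowed_classes is not None:
        permitted = "".join(CLASSES[c] for c in allowed_classes)
        return all(ch in permitted for ch in password)
    return True


if __name__ == "__main__":
    default = generate_password()
    print("default (60, all classes):", default)
    alnum_policy = dict(max_len=20, allowed_classes=("lower", "upper", "digit"))
    print("default fits the restrictive policy?", allowed_by(default, **alnum_policy))
    # Override the default for that one entry only, at the policy's own limits.
    print("restricted (20, alnum):   ",
          generate_password(length=20, classes=("lower", "upper", "digit")))
    print("typeable (16, no ambiguous):",
          generate_password(length=16, exclude_ambiguous=True))
```

The rejection loop is essentially free at these lengths: for a 20-character draw from the full printable set the chance of missing a whole class is well under one percent, and at 60 characters it is negligible.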

~~~
T-hawk
What do you folks using password managers/archives do for access from other
machines that don't have the password tool and database? Cloud-based password
storage (either in a Dropbox-like service or built in with the password
manager) doesn't feel kosher. This is what's stopped me from adopting a
password manager so far - I want to always have access to things like my
webmail and forum accounts from any internet client without a dependency on a
stored database.

~~~
yen223
Ain't nothing wrong with using KeePassX + Dropbox. In any case, if the
attacker can crack KeePassX's encryption, he can probably crack your forum
accounts directly.

------
Walkman
Just use LastPass [1], 1Password [2], Keepass [3] or whatever password manager
software you like and forget it. I prefer LastPass for seamless syncing and
multi-platformity. It can also check whether you use an existing password
multiple times!

1. [https://lastpass.com/](https://lastpass.com/)
2. [https://agilebits.com/onepassword](https://agilebits.com/onepassword)
3. [http://keepass.info/](http://keepass.info/)

~~~
reuven
I completely agree. I used to have systems upon systems for remembering
passwords, but I inevitably had accounts with the same password, and
remembering them was impossible after a while.

I started to use 1Password (for my Mac) about two years ago, and it probably
sat, unused, for the first six months. I knew that I was doing the wrong thing
by not using 1Password, but I was also frustrated by the thought that _every_
time I went to a Web site, I would need to click a few more times, instead of
letting my browser fill things in.

At a certain point, I realized that the only way to use good passwords was to
embrace the 1Password way of doing things. I slowly but surely changed all of
my passwords, and I feel much, much more secure nowadays. Each site has a
different, long, impossible-to-remember password -- but that's OK, because the
whole point is that the password shouldn't be possible to remember.

It takes time to use such systems, but they're incredibly worthwhile. And
after a while, their use becomes quite painless and natural.

~~~
Walkman
You can even set up LastPass to log you in automatically, so you don't have
to click submit or login buttons if you want!

~~~
jagermo
You can but you shouldn't, since there might be the chance of someone
listening in. [0]

[0] [https://news.ycombinator.com/item?id=6944929](https://news.ycombinator.com/item?id=6944929)

------
Oculus
Personally, I use a self devised algorithm for each service. In comes the
service's name, out comes a password.

An example of an algorithm could be the first two letters, the last two
letters and place those around the name of the person who created the service.
This is a poor and somewhat weak algorithm, but the main idea is given the
service's name you are not only able to derive the password, but each service
has a unique one.

~~~
deletes
I tried that once, but it is hard to determine what the name actually is,
especially after you forget it and have to reconstruct it.

Is it? = "Hacker News", "HackerNews", "Hacker news", "ycombinator",
"news.ycombinator.com"... you get the idea.

Even if you have a 100% reliable way to determine the name, the main problem
with this approach is that the name might get changed slightly and ruin your
scheme. And you can't remember the password because you didn't visit the site
for 4 months.

Example: Hacker News -> News for Hackers, or the domain you used for name gets
slightly changed.

Then what?

~~~
Oculus
I've yet to encounter a scenario where the name of the service changes. I
guess in that case you could always use something like internet archives to
see what the name was previously? The approach's success is in following a set
of rules unquestionably and for all services. So for example for all multi-
word services, you use camel case.

------
jcutrell
While I like the idea of using LastPass, I think the danger lies at wherever
your weakest link is, and the moment you choose to index your passwords
somewhere other than your brain, you are creating the potential for a
weakness.

Specifically, if someone gains access to your physical computer and they
figure out your LastPass password, what happens next?

If you choose to use LastPass, make sure you do it with a fantastically long,
entirely random password.

Example: "3BA^h<VQgj+nL%KP$ (this was completely randomly generated at
[http://passwordsgenerator.net/](http://passwordsgenerator.net/))

For a little reasoning, look into how passwords are generally hacked. Usually,
hackable passwords consist of words or l33t words (l!k3 th!5) that are
somewhat related to the person. A massive number of people use the same words
or patterns for these things, so a brute force attack informed by a l33t-smart
dictionary (minus the definitions) often is the cause for a hack like this.
Furthermore, in different languages, there are more frequently used letters
and spelling conventions, which can inform the dictionary's ordering or choice
of words. (Think: colour vs color)

However, if the person does indeed use a random sequence of characters, the
average person doesn't usually go outside the alphanumeric range. If the
password is only lowercase, that's 32 characters. If it contains uppercase,
that's 62 characters.

So then, we can take that information and use it to understand the complexity
of a brute force algorithm based on possible permutations and other info.

Take a look at this:
[http://www.passwordmeter.com/](http://www.passwordmeter.com/)

(Disclaimer: I do not hold any type of CS degree or formal training in
cryptography. I've listened to a few classes online though.)

~~~
Piskvorrr
Solid advice - except for three issues: 18 characters, in 2014, is not
"fantastically long" at all. The choice of lcase/lcase+ucase only gets you a
single bit per character typed - password length matters most, everything else
is just icing on the cake: nice, but non-essential. Also, password meters are
mostly harmful - the author takes some arbitrary rules and turns them into a
measurement - that's okay for weeding out horribly weak passwords, though.

~~~
Darkmyst
If the password is truly random (and uses the entire keyspace -
upper/lower/number/symbol) then 18 characters is fantastically long. At 1
trillion guesses per second it takes ~1.3 Trillion _Centuries_ to exhaustively
search the 18 character key space that uses all four things
(upper/lower/number/symbol)

------
citruspi
I used to use 1Password, but I've switched to pass[0]. I prefer it because
it's written for the command line and works really well. Your passwords are
encrypted with your GPG key. Check out the man page for usage and examples[1].
(It's available on Fedora via yum and on OS X via brew and there's also an iOS
app).

[0]: [http://www.zx2c4.com/projects/password-store/](http://www.zx2c4.com/projects/password-store/)

[1]: [http://git.zx2c4.com/password-store/about/](http://git.zx2c4.com/password-store/about/)

~~~
revasm
I'm quite stumped why there aren't more good password tools. Pass, vim-gnupg,
and SublimeGPG are all I've found. The application managers are atrocious --
not only the UIs but data format interoperability as well. Browser managers
are insane.

On another note, the pass documentation recommends a filesystem layout that
doesn't remember usernames. I used this scheme before going back to vim:

    
    
      www-website-com/id/username
      www-website-com/id/password
      www-website-com/id/other_field

~~~
citruspi
I generally organize stuff like I did in 1Password. So I have stuff like this:

    
    
        /logins/<domain>/<username>
        /servers/<hostname>/<username>
        /databases/<type>/<host>/<username>
    

Then I can do stuff like

    
    
        pass /logins/<domain>/<username> | pbcopy
    

and the password gets copied to my clipboard.

------
prav
I store the random passwords generated by tools like pwgen in an encrypted text
file (Vim ":X" feature configured for blowfish) which is encrypted with a long
complex password. The file is then kept in a Truecrypt volume in the cloud. I
still worry about the plain password in the clipboard when I do copy/paste from
the file.

I tried using tools like keepass and dashlane. They are good, and work most of
the time, but are irritating with a few sites, enough for me to not use them.

------
andrewaylett
I use Keepass, KeepassX, KeepassDroid and Dropbox to sync them all together. I
usually generate my passwords with `pwgen` rather than the purely-random
strings that come out of Keepass, as sometimes I'll want to type the password
by hand -- pwgen's passwords are much easier to copy as they avoid ambiguous
characters.

I recently went looking for a passphrase generator that supports the
[http://xkcd.com/936/](http://xkcd.com/936/) scheme, and failed to find one I
thought I could trust. So I created [1], which is about as simple as it can
get, is loaded (from my own server) over SSL and doesn't rely on anything
server-side or use any frameworks, so you can easily verify it by hand. It
does rely on Firefox at the moment as Chrome doesn't have the crypto functions
it needs yet. I intend to clean it up and publish it properly, but I'm all out
of tuits, let alone round ones.

[1]: [http://ares.aylett.co.uk/pw/](http://ares.aylett.co.uk/pw/)

~~~
kerkeslager
Just as a note, the [http://xkcd.com/936/](http://xkcd.com/936/) password
scheme has issues. See the discussion in the comments here:
[https://www.schneier.com/blog/archives/2012/09/recent_developm_1.html](https://www.schneier.com/blog/archives/2012/09/recent_developm_1.html)

~~~
zokier
I don't see any valid issues raised in that discussion beyond the question if
44ish bits of entropy is enough. And it is quite easy to bump the complexity
if necessary. Wordlist of 10000 words (instead of 2000) and 5 (instead of 4)
words and you get 66 bits of entropy (log2(10000^5)), which should be enough
for most uses.

edit: some numbers for scale: oclHashCat claims 2500M tries per second for
plain SHA1 with single HD7970 GPU. That would mean that 4 of 2000 word
passphrase would be cracked in 1.5 hours and 5 of 10000 word passphrase would
take 1268 years.
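The arithmetic behind the two exchanges above (the 18-character "fantastically long" debate between Piskvorrr and Darkmyst, and zokier's word-list figures), as an added example that is not part of the thread: entropy is `length * log2(alphabet)`, whether the alphabet is 95 printable characters or a 10,000-word list, and exhaustive search time is `alphabet ** length / guesses_per_second`. Assumptions made here: "upper/lower/number/symbol" is taken as the 95 printable ASCII characters, a year is 365 days (which is what reproduces the 1268-year figure), the two guess rates are the ones quoted in the thread, and `SAMPLE_WORDS` is a constructed toy list so the script runs offline. The expected time to hit one particular password is half the full-search time, and the guess rate is entirely a property of how the service hashed the password: a slow KDF cuts it by orders of magnitude, plain SHA-1 does not.

```python
import math
import secrets

SECONDS_PER_YEAR = 365 * 24 * 3600  # 365-day year, matching the 1268-year figure above


def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` choices,
    i.e. log2(alphabet_size ** length).  For a passphrase the alphabet is the
    word list and the length is the word count."""
    return length * math.log2(alphabet_size)


def keyspace(alphabet_size, length):
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length


def exhaustive_search_seconds(alphabet_size, length, guesses_per_second):
    """Time to try every candidate at a fixed guess rate.  Expected time to
    find one specific password is half of this."""
    return keyspace(alphabet_size, length) / guesses_per_second


def exhaustive_search_years(alphabet_size, length, guesses_per_second):
    return exhaustive_search_seconds(alphabet_size, length, guesses_per_second) / SECONDS_PER_YEAR


def make_passphrase(wordlist, n_words, separator=" "):
    """xkcd/Diceware-style passphrase: n_words drawn uniformly, with replacement,
    from the OS CSPRNG, so its entropy is exactly entropy_bits(len(wordlist), n_words)."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


# Constructed toy list so the script runs offline; use a real list of
# thousands of words (Diceware is 7776) for anything you intend to rely on.
SAMPLE_WORDS = ["forest", "monkey", "jump", "truck", "river", "candle", "orbit", "pepper"]

# Guess rates as quoted in the thread (assumed here, not measured).
GPU_SHA1 = 2_500_000_000   # one HD7970 against plain SHA-1
ONE_TRILLION = 10 ** 12    # the "1 trillion guesses per second" figure

SCENARIOS = [
    # label,                       alphabet, length, rate
    ("4 words from 2000",          2000,      4,  GPU_SHA1),
    ("5 words from 10000",         10000,     5,  GPU_SHA1),
    ("16 random printable ASCII",  95,       16,  ONE_TRILLION),
    ("18 random printable ASCII",  95,       18,  ONE_TRILLION),
    ("60 random printable ASCII",  95,       60,  ONE_TRILLION),
]


def scenario_table():
    """Rows of (label, bits, full-search years) for SCENARIOS."""
    return [(label, entropy_bits(a, n), exhaustive_search_years(a, n, rate))
            for label, a, n, rate in SCENARIOS]


if __name__ == "__main__":
    for label, bits, years in scenario_table():
        print("%-28s %6.1f bits  full search: %.3g years" % (label, bits, years))
    print("sample passphrase:", make_passphrase(SAMPLE_WORDS, 5),
          "(%.1f bits with this toy list)" % entropy_bits(len(SAMPLE_WORDS), 5))
```

Note what the table makes visible: going from 4 words out of 2000 to 5 out of 10000 adds about 22 bits, which at the same guess rate turns hours into centuries, and each extra random printable character adds about 6.6 bits regardless of which classes it came from.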

------
zokier
Most important stuff is already mentioned, but I'll add one important detail:

Consider which are most important accounts (email would be prime candidate)
and have the login details for them written up on a physical paper stored in a
secure place. This is to prevent catastrophic data loss in the situation where
your primary way of managing passwords fails for one reason or another.

~~~
AGKyle
I do a few things with this type of mindset.

I copy my 1Password keychain onto a USB drive, space is cheap so a 16gig USB
drive contains backups going back like 6 months. This drive also includes
other bits of data, like tax returns.

There are now two of these drives. Once every two weeks, or after significant
changes are made, I rotate them in and out of a safe deposit box.

At home I have the other in a fire safe.

One of my notes in my keychain is also instructions on what to do in case of
my inevitable demise :) What credit cards I have, what services I use, all of
that type of information.

The master password is stored in a safe location that only immediate family
know about. Along with location they know how to handle my affairs if
something were to happen to me.

It's a great backup system, but also helps handle taking care of things when
I'm gone as 1Password stores data about whatever you want and keeps it secure.

Hope that helps with some more ideas for how to use your password manager to
make your life easier.

Kyle Swank

AgileBits

------
waterhouse
For several online accounts, I am using a cryptographic hash of [the site
name] + [a secret phrase] to generate the password.

~~~
danielhughes
What do you do when the site requires that you change your password? Do you
use a different secret phrase? And if so how do you keep track of those?

~~~
waterhouse
Heh heh--uh, fortunately I have not encountered a site that ordered me to
change my password and forbade me to use an old one. If I had to deal with
that scenario... I guess I would create a file that had, on separate lines,
"[site name] [number of resets]", and would change the main script to take a
hash of [site name] + [secret phrase] + [output of "grep '^'$SITE_NAME' '
[that file]"].

Also, if I wanted this to work with multiple accounts on a single website, I
would have to include [account name] in the input to the hash function.

~~~
danielhughes
The forced password change seems to be popular with enterprise software
managed by a corporate IT department. A favorite policy they enforce is
something like the following..."You must change your password every 30 days.
Your new password must be different than your last 8. It must contain at least
one number and a mix of upper and lower case letters. It cannot be more than N
characters in length." It's kind of ridiculous and counter productive in that
it destroys an otherwise sensible strategy like the one you proposed
(referring to your first comment) and in its place you get employees doing
silly things like making their passwords Password1, Password2, Password3, etc
with each successive forced reset.

~~~
waterhouse
Gah, that's unfortunate, and perverse. My scheme has indeed been defeated by
the DMV's website capping the length of the password at 20, and there are a
couple I know it wouldn't work for because they require at least one non-
alphanumeric character.

On the plus side, all this brain-damage does seem fairly easy to incorporate
into an automatic scheme. Have another file that has a list of cutoff lengths
for each site that has them, and another file with special characters to
insert. Then the scheme becomes: hash [domain] + [secret] + [resets (if any)],
add special characters to the start (if any), and cut off the end of the
string (if necessary).
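The scheme described in this subthread, as an added example that is not waterhouse's own script: a deterministic password from hash(domain + secret + resets), with a per-site reset counter, a per-site length cap and a per-site special-character prefix kept in small tables that stand in for the "other files". The table contents, the `\x1f` field separator and `canonical_site` are this example's additions: the separator stops two different (site, account) pairs from feeding the hash the same bytes, and `canonical_site` pins down the one spelling of the name so the naming ambiguity raised earlier in the thread ("Hacker News" vs "news.ycombinator.com") cannot produce two different passwords. One caveat a practitioner should weigh: SHA-256 is fast, so if a service that stored plaintext leaks one derived password, an attacker can guess the secret phrase offline at GPU speed; either make the phrase long enough that this is hopeless, or swap `hashlib.sha256` for a slow KDF such as `hashlib.scrypt` or `hashlib.pbkdf2_hmac` with a large iteration count.

```python
import base64
import hashlib

# Per-site exception tables standing in for the "other files" described
# above. Constructed example data; sites with no entry get the plain scheme.
RESETS = {"dmv.example": 2}             # forced password changes so far
MAX_LENGTHS = {"dmv.example": 20}       # services that cap length
SPECIAL_PREFIX = {"bank.example": "!"}  # services that insist on a symbol


def canonical_site(name):
    """One spelling goes into the hash, so 'WWW.Example.com ', 'Example.com'
    and 'example.com' all derive the same password."""
    name = name.strip().lower()
    if name.startswith("www."):
        name = name[4:]
    return name


def derive_password(site, secret, account="", resets=0):
    """Deterministic password from site + account + secret + reset counter.

    Fields are joined with a separator, not concatenated, so ('ab', 'c') and
    ('a', 'bc') can never hash identically.  SHA-256 is what the scheme above
    uses; being fast, it puts the whole burden on the secret phrase.
    """
    material = "\x1f".join([canonical_site(site), account, secret, str(resets)])
    digest = hashlib.sha256(material.encode("utf-8")).digest()
    # 32 bytes -> 44 base64 characters with one '=' of padding; 43 once stripped.
    return base64.b64encode(digest).decode("ascii").rstrip("=")


def password_for(site, secret, account=""):
    """Apply the per-site exceptions on top of derive_password: reset counter,
    mandatory special-character prefix, then the length cap."""
    site = canonical_site(site)
    password = derive_password(site, secret, account, RESETS.get(site, 0))
    password = SPECIAL_PREFIX.get(site, "") + password
    limit = MAX_LENGTHS.get(site)
    return password[:limit] if limit else password


if __name__ == "__main__":
    import getpass
    secret = getpass.getpass("secret phrase: ")
    for site in ["news.ycombinator.com", "WWW.News.Ycombinator.com",
                 "dmv.example", "bank.example"]:
        print("%-26s %s" % (site, password_for(site, secret)))
```

Truncating to a cap keeps the leading characters of a uniformly random base64 string, so a 20-character cap still leaves roughly 120 bits; the prefix table costs nothing in entropy, since the hashed part is unchanged behind it.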

~~~
zokier
The primary (or even only) advantage of hash-based password management is its
stateless nature. Once you begin to introduce files (i.e. extra state) to
support the system you might as well use fully randomized passwords stored in a
file.

~~~
waterhouse
You have a point. Another advantage is, all that state other than the secret
phrase is insufficient to derive the password, and could be passed around
insecurely, while the secret phrase could be memorized. But I suppose one
might achieve the same thing with a GPG-encrypted file of randomly generated
passwords. Still, if you lose all relevant files, you should be able to
reconstruct the hashing scheme and recreate all passwords that didn't require
state. Whether this matters is up to the reader.

------
antr
I use the combo of OnePassword for password management + Leemail to have a
unique email address for every service/website I use. Leemail also makes it
easy to block any emails which get leaked to spammers or companies that
ignore unsubscribe requests. i.e. one unique email and one unique password for
every service I use.

~~~
danielhughes
How many devices do you use 1Password on? I tend to work on two Macs, a Windows
PC, an Android phone, an iPhone and an iPad. Maybe that's a bit excessive but
it's certainly common to have at least a few devices. I keep getting turned
off by 1Password's licensing model which requires separate software purchases
for each device. It's not the total cost that bothers me but rather that the
model suggests to me that using 1Password across a lot of devices is going to
be a hassle. I'm curious if that is your experience.

~~~
rickyc091
I'm using mine on one Mac, one PC, iPhone / iPad and I'm not really having
issues with the licensing. I'm actually having issues with syncing the data...

~~~
AGKyle
Hi there!

Please contact us at support @ agilebits . com, no spaces. We'll be happy to
help get things working. You're free to mention my name and someone will pass
it along to me personally.

Include each device (like above) along with what syncing method you are using
(Dropbox, wifi, iCloud).

This goes for anyone who has trouble. You're welcome to contact us for
support, we do everything we can to help support our users if they run into
trouble. Please don't hesitate to contact us.

Kyle Swank

AgileBits

------
DanBC
The easy answer is a good quality password manager. You use that to generate
passwords that are as long and complex as the sites / services you use will
allow.

You then generate a Diceware passphrase. It's easy enough to learn a 6 word
passphrase.

You can combine a passphrase with a Yubikey for 2FA.

There are risks and problems.

We don't know how secure password safes actually are.

It's hard to maintain these across multiple platforms.

It's hard to integrate them with existing software flows - Chrome remembering
passwords or OSX keychain for example.

Yubikey is almost brilliant, but the small miss means it's actually very
frustrating to use.

Edit: this also doesn't cover what happens if you suffer a brain injury or
die. You need some mechanism so people can admin your affairs in those
situations.

Edit2: you might want to use a spycoin if you travel across international
borders.

------
zdw
Use very complex, unique passwords for everything. Generate these passwords
with a tool like pwgen, the OS X keychain, etc. This contains a password leak
to only the systems that share the same password.

Use encrypted storage for your passwords, protected by a master password.
This can be as simple as text files on an encrypted volume, or a more
complicated password manager.

When you can avoid using passwords, do so. For example, key based SSH auth
prevents you from having to re-enter passwords all the time, and is generally
more secure.

When given the option of 2-factor authentication, take it. 2FA + a weak
password is usually better for security than a strong password without 2FA.

------
gmuslera
Have 2 kinds of passwords. A small set for passwords that could retrieve
others (mail, password manager that you must have, computer/phone,
offline/offcomputer ones) that must be easy to remember/rebuild for you, but
very hard to break in practice (if you want, generate them using your
variation of the xkcd approach). And the rest to be basically random, long,
with a big charset, all different for each site and generated and kept in a
password manager (that should have an offline storage, like KeePassX, even if
you sync them on your devices using dropbox/google drive/etc)

------
mburgosh
I've always been attracted to use a password archive service, but there is one
use case that I encounter very often, maybe you can help me by answering how
you deal with this.

What do you do when you need to connect on a PC that is not yours? This
happens very often at parties when people want me to use my Spotify.

Also do you keep your rsa passphrase in the archive?

As for what I do now: I integrate the service name in my password in different
ways depending on the name. The combination is long enough and has enough
entropy that I feel comfortable against bruteforce attacks, but is quite a
mind juggle to find my password sometimes.

------
bdesimone
It's less complicated than what I'm reading here.

* Use a passphrase of at least five random words.[1]

* Keep that passphrase secret.[2]

* Use a password manager like 1Password or Keepass to generate and manage all other passwords.[3]

[1]: Good passwords have high entropy and are easy to remember. For that
reason, passphrases are preferred to passwords.

[2]: It's ok to write down your passphrase, but keep it somewhere safe -- like
your wallet.

[3]: Password managers prevent password reuse and make life easier. Sync
passwords across devices.

for more: [http://bdd.io/security](http://bdd.io/security) , with linked
justifications.

------
data-cat
I like to take a long phrase (usually some lyrics from a song) and convert it
into a mnemonic. By combining the first letter of each word in the phrase,
and converting some of them into numbers or symbols, I am left with a
relatively secure password that is easy to remember.

For instance...

"Cause I know that time has numbered my days And I'll go along with everything
you say"

Becomes...

ciktthnmdaigaweys

Becomes...

c1k77hnmd41g4w3y5

I use this system for all of my passwords. I try to use a different password
as often as possible and never have to write them down. Frequently used
passwords have gotten to the point where inputting them is an exercise in
muscle memory.

~~~
shawabawa3
ugh that looks horrendous. I tried this out at one point with a song lyric
that was around 7 words. Took me about 20 seconds each time to type the
password (had to sing the song in my head every single time).

Now I just use the xkcd method. e.g. forest monkey jump truck

I have a different password for everything, which is something like 50
different passwords. I know around ~15 of them by heart - the rest I almost
never use (I store them on google drive behind 2FA for when I need them)

~~~
data-cat
Lol yea passwords that are not frequently used can take a while to input. I do
sing the song in my head almost every time.

What I would really like to do is program a simple command line application
that would generate and store all of my passwords. I started on one a while
ago but never finished it; it's on my to-do list.

------
JimmaDaRustla
I use lastpass with yubikey.

Password to lastpass is long and completely unique - not used anywhere else.

lastpass generates and maintains passwords for all sites - they are all 16
characters long (long passwords are key for preventing bruteforce typically),
unique, and they all contain numbers, upper and lower case characters, and
symbols.

The thought process is - if one of the passwords is compromised (hacked site,
brute force, etc.), the same password will not be usable on other sites. I had
this happen in my WoW days.

Edit: I have the lastpass app trusted on my phone so I have access on the go.

------
tomnovis
To be different from the other comments, here are different examples:

You could use a password card[1]. Just print it and keep it in a safe place
(your wallet :-D).

or

Get a long and complex password you can remember (there are lots of techniques
to create and remember a password). After that add a site-specific phrase to
your password. For example: [YourLongAndComplexPassword]H4ck3rn3w$ As you can
see, H4ck3rn3w$ is the site-specific phrase for the Hacker News website.

[1] [http://www.passwordcard.org](http://www.passwordcard.org)

~~~
Darkmyst
"[YourLongAndComplexPassword]H4ck3rn3w$"

This is not a good approach. The problem arises when some third party stores
your password in clear text or some easily reversible format that allows
hackers to easily get this "[YourLongAndComplexPassword]" part thus reducing
your password to the easily predictable suffix.

If your unique Hacker News suffix is H4ck3rn3w$ it's a fairly safe bet that
$l4shd0t, R3dd!+, Gm4i! will also be easily predictable.

------
Phoenix912
You should use KeePass, with automatically generated passwords and expiration
dates. 60 characters is far too much, 16 is good with numbers, letters and
special characters.

I don't use any american solutions due to Snowden's revelations. I don't want
NSA on my passwords. Prefer an open source program.

If you want a cloud system, with keepass on your smartphone automatically
updated, I think you should create your owncloud server.

~~~
Piskvorrr
Why does it matter to the user how many characters are in the password? Xe
never interacts with that string directly anyway; and password _length_
strongly correlates with password _strength_. 16 is way, way too low - the
rainbow tables for this size are already widely available, and most sites
still go for the lowest security possible (single password hash, unsalted).

~~~
Suitov
I go for 64 as a default length, but it's surprising how many sites respond
with "No! You can't have more than 8/10/12 characters or I'll sulk!" Makes me
extremely suspicious re: just how they're storing them.

------
nulluk
Good timing on this post, recently decided to shape up my own practices.

I'm currently storing everything in a separate OSX keychain with a strong 20+
character password but there seems to be very little out there describing how
OSX encrypts the notes. I can only find articles from a few years ago stating
it's 3DES but I would like to think it's been upgraded since then.

------
thrush
There has been a lot of research done at CMU recently regarding how to pick
passwords. This paper is a good starting point:
[http://www.cs.cmu.edu/~agrao/paper/Effect_of_Grammar_on_Security_of_Long_Passwords.pdf](http://www.cs.cmu.edu/~agrao/paper/Effect_of_Grammar_on_Security_of_Long_Passwords.pdf)

------
cerberusss
I use a password that I keep in my head for my bank and credit card. Another
for Amazon, GMail, Apple ID and my Linux server.

And for the rest of the bunch, I switched to 1Password. It doesn't support
Linux, but that's okay for me. I do most of my browsing on iPad and MacBook.

~~~
larrik
I would strongly recommend having your GMail password be different than all of
your other passwords, plus with 2-factor authentication. Getting access to
your GMail means that someone could easily get access to any service you use
that account on.

Yes, this means your GMail password security is likely more important than
your bank's.

------
jagermo
I switched to Lastpass a few years back and never want to go back. Recently I
upgraded it with a yubikey ([http://yubikey.com/](http://yubikey.com/))

