
Write Down Your Password - rayvega
http://www.schneier.com/blog/archives/2005/06/write_down_your.html
======
DeusExMachina
I use an algorithm to have different high security passwords for different
websites and still be able to remember them following rules I adopt for every
website. I mix my username, the website url, a known token and some
punctuation.

Example: let's say that I need a password for hacker news.

- Let's say that I like dolphins, so my chosen token will be Dol

- I decide to take the second letter from each word in my username: exa (D_e_usE_x_M_a_china)

- I decide to take the third letter from each word in the domain name: wom

- I then choose some punctuation to mix in the password: #&%

Now I'm ready to assemble my password: Dol#exa&wom%

If I have an account on www.yahoo.com with ginger.roger as username, the
password would be Dol#io&whm%

It's long enough (but I can make it longer, if I want), uses capital letters
and special characters (you can also throw in some numbers, this was just an
example) and if someone looks into a database the password is not
distinguishable from a random one.
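
The derivation rule above as runnable code, added here as an illustration (it is not the commenter's own code); it assumes the hacker news domain is news.ycombinator.com, which is what yields the "wom" in the post, and that the three punctuation characters are used in the order given.

```python
import re

# Added example, not the commenter's own code: implements the rule
# "token, 2nd letter of each username word, 3rd letter of each domain word,
# separated by three punctuation characters" so the worked values can be checked.


def words(s):
    """Split a username or domain into words: on dots and other separators and
    on camel-case boundaries ("DeusExMachina" -> Deus, Ex, Machina)."""
    out = []
    for chunk in re.split(r"[^A-Za-z0-9]+", s):
        out.extend(re.findall(r"[A-Z]?[a-z0-9]+|[A-Z]+(?![a-z])", chunk))
    return out


def nth_letters(s, n):
    """The n-th letter (1-based) of every word of s that is long enough."""
    return "".join(w[n - 1] for w in words(s) if len(w) >= n)


def derive_password(token, username, domain, punctuation="#&%"):
    """Assemble: token, p1, 2nd letters of username, p2, 3rd letters of domain, p3."""
    p1, p2, p3 = punctuation
    return f"{token}{p1}{nth_letters(username, 2)}{p2}{nth_letters(domain, 3)}{p3}"


def secret_length(token, punctuation="#&%"):
    """Characters of the result that do not come from the (public) username
    and domain: only the token and the punctuation are actually secret."""
    return len(token) + len(punctuation)


if __name__ == "__main__":
    # Assumed domain for "hacker news": news.ycombinator.com
    for user, site in [("DeusExMachina", "news.ycombinator.com"),
                       ("ginger.roger", "www.yahoo.com")]:
        pw = derive_password("Dol", user, site)
        print(f"{user} @ {site}: {pw} ({secret_length('Dol')} of {len(pw)} chars secret)")
```

Since the username and domain are public inputs, only the token and punctuation carry any secrecy, so the effective secret is much shorter than the 12-character result suggests.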

~~~
tjogin
I use a similar method; the "algorithm" is different of course, but I too use
a unique password for every account I have anywhere, which I calculate in a
similar fashion.

My algorithm is a bit simpler than the one you described though, I can figure
out a password I don't remember in just a few seconds. That also makes it less
secure of course, I just think it's _sufficiently_ secure.

------
harisenbon
I still enjoy the method I picked up from patio11: a sentence with a few
numbers thrown in and maybe a misspelling that only I'll remember. This works
exceedingly well as I also speak Japanese and throw in wrongly transliterated
Japanese words into the mix. I can have 2-3 passwords (throwaways and "OMG
never use this outside of the most secure sites") and remember them all
easily.

Ex: howdoyoudoandwhatdidyoudohavetodayfordinner?345

------
chronomex
My solution: random passwords for everything, in a file in my ~/. Each line
contains:

    <site> <username> <password>

And ~/bin/psw:

    #!/bin/sh
    # decrypt the password list and print the entries matching the site name given as $1
    gpg --decrypt "$HOME/passwords.gpg" | grep -- "$1"

Simple, done.

~~~
wizard_2
Simple and elegant, that really sells it for me. I use SuperGenPass which is
great as long as you can run javascript when you need your password. The
latest trouble I've been having is on my android device when logging into
applications. It's enough to make me want to learn how to write an input
method for android/supergenpass.

------
sliverstorm
I break it down like this:

Short, low security (simple passwords, e.g. a mashup of 2 words or an uncommon
word with a typo/1337 edit): Memory

Very very long, or very very infrequently used: Paper slips. Stored somewhere
less obvious than a wallet.

Lastly, my favorite: Long/High security: My hands. No joke. The muscle memory
in my hands currently knows about 5 complex passwords that my brain has
partially forgotten. The only way I can give someone the password is to
pretend I'm typing on a keyboard and tell him what I'm typing.

~~~
patio11
I lost one of my best passphrases, to Bank of America, because after eight
years of having it in muscle memory I became unable to recall it. Two days
after getting it reset (to something far less secure, of course) I was typing
it accurately again...

Pah, I'm getting old.

------
wisty
Here's a twist - write them all down, but have a common prefix, suffix or
replacement that you use. So every password on the paper is followed by
"pi43?".

------
derefr
My last password (now changed everywhere it was used) was "I once had a
giraffe named Benjee. He was a mightily large fellow!"

Happily, nothing ever said "maximum length exceeded" when I registered that. I
think, like our move away from IE6, the short password days are mostly over.

------
petercooper
Thankfully systems like 1Password have made this process automatic and still
secure, across multiple devices. You can even put all your passwords on your
iPhone :-)

That said, for things like PIN numbers for credit cards, etc, you can come up
with some reasonably secure but still not easily guessed systems, such as
using the last digit of each quad of digits on the card or two pre-decided
groups of two. Different PINs everywhere, hard for anyone else to guess, and
not hard for you to figure out :-)

------
steveplace
I do this, but I leave it on a sticky note behind a piece of furniture, or in
a file folder related to the account. But I don't put the actual password on;
rather, my passwords consist of a "leetspeak" word, and the sticky note has a
fairly simple hint one to two degrees out-- but if you even guessed the
answer, you would still have to figure out the numbers in combination.

For example, if I used 5p0ng3b0b, I would write "who lives in a pineapple
under the sea?" or "Patrick"

------
wkdown
Not to plug my own blog entry, but I think I came up with a pretty good way to
have secure, gibberish passwords that you can still remember ...

<http://blog.wkdown.com/2010/04/easy-to-remember-secure-passwords/>

... or maybe I'm missing how this would be easy to break? Dictionary wouldn't
work, brute force would take too long, and idk enough about rainbow tables to
know their time frame.

------
zalew
Writing on a piece of paper is exactly what I do. With one difference, that I
find having them in the wallet really stupid advice. The ones I use the
most, I remember, and just in case I have them securely written at home along
with lots of other ones, in a place only I know. Why would I carry them around
where there's a chance someone can look at them (even when obfuscated) and I
won't even know that they have been copied?

~~~
derefr
I take it you leave your credit cards at home as well, then? There's
definitely "a chance someone can look at them (even when obfuscated) and I
won't even know that they have been copied."

------
dugmartin
Or you could print out a password chart:

<http://www.passwordchart.com/>

~~~
leftcoaster
this is awesome but for the annoying number of sites that demand short
passwords.

------
isleyaardvark
I strongly disagree with the idea of keeping passwords in your wallet. Do I
really need my PayPal password in my wallet? No. If I'm doing something that
requires a password I'm probably at home or the office and I should have a
relatively safe place to keep passwords at either location.

------
bartl
That's what I've been doing for years. If it's good enough for my credit
cards, then it definitely will be good enough for my passwords, won't it?

~~~
philh
If your credit cards get stolen, you can cancel them. If they're used before
you get a chance to cancel them, you aren't liable for those charges.

If your password gets stolen, you _might_ be able to change it. But if the
attacker gets there first, all you can do is get in touch with the website and
say "my password got stolen and changed, please return my account" and hope
they comply.

If you don't write down what your password is for, you're probably safe (but
keep a backup, especially for email) - but only as long as most people don't
do this.

------
hackermom
Bit by bit, people will memorize long passwords, too, after repeated exposure
and handling, and at that point they will stop using the piece of paper with
their long, hard-to-guess password scribbled down on, and it will have turned
into one more memorized password.

The one single _long_ password I have is 28 characters long; a random password
I tapped on the keyboard and then wrote down on a piece of paper, used to
administrate my ADSL modem's NAT/wifi/etc. which sadly can't be configured to
allow only local login, hence the need for an "unguessable" password -
however, not only have I _inadvertently_, from typing in the password many
times, memorized the full password by the character, but I've also
inadvertently memorized it _motorically_, and can without thinking repeat it
on the keyboard in a second.

I agree fully with Schneier's advice, though, as the longer and the more random
the password, the lower the chance for a dictionary or brute force success,
but I'd store the piece of paper somewhere else than in my wallet :)

------
mdg
I take my passwords straight out of the obscure underground hiphop lyrics I
listen to every day.

