Ask HN: How'd you manage the password managers' master password?

[imcotton]

In general, I like to be helped by password managers to do the heavy lifting, but how to make out the best of the master password?

xkcd/936 is OK-ish for educated geeks, but in practice for a large amount of no-tech users, they only have a few candidates of fruits, sports, animals, or city names to pick from, let alone not to mass it up in memory at some point.

For now, the best option seems to store a complex master password in your phone's keychain and protect it with biometric authentication, but it's important to keep your phone safe. If someone steals your iPhone and the passcode, they could wipe out your iCloud account within just a few clicks.

Now shameless plug, I've just posted "accdoo cipher" on Show HN two days ago [1], and if you have one second to spare, here is my pa33w0rd for demonstration [2].

Any other ideas?

btw: I feel relieved that password managers (Bitwarden and 1Password for example) only require a minimum length for your master password. There are no complicated rules to follow, which is great. I hope other companies follow their approach.

[1]: https://news.ycombinator.com/item?id=39115559

[2]: https://accdoo.app/#0118-999-881-999-119-7253#256

[kutenai]

I just memorize it. Write it on a small sticky and hid it somewhere for a period of time until the master is memorized.. then destroy it.

you could write it on that flame paper they use in spy novels.. now that would be cool also. Does Amazon carry that?

[balou23]

Bruce Schneier recommends cigarette rolling papers

> Burning is probably the best method of data destruction available, but think about the paper. Ungummed, rice cigarette papers seem ideally suited to this role. A colleague did some tests with Club Cabaret Width papers, and they burn completely.

> It’s not as difficult to write on cigarette papers as you might think. Using a No. 2 pencil with a fine but blunt tip works well. A No. 3 pencil works better, but it is a bit weirder to be carrying. Pens have a number of problems. First the extremely hard tip of the pen is more likely to leave impressions in the surface below the paper. Also, anything with ink has the possibility to bleed through to the surface below.

> And good cigarette papers are made to burn cleanly and completely. The Club papers burned best when allowed to burn in the free air. That is, lit and released at about chest level. These papers also have the advantage of having very low volume and could be easily eaten if required.

https://www.schneier.com/academic/solitaire/

[idw]

FYI it's called flash paper, plenty of sources online

[roland35]

I have a circle of password managers all storing each other's master password

[philomath_mn]

I hope this is real -- how long is the cycle?

[mortallywounded]

I'm not really sure what it's called, but mine is based on a sentence I have memorized combined with some fixed symbols. I basically take the first letter of each word and keep capitalization and symbols.

For example, if the sentence I memorized is, "I dreamt I was a butterfly! What a wonderful sight it was." my password would be: IdIwab!Wawsiw.

[acheong08]

I’ll be changing my password after this comment but here’s how I did mine:

<nickname unused since 12 years ago><phone number that no longer exists><another phone number but with shift keys><random http status code>

[vipa123]

For some password hardening I take a short random password I already have memorized like abc1oktt and then use my own phonetic change... For example, That one becomes ehbesee1ohcayteaTea... For my master password I take three different of these and just concatenate them together to make a nice long passphrase... Not for everyone, I'm sure. But for me it essentially reinforces and reuses passwords I've known for 25 years... I also convert numbers like SSN or phone with a similar poor cipher... Nein,Ate,Sefen etc..

[Zetobal]

My favorite band has really long song titles so it's rotating between song names with some added numbers.

My last one was "The One Armed Boxer vs. the Flying Guillotine.1234". Numbers changed ofc ;)

[ChoGGi]

That's a movie title (as well), pretty enjoyable one.

[zwayhowder]

I use Diceware. 6 random words with alphanumeric padding. So basically the XKCD, but something like:

correct_2_horse_2_battery_2_staple. In my experience it doesn't take long to memorise the words.

I have two passwords I know off by heart, my password manager and my gmail (just in case). I also capitalise a certain letter in each word, but that pattern is in my head only.

I am of course lazy, so I use biometrics on my phone/tablet/laptop to minimise the need for entering my password. But I wouldn't if I still worked in a high risk industry.

[louwhopley]

What's your thoughts on keeping a separate Gmail password (that's not stored in the password manager, vs keeping it inside the password manager?

Assuming Gmail account is the core email behind majority of services, so breaching that account would allow password reset on most other services.

[4oo4]

You probably want 2FA as a means of separation instead. Not storing it in your password manager makes it more likely to be a weaker password since you have to manually type it in. However keeping your TOTP codes separate from your password manager, or better yet using a Yubikey that can't be phished means you get a long complex password that can autofill, but also means your Gmail can't be breached by just your password manager secrets leaking alone. Also, aside from the idiocy and amateurism of LastPass, password manager breaches/leaks are rare, as long as it's well designed and you have a strong master password.

[zwayhowder]

I have both. But it isn't weaker. To be clear my gmail password and my password manager password are both 40-60 characters long.

I also have TOTP and a Yubikey and a Passkey etc etc.

I was more protecting myself against a situation where my password manager was unavailable AND I needed access to my email urgently. Which has happened at least twice to me in the past.

Though to be fair once was Lastpass about 15 years ago when they reset everyone's password because of suspicious logs in an abundance of caution. That's right there was a time they were a "good" organisation.

[Shatnerz]

Link for the lazy: https://xkcd.com/936/

I came here to post essentially the same thing.

[wruza]

There's an ancient trick to memorize your complex password: enter it twice a day for a week or so.

[account-5]

I don't know the master password for my password manager. I remember the way I type it on the keyboard. Disadvantage being I really need to be in front of a standard keyboard to open the vault.

I also use a keyfile too for added security.

[ssss11]

Multiple words strung together that are important to you…

[Erratic6576]

Song verses are easy to memorise and quite long to type

[blinded]

I just memorize the 20 char random strings.

[patatino]

Printed emergency kit from 1Password in a bank safe so my wife can access everything if I die.

[embeng4096]

It usually shows up as stars so I don't need to worry about other people seeing it, see: hunter2

Jokes aside, I memorize my password manager's master password, and have it written down in a notebook but in a different glyph set (Idk the scientific name). It's not ciphered or anything so can be decoded, but the chances of somebody recognizing Elian script are fairly low, I think, and recognizing something like Royal House of Riftgard script even lower. And if you use something like Elian script it can be obfuscated further by stylistic alterations. That, combined with a rotating cipher, even something like rot13, is probably enough to defeat all but the most determined attackers, in which case I'll have bigger things to worry about, like the XKCD wrench (https://xkcd.com/538/)

[millzlane]

supersecure password X 2

s0 S2oMeThIng Tha! uses words with r@ndom CaPs spaces 123456789s and Spec!@l ch@racters=-!s0 S2oMeThIng Tha! uses words with r@ndom CaPs spaces 123456789s and Spec!@l ch@racters=-!

[ElevenLathe]

Keep it on a piece of paper somewhere safe.

[yoyopa]

Passw0rd!@#$!@#$!@#$!@#$

[_ktnd]

I have three options for you, along with my two cents on each:

1) *Bitwarden:*

I am no longer using Bitwarden since they can delete your account at any time for any reason[5].

2) *KeePassXC:*

For KeePassXC, you need to store your "Passwords.kdbx" (~16 kB) database file somewhere and remember a master password.

3) *Spectre (https://spectre.app/)\\\*

I haven't tried it yet; however, Spectre calculates your password each time you need it. All you need is a name (e.g., your full name), your master password (see Diceware[1]), and the site name, from which Spectre algorithmically calculates your password. If you need to change a site's password, iterate the counter and calculate a new password.

It works offline and is open source. Here's a web app version that runs locally:

[Spectre Web App](https://spectre.pw/)

*Bonus: One-Time Pad + (Layman-ish) Physics:*

There are plenty of reasons to be paranoid[2]:

  - Firmware-wise (e.g., Intel Management Engine, Coreboot, Libreboot, system on a chip)
  - Hardware-wise (i.e., Von Neumann architecture - Code + Data)
  - Operating System-wise
    (e.g., 0-click exploits, remote code execution to manipulate the CPU's instruction pointer,
     stack overflow, Pegasus)
  - Facility-wise (e.g., electromagnetic waves, cell towers, Faraday cloth)
  - You (making mistakes)

Given the above, I would first base everything on "true"[A] randomness (see random.org or roll casino-grade dice). "True" randomness is essentially: "every outcome has the same probability." As long as backward time traveling remains impossible, I would abstain from computers and simply follow the One-Time Pad protocol with a pen and paper, among other things.

  Message: Hello -> ASCII -> Binary

  Key: 5EYES (keep this private, must be random)

  Cipher: <Message in binary format> XOR <Key in binary format> -> convert back to ASCII

The above is just one (i.e., XOR) out of many ways to follow the one-time pad protocol. For 128 characters, you need a random number from 0 to 127. However, you need to ensure that each number has the same probability to show up. Perhaps there is a way to encode or "rename" the numbers from 0 to 127 with a string of digits 1, 2, 3, 4, 5, 6 so that you can roll a die multiple times in a row to randomly get a number between 0 to 127 (see Diceware[1]). One-time pad might be good to encrypt your master password.

*References:*

  1. Diceware, [Wikipedia](https://en.wikipedia.org/wiki/Diceware)
  2. CS155 - Computer and Network Security,
     [Stanford](https://crypto.stanford.edu/cs155old/cs155-spring18/syllabus.html)
  3. [One-time pad - Wikipedia](https://en.wikipedia.org/wiki/One-time_pad)

  4. Animated Explanation of the one-time pad, https://www.youtube.com/watch?v=QVV_bUxxiZ8

  5. https://tosdr.org/en/service/1348

*Notes:*

  A) If you assume determinism (because our current "collective bias" leads us that way),
     then the quote marks are okay; if not, then not.

  Personally, everything seems to be based on assumptions or beliefs anyway (your existence, math, ...),
  so I go by "ignorance is bliss."