I don't understand why people jump through so many hoops and complexities when it comes to passwords. Like "seasonal" passwords described in this article. Multiple friends have told me they have an "algorithm" they use to derive their password for any website (it's basically a manual mental hash of some base password and the website name). Other friends have told me they keep a rotation of 3-5 passwords and have a rule for which to use for certain types of websites.
Like, I really don't get it. Why not just use a password manager. I always tell these people to just sign up for a password manager and they always resist and say no. I must be missing something obvious.
Just use a password manager! Basically all password managers will generate a random string for a password when you add a new credential. You never even have to look at it or know what it is.
A password manager relies on a single point of failure secret (master password), while the website-hash approach relies on a single point of failure secret (master key derivation algorithm).
It's really no different, so I think there must be some human biased thinking at play. Except the password manager requires a central or synchronizing computer system, while the in-head key derivation approach requires no such thing.
The trade off is that pass mgnrs give more convenience, but have slightly more failure modes (not knowing the master password, not having access to the synchronization or master vault, not wanting to log into a pass mngr on a potentially compromised computer when you only need a single password you are willing to sacrifice) while the in-head approach has a single one: not remembering the derivation method.
ETA: both are sensitive to sites changing names or URLs. But password managers more so (requiring extra searching and clicks) while in a mental key derivation context, you would probably remember "oh, it's protonmail." without explicitly needing to distinguish "login.proton.me" from their old URL. But, that does make the key derivation approach slightly more susceptible to phishing. Not seeing the password autofill at least gives mental pause.
Hash method is prone to websites that rotates passwords, have limits in passwords, have certain rules known passwords.
Also, if website database is breached then you may want to create a different password.
Plus, username needs to be stored as well sometimes.
Your mental password-generation scheme is equally susceptible to the “master password” being lost or forgotten. Why do you assume you can remember a bunch of rules plus a password, if you can’t remember the password itself?
Synchronizing is easy, put it in a network share or Dropbox/google drive/iCloud. If for some reason it’s inaccessible, keepass/dropbox will synchronize any local changes the next time you open the manager while you’re at home. This is a solved problem.
You missed a few glaring failure modes in the mental model one - one of the most extreme is if someone pops your password on two sites, they can likely derive all your other passwords.
I'd go further and point out that derived secret systems put all your future passwords at risk. Whereas a password manager is only your current and past passwords.
No. I will never put all my passwords into some black box, no matter how it is pitched to me, and certainly I won't pay for that "privilege". I have all my passwords written down in a sheet of paper slightly obfuscated to make them pretty much worthless even if someone found them (actually I have multiple copies, stored in multiple places). They are all mnemonic to begin with. So if my computer dies, for example, my life continues just like before.
I don't have "real" social media accounts to begin with, so my life won't be ruined even if someone cracked all my passwords. Mostly it's just accounts for various online shops I've used during the years. I really don't care if someone hacks those. And access to my bank is pretty much worthless if you don't have my phone and the pin code sheet too. Well I don't have big money in bank anyway, so the crime doesn't pay well in any case.
> I will never put all my passwords into some black box […]. I have all my passwords written down in a sheet of paper slightly obfuscated to make them pretty much worthless even if someone found them (actually I have multiple copies, stored in multiple places).
Well, his sheets of paper could be obtained by 10s to 100s of people with physical access who then might figure out the obfuscation (or burn down in a fire, but copies mitigate that).
Some fancy password manager service can be attacked by anyone with a network connection or the budget to buy the company. And there's an actual incentive to attack the password service because it doesn't just have parent's passwords, it has many passwords.
I think the only downside to the sheet of paper is that people with physical access are probably more likely to be specifically interested in you, and therefore willing to put in the effort to figure it out. But they'd probably figure it out anyway if they're that interested (install a keylogger or camera or something).
> I always tell these people to just sign up for a password manager and they always resist and say no. I must be missing something obvious.
Maybe they don't want to be relying on a random third-party for all their passwords?
Rather than getting them to sign up for a password manager, what about getting them to install a password manager? I use https://www.passwordstore.org/ - it encrypts your passwords with GPG, and shares the storage via a Git repository for synchronisation between different machines.
> Like, I really don't get it. Why not just use a password manager. I always tell these people to just sign up for a password manager and they always resist and say no. I must be missing something obvious.
Simple, I don’t trust a cloud service to keep the data secure, and I don’t trust myself to self host and keep the data safe (and not get corrupted) while simultaneously getting that data on all devices and synced.
The flaw of password managers is that you don’t know the passwords you’re using for your sites. That is, if the data was lost, you’d have to do an account recovery, which for some sites is fine, for others it can be a nightmare though.
Alongside this, it is a hard problem to have to simultaneously get all of these copied-pasted passwords on each device without inherently putting them on the Internet (albeit with a password in front of them). Given a threat model of password managers being inherently valuable targets, data going in and out of them is inherently vulnerable for when an exploit is inevitably found.
I’m not saying any of these problems makes mental hash algorithms or rotating passwords better, but password managers do have inherent flaws that make them still an unideal tool.
Also, I find it ironic in the modern day that a simple sticky note next to your computer is probably one of the better solutions to password management, if people invading your physical space isn’t part of your threat model (which is usually the case).
> The flaw of password managers is that you don’t know the passwords you’re using for your sites. That is, if the data was lost, you’d have to do an account recovery, which for some sites is fine, for others it can be a nightmare though.
It's typically a 5-minute process, which I know because services regularly force password resets quite often.
> …I don’t trust a cloud service to keep the data secure.
Fair enough, there are definitely shady SaaS vendors. My password manager is a SaaS with a long history (2006), which has no access to my account passwords or Secret Keys and could not reset or recover them for me if I asked. I'm personally satisfied with that.
Have you considered the benefits? For example, I know I currently have 1,161 account logins on various sites/services, 278 of which have "fantastic" passwords, and 144 which have "fair" passwords that I should really go back and update (surely from my pre-password-manager days). I know there are 5 accounts that now support 2FA, and many more which now support passkeys. I know when I've last used each so I can easily close old accounts, which I gradually do.
That kind of awareness/security hygiene enablement would be tough (if not impossible) to replicate manually.
If the endgame of passwords is for everyone to use password managers for their passwords, and never to actually learn their passwords, then why bother with passwords at all? It seems to endgame would be for every service to give up passwords, and switch to OTP codes entirely. I'd prefer that world, honestly. Yet I haven't seen many people talk about the possibility, so maybe I'm missing something obvious? I don't know.
> If the endgame of passwords is for everyone to use password managers for their passwords, and never to actually learn their passwords, then why bother with passwords at all?
People in general also tend not to make backups, frequently have computers that get viruses and have to be wiped, and generally just don’t “trust” computers that, in their view, constantly break
I think it would be like suggesting people give their life savings to their unreliable neighbor to hold on to. It might be safe, and might be secure, but at the end of the day they are being asked to bet everything on something they don’t find to be reliable.
In the end, perception is reality and I can’t say I entirely disagree with the perception. I use a password manager, but unless you are running the infrastructure and backups yourself, which a normal person isn’t going to do, you are at the mercy of “corporations” that we know to make mistakes, have data breaches, lose data, change their policies on a whim, break the law, and even cause people’s deaths, all while suffering few if any consequences.
I’d say the average person’s hesitancy toward using a password manager is probably pretty justified, even if it would be far more secure.
I use a password manager, but USED to do that “human hash” of a website.
It’s because password managers are annoying at the worst possible times. The dread of “oh god… this device doesn’t support my password manager/im only going to log in once here, so I have to carefully type out random numbers and letters” is not fun.
Examples: office zoom meeting room tablet. Standalone VR headset. Smart TV. Trying to share an account for video streaming. (Solved by that being mostly impossible now) The wifi password every single person will ask you for when they’re at your home.
That sucks. People immediately imagine those scenarios when you bring it up to them.
One thing you can do is make human readable passwords for sites like Netflix. You can still make it long and save it in the password manager, and it becomes much easier to type out if you need to.
every service on my TV pops up a big QR code for your second device (a phone) to access and log in with
iphones prompt you to share the password when your iphone using friend tries to connect to a wifi network you are on
Regarding VR, hm knowing an Apple Vision Pro will be connected to my icloud account makes me know I wont have to do that stuff. Other standalone headsets I wonder how or if they solve that problem. My Playstation VR headset dual renders on screen so the qr code solution is already there.
Using a password manager means your password are handled by someone else's code and you need to trust them not to fuck up. Also, they are really juicy targets.
Also, here's why people don't want to use a password manager:
I was like this some years ago. My assumption was that nobody can guess my password, because it is not straightforward. Untill someone explained that if someone new one password, he would know them all. Only then did I start using Keepassxc.
Another factor is inconvenience. On the road, most passwords are out of reach for me now. In a way I prefer it that way, I prefer to not be glued to my phone. As a compromise, there are a few passwords in a note taking app on my phone ;)
What if I don't have access to the password manager at some point but I do need to log into some website? I.e. visiting friends house, forgot my phone at home but I need to log in my banking app to do a transfer? Or visiting a foreign country, someone steals my papers and my phone and I need to login to mail at a public cafe to let my family know I am well.
you can read your passwords in a password manager, memorize a couple of them for the risks you think you have
what I typically would do in both of those scenarios is a password reset. I would know my email password and do a password reset of everything else and get that in my email.
privilege escalate on yourself.
realistically, I’ve been at Apple Stores multiple times where I needed to login manually to my icloud account while my phone was being RMA’d. nothing to remind you there.
I think it is important to have a few passwords that have memorized. The most important one for me is Google, cause then can reset passwords with Gmail. I don't store them in password manager.
And one day your managed password manager will get hacked and some smug user on HN will tell you how you should have self hosted it ;). Or you'll get locked out of all your accounts one day.
Let's not pretend like password managers are a silver bullet.
In the 4 or so years I've been using a password manager I can't remember ever having it feel like a burden or require more planning (besides the upfront work). On the other hand, I can't count how many times it has either saved me or been an incredible convenience. So many random websites require accounts these days (eg. health practitioners) and password managers make it infinitely easier to handle.
It's like people way to into conspiracy theories. They want to seem smart. I never don't have my phone. I've been aggressively using a password manager for nearly s decade and it's never once been an issue.
Yeah, I amended my thoughts reading the thread. I left out a pretty important detail. I do have one, other, high entropy password that is memorized for my Google account. I don't use social login, but Google = Gmail = everything.
So yes, I was too dismissive. Given the nature of "security", I think it's impossible to have a silver bullet of secure + easy.
Love the recommendation for diceware style passwords.
You can easily remember 4 to 6 random words. You really will be surprised how quickly it is to memorize and type after a day or two. Mixing them up with what separator (if any) that you use, and if you number/special character substitute that adds dozens of possible permutations on a single password. And just using 4-letter words (over 100,000 in the English language) leads to a 100 quintillion possible passwords without any separator or character substitutions.
The next requirement should be no arbitrary changes to passwords. End users should be able to pick a strong 16 character password (based on uniqueness and the other password strength tools they recommend in the article) and only change it if they forgot it or a breach of their account is suspected.
+1
You can even make proper sentences which makes it easier to memorize them more quickly
For KeePassXC I have something like:
ilikeeatingicecreamonsundaysaftermovies
Much safer than anything like Xak1k99u??.1 which no one can remember efficiently
I usually make up a sentence in my local German dialect. Where I live it's not at all unusual to write texts or chat in it and it oftentimes barely resembles German.
Once while playing Counterstrike 1.6 and using public chat some Germans asked if we were Swedish because of that. It definitely messes up dictionary attacks
Not mentioned in the article, but I bet seasonal/time-related passwords are due to password rotation policies. I work for a company too slow or stupid to have understood how counterproductive such policy is, and all my passwords are an update of the former. Because we humans cannot remember multiple strong passwords.
We had a randomly rotating admin position for security theater and network admin to keep things separate. Legally you can save passwords on the most secure network and realistically only remember one password. You have to memorize a lot of passwords otherwise. No phones.
The NSA password reset questionnaire is hilariously a great life memory quiz.
Almost everyone needs to reset some passwords daily even though we had the phone number keypads with special characters around. How to remember passwords was a routine conversation because certain systems had admin passwords to remember or passwords that would change at odd intervals or single account multiple user passwords.
It came down to “how long after a password reset do you actually need to change the password? Does it check for past passwords?” There were passwords written down in not so secret places because the admin would not always be at work.
Eventually we had to adopt token authorization which is a mess to implement also. I loved the security meetings only to discuss how screwed we were once they started enforcing policies.
Do I understand things correctly if they claim to have cracked 31,200 passwords of which 481 were "TooBlue2022", and they then go on to think that this is a password used by multiple people? (To be more precise, this is not claimed directly for the top 10, but it is implied for the season words.)
Is it nog a bit more likely that there was some duplication in the hashes?
Or that this password is used by one prolific account creator? Or that it is the default password after signup for some blue service?
1. The section beginning with "If you are interested in the respective hashcat masks for the passwords cracked above," is most obviously AI-generated as it makes no sense. Quote:
> <Passw0rd1><Passw0rd2>
>
> Mask: ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1
>
> Explanation: This mask is for a pattern that starts and ends with angle brackets. Inside, it follows a pattern of "Passw0rd" followed by a digit, repeated twice. However, Hashcat doesn't directly support angle brackets in its mask. An option would be to handle these characters separately or use a custom charset (?1) to represent them.
If angle brackets were special characters in masks and had to be represented by ?1 as a workaround, this mask is unrelated to the explanation, since it would match passwords consisting only of angle brackets.
"handle these characters separately" isn't a thing.
The mask doesn't have anything to do with matching "Passw0rd".
Several other masks from the page do not match their accompanying passwords.
Most of them are just showing the uppercase letters, lowercase letters and digits in the password. E.g. "We matched Hello123World with a mask matching 1 uppercase letter, 4 lowercase letters, 3 digits, 1 uppercase letter, and 4 lowercase letters." This doesn't explain why anyone should use that mask instead of, say, 1 uppercase letter, 4 lowercase letters, 2 digits, 1 uppercase letter, and 5 lowercase letters. This is obviously not the mask they used, but an AI working backwards from the password.
2. The password "Cloudy-Envelope-Rainbow-Dinosaur" is 32 characters long, including the hyphens, not 29 as the article says. The password "Sunset$Guitar$Puzzle$Journey" consists of 28 characters, including the dollar signs, not 27 as the article says.
3. The "Conclusion" section smells strongly of AI. Windows was only mentioned in passing, yet the conclusion says the whole article is about Windows. MFA wasn't mentioned at all until this point. Defence in depth wasn't mentioned.
I crack alot of hashes, people pick really bad passwords. Ive had tools running on raspberry pi's crack client passwords in meetings with them... in minutes...
Their network passwords... For what its worth, I dont go in intending to crack anything or I hope not. Its just more work for me when I discover a simple password keeping the network secure.
This reminds me of my teenage years. I used to use passwords that do not rely on personal facts (i.e birthday) or social relationzs (i.e my city..etc) but tried to be smart and relied on creating passwords that is related to what I feel because I thought that it is harder for people to know that. So I had a password "Ihate_My_Math_Teacher" for anything that is related to study for a while.
I tried doing this with "forgot password?" reminders, and ended up getting locked out of an email account in high school, because of course I had no idea what the answer to "who is the girl you love most" was - I set it in middle school! Not only was that a few years ago, that answer probably changed on a weekly basis!
I always wonder why employers don't just set passwords for their users and only give them the option to randomize them. Seems like an ideal solution, if using passwords is a requirement.
You lose nonrepudiation if more than one person has knowledge of your employee's passwords. Typically, that's how it works though from what I've seen. An organization will set a users initial password and the user will have to change it on next login. There are some solutions that will look for known compromised hashes and weak combinations and alert on them or force the user to act, though.
True, but why would the organization need to store the password? Wouldn't it be simpler to just generate a random 4 words (or something similar) then treat it the same as a user supplied one.
There's been more than a few times where I've been annoyed because a site or employer refuses to allow randomly generated passwords or allow me to copy/paste into the password field.
I firmly believe the safest option is a local password manager with randomized passwords that you maintain local backups of.
Passkeys are still very rough around the edges and not widely supported but a first-class onboarding and management experience for public key cryptography as account passwords a la FIDO2, webauthn, and/or Passkeys will be amazing for solving the issues with phishing and weak passwords.
This is generally way easier for employers, since they can pick a FIDO2-enabled SSO platform, and then tie everything to that. So you don’t need each service to have sane FIDO2 support, you just need them to support SAML/OIDC/etc.
You also get mostly out of the key management business, because you can say “if you get locked out, call the help desk”, vs personal usage where backup keys / account recovery requires a per-service recovery flow.
Maybe it would be fine if it was random 4 words like in the XKCD, but otherwise it would cause people to plaster sticky notes everywhere and hardcode it in their computers, no?
Agreed though I'd argue sticky notes happen even with user supplied passwords. When I worked at a university, I cannot tell you how often I found a sticky not on the bottom of a keyboard with a list of passwords.
But then imagine once in a while they have to go out to work, they might have to take this along with them and then both laptop and the sticky note together are vulnerable for either accidental theft or intentional.
It's something like 50trillion sets of looks-random strings. That's quite a lot, but if the list could be narrowed very significantly to get some likely results by selecting locations in:
1) cities where a company is physically located
2) large capital & global cities
3) significant landmarks
I see sysadmins using the tool all the time as a temporary password generator.
I tried to do this, but vaultwarden wouldn’t let me set it up because I wasn’t using https even though it’s a local network only accessed via WireGuard. Any tips on how to set that up?
I run vaultwarden in docker and use jwilder/nginx-proxy and jrcs/letsencrypt-nginx-proxy-companion to add an SSL proxy.
It is nice, because it has the option to keep http open on the subdomain for doing let's encrypt stuff, but the actually SSL site will be internal only.
My personal favorite method for passwords is come up with a passphrase I can remember, encode it to base 64, and use the encoded string as the password. If its not too long, the encoded version is usually not hard to memorize either.
Thanks, I'll add base64 as one of the trivial transformations to my ongoing brute-forcing effort of all your passwords, multiplying total search effort by a tiny constant.
I'm joking. But what if I weren't? Especially if you're going to announce this on the internet, it sounds far more effective to add 1 character to the end of your passphrase instead, since each exponentiates any brute force effort, and isn't defeatable by a simple pattern.
(Or announce on the internet that you're doing something far more complex, like running bcrypt on all your passphrases to generate your passwords. That would make an attacker's life significantly more difficult than base64.)
(Or always lie on the internet about how you generate your passwords. I hope that's what you're already actually doing.)
I personally can appreciate multiplying an attackers standard dictionary with a transformation. I find the decoded passphrase is already high entropy so it just adds a little bit of trouble. I might consider bcrypt, thanks for the idea.
If anybody is curious about what the account commented, this is the other comment from the same account:
---
I created a portfolio with Mrs Marlena she has awesome trading strategy and it's been a life-changer for me! If you want to level up your trading game and start making right speculation on trading gains, sign up by following her on INSrTA g ram @** and we'll both get some sweet perks. Let's conquer the market together!
Like, I really don't get it. Why not just use a password manager. I always tell these people to just sign up for a password manager and they always resist and say no. I must be missing something obvious.
Edit: And just as I posted this comment, another bizarre personal strategy for creating passwords: https://news.ycombinator.com/item?id=39335853
Just use a password manager! Basically all password managers will generate a random string for a password when you add a new credential. You never even have to look at it or know what it is.