Creating and remembering strong passwords

So how do you guys remember your passwords? Do you have them encrypted in a container or do you have ways of remembering them? Also, what do you do when a service does not allow you to have alphanumeric characters for your accounts?

KeepassX. The easiest way to do long, secure passwords is to take something you know well by heart (quotes, speeches, song lyrics) and use it as a reverse mnemonic. Like
the more you switch it up, the better. Password crackers typically try common substitutions like s/$ and i/1 so get creative.

Don't use it. They clearly don't give a flying fuck about their security.

Man, you DON'T remember passwords, don't be stupid. You use a single very secure password and then a password manager. I would never have made strong passwords for 100 accounts and remembered them all; they would have been small variations of an original, not secure.

Use keepass 2

I use "password" as my password for everything. Nobody thinks I'm stupid enough to use that as a password.

Write them down in a code I know, so they're useless to anyone who isn't me, and I can decode them at a glance.

I love how all bank cards still use a 4 digit code

ayy lmao

Even in a completely FOSS system, there is still a binary blob. Protip: the blob is the person using it.

i will fuck you up

Completely free and open-source humans when?

How's this for retarded? AT&T used to let people use alphanumeric codes that had to be verified when visiting a store, logging into the website, or even calling in. They forcibly changed it to NUMERIC ONLY, saying that it was more secure.

A former coworker of mine was fired after arguing for months with a manager. The argument? His position was that 1/xth of an unknown total that changes daily should not be hard-set as 0.5%. The audacity, right? The person he was arguing with? Woman.

Maybe your friend shouldn't have been a mansplaining shitlord who verbally raped a woman :^)

pwgen -cnsy1 32 | tpm insert apps/grindr

single point of failure.
stupidly insecure as fuck, well at least you recommended FLOSS software.

Strong and memorable passwords that don't need to be stored anywhere outside your brain boil down to using one of two competing methods:

The Diceware method:
It basically consists of concatenating normal, easily-breakable dictionary words that together form a combination that is very hard to break but easy as fuck to remember. For instance:
or even better
The password could also be a not-so-common phrase to keep it more memorable, yet very likely to be out of a dictionary. The downside is that you'll hit password length limits in many retarded websites like (I hope you don't use it) that restrict passwords to 16 characters.

Then there's Bruce Schneier's scheme; this is the one I use:
In a nutshell you also have to learn a normal phrase by heart, from a song, a movie, whatever. It's best if the phrase contains punctuation or numbers, because you are going to make your password of the first character in each word/lexeme in the phrase. For instance:
There you have 15 characters of very high entropy.
The phrase isn't random to you and it's in natural language so it's easy to remember and type on the fly (with little practice), but in reality your input to the system looks very much like random bunk that will never be found in a dictionary.
In that article Schneier criticizes the Diceware method, but I'm skeptical that dictionary attacks can handle the combinatorial explosion introduced by the Diceware method.

Whatever method you pick, the password basics still apply:
* High entropy always depends on randomness and length. Use varied characters and keep shit long.
* Never hint details about your secret. Telling how long your password is alone halves the time of a bruteforce attack.
* Don't reuse passwords. Don't create single points of failure.

In that article Schneier also explains how to use different passwords without having to remember many of them. The secret is in Kolmogorov complexity: only remember one or a few good root passwords derived from the schemes above, then devise a small mental algorithm that will make a few deterministic changes to your root password depending on the site you are visiting (for instance, combining your root password with the domain name). Try to make at least one change/addition at the beginning of the password, somewhere in the middle and at the end. This increases the chances the effective password is actually different even if it gets trimmed before being hashed. Never tell anyone what precise algorithm you use.

I do all of these, up to this point in my comment. It only takes a few days of practice, then it will become smooth as butter yet secure as fuck. I have also dreamed of using my modified root passwords as input to a hashing algorithm and then using the output hash as the password itself. This would make my passwords even more different and random-looking, and minimizes the chances that leaking/cracking one of them will reveal any details about my root password and my password modification algorithm; but it also means relying on software to produce the hash and dealing with possible leftovers in memory, your command history, who knows. It also deprives you of access to your accounts if you don't have access to the checksum tool. Authenticating with devices you don't own or running software you don't trust is always a bad idea anyway. I think the ideal solution would be to perform the hashing on a practically zero-knowledge hardware solution, for instance a portable USB keyboard where you type your modified root password, which then processes it and outputs the hash as though you had typed it. Or while we are at it, deprecate passwords and change all Internet systems to authenticate with public-key crypto.
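As an added illustration of the two schemes described in the post above (example code, not the poster's own): Diceware selection with a cryptographic RNG plus the entropy arithmetic behind it, and the first-character-of-each-word transformation. The tiny word list and the exact rule for which characters of a word survive are assumptions.

```python
import math
import secrets

# Constructed mini word list standing in for a real Diceware list (the real
# list has 7776 entries; this one only keeps the example runnable offline).
WORDLIST = ["correct", "horse", "battery", "staple", "glacier", "pumpkin",
            "violin", "saddle", "meadow", "copper", "lantern", "pebble"]

_rng = secrets.SystemRandom()  # OS CSPRNG; never use random.random() for secrets


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `pool_size` options.
    Six words from a 7776-word list give about 77.5 bits."""
    return length * math.log2(pool_size)


def diceware_passphrase(n_words: int, wordlist=WORDLIST, sep: str = " ") -> str:
    """Diceware: pick n_words uniformly at random and concatenate them.
    Security comes from the list size and word count, not from obscure words."""
    return sep.join(_rng.choice(wordlist) for _ in range(n_words))


def schneier_acronym(phrase: str) -> str:
    """Schneier-style password from a memorised phrase: the first character of
    each whitespace-separated word, plus any digits or punctuation attached to
    that word so they carry over into the password (assumed tokenization)."""
    out = []
    for token in phrase.split():
        out.append(token[0])
        out.extend(ch for ch in token[1:] if not ch.isalpha())
    return "".join(out)


if __name__ == "__main__":
    print(diceware_passphrase(6), "~%.1f bits" % entropy_bits(len(WORDLIST), 6))
    print(schneier_acronym("Long time ago, in a galaxy far, far away..."))
```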

It has never happened to me. I have only encountered ridiculously low character limits that good passwords are likely to hit. Apart from weakening security, this can also make the service highly unusable when they forget to also enforce or remind you of the limit at the input fields, because now you also have to remember how long the password you entered when signing up was.

I see also mentioned Schneier's

I think there's a GNU CLI sort of password manager package that does exactly this.

I'm fond of using names and phrases from books I've read for passwords, especially if it's a longer phrase. Most of the time that's for stuff I don't access on a daily basis like banking and investment accounts.

For online games and shit I use simpler passwords that I've used since I was a wee lad.

Haven't encountered that yet, chances are I'd just not use the service if they're going to make things this annoying.

Something you can pronounce and cut in several parts (marked by capitalization) like this:

The “Remember password” check box is a meme.

But user, god did give us the source, but
1. We're not smart enough yet to know the language completely
2. Muh crimes against humanity.

Don't store passwords on internet connected devices.

Any method of generating passwords that doesn't use crypto grade randomness is flawed.

Use a password generator that concatenates six or more words, including common names. This makes the passwords easy to type in.

Store passwords on a handheld non-networked device. The device should encrypt passwords using a key which you should memorise, and should use automation-resistant input, like Apple has for their phones.

Or you can write passwords down, which is still better than storing them on your computer even if you are using a master key to encrypt them. If you can't into physical security, require what you have written down to be hashed with a key you memorise to produce the actual passwords.

I use post-its. Much safer than any online form of password and no weaknesses exploitable by people that see the plaintext. If you break into my house then I assume all my accounts are compromised anyway and rotate passwords.

a nice pocket notebook is nice to have instead of a pile of post-its

Passwords are a pain, I made a little script that creates a password. That way you only have to remember one relatively complex password and add text to identify the site or service.
I have no skills though so my script was just trial and error.
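An added example (not the poster's script) of the hash-based idea floated in this thread: derive each site's password from one memorised root plus the domain using PBKDF2, then map the output onto a character set that fits the site's policy, so nothing has to be stored. The iteration count, the alphabets and the function names are assumptions.

```python
import hashlib
import string

ITERATIONS = 200_000  # assumed; a slow KDF makes inverting one leaked derived password costly

# Assumed alphabets for common site policies; the symbol set is kept to characters
# most sites accept so the "full" output is not rejected by input filters.
ALPHABETS = {
    "full": string.ascii_letters + string.digits + "!#$%&*+-=?@^_",
    "alnum": string.ascii_letters + string.digits,  # site forbids symbols
    "digits": string.digits,                         # PIN-only sites
}


def _map_bytes(material: bytes, alphabet: str) -> str:
    """Map key material onto an alphabet without modulo bias: bytes at or above
    the largest multiple of len(alphabet) below 256 are discarded."""
    n = len(alphabet)
    limit = 256 - (256 % n)
    return "".join(alphabet[b % n] for b in material if b < limit)


def derive_site_password(root: str, domain: str, length: int = 20,
                         policy: str = "full") -> str:
    """Deterministic per-site password from the memorised root and the domain.
    Same inputs always give the same output; a cracked derived password does not
    directly expose the root, though a weak root can still be guessed offline."""
    domain = domain.strip().lower()  # normalise so capitalisation does not change the result
    material = hashlib.pbkdf2_hmac("sha256", root.encode("utf-8"),
                                   domain.encode("utf-8"), ITERATIONS, dklen=128)
    text = _map_bytes(material, ALPHABETS[policy])
    if len(text) < length:
        raise ValueError("requested length exceeds derived material")
    return text[:length]


if __name__ == "__main__":
    print(derive_site_password("correct horse battery", "example.com"))
    print(derive_site_password("correct horse battery", "example.com", 16, "alnum"))
```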

I had that issue with American Express. I nearly closed my account right then and there, but I believe they allow special characters now.