
View Full Version : Password Generation Strategies



Max™
2014-05-06, 02:48 PM
I was curious what other folks use, I just recently was reading through a wiki page I wandered across and saw someone recommend using gestures to generate passwords, but the gestures seemed like they wouldn't be easier to keep track of until it hit me that there is a very easy way to generate them.

Pick somewhere on your keyboard, and pick a word, I'll go with "Cat" in this case and start with "p", then I trace out a natural feeling capital C, lowercase a, lowercase t.

POK<>poklpl;.

Doing different words at different starting points, different overlap patterns, you can make use of capital/lowercase, numbers, and symbols.

It doesn't readily fit a dictionary attack, and you can even stagger each new letter to avoid repetition.

starting at 7 with Cat:
&^TGHiujk0opl

I'm pretty sure that is a very strong password, and though "correcthorsebatterystaple" is easy to remember, so is the action of tracing "C" "a" "t" over the keys.

Is this a thing I'm just reinventing and I missed it, or what? I've tried a few different keywords to look for it but mainly I just find stories telling people to change passwords after heartbleed and whatnot.

Razanir
2014-05-06, 03:15 PM
I'd just like to announce that I've used correcthorsebatterystaple as a password before. I've changed it since then, but I still used it as a secure password I don't care about. (We had to hardcode it into a program)

Max™
2014-05-06, 03:21 PM
Heh, I never tried it but I have used various strings of words before, been mixing them up with the traced letters method whenever I change them now.

TuggyNE
2014-05-07, 12:03 AM
Mostly I just use KeePass (keepass.info/) to generate passwords: 20 characters of random alphanumeric + symbols is usually upwards of 100 bits of entropy, and can't be copied from one site to attack another. (I'm up to well over 400 current entries in my database, and I have no intention of remembering that many.)

However, those that I need to remember separately, such as the KeePass database itself or OS login, generally use a particular scheme, which basically comes down to a one- or two-letter prefix, one or more vaguely mnemonic words, and a monotonically increasing change counter, separated notionally by "whitespace" expressed as some sort of character sequence. So it might be w45correct45horse45battery45staple4500000101: w is the prefix, 45 the "whitespace" (ASCII '-' decimal), the mnemonic words are obvious, and 00000101 is the fifth password used for this site, in one-byte binary. (This is not actually a valid password*, but it's close enough for illustration.) Sometimes I vary this by including suffixes for the whitespace, replacing digits in the counter, or specifying case on the prefix.

So far, this has worked pretty well for about seven or eight years.

*Because my actual password generation system is not something I will ever tell anyone until I'm dead, thank you very much.

factotum
2014-05-07, 02:00 AM
My boss has a system where he uses the initial letters of the lyrics of songs he likes, with various letters changed for numbers etc. Probably as good as any!

Incidentally, with the power of modern dictionary-based password crackers married to GPU power for calculating the hashes, that XKCD password generation method is probably not as good as you'd think.

The Grue
2014-05-07, 03:18 AM
I think the point of the XKCD method is not to generate completely secure passwords, but to find a reasonably secure password and a password that you don't need to write down to remember.

Max™
2014-05-07, 03:19 AM
Yeah, the word string method runs the risk of fast enough cracking methods showing up eventually.

I only gave a couple of three letter tracing examples, but you can go quite a bit longer and keep them fairly easy to remember but stupid hard to crack.

Kinda like a captcha, easy for us to pick out the letters (in theory) but tying the string of digits to what someone chose to use is another matter.

Knaight
2014-05-07, 03:27 AM
Yeah, the word string method runs the risk of fast enough cracking methods showing up eventually.

It compares favorably to other methods which tend to have fast enough cracking methods already available (even brute force works on shorter passwords, as there aren't actually all that many distinct symbols in use), particularly if you have a nice long number you know that you can attach it to, and even more particularly if you use technical jargon or names.

supermonkeyjoe
2014-05-07, 03:35 AM
I have an 8-digit alphanumeric password with symbols that I modify on a site by site basis

say for example the password was [email protected] (it's not) then Amazon would be [email protected] and ebay would be [email protected] that way if the password is compromised for one site it can't be used on any others, and once the initial 8 digits are memorized then it's easily applied to every website by taking the first and last letters and putting them at the start and end.

Max™
2014-05-07, 05:38 AM
Regarding the number attaching, I memorized pi to 80 digits due to the irrational number song, but suffice to say I resist the urge to toss it in because even though the little "password strength" checks will show it as being strong, it's really not the best idea.

Telok
2014-05-07, 06:00 AM
I have two strategies, one for things I have to have a decent password on and another for disposable passwords to be used on stuff I assume is public anyways.

The first I use on household routers, for setting up my in-laws' computer, and other places where being hacked is a real nuisance and I don't have to change the password every two months. This method is called "A long sentence with punctuation and a date." These usually end up as 50+ character passwords that are pretty easy to remember or look rather innocuous when written down.

The second is used for my work email system or anywhere that forces number-letter-CAPS-symbol passwords but limits you to less than 30 characters, and especially when they insist that you change the password frequently. Start at the 1 key and pick a pattern, two over and two down, chess knight's move, a spiral, whatever. Then shift over one or two numbers and do the same thing holding down the shift key. When it's time to change passwords you just shift the pattern over, start at 2 instead of 1. All you need to remember is your pattern and the starting key.

pendell
2014-05-07, 07:55 AM
A strategy I have used in the past is: Read a book. Take the first letter of each word in the sentence to make your password. Include the trailing punctuation and substitute numbers for letters as needed. It results in gibberish which is going to be hard to crack, but the sentence serves as a memory mnemonic to recall it.

Respectfully,

Brian P.

Zrak
2014-05-07, 12:25 PM
I've done variations on the chess move strategy and pendell's "first letter" strategy before (I typically use a poem and use the first letters of certain stresses, rather than certain words), as well as picked a random starting letter and created a password based on joystick motions and button inputs from fighting game moves.

Joran
2014-05-07, 02:24 PM
A strategy I have used in the past is: Read a book. Take the first letter of each word in the sentence to make your password. Include the trailing punctuation and substitute numbers for letters as needed. It results in gibberish which is going to be hard to crack, but the sentence serves as a memory mnemonic to recall it.

Respectfully,

Brian P.

I think of a sentence I associate with the website, like "I for one welcome our new Google overlords, next stop Skynet."

Then go through it, using number to letter substitutions, random caps, or punctuation as desired. So, that phrase leads to this password: "i41wonG0nsSn".

CarpeGuitarrem
2014-05-07, 03:16 PM
My strategy is...not one I'm going to discuss on this site. :smalltongue:

Max™
2014-05-07, 04:00 PM
I have two strategies, one for things I have to have a decent password on and another for disposable passwords to be used on stuff I assume is public anyways.

The first I use on household routers, for setting up my in-laws' computer, and other places where being hacked is a real nuisance and I don't have to change the password every two months. This method is called "A long sentence with punctuation and a date." These usually end up as 50+ character passwords that are pretty easy to remember or look rather innocuous when written down.

The second is used for my work email system or anywhere that forces number-letter-CAPS-symbol passwords but limits you to less than 30 characters, and especially when they insist that you change the password frequently. Start at the 1 key and pick a pattern, two over and two down, chess knight's move, a spiral, whatever. Then shift over one or two numbers and do the same thing holding down the shift key. When it's time to change passwords you just shift the pattern over, start at 2 instead of 1. All you need to remember is your pattern and the starting key.
That's basically what I was talking about with tracing words over the keys.

Note that I'm not saying what is the EXACT method you use, just the general ways you try to balance the need for strength versus the ability to recall it.

As for the "I for one welcome..." used to generate "i41wonG0nsSn" as a password.

Tracing "Google" across the keyboard produced:
R$#WSDRytghiujkpol;.,-['\]'

The Grue
2014-05-07, 05:40 PM
A strategy I have used in the past is: Read a book. Take the first letter of each word in the sentence to make your password. Include the trailing punctuation and substitute numbers for letters as needed. It results in gibberish which is going to be hard to crack, but the sentence serves as a memory mnemonic to recall it.

Respectfully,

Brian P.

I believe that's known as a book code.

noparlpf
2014-05-07, 06:33 PM
I use the same few crappy throwaway passwords for most sites because I don't mind too much if somebody gets access to my Facebook or FML or Photobucket. For secure stuff (email, bank) I used to use a 30-character string with a pattern to it, but that was too much hassle. Now I use names of characters that I've never put to paper fully (I don't usually introduce myself by full name at the table, so a character's surname will just stay in my head), with a few letters switched to numbers to add another layer of complexity. That's way easier to remember, can be fairly long, and basically requires a brute force attack to crack because made-up fantasy character names won't show up in a dictionary.

Traab
2014-05-07, 09:51 PM
I use deliberately misspelled versions of fake languages from fantasy novels with letters mixed in. I have like 3 base words, that I have multiple spellings for, and like I said, I include a few numbers as well. I don't do anything very secret or important online, so I don't go too crazy; it's just something that stays in my mind easily. Of course, my biggest problem is sites that remember your password for months on end, then suddenly don't for some reason. I can never remember which variant I used for that site and always have to reset the password.

Max™
2014-05-08, 12:40 AM
Yeah, what is worse is when I have firefox remember a password and then at some point wound up changing it without clicking the "update password" prompt and have to figure out what went wrong.

TSGames
2014-05-08, 10:29 AM
When it comes to passwords, I have only two rules.

1) Don't ever reuse a password for anything. This applies to variants of passwords as well. This does mean that I have well over 30 unique passwords that I use on a regular basis which would be problematic for some, but I am quite well adjusted to it.

2) Don't ever share passwords or the methods used to generate them. Especially not on the internet. =P

Knaight
2014-05-08, 01:52 PM
1) Don't ever reuse a password for anything. This applies to variants of passwords as well. This does mean that I have well over 30 unique passwords that I use on a regular basis which would be problematic for some, but I am quite well adjusted to it.

Depending on what it's for, this isn't necessarily a big deal. For instance, it would be really stupid to use the same password on, say, this forum, your email, and Amazon. This forum, another forum, and a third forum? Not so much.

Max™
2014-05-08, 08:50 PM
See, I know that discussion of password strategies might seem like a bad idea, but I could just as easily see why not discussing them would leave one open for attacks on passwords generated by flawed or poorly executed methods.

noparlpf
2014-05-08, 08:51 PM
I don't really see how anybody's going to crack my passwords just because I've told them that they're long made-up words that literally nobody outside of my head has ever heard. They'd end up resorting to brute force with or without that information.

TuggyNE
2014-05-09, 06:17 AM
2) Don't ever share passwords or the methods used to generate them. Especially not on the internet. =P

I'm pretty paranoid (I routinely use strong crypto in emails and IMs with anyone willing to set it up, use the aforementioned 20-character random passwords, and browse the web with NoScript and RequestPolicy up), but I think that's going a little too far. As long as you provide nowhere near enough information to automatically generate passwords you might use, you're fine.

reaverb
2014-05-14, 04:09 PM
A strategy I have used in the past is: Read a book. Take the first letter of each word in the sentence to make your password. Include the trailing punctuation and substitute numbers for letters as needed. It results in gibberish which is going to be hard to crack, but the sentence serves as a memory mnemonic to recall it.

Respectfully,

Brian P.

By the way, this will always have less entropy than the normal sentence (you are removing information) so you might as well just use the sentence. (Unless you're on a site which limits how long your password can be)

Astral Avenger
2014-05-14, 09:11 PM
When I need a really secure password I figure out what the longest password allowed is and then run the following python script:

#Password generator
import secrets  # cryptographically secure choice; the random module is not meant for passwords

# Python 3: input() returns a string, so convert the answers to integers
symb=int(input("Are symbols allowed? (1/0) "))
a=int(input("Maximum length of password: "))

alphabet=[]
digits=["0","1","2","3","4","5","6","7","8","9"]
lowercase=["a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"]
uppercase=["A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z"]
symbols=["!","@","#","$","%","^","&","*","(",")"]
alphabet= alphabet + digits + lowercase + uppercase
if(symb==1):
    alphabet=alphabet+symbols

# pick one character uniformly at random for every position, up to the site's limit
password=""
for n in range(a):
    password=password + secrets.choice(alphabet)

print(password)
Example:
>>>
Are symbols allowed? (1/0) 1
Maximum length of password: 20
G554uRq79Y0B1#xk7vDY

Dictionary attacks can go die and stop wasting electricity, they ain't gonna work on my secure passwords....

Knaight
2014-05-16, 12:37 PM
By the way, this will always have less entropy than the normal sentence (you are removing information) so you might as well just use the sentence. (Unless you're on a site which limits how long your password can be)

Typing speed also comes into this. I can type extremely quickly if I know exactly what I'm typing and if it's practiced (also if it doesn't have too much in the way of odd symbols), and as such could easily get away with a whole sentence for a book. At 180 WPM (well above generic typing speed, but quite possibly below my password typing speed as those are very practiced patterns), a sentence isn't a big deal*. At 30 WPM, it's a very irritating thing, and I know people who can't type much faster than 30 WPM.

*Though I assume a relatively short sentence, and not something like one of the longer ones in A Tale of Two Cities.

Max™
2014-05-16, 08:18 PM
The entropy largely depends on the length of the string and the possible character sets it is drawn from.

A given length with all lowercase has less than a given length with mixed case which has less than a given length with mixed case and numbers which has less than mixed case with numbers and punctuation which has less than mixed case with symbols drawn from the full ASCII character map.

That's why I suggested trying to trace words which include at least one trip across the number row with and without shift.
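Added example (not posted by anyone in this thread): a small Python script that puts numbers on the two estimates being argued about here. charset_bits is the "length times character classes" figure that strength meters report, wordlist_bits is the word-list estimate behind correcthorsebatterystaple, and keyboard_walk_ratio is a crude detector for the traced-key strings posted earlier in the thread, flagging them as spatial patterns that cracking rule sets enumerate cheaply no matter what the charset figure says. The QWERTY coordinates, the 33-character symbol count and the 2048-word list size are assumptions made for the example; the sample passwords are the ones posted in the thread.

```python
# Added example (not from the thread): estimate password strength two ways and
# flag keyboard walks. Sample passwords are the ones posted in the thread; the
# 2048-word list size is the usual Diceware/xkcd assumption.
import math
import string

# Character classes a brute-force attacker would have to cover; 33 is the count
# of printable ASCII characters that are neither letters nor digits (incl. space).
CLASSES = [
    ("lower", set(string.ascii_lowercase), 26),
    ("upper", set(string.ascii_uppercase), 26),
    ("digit", set(string.digits), 10),
    ("other", set(string.punctuation + " "), 33),
]


def charset_bits(password):
    """Bits of search space if an attacker must brute-force every character
    from the union of the classes the password uses. This is what 'password
    strength' meters report, and it overstates strength for patterned input."""
    size = sum(n for _, chars, n in CLASSES if any(c in chars for c in password))
    return len(password) * math.log2(size) if size else 0.0


def wordlist_bits(n_words, list_size=2048):
    """Bits if the attacker knows the password is n_words words drawn uniformly
    from a list of list_size words (the xkcd-style estimate)."""
    return n_words * math.log2(list_size)


# US QWERTY, unshifted and shifted rows. The column index stands in for the
# horizontal position; row stagger is ignored (assumption, good enough to
# spot walks).
_ROWS = [
    ("1234567890-=", "!@#$%^&*()_+"),
    ("qwertyuiop[]\\", "QWERTYUIOP{}|"),
    ("asdfghjkl;'", "ASDFGHJKL:\""),
    ("zxcvbnm,./", "ZXCVBNM<>?"),
]
KEY_POS = {}
for _row, (_plain, _shifted) in enumerate(_ROWS):
    for _col, _ch in enumerate(_plain):
        KEY_POS[_ch] = (_row, _col)
    for _col, _ch in enumerate(_shifted):
        KEY_POS[_ch] = (_row, _col)


def keyboard_walk_ratio(password):
    """Fraction of consecutive key pairs that sit on the same or an adjacent
    key. Values near 1.0 mean the string is a keyboard trace, which rule-based
    crackers generate directly regardless of charset_bits."""
    if len(password) < 2:
        return 0.0
    adjacent = 0
    for a, b in zip(password, password[1:]):
        if a in KEY_POS and b in KEY_POS:
            (ra, ca), (rb, cb) = KEY_POS[a], KEY_POS[b]
            if abs(ra - rb) <= 1 and abs(ca - cb) <= 1:
                adjacent += 1
    return adjacent / (len(password) - 1)


def report(password):
    """Both figures side by side, rounded for display."""
    return {
        "password": password,
        "charset_bits": round(charset_bits(password), 1),
        "walk_ratio": round(keyboard_walk_ratio(password), 2),
    }


if __name__ == "__main__":
    samples = [
        "POK<>poklpl;.",             # "Cat" traced from p (posted in the thread)
        "&^TGHiujk0opl",             # "Cat" traced from 7 (posted in the thread)
        "G554uRq79Y0B1#xk7vDY",      # output of the posted generator script
        "correcthorsebatterystaple",  # the xkcd passphrase
    ]
    for pw in samples:
        print(report(pw))
    print("4 words from a 2048-word list:", wordlist_bits(4), "bits")
```

The two traced strings score above 80 charset bits but have a walk ratio over 0.8, while the randomly generated string scores higher and walks almost nowhere; the passphrase scores 117 bits by charset yet only 44 bits once the attacker knows it is four dictionary words. The point for a defender is that the charset figure is an upper bound, and a strength meter that only computes it will rate a keyboard trace far above what it is worth.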

Grif
2014-05-17, 05:31 AM
Is it bad I just string together words (and sometimes folder names) together as my password?

Grek
2014-05-17, 06:23 AM
Compose a sonnet, a limerick and a haiku regarding the site in question. Replace all spaces in the sonnet with prime numbered words from the limerick and all new lines with prime numbered letters from the haiku, repeating as necessary. Include punctuation normally and use it as the password. For extra security, translate each letter into their phoneticized elder futhark equivalent. For triple extra security, include an invocation to the Roman God Juno (couplets in iambic pentameter work well here) as a header and footer.

Max™
2014-05-17, 08:00 AM
Compose a sonnet, a limerick and a haiku regarding the site in question. Replace all spaces in the sonnet with prime numbered words from the limerick and all new lines with prime numbered letters from the haiku, repeating as necessary. Include punctuation normally and use it as the password. For extra security, translate each letter into their phoneticized elder futhark equivalent. For triple extra security, include an invocation to the Roman God Juno (couplets in iambic pentameter work well here) as a header and footer.

Interesting if nothing else.

Oh and no, Grif, it's not as bad as simple stuff like swapping O's for 0's and E's for 3's.

Rakaydos
2014-05-17, 11:13 AM
Do Dictionary based attacks include proper names? I tend toward an XKCD style password that includes names of fictional characters from obscure sources.

Ravens_cry
2014-05-17, 11:33 AM
Do Dictionary based attacks include proper names? I tend toward an XKCD style password that includes names of fictional characters from obscure sources.

Normal proper names, probably yes.

noparlpf
2014-05-17, 11:36 AM
Do Dictionary based attacks include proper names? I tend toward an XKCD style password that includes names of fictional characters from obscure sources.

If you use fictional names and replace a few letters with numbers or other symbols you should be fine.

I wonder, do real names (given and surnames) from foreign languages go into the dictionary lists too? The internet is pretty international, so I'd assume so.

Ravens_cry
2014-05-17, 12:02 PM
Not as secure as some, but I tend to use homonym combinations of letters and numbers. I also go the Victor Borge route and advance the number by one.

factotum
2014-05-17, 02:39 PM
I wonder, do real names (given and surnames) from foreign languages go into the dictionary lists too? The internet is pretty international, so I'd assume so.

A competent hacker will tailor his list to suit the target he's aiming at, I would think; the fewer words in the dictionary the quicker the dictionary attack will be, and saving a few hours may well be more important than sniffing out a few extra percent of passwords. Bear in mind a lot of these guys won't be after a specific person's password, or attempting to find every single password in a database, they'll just be trying to get as many usernames and passwords as they can so those can be used in other types of attack.

endoperez
2014-05-18, 12:27 AM
That's basically what I was talking about with tracing words over the keys.

Note that I'm not saying what is the EXACT method you use, just the general ways you try to balance the need for strength versus the ability to recall it.

As for the "I for one welcome..." used to generate "i41wonG0nsSn" as a password.

Tracing "Google" across the keyboard produced:
R$#WSDRytghiujkpol;.,-['\]'

I just realized a problem with your method. AZERTY, DVORAK and international variations of Qwerty, smart phones, touch screens... If you can't reproduce the method, and can't remember the password without a tool, you might be in trouble.

Madcrafter
2014-05-18, 02:56 AM
I just realized a problem with your method. AZERTY, DVORAK and international variations of Qwerty, smart phones, touch screens... If you can't reproduce the method, and can't remember the password without a tool, you might be in trouble.

It is a downside to the method. You could possibly visualize a QWERTY board in your mind and type it out, but it would be laborious and difficult.

I also think it might be hard to remember exactly how to make the letters, since the keys have various offsets row to row. E.g., is my 'b' 5rfgtr or 5tghyt? The first produces a more vertically aligned b, but the second looks more like a proper b, if tilted.

Max™
2014-05-18, 05:16 AM
It is a downside to the method. You could possibly visualize a QWERTY board in your mind and type it out, but it would be laborious and difficult.

I also think it might be hard to remember exactly how to make the letters, since the keys have various offsets row to row. E.g., is my 'b' 5rfgtr or 5tghyt? The first produces a more vertically aligned b, but the second looks more like a proper b, if tilted.

Ah, but that is exactly why it seems great to me, I can figure out a pattern that drops into muscle memory easily enough, but working out what someone else uses? Pfft, good luck!

As for a b... (IJKO could work, *IK<>?:PO could work, ^TGVBNJHU& could work, what is important is just being able to see it in your head and get the feel of typing it.

Turning Bob into: &YHBNMJI*ok,.;p=[;./' might seem absurd to someone else, but I can see the letters easily enough across the keyboard.

As for the different layouts, true that could be a problem, but how often do you encounter situations where you need to reenter passwords on keyboard layouts which vary from the one you normally use?

noparlpf
2014-05-18, 10:48 AM
Every day. My main computer and netbook have very different keyboards. The keyboards at the computer sites on campus are also slightly different.

Max™
2014-05-18, 07:44 PM
Every day. My main computer and netbook have very different keyboards. The keyboards at the computer sites on campus are also slightly different.
Different enough that one has dvorak and one has qwerty? Cause that's pretty out there man, I'm a bearded linux nerd and I didn't go so far as to invest time in dvorak-dorking it up.

Edit: If it's a password you're regularly entering on multiple systems which you don't own then it is hopefully for less critical sites, so I would just use a two line stagger across the number keys/top row perhaps? I use those for stuff like twitter/facebook/photobucket because by definition those aren't places I would put anything I don't consider public.

noparlpf
2014-05-18, 08:17 PM
They're all qwerty but the size and spacing of the keys is different enough that it takes me a minute to adjust when I switch, and until I adjust I make loads of typos because things aren't where my hands expect them to be. I imagine that would make tracing things out more difficult unless I actually remembered which keys I was supposed to hit during the tracing.

Max™
2014-05-18, 08:21 PM
They're all qwerty but the size and spacing of the keys is different enough that it takes me a minute to adjust when I switch, and until I adjust I make loads of typos because things aren't where my hands expect them to be. I imagine that would make tracing things out more difficult unless I actually remembered which keys I was supposed to hit during the tracing.

Ahhh, well, it would probably need you to really favor the tracing method then to actually go through the time to remember them. I usually just keep track of how far from the f and j keys I moved my hand before I started tracing, as the rest happens automatically now.

I figured I use more muscle memory when remembering which new odd permutation is required to meet the strong requirements of various sites than actual memory anyways, why not remove the need to know the keys from the process entirely?

Karoht
2014-05-20, 10:28 PM
My strategy was formed due to a fear of keyloggers. As such it involves a break that I have to be able to click with a mouse to form. I call it the candyland system.

Example: candyland$101

Type In: candyland$101
Key logger reads: candyland$101

Type In: candyland
Click: anywhere in the string that is easy to remember
Continue typing: $101
Should look like this: candy$101land
Keylogger reads as: candyland$101

There are loads of variations you can do on this one. Two click positions rather than one are recommended.
Example: canlandd$101y
And if you want it to be website specific, add another click position with some kind of identifier.

Happy hunting.

PallElendro
2014-05-20, 11:55 PM
https://i.chzbgr.com/maxW500/8171730432/h7390D602/

Max™
2014-05-21, 12:27 PM
Nice gif, and yep, that's what I was trying to do, find a way to get a long complex string which I can remember readily enough to be useful and secure.

I like the candy101$land idea, but I use a ps3 controller as a mouse, so it gets kinda awkward to switch around through keys like that; it usually involves spidering my fingers over the analog sticks/face buttons real quick if I have to move the cursor while typing and can't simply tab+shift hop it around.

factotum
2014-05-22, 02:05 AM
I agree that a longer password is better than a short one, but there are some things which actively make it difficult to do that--for instance, banking websites often ask you to enter certain letters from your password rather than the whole thing, and that becomes a real pain if you have a long password. I know they do this to prevent keyloggers getting hold of the whole password, but I reckon that's probably a less likely attack vector than hackers being able to crack the shorter password you picked so you can easily count letters!

Balain
2014-05-22, 03:05 AM
It's late so I hope I get my thoughts out right.

The idea of using some algorithm, say for example the site's name with every second character replaced with "1dr4z", generates one good password. That is, say someone gets your password for some site and then for some other site also gets your password; they could figure out your algorithm and now they have access to any site you go to.

Following some pattern on the keyboard could also be figured out in a similar way.

This is a bigger concern if someone is targeting you. It is not totally impossible that they would notice a pattern from different sites with the same user name or e-mail address though.

The problem with replacing letters with numbers is that is the first thing anyone thinks of and bad guys know it so all those combinations are tried first.

I read something (I am fuzzy on the details but it went something like this): a guy went through people's comments on YouTube or posts on some forum. Taking the words and how the person types, he generated passwords by combining words the way the person typed them, and then replacing common numbers with letters. I don't remember the number of people he tried it on per site but it was something like 40% of the passwords were found in not very much time.

Balain
2014-05-22, 03:10 AM
The key logger thing made me think of a question. If you use, say, a Dvorak keyboard, would that screw up a key logger? I would guess most key loggers assume you are using a qwerty keyboard?


Edit: hmm probably not because you have to set what type of keyboard you use in the os. So guess it depends if the key logger checks that or not.

Max™
2014-05-22, 05:37 AM
It's late so I hope I get my thoughts out right.

The idea of using some algorithm, say for example the site's name with every second character replaced with "1dr4z", generates one good password. That is, say someone gets your password for some site and then for some other site also gets your password; they could figure out your algorithm and now they have access to any site you go to.

Following some pattern on the keyboard could also be figured out in a similar way.

This is a bigger concern if someone is targeting you. It is not totally impossible that they would notice a pattern from different sites with the same user name or e-mail address though.

The problem with replacing letters with numbers is that is the first thing anyone thinks of and bad guys know it so all those combinations are tried first.

I read something (I am fuzzy on the details but it went something like this): a guy went through people's comments on YouTube or posts on some forum. Taking the words and how the person types, he generated passwords by combining words the way the person typed them, and then replacing common numbers with letters. I don't remember the number of people he tried it on per site but it was something like 40% of the passwords were found in not very much time.

Doing the same pattern each time would start to run the risk of being figured out once someone knew what to look for, but the number of different combinations and whatnot make it a lot harder to crack than it is to remember what you were doing when typing them out.

&*(IK7ujikoiklol;piujkm7ujik (Though) jmu6yhntyu (it) uygbniuhnmkgbhnjmjhbnmyhnjmhjuygbn (makes) gfvb (a) yhnuikjjhnloijm,yghjnyghjntgyv (pretty) gtyhbviuhnmkpoik,.;kjm,ki (good) uygbndcefredcdfrescfdc (cipher).

AgentPaper
2014-05-26, 04:47 PM
I have 4 levels of passwords, used for various levels of security.

The first level is simply 1234321. As you can guess by the fact that I flat-out posted it here, this is a throwaway password for stuff I really don't care about.

The second level is a set of ~4 patterns on the keyboard that gives you stuff like 4rT%6yU&. This is what I use for most things, which I'd rather not have someone access, but am not worried about anything so dedicated as a hacking attempt, like forums or online games.

My third level is to pick a word, a number, and another word, capitalizing the second word. For example, goat77REEF. I use this for moderate protection on more important stuff like my email or hacking-prone games like WoW.

And then, of course, there's the password for my bank account, which has no real pattern and I simply memorized ages ago. All I can say about it is that it's quite long and not vulnerable to any kind of attack I'm aware of.

Max™
2014-05-26, 04:52 PM
That 4rT56yU7 is kinda like the word tracing I do actually.

Eldariel
2014-05-26, 06:02 PM
An easy, old one: Pick a song. Take e.g. the first (or the last or w/e) letter of the N first words from it. Add a few random numbers (could match the appropriate tunes or whatever for ease of remembering). You're done. You'll never forget it since you can just think through the song again, and it's bound to be fairly solid.

Also, number/letter sequences I remember by heart, be it from movies, old passwords or whatever, I make plenty of use of those. Of course, add a few letters; right now my old 7-sign email password is 12 signs and used in a completely different place for instance (and obviously is made of no dictionary words, capital & small letters, numbers & other signs).

Jeff the Green
2014-05-27, 08:32 PM
I go with sentences mostly. For example, if I had an EBay account, the password might be "I h8 logging on 2 EBay because I always buy tons if stupid stuff." I've been meaning to move to a password manager, though.

My dad still uses the same password for several accounts that he came up with over ten years ago. He's head of IS for a significant corporation. :smallannoyed:

SteveMB
2014-06-04, 06:12 AM
My boss has a system where he uses the initial letters of the lyrics of songs he likes, with various letters changed for numbers etc. Probably as good as any!

Incidentally, with the power of modern dictionary-based password crackers married to GPU power for calculating the hashes, that XKCD password generation method is probably not as good as you'd think.

The "initial letters" method is generally a good one. It doesn't quite generate a random string of letters (some initial letters are more common than others), but it's close. I posted some calculation results (http://forums.xkcd.com/viewtopic.php?f=7&t=73384&start=760#p3455018) on the xkcd forum; the upshot is that this sort of acronym has 86% of the randomness (technically, bits of entropy per letter) of true random text.

Improved password cracking means that you might need a longer password no matter which method you use to generate and remember it, but it doesn't affect the issue of which methods are good and which ones are not so good.


A competent hacker will tailor his list to suit the target he's aiming at, I would think; the fewer words in the dictionary the quicker the dictionary attack will be, and saving a few hours may well be more important than sniffing out a few extra percent of passwords. Bear in mind a lot of these guys won't be after a specific person's password, or attempting to find every single password in a database, they'll just be trying to get as many usernames and passwords as they can so those can be used in other types of attack.

"I don't have to be faster than the bear...."
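The "first letters of a song" method Eldariel describes and the per-letter entropy comparison SteveMB cites, worked through in Python as an added example (this is not code posted by anyone in the thread). The lyric, the suffix digits and the sample corpus are constructed for the demo; the ratio the last function returns measures only how skewed the frequencies of initial letters are compared with uniformly random a-z, which is what the 86% figure refers to. It says nothing about a cracker that already holds the lyrics of popular songs, so the number is an upper bound on what the method gives you, not a guarantee.

```python
import math
from collections import Counter


def acronym(text, n=None):
    """Initial letter of each word, lower-cased: the 'first letters' method."""
    letters = []
    for word in text.split():
        word = word.strip("\"'(),.;:!?-")  # drop surrounding punctuation
        if word:
            letters.append(word[0].lower())
    if n is not None:
        letters = letters[:n]
    return "".join(letters)


def song_password(lyric, n=8, suffix=""):
    """Eldariel's recipe: first letters of the first n words plus a few digits."""
    return acronym(lyric, n) + suffix


def bits_per_symbol(symbols):
    """Shannon entropy, in bits per symbol, of the observed symbol frequencies."""
    counts = Counter(symbols)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


RANDOM_LOWERCASE_BITS = math.log2(26)  # about 4.70 bits per uniformly random letter


def acronym_entropy_ratio(corpus):
    """Entropy per initial letter as a fraction of uniformly random a-z.

    SteveMB's xkcd-forum calculation gave roughly 0.86 on a large English
    corpus; a small corpus like the one below only illustrates the idea.
    """
    return bits_per_symbol(acronym(corpus)) / RANDOM_LOWERCASE_BITS


# Constructed sample text (not a real corpus) so the block runs offline.
SAMPLE_CORPUS = """
The forum thread asked how people generate passwords and several methods
came up, from tracing letters on the keyboard to taking the initial letter
of every word in a song and adding a few digits at the end. A password
manager removes the need to remember any of them, which is the simplest
answer for most accounts, but a memorised passphrase is still needed for
the manager itself and for the machine you log in to before it opens.
"""

if __name__ == "__main__":
    lyric = "Twinkle twinkle little star how I wonder what you are"  # constructed
    print(song_password(lyric, 8, "12"))  # first 8 initials plus the digits
    print("bits per initial letter / random letter: %.2f"
          % acronym_entropy_ratio(SAMPLE_CORPUS))
```

The same `bits_per_symbol` function applied to a truly random lowercase string converges on `RANDOM_LOWERCASE_BITS` as the string grows, which is the baseline the ratio is taken against; the short password strings themselves are too short to estimate anything from, so the estimate must come from a corpus.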

SteveMB
2014-06-04, 06:39 AM
When it comes to passwords, I have only two rules.

1) Don't ever reuse a password for anything. This applies to variants of passwords as well. This does mean that I have well over 30 unique passwords that I use on a regular basis which would be problematic for some, but I am quite well adjusted to it.

The simplest way to do that is to use a password manager; then you only have to remember one master password.


2) Don't ever share passwords or the methods used to generate them. Especially not on the internet. =P

Obviously, you shouldn't share passwords. Sharing the methods used to reveal them is fine -- if the methods are sound, revealing just the method doesn't compromise security; if not, you want other people to notice the problem and warn you.

samanthabramle
2014-06-04, 07:12 AM
Before you decide on your single password generation rule, keep in .... But this got me to start phasing out my one-password-for-all strategy.

Max™
2014-06-04, 09:16 PM
Obviously, you shouldn't share passwords. Sharing the methods used to reveal them is fine -- if the methods are sound, revealing just the method doesn't compromise security; if not, you want other people to notice the problem and warn you.
This is my thought; it's surprising how many ways to generate a password there are that seem fine, and how counterintuitive some of the stronger password types can be. The xkcd comic is one example, the Intel gif posted on the first page another.

There are people who don't realize that simple letter -> number substitution strategies with dictionary words are ridiculously easy to crack. It's good to see what others' thoughts are; it can help you improve your own methods.
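Why letter-to-number substitution on a dictionary word buys so little, shown as an added example (not code from this thread). The substitution table, the three-word list and the target hash are all constructed for the demo, and the hash is a single unsalted SHA-256 so the block runs in milliseconds; the point is the size of the search space, which a cracker enumerates with mangling rules exactly like these, only with a far larger rule set and wordlist.

```python
import hashlib
import itertools
import math

# Assumed mangling table: the substitutions people reach for by hand.
# Real cracker rule sets (hashcat, John the Ripper) are much larger.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}

PRINTABLE_ASCII = 94  # size of the alphabet a random generator would draw from


def leet_variants(word):
    """Every combination of the substitutions above, plus an optional capital."""
    choices = []
    for pos, ch in enumerate(word.lower()):
        opts = [ch] + list(LEET.get(ch, ""))
        if pos == 0:  # 'Password' / 'P@ssword' style initial capital
            opts += [o.upper() for o in opts if o.isalpha()]
        choices.append(opts)
    return {"".join(combo) for combo in itertools.product(*choices)}


def candidate_space(wordlist):
    """Total number of guesses needed to exhaust wordlist x mangling rules."""
    return sum(len(leet_variants(w)) for w in wordlist)


def search_bits(wordlist):
    """Effective strength of the scheme against this wordlist, in bits."""
    return math.log2(candidate_space(wordlist))


def random_bits(length, alphabet=PRINTABLE_ASCII):
    """Strength of a uniformly random password of the same length."""
    return length * math.log2(alphabet)


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def crack_unsalted_sha256(target_hex, wordlist):
    """Dictionary attack with mangling rules against one unsalted SHA-256."""
    for word in wordlist:
        for candidate in leet_variants(word):
            if sha256_hex(candidate) == target_hex:
                return candidate
    return None


if __name__ == "__main__":
    wordlist = ["cabbage", "password", "goat"]  # constructed stand-in dictionary
    target = sha256_hex("P@55w0rd")              # constructed victim hash
    print("recovered:", crack_unsalted_sha256(target, wordlist))
    print("guesses for 'password' + rules: %d (%.1f bits)"
          % (candidate_space(["password"]), search_bits(["password"])))
    print("8 random printable characters: %.1f bits" % random_bits(8))
```

Even with a real dictionary of a few hundred thousand words the mangled space stays far below the roughly 52 bits of eight random printable characters, and a GPU rig testing fast hashes runs through it in seconds; a slow, salted password hash raises the cost per guess but does not change the arithmetic of the search space.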

Karoht
2014-06-06, 03:40 PM
"Run You Clever Boy And Remember 1-2-3"

Avilan the Grey
2014-06-18, 02:55 AM
I am bad. I use a password that is closely related to my most used username online. Because I don't bother, it's a hassle.

Max™
2014-06-18, 06:43 PM
I am bad. I use a password that is closely related to my most used username online. Because I don't bother, it's a hassle.

Ha ha, my dastardly scheme finally comes to fruition, now it is I who shall be posting as your accounts, not you, BWAHAHAHAHAH!

Gnomvid
2014-06-24, 08:43 AM
Sound familiar?

Creating a Password

-cabbage

-sorry the password must be more than 8 characters

-boiled cabbage

-sorry the password must contain 1 numerical character

-1 boiled cabbage

-sorry the password cannot have blank spaces

-50****ingboiledcabbages

-sorry the password must contain at least one upper case character

-50****INGboiledcabbages

-sorry the password cannot use more than one upper case character consecutively

-50****ingBoiledCabbagesShovedUpyourArseIfYouDon'tGiveMeAccessImmediately

-sorry the password cannot contain punctuation

-NowIamGettingReallyPissedOff50****ingBoiledCabbagesShovedUpYourArseIfYouDontGiveMeAccessImmediately

-Sorry that password is already in use.......

Avilan the Grey
2014-06-24, 04:33 PM
Where is the damned like button? :smallbiggrin:

I think we already concluded (by actual, scientific tests) that too complicated demands on passwords only make users write them down and keep them in the room, making the security WORSE.

Max™
2014-06-24, 06:43 PM
Where is the damned like button? :smallbiggrin:

I think we already concluded (by actual, scientific tests) that too complicated demands on passwords only make users write them down and keep them in the room, making the security WORSE.

░░░░░░░░░█░░░█
░░░░░░░░░█░░░░█
██████▄▄█░░░░░██████▄
▓▓▓▓▓▓█░░░░░░░░░░░░░░█
▓▓▓▓▓▓█░░░░░░░░░░░░░░█
▓▓▓▓▓▓█░░░░░░░░░░░░░░█
▓▓▓▓▓▓█░░░░░░░░░░░░░░█
▓▓▓▓▓▓█░░░░░░░░░░░░░░█
▓▓▓▓▓▓█████░░░░░░░░░█
██████▀░░░░▀▀██████▀