Passwords hit-and-run

Sep 10, 2015 10:10

Lots of people are raving about this algorithmic trick to avoid memorising passwords.

It gave me a start, because it's close to a system I used to use before I made the shift to a password manager.

It's an algorithm you can do in your head (if you have that sort of head) that generates a unique password for any site you happen to visit, using the site's name plus a random base password you can re-use for many sites. It's essentially a more sophisticated version of using Passw0rd1Amazon, Passw0rd1Google, Passw0rd1Snapchat, and so on, that doesn't suffer from the problem of making it easy for someone who hacks your password for one site to guess what you use on another.

One benefit is this: "Asked recently by his wife for his password on the REI website, for instance, 'I could honestly say, I don't know if I'm registered at REI, but if I am, then my password is....'"

That's also one of the main problems. If that site requires you to change your password (e.g. it's been hacked, or has a data loss, or whatever), you now need to remember some alternate base password and/or scheme. So after making the mistake of trying to memorise site-specific alternatives (which gets you back where you started with trying to memorise too many passwords), I came up with an alternate system ... and then needed an alternate alternate, and then an alternate alternate alternate. Beyond that I was in real trouble, because any decent site will lock right down if you make three mistakes.

Oh, and all of these schemes have problems if the site changes its name, for rebranding or takeover or because you were previously using a side product and it is helpfully consolidating all user accounts into a helpful single sign-on system. And you need some way of being

Another issue is with different password requirements. Some sites have different minimum and maximum length passwords - some even silently enforce a maximum length. Some require a particular mix of upper and lower case letters, some require numbers, some don't allow numbers. Non-alphanumeric characters are the worst: some require them, some reject all of them, most require at least one from their own special snowflake set. Some of them won't allow the same character twice in a row (which, if your algorithm is any good, should happen from time to time). And most of them won't tell you what their policy is when you are trying to enter your password. Some don't even tell you precisely what their requirements are when they tell you your password doesn't meet them. No single algorithmic system can cope with this diversity: password requirements are mutually contradictory.
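To make the mechanism concrete, here is a constructed Python example (my own, not from the post or from any of the password managers it names) of the "base password plus site name" scheme described above, run against a few made-up site policies to show the contradictions just listed: one derivation cannot satisfy a site that rejects special characters and caps length at 12 and also a site that demands a character from its own special set. The HMAC-SHA256 construction, the rotation counter, the policy set and the site names are all assumptions.

```python
import base64
import hashlib
import hmac


def derive_password(base_secret: str, site: str, version: int = 0, length: int = 16) -> str:
    """One deterministic 'base password + site name' scheme (constructed, not the
    post's own): HMAC-SHA256 keyed by the base secret over the normalised site name
    and a rotation counter, base64-encoded and truncated.  The counter is the
    'alternate alternate' the post describes: bump it when a site forces a reset,
    and remember that you did.  Renaming the site changes the output entirely."""
    message = f"{site.strip().lower()}:{version}".encode()
    digest = hmac.new(base_secret.encode(), message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


def check_policy(pw, min_len=0, max_len=None, allow_special=True,
                 required_special="", no_repeats=False):
    """Return the list of rules a password breaks under one site's policy."""
    problems = []
    if len(pw) < min_len:
        problems.append("too short")
    if max_len is not None and len(pw) > max_len:
        problems.append("too long")
    if not allow_special and any(not c.isalnum() for c in pw):
        problems.append("special characters rejected")
    if required_special and not any(c in required_special for c in pw):
        problems.append("missing required special character")
    if no_repeats and any(a == b for a, b in zip(pw, pw[1:])):
        problems.append("same character twice in a row")
    return problems


# Constructed, mutually contradictory policies of the kind the post complains about.
# base64 output never contains '!', '@' or '#', so the second policy always fails.
POLICIES = {
    "alnum-only-max-12": dict(max_len=12, allow_special=False),
    "needs-!@#-min-12": dict(min_len=12, required_special="!@#"),
    "no-repeated-chars": dict(no_repeats=True),
}


def audit(base_secret: str, site: str, version: int = 0) -> dict:
    """Derive the password for one site and test it against every policy."""
    pw = derive_password(base_secret, site, version)
    return {name: check_policy(pw, **rules) for name, rules in POLICIES.items()}


if __name__ == "__main__":
    for name, problems in audit("correct horse battery", "example.com").items():
        print(f"{name:20s} {'ok' if not problems else ', '.join(problems)}")
```

Lengthening, shortening or re-encoding the output fixes one policy and breaks another, which is the point of the paragraph above.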

Password managers are way better. You can generate a full-on random password meeting the precise snowflake requirements of each site ... and have it back whenever you want. And they also let you store those dreadful password reset questions so you can remember them. It's really hard for me to say who my best friend in school was, so you might get different answers at different times, but with the aid of a password manager I can remember that I told my bank it was my dear chum Et\IVSX/R+!1. They also let you remember what username and/or email address you used.

It's not perfect. There are still quite a few passwords I have to remember without access to a password manager. Including, of course, the master password for the password manager. Luckily those tend to be ones that I type a lot, so I can keep a pretty strong one in my memory. And I don't have the face to use it for PINs - I would certainly be suspicious of someone who needed to look up a PIN when paying with a credit card, for instance. And while some of the more user-friendly password managers do a good job of just working, several sites specifically block them for 'security' so you have to hand-type, and it can be fiddly to get it right. Without being able to cut-and-paste I could easily misspell Et\IVSX/R+!1 as Et\lVSX/R+!1, which is not a problem I'd have if it was from an algorithm in my head.

But it's still way less bother on a daily basis, and I believe way more secure.

(I use Password Safe, Password Gorilla and pwSafe synced across platforms, which is a bit heavyweight and techie. LastPass, 1Password and KeePass are all more than good enough for anyone who isn't paranoid or a genuine high-value target, and certainly way better than reusing the same two or three passwords everywhere.)

This entry crossposted to http://doug.dreamwidth.org/301110.html, where there are comment(s) not shown here.

rants, computers
