from Hacker News

How to create unique passwords you won't have to memorize

by m00s3 on 3/18/18, 5:32 PM with 11 comments

I just heard this on the radio. I was appalled.

http://www.cbc.ca/radio/thesundayedition/how-to-create-unique-passwords-you-won-t-have-to-memorize-1.4579765

  • by tptacek on 3/18/18, 6:26 PM

    Don't do this. Submit a story the normal way, not with a blank URL. Stories with blank URLs are penalized (or were at one point) but, more importantly, submissions to HN are community property, and the person who happens to submit a link first is not entitled to a special commentary at the top of the thread.
  • by UncleMeat on 3/18/18, 6:19 PM

    This is dumb but not that dumb.

    The method is (mostly) fine given most people's threat model. It solves password reuse and the generated passwords are resistant to dumb brute force. You lose a lot of entropy if people know the method or even know that characters are more likely to be pulled from the domain name, but given a good enough seed (the article has seven characters) you are still generally fine.

    If you are a high-value target it is obviously awful, since you are worth the time for a human to reverse the pattern and break your other passwords.

    The real reason this is dumb is because it doesn't allow you to change your password, not because your passwords have lower entropy.

  • by kazishariar on 3/18/18, 6:18 PM

    Not to give too much away. But I think most of us use similar password methods, on top of whatever inlay password provider/manager you're using. e.g. Lastpass autogenerates, saves, syncs and fills. - https://helpdesk.lastpass.com/generating-a-password/
  • by hprotagonist on 3/18/18, 6:49 PM

    Like a fair few other people, particularly on HN, my process is:

    1. Pick an extremely good, very long master password.

    2. Make my password manager generate maximum-allowed-length random line noise for every site I have an account on.

    3. Never know or care what these passwords are.

    4. For edge cases like workstation logins and "forgotten password hints", use diceware to generate easily typed nonsense phrases.
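    An added example (not hprotagonist's code) showing the two generator halves of that process: a diceware phrase built from simulated five-dice rolls, and a maximum-length random site password, each with its entropy computed from the number of equally likely choices. The wordlist is a constructed stand-in with only a few of the 7776 keys filled in, and the `rng` parameter is an assumption used so the output can be made deterministic for testing.

```python
import math
import secrets
import string

# Constructed stand-in for a diceware list. A real list maps every
# five-dice roll ("11111".."66666", 6**5 = 7776 keys) to a word; only a
# handful of keys are filled here, and unknown keys fall back to the key.
DICEWARE_SAMPLE = {
    "11111": "abacus",
    "11112": "abdomen",
    "66666": "zygote",
}
SITE_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def roll_key(rng=secrets.randbelow):
    """Roll five dice (1..6 each) and join them into a diceware key."""
    return "".join(str(rng(6) + 1) for _ in range(5))


def diceware_phrase(words, wordlist=DICEWARE_SAMPLE, rng=secrets.randbelow):
    """Easily typed nonsense phrase: one wordlist lookup per five-dice roll."""
    keys = [roll_key(rng) for _ in range(words)]
    return " ".join(wordlist.get(k, k) for k in keys)


def diceware_entropy_bits(words, list_size=6 ** 5):
    """Entropy depends on how many equally likely words exist, not on their length."""
    return words * math.log2(list_size)


def site_password(max_len, alphabet=SITE_ALPHABET, rng=secrets.choice):
    """Random 'line noise' at the longest length a site will accept."""
    return "".join(rng(alphabet) for _ in range(max_len))


def password_entropy_bits(length, alphabet_size=len(SITE_ALPHABET)):
    """Guess-space size in bits for a uniformly random password."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(diceware_phrase(5), round(diceware_entropy_bits(5), 1), "bits")
    print(site_password(20), round(password_entropy_bits(20), 1), "bits")
```

With the values above, five diceware words give about 64.6 bits and a 20-character random password about 131.1 bits, which is why step 3 (never knowing the site passwords) costs nothing in strength.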

  • by fgeiger on 3/18/18, 10:10 PM

    I used to have a similar scheme for passwords. It only works well as long as one uses the same pattern for all passwords though.

    This starts to break once you want to or need to change a password. I had to abandon the scheme once haveibeenpwned.com notified me of a breach including one of my passwords. I could either remember a new pattern for that one site or change passwords of all my sites.

    I chose to do the latter and used random passwords created by a password manager. That way I avoided running into the same problem again.

  • by iambateman on 3/18/18, 6:27 PM

    Password management remains a big problem for people, who tend to blame themselves for the trouble they find in remembering passwords.

    Giving them tools, however unwieldy, doesn’t seem terrible to me?

    bSSCmp9; scores 38 bits of entropy, and if someone decides that SSC ought to be their personal password pin, I think it’s better than repeating the same password over and over again.

    To me, password managers are the best option, but I struggle to convert my less savvy friends.

  • by emerged on 3/18/18, 10:12 PM

    Just use an incredibly strong password you couldn't possibly ever forget and use it for email. Then use password reset with a randomly generated string every time you have to log in somewhere.

    Because really, email is effectively the only password which matters.

  • by philipwhiuk on 3/18/18, 6:11 PM

    I mean it's bad but it's not that bad really. Obviously if everyone used the same sequence it would be very terrible.

    It's marginally better than pure password reuse.

    But compared to Troubador (https://xkcd.com/936/ ) it's not really worse.

    It slightly mitigates the 'humans are bad password generators' trap.

    Really it mainly falls down because passwords are terrible and the best industry standard solution is a shit version of OAuth where the OAuth mechanism is 'copy and paste from <InsertPasswordProvider>'.