from Hacker News

Ask HN: How'd you manage the password managers' master password?

by imcotton on 1/26/24, 4:27 AM with 26 comments

• by kutenai on 1/26/24, 5:26 PM

  I just memorize it. Write it on a small sticky and hid it somewhere for a period of time until the master is memorized.. then destroy it.

  you could write it on that flame paper they use in spy novels.. now that would be cool also. Does Amazon carry that?

• by roland35 on 1/26/24, 2:11 PM

  I have a circle of password managers all storing each other's master password

• by mortallywounded on 1/26/24, 12:28 PM

  I'm not really sure what it's called, but mine is based on a sentence I have memorized combined with some fixed symbols. I basically take the first letter of each word and keep capitalization and symbols.

  For example, if the sentence I memorized is, "I dreamt I was a butterfly! What a wonderful sight it was." my password would be: IdIwab!Wawsiw.

• by acheong08 on 1/26/24, 1:08 PM

  I’ll be changing my password after this comment but here’s how I did mine:

  <nickname unused since 12 years ago><phone number that no longer exists><another phone number but with shift keys><random http status code>

• by vipa123 on 1/26/24, 5:29 PM

  For some password hardening I take a short random password I already have memorized like abc1oktt and then use my own phonetic change... For example, That one becomes ehbesee1ohcayteaTea... For my master password I take three different of these and just concatenate them together to make a nice long passphrase... Not for everyone, I'm sure. But for me it essentially reinforces and reuses passwords I've known for 25 years... I also convert numbers like SSN or phone with a similar poor cipher... Nein,Ate,Sefen etc..

• by Zetobal on 1/26/24, 2:40 PM

  My favorite band has really long song titles so it's rotating between song names with some added numbers.

  My last one was "The One Armed Boxer vs. the Flying Guillotine.1234". Numbers changed ofc ;)

• by zwayhowder on 1/26/24, 4:55 AM

  I use Diceware. 6 random words with alphanumeric padding. So basically the XKCD, but something like:

  correct_2_horse_2_battery_2_staple. In my experience it doesn't take long to memorise the words.

  I have two passwords I know off by heart, my password manager and my gmail (just in case). I also capitalise a certain letter in each word, but that pattern is in my head only.

  I am of course lazy, so I use biometrics on my phone/tablet/laptop to minimise the need for entering my password. But I wouldn't if I still worked in a high risk industry.

• by wruza on 1/26/24, 3:26 PM

  There's an ancient trick to memorize your complex password: enter it twice a day for a week or so.

• by account-5 on 1/26/24, 9:39 PM

  I don't know the master password for my password manager. I remember the way I type it on the keyboard. Disadvantage being I really need to be in front of a standard keyboard to open the vault.

  I also use a keyfile too for added security.

• by ssss11 on 1/26/24, 7:14 AM

  Multiple words strung together that are important to you…

• by Erratic6576 on 1/26/24, 1:23 PM

  Song verses are easy to memorise and quite long to type

• by blinded on 1/26/24, 5:59 AM

  I just memorize the 20 char random strings.

• by patatino on 1/27/24, 7:15 AM

  Printed emergency kit from 1Password in a bank safe so my wife can access everything if I die.

• by embeng4096 on 1/26/24, 11:03 PM

  It usually shows up as stars so I don't need to worry about other people seeing it, see: hunter2

  Jokes aside, I memorize my password manager's master password, and have it written down in a notebook but in a different glyph set (Idk the scientific name). It's not ciphered or anything so can be decoded, but the chances of somebody recognizing Elian script are fairly low, I think, and recognizing something like Royal House of Riftgard script even lower. And if you use something like Elian script it can be obfuscated further by stylistic alterations. That, combined with a rotating cipher, even something like rot13, is probably enough to defeat all but the most determined attackers, in which case I'll have bigger things to worry about, like the XKCD wrench (https://xkcd.com/538/)

• by millzlane on 1/26/24, 1:55 PM

  supersecure password X 2

  s0 S2oMeThIng Tha! uses words with r@ndom CaPs spaces 123456789s and Spec!@l ch@racters=-!s0 S2oMeThIng Tha! uses words with r@ndom CaPs spaces 123456789s and Spec!@l ch@racters=-!

• by ElevenLathe on 1/26/24, 12:48 PM

  Keep it on a piece of paper somewhere safe.

• by yoyopa on 1/26/24, 4:55 AM

  Passw0rd!@#$!@#$!@#$!@#$

• by LabMechanic on 1/26/24, 9:50 PM

  I have three options for you, along with my two cents on each:

  1) *Bitwarden:*

  I am no longer using Bitwarden since they can delete your account at any time for any reason[5].

  2) *KeePassXC:*

  For KeePassXC, you need to store your "Passwords.kdbx" (~16 kB) database file somewhere and remember a master password.

  3) *Spectre (https://spectre.app/)\\\*

  I haven't tried it yet; however, Spectre calculates your password each time you need it. All you need is a name (e.g., your full name), your master password (see Diceware[1]), and the site name, from which Spectre algorithmically calculates your password. If you need to change a site's password, iterate the counter and calculate a new password.

  It works offline and is open source. Here's a web app version that runs locally:

  [Spectre Web App](https://spectre.pw/)

  *Bonus: One-Time Pad + (Layman-ish) Physics:*

  There are plenty of reasons to be paranoid[2]:

    - Firmware-wise (e.g., Intel Management Engine, Coreboot, Libreboot, system on a chip)
    - Hardware-wise (i.e., Von Neumann architecture - Code + Data)
    - Operating System-wise
      (e.g., 0-click exploits, remote code execution to manipulate the CPU's instruction pointer,
       stack overflow, Pegasus)
    - Facility-wise (e.g., electromagnetic waves, cell towers, Faraday cloth)
    - You (making mistakes)
  

  Given the above, I would first base everything on "true"[A] randomness (see random.org or roll casino-grade dice). "True" randomness is essentially: "every outcome has the same probability." As long as backward time traveling remains impossible, I would abstain from computers and simply follow the One-Time Pad protocol with a pen and paper, among other things.

    Message: Hello -> ASCII -> Binary
  
    Key: 5EYES (keep this private, must be random)
  
    Cipher: <Message in binary format> XOR <Key in binary format> -> convert back to ASCII
  

  The above is just one (i.e., XOR) out of many ways to follow the one-time pad protocol. For 128 characters, you need a random number from 0 to 127. However, you need to ensure that each number has the same probability to show up. Perhaps there is a way to encode or "rename" the numbers from 0 to 127 with a string of digits 1, 2, 3, 4, 5, 6 so that you can roll a die multiple times in a row to randomly get a number between 0 to 127 (see Diceware[1]). One-time pad might be good to encrypt your master password.

  *References:*

    1. Diceware, [Wikipedia](https://en.wikipedia.org/wiki/Diceware)
    2. CS155 - Computer and Network Security,
       [Stanford](https://crypto.stanford.edu/cs155old/cs155-spring18/syllabus.html)
    3. [One-time pad - Wikipedia](https://en.wikipedia.org/wiki/One-time_pad)
  
    4. Animated Explanation of the one-time pad, https://www.youtube.com/watch?v=QVV_bUxxiZ8
  
    5. https://tosdr.org/en/service/1348
  

  *Notes:*

    A) If you assume determinism (because our current "collective bias" leads us that way),
       then the quote marks are okay; if not, then not.
  
    Personally, everything seems to be based on assumptions or beliefs anyway (your existence, math, ...),
    so I go by "ignorance is bliss."