I've actually created my own 'technique' or 'algorithm' whatever you want to call it to generate my passwords. I would take parts of the name for whatever I was registering for and autistically work out what the password would be. They were all like 25 characters and looked completely random.
But it got too annoying to have to recreate them.
Now I just inject part of the site name and username into a string I have memorized, so I can create them much quicker and it's different for every site. I have various strings that I use for different security levels.
>>47546987 Most enforce *something* preventing "123", but it was kind of obvious he was kidding, wasn't it?
I was toying with the idea of an account creation process that basically worked the same as a standard account creation process, except that you could send a cURL request to an endpoint through a terminal where you basically "manually" request an account creation. Under *this* process, no password requirements would be enforced intentionally, because the thinking would be that anyone savvy enough to do the cURL request in the first place is probably savvy enough to know the risks they're taking.
I would of course have clear instructions (the endpoint, syntax, format, etc...) on the webpage, but I wouldn't give the person some text to copy/paste to make it TOO easy. It'd functionally act like a documented backdoor.
>>47546991
>I would take parts of the name for whatever I was registering for and autistically work out what the password would be. They were all like 25 characters and looked completely random.
Uh, you know that's incredibly insecure, right? It doesn't matter if your passwords "look random" or not, what matters is that they actually ARE random.
>>47547052
>Passwords don't need to be random.
Uh...
Fuck, the entire POINT of a password is that it has as much entropy as possible, so that it can't be guessed by an attacker. If your password is constructed from just the site name, then an attacker can get in on the first attempt.
>>47546973 I really loathe the idea of a single password unlocking everything. I would much rather spend more human brain cycles thinking up a clever algorithm that I can just memorize and apply to every service I use. For example, at one point I used an algorithm like the first and last characters of each word in a sentence like
>My password for Netflix is this sentence!
so it'd be
>MypdfrNxistsse!
or whatever. Point being that it's long, has a mix of capitalized characters and lowercase, as well (potentially) as punctuation. And it's easy enough to remember and extend (Hulu? Just swap "Netflix" for "Hulu"). The only way this would be a problem would be if someone 1) wanted to break every account *I* personally had (ie, not breaking into LinkedIn, but stealing *my* identity), and 2) discovered my input sentence (otherwise they're just looking at gibberish as above and it might not be clear what the logic is).
At one point I used a character shift cipher as well (so A->B, N->O, etc...) so it wasn't even like you could pluck "Nx" out of the Netflix password. It'd be "Oy".
The only appeal I could ever see in a password manager would be a programmatic interface to *change* all of my passwords. When Heartbleed came to light, I realized that I had to scramble all over the fucking internet changing all of my passwords. Why the fuck don't password managers handle that much for me?
I could give up the security of an algorithmic password I can calculate in my head if it was a simple matter of clicking a single button to change/rotate all of my passwords. But it's not.
>>47547086 guy who made the post about constructing the passwords here
Even random number generators construct randomness from something. What matters is how obscure it is and I don't think there is any way at all someone was going to guess how I did it.
But you're also forgetting that anyone trying to crack the password is not going to even know I used such an algorithm. Doing it the way I did isn't exactly considered normal.
Anyway, as I said, now I use a string that is actually random and unrelated to the site. I merely inject a few letters related to the site and my username just to add a little bit of variation from site to site. I know it's not the most secure way, but it's definitely better than using a phrase with dictionary words, or having the password be exactly the same for everything. It's still 20+ characters and only 4 or 5 are even related to the site. I feel pretty safe.
>>47547093
>I really loathe the idea of a single password unlocking everything
Your loss. You won't be able to do better than KeePass or similar manager, or even half as good. You're basically crippling your security because of a superstition.
You can even set it to require a key file in addition to a text password. You can also get a Yubikey or something, if you want something physical (although it's not really that much different from typing out your password).
>>47547102 I ignored the second part because it's flat out wrong. The ONLY measure of how secure a password is is how much entropy it contains; ie, how "random" it is. You can arrange that entropy into a memorable form if you like, but everything other than the number of bits of entropy is utterly irrelevant to security.
>>47547128
>Even random number generators construct randomness from something. What matters is how obscure it is
Random number generators are assumed to be random. They're often not, but we build them as close as possible.
>But you're also forgetting that anyone trying to crack the password is not going to even know I used such an algorithm.
You can't possibly know that. Also, that's straight up security by obscurity.
>Anyway, as I said, now I use a string that is actually random and unrelated to the site. I merely inject a few letters related to the site and my username just to add a little bit of variation from site to site.
That's fine.
>I know it's not the most secure way,
Actually, the "known letters" don't detract from the security. They just don't add to it either.
>but it's definitely better than using a phrase with dictionary words,
Nope. Randomly picked dictionary words are still random, and using a largish dictionary will provide a lot of bits per word.
>It's still 20+ characters and only 4 or 5 are even related to the site. I feel pretty safe
15 characters at about 6.5 bits per character gives 97.5 bits. That's fine.
My only problem with password managers is that for them to be useful, I need them to follow me around. I sometimes log into some of my sites on other computers or from my phone and being stuck without the password manager means I can't log in.
>>47547193
>The ONLY measure of how secure a password is is how much entropy it contains; ie, how "random" it is.
>You can arrange that entropy into a memorable form if you like
You do realize that you're contradicting yourself.
>>47547136 Is your KeePass password so much stronger than mine that it's fair to describe mine as crippled? I can easily arbitrarily change it with either a change in the input sentence or a change in the algorithm.
And none of my passwords endanger the others on their own. The KeePass password represents a lynchpin in your system. If that gets broken, you're potentially fucked to an unprecedented degree. If someone changes your KeePass password, you don't even have the passwords to the constituent services to try and "outrace" them to reclaim your accounts before those get taken down (not that you want to be in that position ever anyway).
>>47547193 I'm sorry but I'm just going to call BS on this
If my "constructed password" uses information like the number of strokes it takes for me to write a particular letter in my handwriting and various things like that all combined together, how the fuck is a computer going to have an advantage cracking that over a randomly generated string?
Without a large database of my constructed passwords to use to figure out the pattern such a constructed password is no different to the cracking program or person, than a completely random string would be.
>>47547226
>You do realize that you're contradicting yourself.
How so? Entropy is a measure of the number of possible passwords that could be constructed by that method. If there's only one password (eg you're rearranging the site name), then you have ln2(1)=0 bits of entropy. But a 100 bit password is just as hard to break if it's made of 10 selections of words from a list of a thousand, or 100 selections of the letters 'P' and 'N'.
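The entropy arithmetic in the post above, together with the sentence scheme and character shift described earlier in the thread, as an added Python example that is not part of the original thread. The function names, the `TEMPLATE` constant and the eight-word list are constructed for illustration.

```python
import math
import secrets

def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform selections from `choices` options."""
    return picks * math.log2(choices)

def first_last(sentence: str) -> str:
    """Sentence scheme from the thread: first and last letter of each word."""
    out = []
    for word in sentence.split():
        core = word.rstrip("!?.,;:")          # trailing punctuation is kept as-is
        tail = word[len(core):]
        out.append((core[0] + core[-1] if len(core) > 1 else core) + tail)
    return "".join(out)

def shift(text: str, k: int = 1) -> str:
    """Character shift from the thread (A->B, N->O); non-letters are unchanged."""
    def rot(c: str) -> str:
        if c.isascii() and c.isalpha():
            base = ord("A") if c.isupper() else ord("a")
            return chr((ord(c) - base + k) % 26 + base)
        return c
    return "".join(rot(c) for c in text)

TEMPLATE = "My password for {site} is this sentence!"   # sentence quoted in the thread

def derive(site: str, shifted: bool = False) -> str:
    pw = first_last(TEMPLATE.format(site=site))
    return shift(pw) if shifted else pw

def differing_positions(a: str, b: str) -> list:
    """Indices where two equal-length derived passwords differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

# Constructed sample list; a real list would be far larger.
WORDS = ["amber", "cobalt", "fjord", "lantern", "mosaic", "quartz", "tundra", "willow"]

def random_passphrase(n: int, words=WORDS) -> str:
    """Uniform CSPRNG picks: n * log2(len(words)) bits even if the list is public."""
    return " ".join(secrets.choice(words) for _ in range(n))

if __name__ == "__main__":
    print(derive("Netflix"), derive("Hulu"), derive("Netflix", shifted=True))
    print(differing_positions(derive("Netflix"), derive("Hulu")))
    print(round(entropy_bits(1000, 10), 2), entropy_bits(2, 100), entropy_bits(1, 1))
    print(random_passphrase(6), entropy_bits(len(WORDS), 6), "bits")
```

The two derived passwords differ only at positions 6 and 7, so everything unpredictable about the scheme sits in the memorized sentence, while the random passphrase keeps its bits per word with the word list public.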
>>47547239 KeePass is a local program, you keep the password database file on your system, and you keep an additional key file somewhere else on your system (or a thumbdrive if you want). It is much harder to compromise. People can't lock you out of it if you have a backup.
Also, your passwords might be as good as whatever KeePass generates, but the point of failure in your system is you (you forget, you don't keep up with password rotation, you get lazy, etc.), while KeePass can be configured to be really strict with you, and improve your security.
This is a 4chan archive - all of the content originated from them. If you need IP information for a Poster - you need to contact them. This website shows only archived content.