441
submitted 5 months ago by protein@programming.dev to c/asklemmy@lemmy.ml
you are viewing a single comment's thread
view the rest of the comments
[-] w3dd1e@lemm.ee 6 points 5 months ago

This is a method I heard once for remembering random passwords that I thought was clever.

Create your own alphabet of words (or random characters). A is for Apple, B is for Boy, C is for Cat…etc.

For every letter in the URL, you use the word from your alphabet. Ex:

www.facebook.com

F = Fog, A = Apple, C = Cat, E = Egg, B = Boy, O = Off, O = Off, K = Kite

Next, you need a number if you didn’t use one in your alphabet.

Facebook is 8 letters long so I might use 8. Or only letters repeated once. Or maybe you use the whole URL. Up to you, but you do it the same way for every site. You create a patter that you follow and can remember, rather than remembering every password.

Need a symbol? Assign that to the top level domain. In my example, .com = # .edu = ? .org = * etc

Put it all together and my example password would be “8FogAppleCatEggBoyOffOffKite#”.

A password for google.com might be ‘6GolfOffOffGolfLogEgg#’.

Obviously, you don’t have to do it this exact way with the alphabet, number, and symbol. The idea is that you create a set of rules that you remember and follow. If you write down “A = Apple B = Boy…” and someone finds it, it won’t be instantly obvious that it is meant for passwords.

This is terrible. If someone gets a couple of your passwords it’s pretty easy to work out the patterns and gain access to your other accounts.

Don’t complicate it. Use a password manager. I know none of my passwords and that’s how it should be.

[-] DNOS@lemmy.ml 4 points 5 months ago

I Guess we already have a couple of his passwords ... Good job man, Sorry whats your name ?

[-] patatahooligan@lemmy.world 4 points 5 months ago

For someone to work it out, they would have to be targeting you specifically. I would imagine that is not as common as, eg, using a database of leaked passwords to automatically try as many username-password combinations as possible. I don't think it's a great pattern either, but it's probably better than what most people would do to get easy-to-remember passwords. If you string it with other patterns that are easy for you to memorize you could get a password that is decently safe in total.

Don’t complicate it. Use a password manager. I know none of my passwords and that’s how it should be.

A password manager isn't really any less complicated. You've just out-sourced the complexity to someone else. How have you actually vetted your password manager and what's your backup plan for when they fuck up?

When Dashlane reports a breach. I change my passwords.

[-] patatahooligan@lemmy.world 1 points 5 months ago

So no vetting at all presumably since you didn't mention it? So how do you know that Dashlane is safer than a password scheme that might be guessed by someone after they've already compromised a couple of your passwords?

Dashlane is pretty big and I’ve not seen any negative reports from security researchers. They offer bug bounties for people that do find vulnerabilities etc.

I believe the consensus is that password managers are better than any human password scheme. I could host my own manager but then there are more vectors for an attack, and why reinvent the wheel.

[-] Bytemeister@lemmy.world 4 points 5 months ago

Not bad, but I could see that creating passwords that are too long for some systems, and it would be vulnerable to dictionary attacks. Also, what would you do when the site requires a password reset?

Maybe do your strat, but only do every other, or every 3rd letter as a short word, and use a Caesar cipher, incrementing the cipher once each time you have to reset? Sounds kinda fun, but I don't think most sane people would do that... Open to ideas though.

[-] Tlaloc_Temporal@lemmy.ca 4 points 5 months ago

I've come across several sites with abhorrently short password limits, as low as 12.

Worse, 2 of them accepted the longer password, but only saves the first n characters, so you can't log in even with the correct password, untill you figure out the exact max length and truncate it manually.

Even worse, one of those sites was a school authentication site, but it accepted the full password online and only truncated the password on the work computer login. That took me an entire period to suss out.

[-] evasive_chimpanzee@lemmy.world 5 points 5 months ago

You just gave me a flashback to a system I encountered as a student where my password got truncated, so I couldn't log in. I had to ask the teacher what to do, expecting her to have access to a reset or something, but she just told me what my password was. It was like 3 and a half words, clearly truncated and stored in plain text.

[-] w3dd1e@lemm.ee 1 points 5 months ago

I personally just use a pw manager. If I used them system myself, the alphabet words would probably be strings of characters that aren’t real words and I’d probably salt them too. But yeah I imagine you could run into size limits, which is a problem.

I just wanted to share a pw strategy that seemed interesting. I used a simple pattern to make the concept easier to understand.

this post was submitted on 24 Jun 2024
441 points (98.0% liked)

Asklemmy

43944 readers
578 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago
MODERATORS