I know that you shouldn’t use the same password on every site. But, when you log into several dozen sites, keeping track of all the passwords can be pretty hard.
What system do you recommend that won’t compromise all my accounts when one site gets hacked (assume the worst case — site storing passwords in clear text)?
I am looking for a system that helps me remember the passwords, not a way to store them.
To remember passwords, type them often. You can remember dozens of passwords if you type them daily -- that's muscle memory, the same kind which is used by martial arts practitioners, so remembering many passwords is like being a Kung fu master (albeit in a slightly less awesome way).
Bruce Schneier, well-known Chuck Norris imitator, recommends writing down your passwords and keeping them in your wallet. This makes sense because you are both trained and highly motivated at maintaining a high level of physical security on your wallet. I would double that with a copy of the same password sheet somewhere in your safe, so that you could recover from a wallet theft (i.e. logging again in all the sites and change your password). Also, a piece of paper has no battery which needs recharging.
(Caution: your smartphone is not a good wallet. Physical security on your phone is much lower than the one you apply on your wallet. Unless you are in the habit of flourishing your wallet at arm's length while walking in the street.)
A way of resolving this issue I've been using with much joy lately is the PWDHash system by the Stanford Security lab.
Basically what is does is compute a cryptographic hash of your 'master password' together with the domain of the page you're signing up at, clips it and then fills the result in as the password. This way, every site you sign up for has a non-reversable password that does not compromise any other login, even if someone happened to stumble upon it in plaintext.
There are PWDHash addons for the major browsers, and you can use the web interface if you're on the move.
Other than the fact that it's a marvelous and easily understandable application of theory, a major upside is that you don't have to trust any third party with your passwords. Everything is done locally and open source - it works fine without an internet connection or incomprehensibly encrypted binaries.
You can use a password vault. For instance you have a txt or an excel with all your passwords and you keep it in an encrypted container (truecrypt for instance) and just decrypt it when you need it.
However this is hard to actually use if you want it readily available at any time. If you trust other companies with your data, you could opt for sites like http://www.passpack.com to store your passwords. I'm not really a fan of this myself because you are never 100% how things are stored on the backend.
This can be done, but requires work, hence the popularity of password database software!
You'll want to study mnemonics, the art/science of systems of remembering things. Mnemonic performers do things like memorize the order of a shuffled deck of cards; those methods on a smaller scale should be enough to recall a few passwords.
Derren Brown's "Tricks of the Mind" has a good beginners tutorial, but here's an example of one simple technique, image linking, which should work well for pass phrases.
Suppose your email password is "correct horse battery staple". Imagine, in turn these silly images:
These are deliberately stupid images, the vivider the picture you can make in your mind, the better. Picture this sequence repeatedly, and you'll find that the sequence sticks in your memory; when you start your email program, you'll think of a mail envelope, which leads you to correct, to the horse, then to staple.
Bonus tips:
Choose words that are easy to visualise; you saw I had a little trouble with "correct" above!
If you don't like typing something that long, use a passphrase initialism, e.g. turn "abicjinh" into "apple bicycle idol chicken joker icicle notebook house" and make image links for those words.
You may have password complexity rules for some apps, where you have to use upper/lower case or numbers. These need a little more work.
Remember which letters are capitalised by picking some landmark from a capital city and setting the image there. e.g. for "aB" you visualise an apple riding a bicycle past the Eiffel tower.
Numbers are harder, the usual way is a "peg" system where you assign a reserved word to each number, memorise those, and then use the associated word in the image. e.g. memorise 1-gun, 2-zoo, 3-tree, then remember "a2" as a wild apple being exhibited in cage in the zoo.
If it's something you really can't afford to lose, the safe mentioned above may be the best way. But if you want to truly remember them, you should try to make a sentence out of it.
When I have to create a new password, this is what I do:
Let's take an example: "Mary had a little lamb whose fleece was white as snow" → mhallwfwwas → m-411w=ww45 (the - is the horizontal bar of the H; same with = for F, * for P (from |*), …)
I choose a few letters from the site name. Perhaps those letters are the acronym of the company name. I combine (prefix, append, embed) that with a sequence of characters (to make a strong password) that are the same for all of my passwords. For example:
google = goog15#*xfg27%
yahoo = yaho15#*xfg27%
Wall Street Journal = wall15#*xfg27%
Use humor, rhyming, repetition, offensiveness, silliness, common patterns, embarrassing facts, and other similar techniques to remember your passwords.
Examples:
I use a small USB device of my own making that allows me to carry around a strong password "boost" on my key chain. Every password I enter anywhere is at least 15 random characters.
For web sites I just tack on the first three characters of the web site domain at the end before I boost the seed to 15+ characters. Now, IF all web sites hash passwords then this approach is safe. The final password with the extra three characters on the end of the 15 character random password is still at least as strong as the 15 character password. The HASH, however, is completely different for each site (as long as the first 3 characters are different). So, since each of the site hashes are individually unbreakable by brute force attack, and each site has a completely different hash, the sites are isolated from cross site attack.
However, since not all sites today hash passwords, I also use PwdHash on the client to ensure that there is no way that a stolen clear text (or encrypted) password on a weak site will compromise all the other sites.
One way I try to to understand this is to envision a huge haystack and the need to hide a needle. If the needle is essentially impossible to find, then moving the needle a few inches away still makes it impossible to find.
So, if you can ensure that you enter a very strong 15+ character password with just a few characters different for each site, and ensure that the password is hashed by the site or locally on the client, you have as good a solution as carrying around a big password database. IMHO.
Password reuse is probably the best strategy for making you able to remember all your passwords without storage. Storing random and strong passwords still is probably a better thing to do, though -- just make sure you can access this storage if your primary device goes missing or stolen.
If you want to go down the path of password reuse, you can do it wisely to greatly minimise risks. What matters is that you identify the accounts that must not be compromised and give those a unique password. There are usually few of them: payment accounts, email accounts (password reset emails), and social-reputation-critical accounts (LinkedIn, maybe Facebook).
For the rest, reusing passwords across all websites of a similar theme greatly reduces your amount of credentials, especially if you need to register to a new site that you're not sure you'll ever reuse (e.g. ordering a plane ticket from a new airline). So long as connecting to a website does not allow monetary losses or identity abuses, that website is eligible for reuse.
See the questions and answers here:
Steve Gibson has a number of tools that may be effective - see password haystacks that has the effect of making the password far more memorable but more difficult to break. Alternatively Perfect Paper Passwords can make things easier to remember. There are also multiple variations of the technique recommended by @les
Put a business card in your wallet with a matrix of shapes, digits and punctuations marks on it. Then just memorize small shapes and use the corresponding icons as your password.
If you prefer to memorize them use the palate method, remember 10 sets of numbers and words, use 3 to make a password and you're instantly got 1000 unique passwords.
