
Possible Duplicate:
What is your way to create good passwords that can actually be remembered?

I am using a self-developed "template" for my own passwords (like Facebook, Gmail etc.)

I use a small set of prefixes and suffixes and build a password like this: prefix + something meaningful, related to the site + suffix + possible numbers

So, in case of Gmail my password could look like: foospambar112, foo and bar being the pre/suffix from my small set. This gives me longish passwords while keeping them easy to remember/figure out again and keeps me from re-using a password.

I'm really prone to forgetting passwords or mixing them, because there are so many of them and I hate recovering passwords, especially if sites prevent you from using a password used in the past.

Am I right believing that this is an ok-ish approach to managing your passwords?

Evgeni
    Evgeni see this question http://security.stackexchange.com/questions/662/what-is-your-way-to-create-good-passwords-that-can-actually-be-remembered/ – Mark Davidson Dec 18 '12 at 15:56

1 Answer


Forget password schemes like this. All it takes is one breach on one website you use and someone could figure out your scheme, then break into all/most of your accounts.

Use a password manager instead, and store the password vault on a cloud hosting service like dropbox - that way you only have to remember a few strong passwords (one for your OS, one for your password vault, one for your dropbox, and optionally one for your email in case you need to recover your dropbox account). This gives you the ability to have strong unique passwords for all accounts, and only have to remember a small number.

I recommend keepass, since it's cross-platform / cross-device and free, but there are many others out there.

Polynomial
  • Well, I'm actually trying to avoid relying on one password manager. – Evgeni Dec 18 '12 at 16:02
  • "..All it takes is one breach on one website..."...to figure out a scheme, don't you need several "samples"? So it'd take several breaches on several websites...and I'm using several schemes.. – Evgeni Dec 18 '12 at 16:05
  • While I do like the password manager idea, the suffix/prefix approach can work very well IF all passwords are changed regularly. Leaving all those passwords out there unmodified for a long time leaves you exposed to having your scheme deciphered. – schroeder Dec 18 '12 at 16:06
  • @schroeder "...having your scheme deciphered". How would one go about that? Are there any other means besides breaking in or key-logging? – Evgeni Dec 18 '12 at 16:12
  • @Evgeni Often it's not difficult to determine word boundaries and guess the scheme. Granted a lot of attackers won't bother trying (unless it's trivial) but it's better to avoid such schemes entirely. – Polynomial Dec 18 '12 at 16:13
  • @evgeni if you use the same prefix/suffix for everything, like your Playstation account, and your Playstation account details are leaked and cracked, then it will be trivial to determine that "foosonybar112" is a scheme. – schroeder Dec 18 '12 at 16:33
  • Not only does a manager remove the burden of remembering "secure" passwords, it removes the need to remember where you have accounts. When databases are being compromised fairly regularly (another discussion in itself) it's good to know quickly and easily whether or not an old login was compromised. – Jonathan Garber Dec 18 '12 at 17:15
  • Additionally, good ones with browser plugins can entirely negate phishing attacks. If you're at a site pretending to be PayPal, and you press the hotkey to fill in your credentials, the plugin won't recognize the site and so won't fill them in. – Stephen Touset Dec 18 '12 at 18:12
  • @JonathanGarber - Every single password manager also suppose presenting a list of all sites and their passwords after having the data decrypted. – Ramhound Dec 18 '12 at 18:30
  • @Ramhound - Correct, but this is the nature of our online world. You're going to pay (in effort, at least) to be online in one form of effort or another. Whether it's in remembering where your logins are, or in keeping your password database secure, you have to pay. I choose to pay this cost in a way that lets me keep maximum control over my passwords and recovery from other peoples' compromises. – Jonathan Garber Dec 18 '12 at 20:20
  • Create yourself a client sheet, write all your passwords and change them every 3 months. Track password change and keep a hard copy, secured with a level 3 smith lock. – happy Dec 29 '12 at 03:38
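To put numbers on the point the answer and Polynomial's comment make (a template with a small prefix/suffix set has very little to guess once the template is known, whereas a manager hands out uniformly random passwords per site), here is an added example that is not part of the original question, answer or any comment. The prefix set, suffix set and site words are constructed stand-ins for the question's "small set"; `template_search_space`, `random_password` and the other names are this example's own, not any password manager's API.

```python
import math
import secrets
import string

# Constructed stand-ins for the question's "small set" of prefixes/suffixes
# and the site-related word in the middle (e.g. "spam" for Gmail).
PREFIXES = ["foo", "qux", "zap"]
SUFFIXES = ["bar", "baz", "zot"]
SITE_WORDS = {"gmail": "spam", "facebook": "face", "playstation": "sony"}
DIGIT_CHOICES = 1000  # "possible numbers": assume up to three trailing digits

# Alphabet a typical manager draws from: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def template_password(site: str, prefix: str, suffix: str, digits: str) -> str:
    """Build a password the way the question describes (illustration only)."""
    return f"{prefix}{SITE_WORDS[site]}{suffix}{digits}"


def template_search_space(n_prefixes: int, n_suffixes: int,
                          n_site_words: int, n_digit_strings: int) -> int:
    """Worst-case number of guesses for an attacker who already knows the template."""
    return n_prefixes * n_suffixes * n_site_words * n_digit_strings


def bits(search_space: float) -> float:
    """Express a search space as bits of entropy (log2)."""
    return math.log2(search_space)


def random_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """What a password manager does: a fresh uniformly random string per site.

    secrets.choice uses the OS CSPRNG, unlike random.choice.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_search_space(length: int, alphabet_size: int) -> int:
    """Guesses needed for a uniformly random password of the given length."""
    return alphabet_size ** length


def compare(site: str) -> dict:
    """Return entropy (bits) for three situations on the same site:

    - 'template_unknown_affixes': attacker knows the template shape and the site
      word but not which prefix/suffix you picked (the "one breach" case);
    - 'template_known_affixes': one leaked password has already revealed your
      prefix and suffix, so only the digits remain to guess;
    - 'random_16': a 16-character manager-generated password.
    """
    return {
        "template_unknown_affixes": bits(template_search_space(
            len(PREFIXES), len(SUFFIXES), 1, DIGIT_CHOICES)),
        "template_known_affixes": bits(template_search_space(1, 1, 1, DIGIT_CHOICES)),
        "random_16": bits(random_search_space(16, len(ALPHABET))),
    }


if __name__ == "__main__":
    print(template_password("gmail", "foo", "bar", "112"))   # foospambar112
    for name, value in compare("gmail").items():
        print(f"{name:>26}: {value:6.1f} bits")
    print("manager-style password:", random_password())
```

Running it shows roughly 13 bits for the template when the prefix/suffix choice is still unknown, about 10 bits once a single leak has revealed them, and about 105 bits for a 16-character random password; the difference is the whole argument for letting a manager generate and store one unique secret per site.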