
What's the least painful way to manage passwords for user accounts that you have on various sites?

I see only 3 options:

  • Password manager. Passwords can be different and strong, but the downside is that you still need a master password, which should be weak so you can remember it, like JohnDoe45. If someone gains access to it, all your passwords are compromised. Also, if the password data file gets lost, you're screwed.

  • A single password for every site that you can easily remember. The downside is that if someone finds it, all your accounts from other sites are compromised.

  • Different passwords using a personal algorithm. Like first two characters of the site + first two characters of your name + last character of the site + whatever.

The last option seems the best choice for me. What do you think? Are there better methods which I'm missing?

Anna

[This](http://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase/6121#6121) + option number 1 = win – StupidOne Jan 16 '13 at 19:14

6 Answers

For managing passwords, see this answer: the trick is not to remember them, but to store the passwords in some "reasonably secure" storage area.

If you really want to remember passwords, with your brain, then my advice would be to force yourself to type them often, at least daily. Fingers are better than brain cells at this kind of job (it is called muscle memory). Of course, this is not practical for Web passwords "at large". What you can do is split your passwords in two categories:

  • the passwords which you use very often, and store in your brain;
  • the passwords which you use rarely, and store in a file.

(Various storage systems exist, but a plain file can be secure enough, if you do it properly; again, see the previous response I link to.)

Thomas Pornin

If you want to remember your passwords, you either have to work your muscle memory, or you will have to choose some easy-to-remember passwords. However, easy to remember is also easy to guess. And the "mental strain" of remembering 3-4-5 passwords of a reasonable length with characters from all the different classes (upper; lower; numbers; symbols; even UTF-8 combinations (oh yeah, try having ALT+4099 in your password)) is not worth the effort for the average user.

So, what we usually do is reuse or write down our passwords. Reuse of passwords (your #2) will, as you say, possibly compromise all accounts associated with it. People actually seem to understand this and usually reuse passwords only over accounts that protect low value data.

Writing down passwords, however: I claim that writing down passwords is not a problem if done securely. The difference here is between writing your bank password on the back of the OTP generator or on a post-it note on your monitor, and hiding the passwords in your wallet. Of course, you can't use GæµRA­♣$6(◘F0z03*╬ as your Facebook password and keep it in a safe. That's bad usability.

I don't like the algorithm either. It's some percentage "security by obscurity" in there, so however unlikely, if someone finds your pattern you're screwed. Say you're a high value target (I know, you might not be, but you might have some of that glorious money) and use the pattern on somedisposablemessageboard.com and somepaywallnewspaper.co.uk, two pages that might just have had a password leak. If your attacker is somewhat "cognitively capable", he might just find your pattern and try BaAnk$taticPa$$word (made up of "Bank", "Anna" and "$taticPa$$word"), which is your banking password.

Password managers are a storage facility that you trust to keep your passwords for you. As an example, LastPass works with a plugin for easy authentication. This way, you enter the master password (which should be hard to guess, but it'll be your only password, you can stand that) once per browser session (IIRC) and keep downloading passwords from LastPass to your service. There's another problem here, for the particularly paranoid. You enter your master password on your keyboard into your browser, meaning that it is stored in memory and may (theoretically at least) be read by a trojan. Also, keyloggers may ignite upon your arrival at LastPass.com, collecting your password. Both get the key to the castle.

(Technical fun fact: LastPass passwords are encrypted with a key generated from your master password using 500 iterations of PBKDF2, a key derivation function. 500 iterations are half the absolute minimum for such use specified in the PBKDF documentation, and may not stand brute force if the stored encrypted passwords are leaked.)

So, what the hell should you do if you can't even enter your password on the keyboard? Stop worrying, write down your passwords and put them in your wallet. Do not write Facebook: ¤#V&W#V&, Bank: AybyB%¤YB¤, Porn: &%HB&4syby, etc. You can remember which is which.

If you're a spy for the CIA, I suggest an external device with a screen to keep your passwords. It should not be another mobile phone, but a dumbed-down device. It should, however, not show anyone the passwords and never transfer them in clear. It would work something like this:

Facebook: Gimme your password, Anna's PC.

Anna's PC: Hang on, I've got that cool external device!

Facebook: Yo, Anna. Authenticate by making your device calculate this challenge using our shared secret (the password) and a hash function (or KDF)!

Anna's auth device: HASH = KDF(Salt, (secret + challenge), Iterations (10000000))

Anna's PC: Hey FB. Response to challenge is boogaboogawhatever89646y7547645

Facebook: Wow, I got HASH = boogaboogawhatever89646y7547645 too! Why, you must be Anna!

(Facebook gate opens)

If you're really crazy, buy a USB bar code reader and make your bank password a couple of bar code numbers. I guess you might need several codes per password, however, as these devices (IIRC) only read numbers. 7025943875928759843758924759834759843725098347527465243785942365674382568347567345454735276567543356728578535 is an all right password, huh? Scan the bar codes for your bank and you're in.

Henning Klevjer
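The challenge/response exchange sketched in the answer above, written out as an added example (not code from the answer or from any real service). HMAC-SHA256 stands in for the answer's KDF(Salt, secret + challenge, Iterations); the salt and iteration count are left out, and the shared secret and class names are constructed for the illustration.

```python
# Added example: "Facebook" issues a fresh challenge, the dumb auth device answers
# it with the shared secret, and "Anna's PC" only relays the two values.
import hashlib
import hmac
import secrets


class AuthDevice:
    """Dumbed-down external device: holds the secret, only ever emits a response."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret   # never leaves the device

    def respond(self, challenge: bytes) -> str:
        return hmac.new(self._secret, challenge, hashlib.sha256).hexdigest()


class Service:
    """The site: knows the same secret, issues challenges, verifies responses."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._outstanding = set()      # challenges issued but not yet answered

    def challenge(self) -> bytes:
        c = secrets.token_bytes(32)    # fresh random value: a captured response is useless later
        self._outstanding.add(c)
        return c

    def verify(self, challenge: bytes, response: str) -> bool:
        if challenge not in self._outstanding:
            return False               # unknown, expired or already-used challenge
        self._outstanding.discard(challenge)
        expected = hmac.new(self._secret, challenge, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


def login(service: Service, device: AuthDevice) -> bool:
    """Anna's PC: sees the challenge and the response, never the secret."""
    c = service.challenge()
    return service.verify(c, device.respond(c))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # constructed sample value
    print("login ok:", login(Service(secret), AuthDevice(secret)))
```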

Comrades, ah the world of passwords! So fascinating, depending on which side you're looking at them from! Personally, I think using a sophisticated personal algorithm along with some personal algorithmic salting seems to be the most secure.

The trouble with simple algorithmic passwords is that if a website's admins could see your password in clear-text, they could figure out your personal algorithm, and use it at other websites.

In my experience, I have found that the one of the biggest threats to passwords is the ability to reset them, either from the outside (from the web), or from the inside (i.e. from within corporate environments.)

So a sophisticated personal algorithm + a personal algorithmic salt is what I would use.

My password of course is MyPwd*StackEx7 (, or like you say in America, NOT!... ;-))

Nik

I normally go with this:

If you have little programming experience (or willing to learn), create a small script (php/perl/java/bash/whatever) to generate passwords based on a string. For example:

$ ./genpass facebook.com

Inside the "genpass" script (better to name it anything else), you can use as many ciphers/hash algorithms as you want. You can even ask for a password (kind of master) and use it as salt. Then, you cut the resulting string, about 14 to 20 chars, which you can use for your password.

The advantages are that no passwords are stored and that only you know how to generate those. You can add more and more sites to that list without having to do anything. As it is your own personal (customized) method, only you need to take care of not showing it in front of anyone else.

Based on that idea, I created a script (in JS) which uses the entropy of any file (JPG, DOC, MP3, etc.) and generates a password which you can use. As it is Javascript, you can use it offline and you just need to remember which file is for which site (you can create a directory and store some site logos there, for example). It's called "file2pass" (you can see some demos).

I have been using those methods for 2 years, and I don't know my passwords (except for those which I use everyday). I generate them on the fly.

lepe

The last option seems the best choice for me (Different passwords using a personal algorithm). What do you think? Are there better methods which I'm missing?

I think a password manager is the best.

However, as you want advice on using a personal algorithm, I'll do what I can to help!

You should consider preventing web site owners from seeing whatever pattern you use. This is a similar problem to web site owners wanting to prevent hackers who steal their password list from seeing all the passwords, so we can apply similar mitigations.

NOTE: You also need a way to change passwords after breaches. In my example below, I took the simplistic approach of having year and month in the salt, assuming that you change your passwords monthly.

The best way to do this would be to use PBKDF2, Bcrypt, or Scrypt yourself to generate your password. For instance, you could use Mitsuhiko's Python PBKDF2 implementation with warner's patch (changes the line "rv = starmap(xor, izip(rv, u))" to "rv = list(starmap(xor, izip(rv, u)))"), or an openssl call, etc. to use both a password and a salt, and have a large number of iterations. Ideally use SHA-512 instead of the default SHA-1, and less ideally just use Base64 output.

The command might look like:

pbkdf2 MyPw*forsites salt201402YnU7StackExchange 131072 20

As a bare minimum*, you could use an HMAC, for instance something like the first 20 characters of:

echo "MyPw*forsites" | openssl dgst -sha512 -binary -hmac salt201402YnU7StackExchange | openssl enc -base64

* This minimum is considered insufficient for storing other people's passwords; consider carefully if you're okay using it for yourself.

Anti-weakpasswords
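An added example (not code from this answer, from lepe's genpass answer above, or from any library) that implements both of the commands in this answer: the PBKDF2 derivation with 131072 iterations and 20 output characters, and the "bare minimum" openssl HMAC pipeline. It also covers lepe's genpass idea of deriving a site password from a master password and the site name. The salt layout (prefix, month, private tag, site) is an assumption modelled on the answer's salt201402YnU7StackExchange.

```python
# Added example: derive a per-site password from a master password and a salt that
# encodes the rotation month and the site, as the pbkdf2/openssl commands above do.
import base64
import hashlib
import hmac

ITERATIONS = 131072   # iteration count from the answer's pbkdf2 command
OUT_LEN = 20          # characters of the derived password to keep


def build_salt(yyyymm: str, private_tag: str, site: str) -> str:
    """Salt = fixed prefix + month (for rotation) + a private tag + site name."""
    return f"salt{yyyymm}{private_tag}{site}"


def site_password_pbkdf2(master: str, salt: str, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA512 (not the default SHA-1), Base64, truncated to OUT_LEN chars."""
    raw = hashlib.pbkdf2_hmac("sha512", master.encode(), salt.encode(), iterations)
    return base64.b64encode(raw).decode()[:OUT_LEN]


def site_password_hmac(master: str, salt: str) -> str:
    """The answer's bare minimum: first OUT_LEN chars of
       echo "$master" | openssl dgst -sha512 -binary -hmac "$salt" | openssl enc -base64
    echo appends a newline to the master password; it is kept so the result
    matches the shell pipeline. The salt is the HMAC key, the master is the message."""
    raw = hmac.new(salt.encode(), master.encode() + b"\n", hashlib.sha512).digest()
    return base64.b64encode(raw).decode()[:OUT_LEN]


if __name__ == "__main__":
    salt = build_salt("201402", "YnU7", "StackExchange")
    print("pbkdf2:", site_password_pbkdf2("MyPw*forsites", salt))
    print("hmac:  ", site_password_hmac("MyPw*forsites", salt))
```

Rotating the month in the salt changes every site password at once, so a breached site's password cannot be reused the following month.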

I think it is possible to remember a single strong password for a password safe such as LastPass or Password Safe.

Let’s start with some random words that are weird but I can remember them:

My wag halter was about to be hanged, so he said, to be or not to be that is the question I like big butts and I cannot lie

So use the first letter of each word, just keep wag halter as a word:

Mwaghalterwatbhshstbontbtitqilbbaicl

Now capitalize “wag halter” strangely

mwAGhALTERwatbhshstbontbtitqilbbaicl

Now instead of saying you like big guts, let’s say you like big placentas:

mwAGhALTERwatbhshstbontbtitqilbplacenTASaicl

Generate a random password using a tool:

/%kJ:#Goh[5l

Insert four (or however many you can remember) of these characters in certain locations you remember, or in a random place:

mwAGJhA:LT#ERGwatbhshstbontbtitqilbplacenTASaicl

This is just an idea, but I think most people can memorize something like this.

If you wish, you can also write down an extra 20 characters to add to your password and put it in your wallet. That way if someone finds your wallet they probably still can’t break the password above.

A relevant article on the subject: https://www.schneier.com/blog/archives/2013/06/a_really_good_a.html

I sometimes use a less powerful passphrase for things like email or Netflix where I want a reasonably strong password, but something I can remember most of the time if I don’t have my password safe. For other sites I just generate a strong password just because I can. Also, if you think the above steps are too hard, you can use a password like this which is at least stronger than “JohnDoe45”:

AgitPROP5%arrogantCANcer

user40513