The password managers are: KeepassDX (far left), KeepassXC (PC version of local), Proton Pass (better privacy) and Bitwarden (far right). Please note that Bitwarden does some data collection. See their privacy policy here and their privacy spy rating here.
I wonder why more people don’t use their brain instead? I mean, a simple system, will make it easy to have unique passwords for every site/app, and for you to be able to remember them…
Because your brain is terrible at remembering random data. Your simple system is extremely unlikely to produce passwords of any particular quality.
Also, I have 170 passwords saved. I don’t know how many of those live in the category of “once every six months”, which is too infrequent to remember easily.
And using a simple system means that once somebody figures out the system, all your passwords become compromised potentially.
True. But you don’t figure out the system, and if you did, the system could be changed in a matter of minutes. To figure out the system, you would need more than 3 samples of the passwords, at any given moment, and the likelihood of that happening is just about the same as your password manager being hacked, having a vulnerability or you giving people access to it.
Please talk about your own brain, because you have no evidence that shows, that our brain is terrible at remembering. It’s actually quite good.
That you can't produce a quality password with a system, that's on you. I can, easily.
It's easy to remember a thousand passwords if your system is good.
I can see that your mind is made up, so further debate is fruitless. But it doesn't change the fact that I'm right here. 😉
What’s your system? I love hearing about people’s great systems for generating passwords. How much entropy does your system produce per password?
You’re extremely confident for someone disagreeing with literally every security professional I’ve talked to, and considering I work in the industry, that’s a lot of people.
Yeah, I’m sure you have talked to all the professionals in the industry about this specific topic. You are extremely ignorant, since you already have dismissed what I write, and now you are obviously just looking for a fight. So go fight yourself. If you had common sense, and knew how to talk to people about a topic, we could have had a great discussion here - but no.
Ardens, I agree with trying to create your own password system - at least for your most commonly used things. My concept is a bit like this (don't wanna give it all away): I keep at least 3 different emails and they have their own browser (Brave, Goanna engine (Pale Moon or Basilisk), and Firefox, for example - ones with different engines) and I also use those browsers' profile options for certain categories. Then, just so that I remember what I am using, I try to color-coordinate the browser's theme and email theme. Ex: gold is for money/financial stuff and I use Protonmail with an odd email name used for nothing else and I use a passphrase in a language I speak a tiny bit of.

I assume that most company websites have a minimum of 3 letters and I can either use the first 3 letters or the last 3 letters as part of my passphrase. If for my financial stuff, I can either add or multiply the numbers... if letter E is 5 and E is one of the letters, for financial, I can multiply by whatever number I choose but I stay consistent... so let's say it is 3. Letter E is 5, so 5 x 3 = 15. If another letter in the company name is C and that corresponds to 3, then 3 x 3 = 9. And then there is a 3rd letter L which corresponds to 12, so 12 x 3 = 36. So, somewhere within my passphrase, instead of the ECL that is the company website's name, I use 15936.

I also must use a combo of caps and lowercase letters, at least one symbol, usually over 14 total characters and no more than 18 - because some websites set these rules. I can inject the number sequence anywhere I choose - maybe after the 3rd letter of my passphrase, just so that I recall that number 3 as being for financial stuff. Example: if my passphrase (in a different language) is mykiTTycatisthecutestintheworld, it becomes myk15936iTTycatisthecutestintheworld. Also, for common words such as is or the, swap that word out for symbols - in this example, the word "is" will become %$... so, myk15936iTTycat%$thecutestintheworld
I get tripped up for work passwords, though, because some employers force you to update your PW every 90 days. I usually just add a character and keep the rest the same…but, I can still get a bit forgetful.
Great system you have there. Yeah, places like work that make you switch often (which is also a security risk in some ways) can be a problem. But they might have their own system added. You say every 3 months, and I'd probably put the season on the password then - like winter, spring, summer and fall...
Thanks for sharing some common sense here.
There's a principle in security, https://en.wikipedia.org/wiki/Kerckhoffs's_principle, roughly summarized as "the enemy knows the system". It's the notion that you should be able to fully describe everything about your system except the secret key and still be secure.
That’s always a concerning thing to encounter at the beginning of a description. That implies that there’s an awareness that if you knew how the system worked it would be weaker, which in a security setting is considered a very notable defect.
If we're looking at the actual security of the system you describe through that lens, the name of the company doesn't add to your security. Neither do your word substitution rules. The secret in your system is the passphrase and the number you're using to modify the letters from the company name.
Now, using a passphrase is good, but it kinda felt like you were implying that you use the same passphrase for all services and then modify it. That’s not a good idea, since it reduces your effective security to a single number.
Additionally, a passphrase should be random words, not a known phrase. If the phrase is grammatical it reduces the security pretty fast since it’s weirdly easy to guess word sequences.
Adding a character to the end of a password during rotation is also a bad idea. Anyone breaking a password database will automatically try with a series of characters tacked onto the end specifically to catch that, so a password of yours that got leaked years ago can be used to figure out your current password just by checking it with different endings.
A better system would be to write a truly random password down on a sheet of paper along with 31 others. Now fold up the piece of paper and put it in your wallet.
You are already adept at keeping paper in your wallet secure, and anyone not in physical proximity to you has to fall back to the usual tricks to get at your stuff.
Better yet would be to use a password manager, ideally one you can export to something you carry, encrypted, with you while you go.
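Added worked example, not from any poster in this thread: a toy version of the rule-based cracking the comment above describes. A cracker holding a leaked old password does not guess from scratch; it mangles the leak (append a character, bump the trailing number, tack on a season or year) the way hashcat or John rule files do. The leaked/rotated passwords, the year range and the unsalted SHA-256 standing in for the leaked database hash are all constructed for this demo.

```python
"""Rule-based guessing from one leaked password (added example, constructed data)."""
import hashlib
import itertools
import re
import string

SEASONS = ("winter", "spring", "summer", "fall", "autumn")
CHARS = string.ascii_letters + string.digits + string.punctuation   # 94 printable chars


def h(password: str) -> str:
    """Stand-in for the (assumed unsalted) hash found in a leaked database."""
    return hashlib.sha256(password.encode()).hexdigest()


def mangle(leaked: str, years=range(2022, 2027)):
    """Yield rotation-style guesses derived from one leaked password, cheapest rules first."""
    m = re.search(r"(\d+)$", leaked)                 # 1. bump a trailing number: foo23 -> foo24 ... foo32
    if m:
        stem, digits = leaked[:m.start()], m.group(1)
        for i in range(1, 10):
            yield stem + str(int(digits) + i).zfill(len(digits))
    for season in SEASONS:                            # 2. season and season+year suffixes
        for word in (season, season.capitalize()):
            yield leaked + word
            for y in years:
                yield leaked + word + str(y)
                yield leaked + word + str(y)[-2:]
    for n in (1, 2):                                  # 3. append one, then two, arbitrary characters
        for tail in itertools.product(CHARS, repeat=n):
            yield leaked + "".join(tail)


def crack(target_hash: str, leaked: str):
    """Return (recovered_password, guesses_made), or (None, guesses_made) if no rule hits."""
    guesses = 0
    for guess in mangle(leaked):
        guesses += 1
        if h(guess) == target_hash:
            return guess, guesses
    return None, guesses


if __name__ == "__main__":
    # constructed examples: an old password and three ways it might have been "rotated"
    for old, rotated in (("Summerfun23", "Summerfun24"),
                         ("Hunter2go!", "Hunter2go!Spring24"),
                         ("Hunter2go!", "Hunter2go!1"),
                         ("Hunter2go!", "Y7#mWq2&LpZ9")):   # the last one is a fresh random password
        found, n = crack(h(rotated), old)
        print(f"old={old!r:16} found={found!r:22} after {n} guesses")
```

The three "rotated" passwords fall in 1, 40 and a few hundred guesses respectively; only the fresh random password survives the whole rule set (about nine thousand guesses here, and a real rule file is far larger).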
Uh huh. When was I rude? You started by calling me ignorant, and I just asked you some questions about your system. You seem extremely defensive, since it seems to take only the smallest disagreement for you to dismiss someone as ignorant, lacking common sense, and unable to hold a discussion. Take a breath, and try actually explaining your system so there can actually be a discussion of what is or isn’t wrong with it.
I’m not looking for a fight, but I am extremely skeptical of your scheme because it’s one that people bring up often, and it’s never done in a secure way. Maybe yours is, but there’s no way to know if you don’t actually say what it is.
You are looking for a fight. That's obvious. That's why any sane person wouldn't want to engage with you in a debate. I don't have a scheme, why do you lie? Please explain what "scheme" I have, since you already know it? Which is ironic, since you want me to explain it to you... You want a fight, and you are very easily revealed.
Calm down, jeez. You said you have a system for generating passwords. Scheme is just a word for a system of doing stuff in a security setting.
I’m literally just asking what your system is and you’re acting like it’s the most aggressive thing ever.
Do you expect everyone to agree with you immediately? Disagreement isn’t aggression, it’s the starting point for the debate you keep mentioning.
That wink really makes it cringe, dude, regardless of whether you're right or wrong.
That was very important for you to say, right? Were you upvote-hunting?
Feel free to join for a good debate, if you can stay on topic with your next comment.
I can’t remember over 1000 20+ character strings lol.
I’m sorry to hear that. I can - with ease. lol.
It has a major downside. What if you don't have access to your password manager and need access to a service?
Perhaps a PC you gotta use that you don't trust completely, so logging in with your master password to a cloud-based password manager isn't a good idea; even if you only want the password for a not-so-important service, you'd still be exposing yourself unnecessarily.
What if you want to type in your password on a printer with limited capability? You'd have to manually and painstakingly type in your long generated e-mail/Dropbox/etc. password. And more.
Some are perhaps niche circumstances, but enough to keep me at bay.
Pre-Smartphone Era, you’d have a point.
These days, everyone has a smartphone that is compatible with password managers.
The Standard Operating Procedure is:
Don't log in on an untrusted machine
If you must do it*, then find the password on your phone and type that into the computer.
Then after you’re done, you generate a new password on your phone password manager app and change it using your phone.
If you don’t like to be distracted by smartphones, you can carry one turned off. If you don’t want to carry one for privacy reasons: Use an Offline Password Manager (Keepass) on Graphene OS, another Open Source Operating System, or a phone that has removable battery and with airplane mode on all the time.
If you need a password for work and work doesn’t allow phones, memorize that password on top of your password manager’s vault password. Two passwords to remember are still better than remembering 20.
You generate a shorter password specifically for the printer, just read it from your phone when you need it.
Was that an answer to my comment, or to the post? It seems like it was meant for the post…?
How often does any of that happen to you?
For the second one, that seems unlikely, and you can just type the password you read off your phone.
The printer scenario seems both unlikely, and has nothing to do with password managers.
If you’re memorizing your passwords, you need to factor in the likelihood you forget, and for the actual security of the password. It sounds like you’re memorizing weak passwords, which is the heart of the problem, not a downside to password managers.
It’s not just a matter of memory. While our brains might be able to come up with one or two strong passwords/phrases on their own, there’s too much room for predictability and when that happens, you’d be no better off than if you used the same password for everything.
There really isn’t too much room for predictability. I guess you just don’t know how to make a strong password on your own, and that’s fair. But please don’t try to tell people that it can’t be done, since it’s been done for decades.
And unlike password managers, this system can't be hacked - or corrupted, so people will stand there without their passwords to 100 apps and homepages...
Good luck making passwords that are both memorable AND resistant to even basic brute force attacks. Only way that happens is through completely random generation via a password manager.
That's not true, but you are free to believe that. So go use your password manager, which can be hacked, and then all of your passwords are known.
I don't mind people using their password managers. But I can see that some people really can't handle that I have a better system. Maybe because they feel a bit stupid right now - or something - who knows?
Considering the fact that virtually every expert in cybersecurity and cryptography agrees that you need a password manager, it definitely is true. Your issue is that you think you know better than everybody else… Let’s just hope your arrogance doesn’t cost you your accounts because then you’ll be getting a whole lot of “I told you so” from most folks.
Good to hear that every expert elected you to be their spokesperson. Trying to borrow ethos from other experts is just sad. But do you know why they will often say that? Because they know that a lot of people otherwise would use 1234 or abcd… So that’s the easy advice. The good advice would be to teach people to make a strong and memorable password.
Well, what might your arrogance cost you, since you are sitting here, trying to pass yourself off as spokesperson for **EVERY** expert in cybersecurity?
I’m just speaking common sense here, dude. It’s common sense, and if you do any ounce of research, you’ll see the exact same thing that I’m saying.
Coming up with a solid and strong master password is one thing. But trying to come up with some variations of a master password that you use across all your different sites is inevitably going to result in predictability and predictability is poor security.
Again, common sense info that you’ll find if you do any ounce of research, but it’s obvious that you have neither done your research nor do you want to do your research. You just want to sound like you’re smarter than everybody.
It's not common sense, unless you have already determined that you have made a flaw from the beginning. Predictability is ONLY possible if you know the way the password combinations were made, or if you have enough (at least 5-10) different passwords from the same person and could figure out their system - which is hard, even at that point.
Thanks for advising me to do some research. How about you point me to what you are talking about, or else I could just say that you should go do some research that proves I'm right. See... that's meaningless. I am smarter than you - Mr. I-Try-to-Demean-People-I-Talk-to-Because-I'm-the-Smartest...
I tried that once, nah not for me.
You’re lucky to have such great memory, but most people do not. Life is too stressful to be also juggling the memories of more than 20 different passwords all the time.
Btw, you said in your other comment:
The downvotes aren’t against you, but the comment. Its simply just disagreement with what you said, it isn’t hatred, just so you know.
I have a shitty memory, but I know myself, and how to work with me. That’s not a great memory I have, that’s common sense and knowing how I work.
You don’t really get the point here. You have to remember 1 system - not 20 passwords. Be as stressed as you want to, but even with a password manager, you have to remember the password for that. That’s 1 password you HAVE to remember, or all your passwords are lost.
I'm talking about remembering 1 system to make your passwords from - that will make different passwords for every app and site, that you can remember, because you remember the system behind it. You can read about it here (though it is not the system that I use, it's a great example): https://www.wikihow.com/Create-a-Password-You-Can-Remember
Let me put a system together for you, as an example.
You want a password for this site. It's online, so you choose to put "ol" in your code. To make it unique, you choose to put "leml" for the first and last 2 characters. You like Guns N' Roses, and especially November Rain, which you sing along to, so you put "WiLiYe" into it, for the first letter of each word from the first line of the lyrics: "When I look into your eyes".
Now you have both a unique code, and big and small letters. Now you separate it by using the ¤ sign, to also add a special character, so your code looks like this now: olleml¤WiLiYe¤
Now for some numbers, which some sites like you to put in. Choose your lucky number, or maybe your birthday, and then add your lucky number. Say you were born in 1989 in October (10th month), and your lucky number is 13. Then you can add 13 to both the year and the month: 2002 and 23. Put that on your code... olleml¤WiLiYe¤2002¤23
Now you have a unique code and a system you can remember. Even if you write your system down, it would be hard for others to figure out. It might look like: Type of connection, first and last two, first line high and low, born with luck… 3 times upper four (for the ¤ sign - at least on my keyboard).
Good luck figuring that out without any hints… :-)
Next time you come to another homepage, let's say Facebook, your code will look like: olfaom¤WiLiYe¤2002¤23 The first part is unique, and it can't just be hacked, even though there are some similarities...
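Added worked example, not from any poster in this thread: the system in the comment above written out as code, so it can be looked at through the Kerckhoffs lens raised earlier in the thread and so the entropy question from earlier ("how much entropy does your system produce per password?") can be answered by counting. The site token is assumed to be the first two plus the last two characters of the domain (so "lemmy.ml" gives "leml" and "facebook.com" gives "faom", matching the comment's two outputs); the alternating case in "WiLiYe", the function names, and the year/month/lucky-number ranges used for the entropy count are assumptions as well.

```python
"""The comment's password system as code (added example; rules and ranges are assumptions)."""
import math
from itertools import product

SEP = "¤"   # the separator the comment uses ("3 times upper four")


def site_token(domain: str) -> str:
    """Public, site-derived part: first two + last two characters of the domain
    (assumed rule: 'lemmy.ml' -> 'leml', 'facebook.com' -> 'faom')."""
    return domain[:2] + domain[-2:]


def lyric_token(line: str) -> str:
    """First letter of each word, alternating upper/lower case
    (assumed rule: 'When I look into your eyes' -> 'WiLiYe')."""
    initials = [word[0] for word in line.split()]
    return "".join(c.upper() if i % 2 == 0 else c.lower() for i, c in enumerate(initials))


def derive_password(domain: str, connection: str = "ol",
                    lyric_line: str = "When I look into your eyes",
                    birth_year: int = 1989, birth_month: int = 10, lucky: int = 13) -> str:
    """The system as described: connection type + site token, lyric initials,
    birth year + lucky number, birth month + lucky number, joined by SEP."""
    return SEP.join([
        connection + site_token(domain),
        lyric_token(lyric_line),
        str(birth_year + lucky),
        str(birth_month + lucky),
    ])


def predict_from_leak(leaked: str, leaked_domain: str, target_domain: str) -> str:
    """Kerckhoffs's view: the rules are public, so given one leaked password the only
    site-dependent piece (the site token) is swapped and everything else is copied
    verbatim. The lyric, birth date and lucky number never have to be learned."""
    head, *constant_parts = leaked.split(SEP)
    old_token = site_token(leaked_domain)
    if not head.endswith(old_token):
        raise ValueError("leaked password does not follow the assumed site-token rule")
    prefix = head[:-len(old_token)]
    return SEP.join([prefix + site_token(target_domain), *constant_parts])


def system_bits(lyric_lines: int, years=range(1930, 2011),
                months=range(1, 13), lucky=range(1, 100)) -> float:
    """Entropy of the secret inputs against an attacker who knows the rules but has
    no leak. Only the sums year+lucky and month+lucky appear in the password, so the
    distinct sum pairs are what has to be guessed, not the raw (year, month, lucky)
    triples. The ranges and lyric_lines (how many candidate first lines the attacker
    must try) are assumptions."""
    sum_pairs = {(y + l, m + l) for y, m, l in product(years, months, lucky)}
    return math.log2(lyric_lines) + math.log2(len(sum_pairs))


def random_password_bits(length: int = 20, alphabet_size: int = 94) -> float:
    """Entropy of a uniformly random password over printable ASCII, for comparison."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    leak = derive_password("lemmy.ml")
    guess = predict_from_leak(leak, "lemmy.ml", "facebook.com")
    print("observed:                 ", leak)
    print("predicted for facebook.com:", guess)
    print("matches the system's output:", guess == derive_password("facebook.com"))
    print(f"secret inputs, assuming 2^17 candidate lyric lines: {system_bits(2**17):.1f} bits")
    print(f"random 20-character password:                      {random_password_bits():.1f} bits")
```

`predict_from_leak` never touches the lyric, birth date or lucky number: with the rules public, those are constants copied out of the leak, and the one thing that changes per site is itself derived from the public domain name. `system_bits` measures the other case, an attacker with no leak who must guess the inputs; under the assumed ranges that comes to roughly 30 bits, against about 131 bits for a random 20-character password.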
You should read this thread, had a lot of perspectives on this.
https://sh.itjust.works/post/39160164