The password managers are: KeepassDX (far left), KeepassXC (PC version of local), Proton Pass (better privacy) and Bitwarden (far right). Please note that Bitwarden does some data collection. See their privacy policy here and their privacy spy rating here.
Yeah, I’m sure you have talked to all the professionals in the industry about this specific topic. You are extremely ignorant, since you already have dismissed what I write, and now you are obviously just looking for a fight. So go fight yourself. If you had common sense, and knew how to talk to people about a topic, we could have had a great discussion here - but no.
Ardens, I agree with trying to create your own password system - at least for your most commonly used things. My concept is a bit like this (don’t wanna give it all away): I keep at least 3 different emails and they have their own browser (Brave, Goanna engine (Palemoon or Basilisk), and Firefox, for example - ones with different engines) and I also use those browsers’ profile options for certain categories. Then, just so that I remember what I am using, I try to color-coordinate the browser’s theme and email theme. Ex: gold is for money/financial stuff and I use Protonmail with an odd email name used for nothing else and I use a passphrase in a language I speak a tiny bit of. I assume that most company websites have a minimum of 3 letters and I can either use the first 3 letters or the last 3 letters as part of my passphrase. If for my financial stuff, I can either add or multiply the numbers…if letter E is 5 and E is one of the letters, for financial, I can multiply by whatever number I choose but I stay consistent…so let’s say it is 3. Letter E is 5, so 5 x 3 = 15. If another letter in the company name is C and that corresponds to 3, then 3 x 3 = 9. And then there is a 3rd letter L which corresponds to 12, so 12 x 3 = 36. So, somewhere within my passphrase, instead of the ECL that is the company website’s name, I use 15936. I also must use a combo of caps and lowercase letters, at least one symbol, usually over 14 total characters and no more than 18 - because some websites set these rules. I can inject the number sequence anywhere I choose - maybe after the 3rd letter of my passphrase just so that I recall that number 3 as being for financial stuff. Example: if my passphrase (in a different language) is mykiTTycatisthecutestintheworld, it becomes myk15936iTTycatisthecutestintheworld. Also, for common words such as is or the, swap that word out for symbols - in this example, the word “is” will become %$…so, myk15936iTTycat%$thecutestintheworld
I get tripped up for work passwords, though, because some employers force you to update your PW every 90 days. I usually just add a character and keep the rest the same…but, I can still get a bit forgetful.
There’s a principle in security, https://en.wikipedia.org/wiki/Kerckhoffs’s_principle, roughly summarized as “the enemy knows the system”. It’s the notion that you should be able to fully describe everything about your system except the secret key and still be secure.
That’s always a concerning thing to encounter at the beginning of a description. That implies that there’s an awareness that if you knew how the system worked it would be weaker, which in a security setting is considered a very notable defect.
If we’re looking at the actual security of the system you describe through that lens, the name of the company doesn’t add to your security. Neither do your word substitution rules. The secret in your system is the passphrase and the number you’re using to modify the letters from the company name.
Now, using a passphrase is good, but it kinda felt like you were implying that you use the same passphrase for all services and then modify it. That’s not a good idea, since it reduces your effective security to a single number.
Additionally, a passphrase should be random words, not a known phrase. If the phrase is grammatical it reduces the security pretty fast since it’s weirdly easy to guess word sequences.
Adding a character to the end of a password during rotation is also a bad idea. Anyone breaking a password database will automatically try with a series of characters tacked onto the end specifically to catch that, so a password of yours that got leaked years ago can be used to figure out your current password just by checking it with different endings.
A better system would be to write a truly random password down on a sheet of paper along with 31 others. Now fold up the piece of paper and put it in your wallet.
You are already adept at keeping paper in your wallet secure, and anyone not in physical proximity to you has to fall back to the usual tricks to get at your stuff.
Better yet would be to use a password manager, ideally one you can export to something you carry, encrypted, with you while you go.
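An added example, not part of any comment in this thread, that puts numbers to three points in the reply above (random words rather than a known phrase, appending one character on rotation, and the sheet of 32 random passwords). It assumes the 7776-word size of the EFF long diceware list and the 95 printable ASCII characters, and uses a constructed toy wordlist so it runs offline.

```python
import math
import secrets
import string

# Constructed, deliberately tiny wordlist so the example runs offline.
# A real generator should draw from a large list such as the EFF long
# wordlist (7776 entries); the entropy figures below assume that size.
SAMPLE_WORDS = ["anchor", "basalt", "cobalt", "drizzle", "ember", "falcon",
                "gravel", "harbor", "ignite", "juniper", "kestrel", "lattice"]
EFF_LONG_LIST_SIZE = 7776      # assumed size of the EFF long diceware list
PRINTABLE_ASCII = 95           # letters, digits, punctuation and space
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_passphrase(words, n_words):
    """Pick n_words independently with a CSPRNG; no grammar, no phrase."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def passphrase_bits(wordlist_size, n_words):
    """Entropy of n_words chosen uniformly from a list of wordlist_size."""
    return n_words * math.log2(wordlist_size)


def suffix_rotation_bits(charset_size, appended_chars=1):
    """Bits an attacker still has to search for the rotated password when
    the previous one has leaked and rotation only appended characters."""
    return appended_chars * math.log2(charset_size)


def random_password(length, alphabet=PASSWORD_ALPHABET):
    """One password drawn uniformly from alphabet using secrets, not random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_sheet(count=32, length=16):
    """The 'sheet of paper' from the comment: independent random passwords."""
    return [random_password(length) for _ in range(count)]


if __name__ == "__main__":
    print(random_passphrase(SAMPLE_WORDS, 6))
    print(f"6 EFF words: {passphrase_bits(EFF_LONG_LIST_SIZE, 6):.1f} bits")
    print(f"one char appended to a leaked password: "
          f"{suffix_rotation_bits(PRINTABLE_ASCII):.1f} bits")
    for pw in password_sheet(4, 16):
        print(pw)
```

Six random EFF words give about 77.5 bits, while a single appended character on a password the attacker already knows adds only about 6.6 bits.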
Great system you have there. Yeah, places like work, that make you switch often (which is also a security risk in some ways), can be a problem. But they might have their own system added. You say every 3 months, and I’d probably put the season on the password then - like winter, spring, summer and fall…
Thanks for sharing some common sense here.
Uh huh. When was I rude? You started by calling me ignorant, and I just asked you some questions about your system. You seem extremely defensive, since it seems to take only the smallest disagreement for you to dismiss someone as ignorant, lacking common sense, and unable to hold a discussion. Take a breath, and try actually explaining your system so there can actually be a discussion of what is or isn’t wrong with it.
I’m not looking for a fight, but I am extremely skeptical of your scheme because it’s one that people bring up often, and it’s never done in a secure way. Maybe yours is, but there’s no way to know if you don’t actually say what it is.
You are looking for a fight. That’s obvious. That’s why any sane person wouldn’t want to engage with you in a debate. I don’t have a scheme, why do you lie? Please explain what “scheme” I have, since you already know it? Which is ironic, since you want me to explain it to you… You want a fight, and you are very easily revealed.
Calm down, jeez. You said you have a system for generating passwords. Scheme is just a word for a system of doing stuff in a security setting.
I’m literally just asking what your system is and you’re acting like it’s the most aggressive thing ever.
Do you expect everyone to agree with you immediately? Disagreement isn’t aggression, it’s the starting point for the debate you keep mentioning.