Ask HN: How'd you manage the password managers' master password?
xkcd/936 is OK-ish for educated geeks, but in practice for a large amount of no-tech users, they only have a few candidates of fruits, sports, animals, or city names to pick from, let alone not to mass it up in memory at some point.
For now, the best option seems to store a complex master password in your phone's keychain and protect it with biometric authentication, but it's important to keep your phone safe. If someone steals your iPhone and the passcode, they could wipe out your iCloud account within just a few clicks.
Now shameless plug, I've just posted "accdoo cipher" on Show HN two days ago [1], and if you have one second to spare, here is my pa33w0rd for demonstration [2].
Any other ideas?
btw: I feel relieved that password managers (Bitwarden and 1Password for example) only require a minimum length for your master password. There are no complicated rules to follow, which is great. I hope other companies follow their approach.
[1]: https://news.ycombinator.com/item?id=39115559
[2]: https://accdoo.app/#0118-999-881-999-119-7253#256
27 comments
[ 5.4 ms ] story [ 71.2 ms ] threadcorrect_2_horse_2_battery_2_staple. In my experience it doesn't take long to memorise the words.
I have two passwords I know off by heart, my password manager and my gmail (just in case). I also capitalise a certain letter in each word, but that pattern is in my head only.
I am of course lazy, so I use biometrics on my phone/tablet/laptop to minimise the need for entering my password. But I wouldn't if I still worked in a high risk industry.
I came here to post essentially the same thing.
Assuming Gmail account is the core email behind majority of services, so breaching that account would allow password reset on most other services.
I also have TOTP and a Yubikey and a Passkey etc etc.
I was more protecting myself against a situation where my password manager was unavailable AND I needed access to my email urgently. Which has happened at least twice to me in the past.
Though to be fair once was Lastpass about 15 years ago when they reset everyone's password because of suspicious logs in an abundance of caution. That's right there was a time they were a "good" organisation.
For example, if the sentence I memorized is, "I dreamt I was a butterfly! What a wonderful sight it was." my password would be: IdIwab!Wawsiw.
<nickname unused since 12 years ago><phone number that no longer exists><another phone number but with shift keys><random http status code>
s0 S2oMeThIng Tha! uses words with r@ndom CaPs spaces 123456789s and Spec!@l ch@racters=-!s0 S2oMeThIng Tha! uses words with r@ndom CaPs spaces 123456789s and Spec!@l ch@racters=-!
My last one was "The One Armed Boxer vs. the Flying Guillotine.1234". Numbers changed ofc ;)
you could write it on that flame paper they use in spy novels.. now that would be cool also. Does Amazon carry that?
> Burning is probably the best method of data destruction available, but think about the paper. Ungummed, rice cigarette papers seem ideally suited to this role. A colleague did some tests with Club Cabaret Width papers, and they burn completely.
> It’s not as difficult to write on cigarette papers as you might think. Using a No. 2 pencil with a fine but blunt tip works well. A No. 3 pencil works better, but it is a bit weirder to be carrying. Pens have a number of problems. First the extremely hard tip of the pen is more likely to leave impressions in the surface below the paper. Also, anything with ink has the possibility to bleed through to the surface below.
> And good cigarette papers are made to burn cleanly and completely. The Club papers burned best when allowed to burn in the free air. That is, lit and released at about chest level. These papers also have the advantage of having very low volume and could be easily eaten if required.
https://www.schneier.com/academic/solitaire/
I also use a keyfile too for added security.
1) *Bitwarden:*
I am no longer using Bitwarden since they can delete your account at any time for any reason[5].
2) *KeePassXC:*
For KeePassXC, you need to store your "Passwords.kdbx" (~16 kB) database file somewhere and remember a master password.
3) *Spectre (https://spectre.app/)\\\*
I haven't tried it yet; however, Spectre calculates your password each time you need it. All you need is a name (e.g., your full name), your master password (see Diceware[1]), and the site name, from which Spectre algorithmically calculates your password. If you need to change a site's password, iterate the counter and calculate a new password.
It works offline and is open source. Here's a web app version that runs locally:
[Spectre Web App](https://spectre.pw/)
*Bonus: One-Time Pad + (Layman-ish) Physics:*
There are plenty of reasons to be paranoid[2]:
Given the above, I would first base everything on "true"[A] randomness (see random.org or roll casino-grade dice). "True" randomness is essentially: "every outcome has the same probability." As long as backward time traveling remains impossible, I would abstain from computers and simply follow the One-Time Pad protocol with a pen and paper, among other things. The above is just one (i.e., XOR) out of many ways to follow the one-time pad protocol. For 128 characters, you need a random number from 0 to 127. However, you need to ensure that each number has the same probability to show up. Perhaps there is a way to encode or "rename" the numbers from 0 to 127 with a string of digits 1, 2, 3, 4, 5, 6 so that you can roll a die multiple times in a row to randomly get a number between 0 to 127 (see Diceware[1]). One-time pad might be good to encrypt your master password.*References:*
*Notes:*Jokes aside, I memorize my password manager's master password, and have it written down in a notebook but in a different glyph set (Idk the scientific name). It's not ciphered or anything so can be decoded, but the chances of somebody recognizing Elian script are fairly low, I think, and recognizing something like Royal House of Riftgard script even lower. And if you use something like Elian script it can be obfuscated further by stylistic alterations. That, combined with a rotating cipher, even something like rot13, is probably enough to defeat all but the most determined attackers, in which case I'll have bigger things to worry about, like the XKCD wrench (https://xkcd.com/538/)