15 comments

[ 3.3 ms ] story [ 47.5 ms ] thread
This is a good way to come up with memorable, secure passwords, but it still requires either remembering a bunch of different passwords or being insecure and using the same password for multiple sites.
Thats especially true given that you want to add in symbols, numbers and capital letters. You are going to end up needing to write it down anyway.
Actually just using that sentence is good enough. And simpler.
Many systems have (dumb) arbitrary limits on password size and content.
I used to use this scheme exclusively. It's pretty good, particularly when you use semi-obscure song lyrics.
"I used to use this scheme exclusively"

So what do you do now?

I'm more into passphrases, now - randomly pull, say, 3 words from a vocabulary. With even a modest word list a couple thousand strong, you have billions of combinations, even assuming the attacker has access to the list. Such passphrases are also easier to tell other people over the phone.

I've been pondering building a 8th grade reading level word list, cleaned of homophones, commonly-misspelled words, etc. for more general use. That would be tedious, though...

Another Schneier recommendation is to write your passwords down, just keep the piece of paper away from people who might misuse it:

http://www.schneier.com/blog/archives/2005/06/write_down_you...

I have about 30 unique passwords which I keep in an encrypted file, and a password for "everything else". I have about six passwords I can remember off the top of my head and two of these concatenated are used to unlock the encrypted file. I would seriously recommend doing something like this: you'll feel much happier, I promise.

Have you tried KeePassX or passwordsafe? passwordsafe was actually created by Schneier with twofish encryption.

see: http://www.schneier.com/passsafe.html or if you are on OS X or windows: http://www.keepassx.org/

Use it with dropbox and it is available anywhere you are.

Also, Password Gorilla, which is java and runs everywhere and is compatiable with passwordsafe's databases. I do what Joel recommended, keeping the db in Dropbox so that newly added passwords are replicated and up to date.
I already use Dropbox so I'll give it a try.
I have an unencrypted file for low security passwords (e.g. web sites that require passwords). I use something like pwsafe for high security passwords. Whenever I create a new password now it is randomly generated. I don't reuse passwords between sites.

I use the phrase idea suggested in the article (full phrase though) for my GPG and pwsafe passwords.

Can I ask what kind of document or method of encryption you use for your passwords?
> Step 2: Turn your phrase into an acronym. Be sure to use some numbers and symbols and capital letters, too

Adding symbols to passwords is a huge inconvenience. Why? Because some of the sites that I use fairly regularly don't allow the characters. I end up having a first-class password and a second-class password for websites that are overly draconian. The last time I used Digg (2 years ago or so) it had this restriction, and that's the only site I feel comfortable about sharing ;). Some well-known companies who should know better have the same restriction.

It doesn't seem awful on the surface, but I also switch my password semi-regularly. If I go back to a website 2 years later, I not only have to guess all of my primary passwords, but I have to guess my secondary passwords as well in hopes that it was one of the ones with a bad password restriction.