This is a good way to come up with memorable, secure passwords, but it still requires either remembering a bunch of different passwords or being insecure and using the same password for multiple sites.
I'm more into passphrases, now - randomly pull, say, 3 words from a vocabulary. With even a modest word list a couple thousand strong, you have billions of combinations, even assuming the attacker has access to the list. Such passphrases are also easier to tell other people over the phone.
I've been pondering building a 8th grade reading level word list, cleaned of homophones, commonly-misspelled words, etc. for more general use. That would be tedious, though...
I have about 30 unique passwords which I keep in an encrypted file, and a password for "everything else". I have about six passwords I can remember off the top of my head and two of these concatenated are used to unlock the encrypted file. I would seriously recommend doing something like this: you'll feel much happier, I promise.
Also, Password Gorilla, which is java and runs everywhere and is compatiable with passwordsafe's databases. I do what Joel recommended, keeping the db in Dropbox so that newly added passwords are replicated and up to date.
I have an unencrypted file for low security passwords (e.g. web sites that require passwords). I use something like pwsafe for high security passwords. Whenever I create a new password now it is randomly generated. I don't reuse passwords between sites.
I use the phrase idea suggested in the article (full phrase though) for my GPG and pwsafe passwords.
> Step 2: Turn your phrase into an acronym. Be sure to use some numbers and symbols and capital letters, too
Adding symbols to passwords is a huge inconvenience. Why? Because some of the sites that I use fairly regularly don't allow the characters. I end up having a first-class password and a second-class password for websites that are overly draconian. The last time I used Digg (2 years ago or so) it had this restriction, and that's the only site I feel comfortable about sharing ;). Some well-known companies who should know better have the same restriction.
It doesn't seem awful on the surface, but I also switch my password semi-regularly. If I go back to a website 2 years later, I not only have to guess all of my primary passwords, but I have to guess my secondary passwords as well in hopes that it was one of the ones with a bad password restriction.
15 comments
[ 3.3 ms ] story [ 47.5 ms ] threadSo what do you do now?
I've been pondering building a 8th grade reading level word list, cleaned of homophones, commonly-misspelled words, etc. for more general use. That would be tedious, though...
http://www.schneier.com/blog/archives/2005/06/write_down_you...
I have about 30 unique passwords which I keep in an encrypted file, and a password for "everything else". I have about six passwords I can remember off the top of my head and two of these concatenated are used to unlock the encrypted file. I would seriously recommend doing something like this: you'll feel much happier, I promise.
see: http://www.schneier.com/passsafe.html or if you are on OS X or windows: http://www.keepassx.org/
Use it with dropbox and it is available anywhere you are.
I use the phrase idea suggested in the article (full phrase though) for my GPG and pwsafe passwords.
Adding symbols to passwords is a huge inconvenience. Why? Because some of the sites that I use fairly regularly don't allow the characters. I end up having a first-class password and a second-class password for websites that are overly draconian. The last time I used Digg (2 years ago or so) it had this restriction, and that's the only site I feel comfortable about sharing ;). Some well-known companies who should know better have the same restriction.
It doesn't seem awful on the surface, but I also switch my password semi-regularly. If I go back to a website 2 years later, I not only have to guess all of my primary passwords, but I have to guess my secondary passwords as well in hopes that it was one of the ones with a bad password restriction.