[colug-432] Memorizing Unique Passwords

[Rick Hornsby]

> On Sep 10, 2015, at 11:32, jep200404 at columbus.rr.com wrote:
> 
> On Thu, 10 Sep 2015 10:40:14 -0500, Rick Hornsby <richardjhornsby at gmail.com> wrote:
> 
>> ... a massive risk reduction is achieved by not using the same 
>> password for multiple sites.  One massively complex password 
>> used everywhere isn't good enough.  Remembering lots of 
>> passwords is impossible.  Tools like 1Password (my personal 
>> choice), LastPass, KeePass, etc help fill this gap and can 
>> generate+store unique, difficult passwords for you.
> 
> What do you think of the following technique?
> I've not had time to think hard about it.
> Peer review about this kind of stuff is always needed.
> 
> Sick of memorizing passwords?
> A Turing Award winner came up with this algorithmic trick
> http://www.pcworld.com/article/2978316/security/tired-of-memorizing-passwords-a-turing-award-winner-came-up-with-this-algorithmic-trick.html

I don't memorize more than a half dozen passwords anymore.  I can't.  My brain won't let me.  I'm sure like most of us here, I have way, way more than 20 logins. Hundreds. Some rarely used.  Secondly, the password requirements from site to site vary so wildly it would be impossible to keep track of the algorithm's exceptions. I've tried. It's an exercise in futility.  Over time, I'd want to change the algorithm to make it more complex or accommodate this or that - rendering my ability to decode older passwords more difficult.

Exceptions are things like: Some sites allow no special characters.  Some only allow a subset of special characters.  Some demand at least 2 special characters and your first born child.  Some have a minimum length requirement, some have a maximum length (i.e. 10).  A few sites are horrible and require your password to be digits only.  A few won't let you set your own password - for your own good, of course.  Some sites also have specific username requirements -- now memorize those too.  That's why I'm so grateful for 1Password.  (I know I sound like a sales monkey, but it is truly one of my must-have utilities.)

> "Amazon," for instance, becomes "5FHX7E" for a password using this scheme, but you don't have to memorize it -- 
> only the scheme itself.

I realize that's an example, but it's also a very weak password - short, all uppercase, and no symbols.  My brain hurts trying to think of a way to keep track of which letters in an algorithm-ized password are which case.  There are a few sites which completely lock your account after a few failed attempts and make you call them on the phone to get the account unlocked.  A couple of years ago, one vendor insisted I had to wait for a snail mail letter to reset my account after a few failed attempts.

In the last few years, I've started giving BS answers to the annoying security questions to make them unique for the site.  I think it was after the Palin Yahoo email hack that used social engineering to get past her verification questions that I realized how insanely weak those questions are -- and how it suffers the same site duplication issue as passwords.  But, again, memorizing which fake birthday or which fake street I gave to which site? Or which question I chose from the list?? Ugh. More recently, I've started storing my fake answers in my password vault with the credentials.