[colug-432] Memorizing Unique Passwords

michael at yanovich.net michael at yanovich.net
Thu Sep 10 15:01:23 EDT 2015


I once tried to use that algorithm method for generating passwords on various
sites, but the problem I kept running into (and why I don't use it anymore)
is that password requirements for different sites can widely vary.

For example:
 * minimum length
 * maximum length
 * have at least 1 of each 'set' of characters (1 capital, 1 lower, 1 special
    char, or 1 special char from this limited list that is different from
    another site.)

If password requirements were standardized across most sites, I could easily
see this method catching on, otherwise I'm going to keep using KeePassX.

On 09/10/2015 02:38 PM, Scott Merrill wrote:
>>> "Amazon," for instance, becomes "5FHX7E" for a password using this scheme, but you don't have to memorize it --
>>> only the scheme itself.
>> I realize that's an example, but it's also a very weak password - short, all uppercase, and no symbols.
> That’s true, but passwords do not exist in a vacuum.  A password like the above might be easy to brute force from a hash downloaded from a database dump, but is less easy to brute force at the login screen at Amazon.com.
> As with most things, one must perform some level of risk analysis.  Do you want an arbitrarily complex password that is resistant to offline attack, as in the case of the Ashley Madison data dump?  Or do you want a password that makes it sufficiently hard for someone to log in as you?  If you’re mostly concerned about the latter, then I’d wager that the above password is “good enough”, and it looks relatively secure against guesses based on public data about you.
> How much security / safety does one gain by adding mixed case letters or special characters?  Sure, you get some, but that comes with the added complexity of the mental burden to remember the algorithm.
> If you use a different password at most sites, then a compromise of one is less likely to jeopardize your other passwords.  Unless someone is specifically targeting *you*, and therefore analyzing *your* passwords across multiple compromised services, your password algorithm is vanishingly unlikely to be noticed.  So even a weak algorithm offers increased overall security.
> While we’re sharing password generation algorithms, consider also the diceware solution:
>    http://world.std.com/~reinhold/diceware.html
>    http://rumkin.com/tools/password/diceware.php
> Also don’t forget about two factor authentication.  I enable two factor authentication for every site that offers it.  I was really happy to see that sixxs.net offers 2fa for their ipv6 tunnel service!
> Cheers,
> Scott
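The two points argued in this thread, that a deterministic per-site scheme collides with site-specific password policies and that short passwords behave very differently against offline and online guessing, can be checked with a few lines of code. The following is an added example written for this archive page, not code from either poster. The diceware word list is a constructed stand-in (synthetic tokens keyed by five dice rolls, the same shape as the real 7776-entry list linked above); the two site policies and the guess rates are constructed assumptions chosen only to illustrate the comparison.

```python
import math
import secrets

# Constructed stand-in for the real 7776-word diceware list (keys "11111".."66666").
# The real list ships as a text file at the URL cited in the thread; each entry
# here is a synthetic token so the example runs offline.
def build_demo_wordlist():
    words = {}
    for i in range(6 ** 5):
        key, n = "", i
        for _ in range(5):            # base-6 digits 1..6, most significant first
            key = str(n % 6 + 1) + key
            n //= 6
        words[key] = f"word{key}"
    return words

DEMO_WORDLIST = build_demo_wordlist()

def roll_dice(count=5):
    """CSPRNG-backed dice rolls returned as a diceware key string such as '43125'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))

def diceware_passphrase(wordlist, n_words=6):
    """Pick n_words entries by rolling five dice per word."""
    return [wordlist[roll_dice()] for _ in range(n_words)]

def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` independent uniform picks from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)

def worst_case_guess_seconds(bits, guesses_per_second):
    """Time to exhaust the whole space at a given (assumed) guessing rate."""
    return 2 ** bits / guesses_per_second

def check_policy(password, policy):
    """Return the policy rules a password breaks; an empty list means accepted."""
    problems = []
    if len(password) < policy["min_len"]:
        problems.append("too short")
    if len(password) > policy["max_len"]:
        problems.append("too long")
    if policy["need_upper"] and not any(c.isupper() for c in password):
        problems.append("no uppercase")
    if policy["need_lower"] and not any(c.islower() for c in password):
        problems.append("no lowercase")
    if policy["need_digit"] and not any(c.isdigit() for c in password):
        problems.append("no digit")
    specials = policy["specials"]
    if specials and not any(c in specials for c in password):
        problems.append(f"no special from {specials!r}")
    return problems

# Two constructed, mutually incompatible policies of the kind the thread complains about:
# one wants length and every character class, the other caps length at 12 and accepts
# only a different set of special characters.
POLICY_A = dict(min_len=8, max_len=64, need_upper=True, need_lower=True,
                need_digit=True, specials="!@#$%")
POLICY_B = dict(min_len=6, max_len=12, need_upper=False, need_lower=False,
                need_digit=True, specials="-_.")

if __name__ == "__main__":
    scheme_pw = "5FHX7E"                       # the example password from the thread
    print("scheme password vs policy A:", check_policy(scheme_pw, POLICY_A))
    print("scheme password vs policy B:", check_policy(scheme_pw, POLICY_B))

    phrase = " ".join(diceware_passphrase(DEMO_WORDLIST))
    print("diceware phrase vs policy B:", check_policy(phrase, POLICY_B))

    # 6 characters from a 36-symbol alphabet (uppercase + digits) vs 6 diceware words.
    short_bits = entropy_bits(36, 6)
    dice_bits = entropy_bits(7776, 6)
    print(f"6-char A-Z0-9 password: {short_bits:.1f} bits")
    print(f"6-word diceware phrase: {dice_bits:.1f} bits")
    # Assumed rates: an offline attack on a leaked fast hash vs a rate-limited login form.
    for label, rate in (("offline, 1e10 guesses/s", 1e10), ("online, 10 guesses/s", 10)):
        print(f"{label}: {worst_case_guess_seconds(short_bits, rate):.3g} s to exhaust 6-char space")
```

Running it shows the same 6-character password being rejected by both constructed policies for different reasons, a 6-word passphrase being rejected by the length-capped policy, and the 36^6 space falling in well under a second at the assumed offline rate while taking years at the assumed online rate, which is the offline-versus-online distinction the reply draws.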
