• w3dd1e@lemm.ee
    link
    fedilink
    arrow-up
    8
    arrow-down
    2
    ·
    5 months ago

    This is a method I heard once for remembering random passwords that I thought was clever.

    Create your own alphabet of words (or random characters). A is for Apple, B is for Boy, C is for Cat…etc.

    For every letter in the URL, you use the word from your alphabet. Ex:

    www.facebook.com

    F = Fog, A = Apple, C = Cat, E = Egg, B = Boy, O = Off, O = Off, K = Kite

    Next, you need a number if you didn’t use one in your alphabet.

    Facebook is 8 letters long so I might use 8. Or only letters repeated once. Or maybe you use the whole URL. Up to you, but you do it the same way for every site. You create a patter that you follow and can remember, rather than remembering every password.

    Need a symbol? Assign that to the top level domain. In my example, .com = # .edu = ? .org = * etc

    Put it all together and my example password would be “8FogAppleCatEggBoyOffOffKite#”.

    A password for google.com might be ‘6GolfOffOffGolfLogEgg#’.

    Obviously, you don’t have to do it this exact way with the alphabet, number, and symbol. The idea is that you create a set of rules that you remember and follow. If you write down “A = Apple B = Boy…” and someone finds it, it won’t be instantly obvious that it is meant for passwords.

    • dependencyinjection@discuss.tchncs.de
      link
      fedilink
      arrow-up
      28
      ·
      5 months ago

      This is terrible. If someone gets a couple of your passwords it’s pretty easy to work out the patterns and gain access to your other accounts.

      Don’t complicate it. Use a password manager. I know none of my passwords and that’s how it should be.

      • patatahooligan@lemmy.world
        link
        fedilink
        arrow-up
        5
        arrow-down
        1
        ·
        5 months ago

        For someone to work it out, they would have to be targeting you specifically. I would imagine that is not as common as, eg, using a database of leaked passwords to automatically try as many username-password combinations as possible. I don’t think it’s a great pattern either, but it’s probably better than what most people would do to get easy-to-remember passwords. If you string it with other patterns that are easy for you to memorize you could get a password that is decently safe in total.

        Don’t complicate it. Use a password manager. I know none of my passwords and that’s how it should be.

        A password manager isn’t really any less complicated. You’ve just out-sourced the complexity to someone else. How have you actually vetted your password manager and what’s your backup plan for when they fuck up?

          • patatahooligan@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            5 months ago

            So no vetting at all presumably since you didn’t mention it? So how do you know that Dashlane is safer than a password scheme that might be guessed by someone after they’ve already compromised a couple of your passwords?

            • dependencyinjection@discuss.tchncs.de
              link
              fedilink
              arrow-up
              1
              ·
              5 months ago

              Dashlane is pretty big and I’ve not seen any negative reports from security researchers. They offer bug bounties for people that do find vulnerabilities etc.

              I believe the consensus is that password managers are better than any human password scheme. I could host my own manager but then there are more vectors for an attack, and why reinvent the wheel.

      • DNOS@lemmy.ml
        link
        fedilink
        arrow-up
        4
        ·
        5 months ago

        I Guess we already have a couple of his passwords … Good job man, Sorry whats your name ?

    • Bytemeister@lemmy.world
      link
      fedilink
      Ελληνικά
      arrow-up
      4
      ·
      5 months ago

      Not bad, but I could see that creating passwords that are too long for some systems, and it would be vulnerable to dictionary attacks. Also, what would you do when the site requires a password reset?

      Maybe do your strat, but only do every other, or every 3rd letter as a short word, and use a Caesar cipher, incrementing the cipher once each time you have to reset? Sounds kinda fun, but I don’t think most sane people would do that… Open to ideas though.

      • Tlaloc_Temporal@lemmy.ca
        link
        fedilink
        arrow-up
        4
        ·
        5 months ago

        I’ve come across several sites with abhorrently short password limits, as low as 12.

        Worse, 2 of them accepted the longer password, but only saves the first n characters, so you can’t log in even with the correct password, untill you figure out the exact max length and truncate it manually.

        Even worse, one of those sites was a school authentication site, but it accepted the full password online and only truncated the password on the work computer login. That took me an entire period to suss out.

        • evasive_chimpanzee@lemmy.world
          link
          fedilink
          arrow-up
          5
          ·
          5 months ago

          You just gave me a flashback to a system I encountered as a student where my password got truncated, so I couldn’t log in. I had to ask the teacher what to do, expecting her to have access to a reset or something, but she just told me what my password was. It was like 3 and a half words, clearly truncated and stored in plain text.

      • w3dd1e@lemm.ee
        link
        fedilink
        arrow-up
        1
        ·
        5 months ago

        I personally just use a pw manager. If I used them system myself, the alphabet words would probably be strings of characters that aren’t real words and I’d probably salt them too. But yeah I imagine you could run into size limits, which is a problem.

        I just wanted to share a pw strategy that seemed interesting. I used a simple pattern to make the concept easier to understand.