I have used two different password algorithms in my life and I ended up thinking it was a terrible idea. They were either too complex, generating passwords not acceptable in some websites and hard to remember; or too simple, making plenty of collisions between passwords and completely missing the point. All the drawbacks the article mentions are completely accurate and I can relate a lot to each of them.
I ended up just using a password manager with a crazy master password (more than 40 characters long) and randomly generating each of the passwords. That makes it frictionless to change to new passwords or to adapt to each site’s constraints.
I think it’s probably the case that most responses to this will be: “just use a password manager and be done,” which is fair. The post, I think, is pretty good at offering an alternative, “poor man’s technique,” and advice useful for anyone—security works in layers: strong passwords, 2fa, security questions, all the way down to account alerts.
I think one advantage I forgot to mention in the post is that you always have your password. If you’re at a library, you don’t have to log in to your password manager. Or if you use Keepass on Dropbox, you are kinda out of luck.
I hesitate to say it’s a poor man’s technique since I am a developer and I prefer the advantages of it. It actually takes more work in some cases than a password manager, at least the initial setup. So it’s more of a tradeoff really.
Passwords are traditionally something you know and a keyfob or other 2Factor thing is something you have (or have access to). When you use a traditional password manager, they both turn into something you have.
I hesitate to say it’s a poor man’s technique since I am a developer and I prefer the advantages of it. It actually takes more work in some cases than a password manager, at least the initial setup.
I didn’t mean it as a jab—I use this technique, too—however, it seems to be frowned upon by many, and I was catering to that viewpoint.
I personally have some half-assed mix of these approaches, which I did not really design purposely, but so far works ok. I have two different password algorithms I use for most sites, but they each have some variants because I ran into sites that wouldn’t accept the passwords they produced originally (e.g. not enough “character classes”). So I now store a plaintext file with the “key” explaining which of these algorithms and their variants I used. It’s in an idiosyncratic scheme that consists of things like “sitename 2^0” (meaning for this one I used the 2nd algorithm, with upcase+numerical variants). It’s not what you’d call cryptographically secure, but I think I actually feel a bit more confident of its safety than the password-manager approach. There are occasionally security holes where trojans can slurp your LastPass files, but if someone slurped my pwd.txt, they’d have to do some custom reverse-engineering that I’m not important enough for anyone to do. It avoids literal passwords being stored anywhere, even encrypted, which has some pros since most breaches are due to some kind of large-scale slurping of passwords.