Today, I entered a site that required login, and as I started to enter my password, my mind went blank. I simply could not remember the password I had used for that account.
What method do you use for remembering passwords and not advertise them to the world? I know everyone uses different methods, I'm open for suggestions.
I strongly agree that you should have different passwords for each site. You wouldn't want one to be discovered and allow access to all accounts. I don't want to write them down on paper to be picked up and carried off. And I'm nervous about keeping them in a file or database on the computer in the event of a successful attack.
Any help is appreciated,
Bill
"Success is the small voice you hear within,
when you know you have done your best."
There are several methods you can use. Here's one I developed. Start out by creating a base password. Make it something that isn't brute-force crackable, i.e. not just a numeric string or a word. Create an acronym out of a phrase, for example. Or use your kids' initials, all backwards. Or combine those with the last number of the day they were born. Anything that isn't obvious to figure out.
Then, for each site, add a code known only to you to the start, middle, or end of that base password. It could be a single letter or a few letters... just something that you can remember from that site.
For example, let's say I create a base password out of my kids' initials and the month of their birth (these are not my kids' initials): abz07cdz12. Then, for a site like CertForums, I can take the last three characters, "ums", and add it to the middle (or start, or end) of the base password, giving me abz07umscdz12. For Microsoft, it would be abz07oftcdz12. For Amazon, it would be abz07zoncdz12. Bam, you've got a different password for each site, and you don't have to keep track of them.
You don't have to use the name of the site. You can use anything that you can remember when you hit that site. For your bank, add the letters BA. For shopping sites, add the letters SH. For forums, add the letters FO. Or make just the 2nd letter capped, but be consistent from one password to another so you're not stuck trying to remember how you created that particular password.
If you're hacked, change your base password and change your pattern. Simple as that.
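The "base password plus per-site token" scheme described in the post above, worked through in code. This is an added example, not the poster's own code; it assumes the post's concrete rule (token = last three characters of the site name, inserted at the start, middle or end of the base) and reuses the constructed base `abz07cdz12` from the post. The second function is the check a practitioner would want: given one password leaked from one site and knowledge of the scheme, how many guesses does an attacker need for the same user on another site?

```python
"""Base-password + site-token scheme, and a check on how predictable it is.
Added example (not from the original post). Constructed sample base: abz07cdz12."""

POSITIONS = ("start", "middle", "end")


def site_token(site: str) -> str:
    # The post's rule: last three characters of the site name (case-folded here).
    return site.lower()[-3:]


def derive(base: str, site: str, position: str = "middle") -> str:
    """Build the per-site password by splicing the site token into the base."""
    token = site_token(site)
    if position == "start":
        return token + base
    if position == "end":
        return base + token
    mid = len(base) // 2           # 'middle' = split the base in half
    return base[:mid] + token + base[mid:]


def recover_base(leaked: str, leaked_site: str, position: str):
    """Undo derive() for one token position; returns None if the token is not
    where that position would have put it."""
    token = site_token(leaked_site)
    n = len(token)
    if position == "start":
        return leaked[n:] if leaked.startswith(token) else None
    if position == "end":
        return leaked[:-n] if leaked.endswith(token) else None
    mid = (len(leaked) - n) // 2   # where 'middle' placed the token
    if leaked[mid:mid + n] == token:
        return leaked[:mid] + leaked[mid + n:]
    return None


def predict_from_leak(leaked: str, leaked_site: str, target_site: str) -> list:
    """Given one leaked password and the site it belongs to, list every
    password the scheme can yield for target_site. At most three candidates
    (one per token position): a tiny search space compared with brute force,
    which is the weakness raised later in this thread."""
    candidates = []
    for pos in POSITIONS:
        base = recover_base(leaked, leaked_site, pos)
        if base is not None:
            candidates.append(derive(base, target_site, pos))
    return candidates


if __name__ == "__main__":
    base = "abz07cdz12"
    for site in ("CertForums", "Microsoft", "Amazon"):
        print(site, derive(base, site))
    leaked = derive(base, "CertForums")
    print("guesses for Microsoft from one leak:",
          predict_from_leak(leaked, "CertForums", "Microsoft"))
```

Running it reproduces the post's three passwords, then shows that a single leaked CertForums password narrows the Microsoft password down to one candidate under this rule (three if the attacker does not know which position you chose). Changing the base and the pattern after a breach, as the post says, is the only thing that resets that.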
Question. My old (and soon to be current again) employer has a strict password system that includes: Changing every 43 days; and not any of the previous 12 passwords. How would you apply your system to that?
"I'm Nerdy in the extreme and whiter than sour cream"
Quote: Question. My old (and soon to be current again) employer has a strict password system that includes: Changing every 43 days; and not any of the previous 12 passwords. How would you apply your system to that?
Rotate through various patterns. That's likely the only password you have that rotates that often, right? So... add the "extra characters" to the front... then middle... then back... then capped for all three... then title case (first character capped) for all three... then in reverse order... then initials of the company... then the initials of the product that you're working on for the next 43 days... you'd never have to reuse a password, if you were so limited. Luckily, you can start reusing them within 12 changes.
I don't know, I just remember them. Honestly, I use mainly one password, but I change that one password about every 6 months to 1 year. This may not be very secure, I don't know. I will often change passwords by one letter or by changing the digits or the case. As far as remembering them, I don't know, I just do, I guess.
Though once in a blue moon (I shouldn't have been drinking, I know, lol, BlueMoon) I will forget my password, and have to call my bank and prove I'm me.
BM's method works for him, but it seems pretty complicated. What I do is use the same password for any place in which nothing personally identifying is kept. It's usually a fairly simple password.
In other sites where I need to make sure no one is going to easily guess the password I've used the year, model, color, and my nickname for some of the cars I've owned. They end up being pretty long. Usually 15 to 20 characters.
In still other sites in which I can't use that long of a password I'll think of a phrase I associate in my mind with that site and use a combination of upper and lower case letters made up of the first letter of each word in the phrase. If the phrase is short and there are enough characters allowed I will add a significant date in history that I easily remember and somehow associate with the site.
Behold, the turtle. He makes progress only when he sticks his neck out.
James Bryant Conant
Quote: In still other sites in which I can't use that long of a password I'll think of a phrase I associate in my mind with that site and use a combination of upper and lower case letters made up of the first letter of each word in the phrase. If the phrase is short and there are enough characters allowed I will add a significant date in history that I easily remember and somehow associate with the site.
Dude... that's the *same* method I just gave. Take a base password (like a date or a phrase) and add something memorable from that site.
Thomas, I really like that, just so long as I remember the initial sequence. And Fergal's method might work if I could stand on my head to read the password. I currently use a method very similar to what BM and FF describe, sometimes with a mix of caps, lower case, and numbers, sometimes not.
OceanPacific. I admire you. You are as I once was. Now if you multiply your age by three, you may get a little better feeling for what I'm saying. You gotta love it while you can, but someday, watch out, it's coming.
Thanks Zeb, I'm assuming that Password Safe is a free download. I didn't see mention of price. Warrants a closer look.
Thanks for the suggestions everyone. I think for the moment, I need to do a little restructuring of my passwords. I was surprised how many I had. I think I probably need to learn a little more about encryption as well. I've asked this of a couple different forums, if anyone else is interested, here's a few other password managers that I've also heard about.
Password Corral that looks interesting enough. Sorry Freddie, Windows only.
The trouble with those methods is you've introduced a predictable element, i.e. if someone notices the key you are using (***oft***) perhaps they could decipher a piece of your thought process. Association could be its downfall, and the rest of your string of passwords. A truly random long string like a passphrase with upper, lower, number and even better non-standard ASCII, i.e. ♥, if that's supported with the system of course. Alienblack249A!♥1066. I know it's easier said than done with so many passwords and PINs in our lives today. To be fair it's about time the IT industry got rid of the individual password as there are so many threats to defeat them. Ultimately two-factor authentication raises the bar with tokens and biometrics. CAPTCHA can help online-wise too with drop-down selection boxes, i.e. choose 3rd letter and 4th letter of secret phrase, or a Java box to point at the correct location.
I tend to use passphrases, as they are often much more secure than pseudo-random strings.
Another very useful tool are password amplifiers. Input a precursor password and a salt, and out comes a high entropy string. I like it more than the password vault approach for several reasons:
- No need to maintain and protect the vault, a very big advantage;
- Simpler to change passwords;
- Infinitely portable - you can recover passwords without needing to carry them with you;
- Passwords produced are high entropy - avoids human weakness when selecting passwords
In general I think a password amplifier/generator approach is better than password storage tools, but there is no perfect solution, just different compromises.
Spice_Weasel
Oh as I was young and easy in the mercy of his means, Time held me green and dying
Though I sang in my chains like the sea.
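A worked version of the "password amplifier" idea from the post above: a precursor (master) password and a per-site salt go in, a fixed-length high-entropy string comes out, and nothing needs to be stored. This is an added example, not Spice_Weasel's tool or any particular product; it assumes PBKDF2-HMAC-SHA256 as the stretching function, an assumed iteration count, an assumed 70-symbol output alphabet, and a per-site counter so that a password can be rotated (the 43-day policy asked about earlier in the thread) without changing the master. The caveat a practitioner would add: with no vault there is also no recovery, so a forgotten master password loses every derived password, and a weak master is the single point of failure for all of them.

```python
"""Deterministic per-site password derivation ("password amplifier").
Added example; not the poster's code. Assumptions: PBKDF2-HMAC-SHA256,
ITERATIONS cost parameter, 70-symbol ALPHABET, salt = site|counter."""

import hashlib
import math
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"   # 70 symbols (assumed)
ITERATIONS = 100_000                                            # assumed; tune per machine


def amplify(master: str, site: str, counter: int = 1, length: int = 20) -> str:
    """Derive a per-site password from a master secret.

    master  - the one password you remember (the 'precursor')
    site    - public, stable label for the account (the 'salt')
    counter - bump to rotate the password for that site without changing master
    length  - output characters; 20 chars of a 70-symbol alphabet is ~122 bits
    """
    salt = f"{site.lower()}|{counter}".encode()
    # 256 bits of key material is more than the ~122 bits a 20-char output can hold.
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=32)
    n = int.from_bytes(raw, "big")
    out = []
    for _ in range(length):
        # Base-70 conversion of the derived integer: near-uniform symbol choice,
        # avoiding the modulo bias of taking each byte mod len(ALPHABET).
        n, idx = divmod(n, len(ALPHABET))
        out.append(ALPHABET[idx])
    return "".join(out)


def entropy_bits(length: int = 20, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly chosen string of this length over this alphabet."""
    return length * math.log2(len(alphabet))


def rotation_schedule(master: str, site: str, rotations: int) -> list:
    """Passwords for successive rotations of one site (counter 1..rotations).
    Each is distinct, so a 'no reuse of the last N' policy is satisfied."""
    return [amplify(master, site, c) for c in range(1, rotations + 1)]


if __name__ == "__main__":
    master = "correct horse battery staple"      # constructed sample master
    for site in ("certforums.co.uk", "example-bank.example", "mail.example"):
        print(f"{site:25s} {amplify(master, site)}")
    print("rotation 2 for certforums:", amplify(master, "certforums.co.uk", counter=2))
    print(f"output entropy: {entropy_bits():.1f} bits")
```

Because the output depends only on the master, the site label and the counter, the same three inputs reproduce the password on any machine, which is the portability advantage the post describes. The site label and counter are not secret and can be written down; only the master must stay in your head.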
Island hopping is a big problem with passwords and as you say there is no perfect solution with them, so defence in depth is needed. I mean, how many of us have worked in places where the local admin machine password is the same throughout due to imaging boxes? Or the use of LM hashes on the network to support older apps, or just unknowingly left on? Windows boxes with the last 10 hashes cached. They can be social engineered far too easily also. Hey, look under the average user's keyboard and you'll find one, or a bright coloured ball in the bin (not that I've ever been through the bins, lol...). Yes, you should have a policy about not doing that but people still do it (the old "it will never happen to me").
I choose my password depending on what the site holds. E.g. this forum: my low security generic password; e-retailer sites which store my card details have a medium security password (a mixture of numbers, capitals and lower case, but still memorable); high security sites, such as my bank and email, have a higher security password (a mixture of everything which means nothing to anyone except me).