A different password approach

Seeing some recent discussion of password security prompted me to review my password situation.

I am going to adopt a new approach.
Each password will consist of 2 parts

  • a variable part which is stored (it does not matter where), and
  • a fixed part which is carried in my head

When entering a password, I look up the variable part, combine it with the fixed part in my head and enter the combined result.

That means I can write the variable part on paper… and it is secure.
How I do the combining could be a simple concatenation, or could be more devious.
It does not help with keyboard logging, and obviously I would never let the browser save any combined password.

I don't like password vaults, they can be lost. I like hard copy.

Any opinions before I take the plunge?

3 Likes

Just come back with some examples. Password vaults make me feel safer, since I am afflicted with CRS.

1 Like

OK, let's say the variable part is ‘abcd’
and the part I memorize is ‘xyz’
The simplest way to combine them is
‘abcdxyz’
but it could be more tricky like
‘axbyczd’
or even some complicated convolution, if my brain could cope with that.

3 Likes

Each password will consist of 2 parts

a variable part which is stored (it does not matter where), and
a fixed part which is carried in my head

I think that’s a good idea. I do something similar on some passwords:
I have a format for a simple algorithm that creates a password, and I have a code for each variation of the algorithm. Seeing the code, I know how to create the password.
However, I think your proposed method may be better.

3 Likes

I differentiate across sites…
I have a fixed part, which is my password anyway, but I mix in the site's name, so I can easily remember the password, and combine it with the site's nickname.
For example, if my password is “let me log in please” and I say to Itsfoss.community, then the real password is “let me login my little itsfoss please” :smiley:
(Of course this is just a stupid example, both for the passwd and for the site nickname part, but I don’t feel it is dangerous to share the basic idea.)

So I have technically different password for every site I log in, still I can easily remember all those passwords… basically the same comfort as having one single password for login to everywhere.
You may think that if someone cracks “The Site” and grabs my password from there, they may be able to predict my password to itsfoss.community too.
But that cracker should know where my fixed part is, and which is the nickname part of that, and also should know what nickname I gave to itsfoss.community in my mind… as I speak Hungarian natively, and I like to make puns, the chances of a Chinese hacker predicting my password are quite negligible (I think). :slight_smile:
(The (at that time) sophisticated encryption “Enigma” of the Germans was cracked and decrypted, but the US used Navajo code talkers during World War II - no one could decrypt those messages: so using a strange language must be kind of secure in a way :smiley: )

2 Likes

That is a good idea, especially if you do something more than a simple concatenate… in your case a different language achieves that.

If part of the password is copy/pasted, and part keyed, does that defeat key logging?

1 Like

I have no idea. I guess it hardens, but defeating???
If someone managed to install a keylogger on your computer, I think the problem is how it succeeded?

Got it. How well does it work in practice?

Exactly. If it is behind NAT and a firewall the probability is low.

We shall have to wait for my trial run.
I think I will trial a few important passwords.
How do I measure success?

Each password will consist of 2 parts [variable and fixed]… Any opinions before I take the plunge?

You are actually reducing your security. If you create 15-character passwords, and 7 characters are the fixed part, you have just reduced the randomness of your password to 8 characters instead of 15. Plus, if just one of your passwords is stolen, all the others are related to it. All a thief needs for the rest of your passwords is the (shorter) variable part of each instead of the whole thing.

Also, what happens if the “fixed” part ever gets compromised and you want to change it? You’ll need to change all your passwords instead of just one. That’s a lot of maintenance cost.

If you’re worried about using and losing a password vault, (1) upload a GPG-encrypted copy of the vault to the cloud or to a personal Linode ($5/month), and (2) keep an unencrypted copy of your passwords in a bank’s safety deposit box. As an aside, #2 is particularly helpful if you die unexpectedly and your family or loved ones need access to your accounts. It’s a morbid topic but it actually happens.

Hope this helps!

One more observation: if a thief ever steals two of your passwords, they will learn your fixed string and your secret method for combining the fixed & variable parts. This may compromise all your other passwords.

Here’s what I mean. Suppose my secret string is FOOBAR and my variable part is something easy to remember, like the name of the company that owns a website. So my Google password is gFOOBARoogle and my TikTok password is tFOOBARiktok. Can you guess my password at Chase Bank (chase.com)? So can a hacker who steals the first two passwords. :slight_smile:

1 Like
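The point made in the two posts above can be checked against your own passwords. This is an added example, not part of the original posts: the function names and the 72-character alphabet are assumptions, and the sample passwords are the FOOBAR ones from the post. It only detects a fixed part kept as one contiguous block, not an interleaved one.

```python
import math

def entropy_bits(length, alphabet=72):
    """Bits of entropy in `length` uniformly random characters.
    The alphabet size is an assumption for illustration."""
    return length * math.log2(alphabet)

def shared_component(passwords, min_len=4):
    """Longest substring present in every password ('' if shorter than min_len).
    Tries every slice of the shortest password, longest first."""
    base = min(passwords, key=len)
    for size in range(len(base), min_len - 1, -1):
        for start in range(len(base) - size + 1):
            piece = base[start:start + size]
            if all(piece in p for p in passwords):
                return piece
    return ""

def audit(passwords, alphabet=72):
    """Report what a reader of these passwords learns and what still protects each one."""
    shared = shared_component(passwords)
    report = {"shared": shared, "residuals": [], "bits_left": []}
    for p in passwords:
        if shared:
            before, _, after = p.partition(shared)
            unknown = len(before) + len(after)
        else:
            before, after, unknown = p, "", len(p)
        # (before, after) also reveals where the fixed part is inserted
        report["residuals"].append((before, after))
        # Upper bound: assumes the remaining characters are random, which a site name is not
        report["bits_left"].append(round(entropy_bits(unknown, alphabet), 1))
    return report

if __name__ == "__main__":
    # Sample passwords taken from the post above
    print(audit(["gFOOBARoogle", "tFOOBARiktok"]))
    # The 15-character password with a 7-character fixed part
    print(round(entropy_bits(15), 1), "bits as typed vs",
          round(entropy_bits(8), 1), "bits once the fixed part is known")
```

If `shared` comes back non-empty for passwords you actually use, one leaked pair exposes both the fixed string and its position in every other password.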

It does help, thank you.
It would seem one has to be as random as possible…
If I were to use the 2 part idea, the 2 parts would have to be
combined with some algorithm more invisible than simple concatenation.
I think the bank vault idea, or equivalent, is the useful.

I have not used this but wonder if it's a solution

https://www.amazon.fr/iStorage-Encrypted-Certified-protected-Resistant/dp/B015DBZPS2/ref=sr_1_7?crid=3EGNI1VZKGLN5&dib=eyJ2IjoiMSJ9.aBD5_VjRRzz_E-KCcW8RqVBsotOXVLD_xjngAms0alOB5eWa9bPo0LYHxndbfzJRJGOIZgfa_u5_YIjXb3_CC48kDShc7FiXfkWnNsOYKGB62CGdkiaRaLSeJPGVXeC7CBkn9gIPoQkb2gKKmXOWhCpRq19lJqCykbPTQPqbOxZZkGBIm87PMoEp1QKQanZ2mm8JccEABcxZAhk0toVOET67c7iL82G8So3E0d3xJNzjY4sddPajWeKbyC-2-TkRojpiW3BeOxnX9NAhAQJygm4P21e8MXXjKNXdwD5-S3g.-4TTxsidTyY_ElYt0JnfSVSBhNiq53R94dSr8QuJQig&dib_tag=se&keywords=usb+password&qid=1708328059&sprefix=Usb+pas%2Caps%2C121&sr=8-7

There have been several items about this in France recently. It is a bit expensive and I am sure others exist.

The president of our association insists we change our passwords on a monthly basis for all our accounts, emails, etc… which I find a pain in the ass. Mainly because one of the committee left and refused to hand over his password, hence I was tasked to break in and get the accounts back; one important email account took over a week to recover.

1 Like

I believe that using a password manager is the strongest (and also easiest) approach to this problem. If you want to get even more secure you can require two factor authentication to run the password manager.

Each login gets its own password which I set to be 20 or more characters long. With an alphabet of 72 characters (A-Z, a-z, 0-9, and 10 symbols) this produces an astronomical number of combinations. Trying combinations at a rate of a billion per second would take much longer than the age of the Earth to guess a correct password. But I have only to remember one password to activate the manager. The decryption of my password manager data (which is kept in The Cloud and syncs across devices) occurs locally and is never transmitted anywhere.

2 Likes

I act on the principle that all my files are accessible and any password manager etc. is crackable.
I am also old enough to remember pencil and paper.
My solution to passwords is to use one or two passwords for the irrelevant sites where one does not care - and use, say, the Chrome or Firefox password manager.
For significant sites use a two book solution - site and user name in one book with some coded cross link to the second book containing passwords.
If one has a partner then each can carry one of the books when travelling etc.
This allows one to use imaginative passwords, for which I often use historical clues rather than record the actual password.
All passwords for serious financial sites are unrelated to each other.

2 Likes

Hi @kimt ,
Welcome and thank you for this response.
I think you are right… I should sort my sites into
important and other, and maybe use a simple 2 part solution
for other, and something more unique for important sites.
I am quite old and forgetful, I have to have a system and my wife has to understand it too.
Regards
Neville

Hi, Neville,

I’m in my mid-seventies, and I’m too lazy for anything complicated when it comes to passwords. I use a password manager with a very long, strong master password consisting of a string of phonetic words (currently some thirty characters long). That’s O.K. with me, because I only need it when I re-install my OS, or switch to/add a new web browser.

For the few sites that don’t automatically login/fill-in the username and password (some sites prevent this behavior), I can open my password vault to get at the login information I need with only a few clicks.

To my way of thinking, a password manager is the next best thing to passkeys (I’m eagerly awaiting the time when they dominate the password/security landscape). Until then, I’ll stick with my password manager (periodically increasing the length of my unique passwords as the need arises - I check the landscape about twice a year). As I recall, currently, a 12-character password length is recommended, so I use 16 characters. When/if that recommendation increases to that length, I’ll respond with 20-character passwords, etc. Hopefully, passkeys will be the default by the time quantum computing becomes an issue.

This is how I handle the password question. I hope it helps,

Ernie

Thanks Ernie.
It helps with some things. … I need better (longer) passwords.
A vault is OK if you only use one PC and you back it up well.
I use two PCs and a tablet… currently I keep things mostly on paper with a few critical exceptions. Paper is portable.

What can I get that is safer than paper, is portable, and can be backed up somehow? Maybe use the tablet? Maybe some simple device like an organiser? Maybe a book with a lock?

I am getting old too (79 next week). I have to keep it simple.

Thanks
Neville

1 Like

I have a desktop, and two laptop PCs here. I use the browser extension for my password manager in the browsers of all three machines (Of course, my password manager stores my passwords in the cloud) with no problems. If you have issues with doing that, there is always the option to use a password manager that stores your passwords locally, in an encrypted folder. Assuming you have a file server on your local network, all you’d have to do would be to locate that folder on your server, then you could put a copy of your password manager on each of your computers so you can use your passwords from any one of them. That’s a lot of work at the outset, but you only have to get it set up once, and you could back up your password vault when you back up your server (you do automate backups, right?).

Personally, I prefer the easier path of using a cloud-based password manager and browser extensions myself :smile:,

Ernie