undefined | Better HN

0 pointsIshKebab9y ago0 comments

I memorised a very simple algorithm to construct passwords from the domain name of a site. Then I concatenate that with one of three fixed portions depending on how important I view the site (e.g. banks get the most secure one, then gmail, then everything else).

It works pretty well. Different password for each site, I only have to remember a few things, and it would take several compromises (and a weirdly dedicated attacker) to work out my algorithm.

For example, my 'insecure' fixed part might be 'Tenk5$' (I recommend including uppercase, lowercase, a number and a symbol in that part to get around idiotic password requirements). Then my algorithm could be 'the last 5 letters backwards, skip the first vowel'. In which case my password for HN would be 'Tenk5$rtani'.

0 comments

progx9y ago

Problem is, that not all sites use the same style of passwort.

Some need Lower-/Uppercase, some with numbers, some with special Chars, some restrict to minimum of x chars, some use a maximum.

Your system works not for all things, i use a similar system, but store a bunch of passwords with last pass. Only really important passwords are in my head.

qmr9y ago

> Only really important passwords are in my head.

That has not worked well for me. I have lost a small amount of bitcoin, and some encrypted homedirs and encrypted hard drives.

IshKebabOP9y ago

Yes, occasionally sites don't allow it, but I've found if you use at least one of: uppercase, lowercase, numbers and symbols, and have a length of around 10, then it will go through virtually all sites.

I keep meaning to collate idiotic password rules so you can see for sure which patterns work in all of them, but I've never got around to it.

kps9y ago

I use a method like that, but the result of that step then goes through PwdHash (whose code is small enough to inspect for naughtiness) so that multiple web sites wouldn't expose the scheme.

slavik819y ago

> it would take several compromises (and a weirdly dedicated attacker) to work out my algorithm.

Use that algorithm widely enough and several compromises are guaranteed. The only thing protecting your password is that url manipulation.

agentgt9y ago

I do a vaguely similar thing but I don't share it with the world :)

IshKebabOP9y ago

That's not the actual system I use obviously.

j / k navigate · click thread line to collapse

0 pointsIshKebab9y ago0 comments

It works pretty well. Different password for each site, I only have to remember a few things, and it would take several compromises (and a weirdly dedicated attacker) to work out my algorithm.

0 comments

progx9y ago

Problem is, that not all sites use the same style of passwort.

Some need Lower-/Uppercase, some with numbers, some with special Chars, some restrict to minimum of x chars, some use a maximum.

Your system works not for all things, i use a similar system, but store a bunch of passwords with last pass. Only really important passwords are in my head.

qmr9y ago

> Only really important passwords are in my head.

That has not worked well for me. I have lost a small amount of bitcoin, and some encrypted homedirs and encrypted hard drives.

IshKebabOP9y ago

I keep meaning to collate idiotic password rules so you can see for sure which patterns work in all of them, but I've never got around to it.

kps9y ago

I use a method like that, but the result of that step then goes through PwdHash (whose code is small enough to inspect for naughtiness) so that multiple web sites wouldn't expose the scheme.

slavik819y ago

> it would take several compromises (and a weirdly dedicated attacker) to work out my algorithm.

Use that algorithm widely enough and several compromises are guaranteed. The only thing protecting your password is that url manipulation.

agentgt9y ago

I do a vaguely similar thing but I don't share it with the world :)

IshKebabOP9y ago

That's not the actual system I use obviously.

j / k navigate · click thread line to collapse