How do you Remember Your Passwords?

Aaron asks: "Like most people reading this, I have more than a few computer accounts. Password maintenance (e.g., changing them regularly, thinking of ones that are hard to crack but possible to recall, remembering what this week's password is on account foo) is nontrivial. What strategies for managing passwords do you have?" Mnemonics and password schemes are tricks a few people use, but I'm sure some of you out there have better ways. Would any of you care to share?
  • Nutty though this may sound, a piece of paper is strangely immune to all forms of hacking. Just don't let anyone else see it.
  • Keep all mine in scribble.
  • Write them down for the first week. Use the new passwords frequently, even if you don't have to use those accounts often, try to use them often for about a week. After that if you are any good at a number-letter password combo they should be engrained until the next time. It has always worked for me. Oh and don't forget to flush the passwords once you're done. Hate to see someone dumpster diving and finding a password or two.
  • by Anonymous Coward
    Copied this off my friend Ke6n:

    Use patterns from the home row keys. Squares, diagonals, horizontal and vertical lines, left to right, right to left, and each hand.

    They're generally non-dictionary letters, big, and easy to memorize, left-straight.

    But they require you to use roughly the same keyboard.

    -- Ender, Duke of URL
  • i keep a delimited text file with all my personal passwords (several workstations and websites), servers, virtual server telnet accounts, and ftp accounts on it. the file is always PGP encrypted with max bit encryption available. what would i do if i forgot my password file password??????

    by the way, the file is on a magneto-optical and called "judy.jpg" (just an example), not on my hd, just in case.

  • I personally prefer car reg numbers as they are hard to guess (random letters and numbers) but they mean something to me.

    I've driven loads of different cars and therefore I have lots to choose from. Rotate weekly - add an underscore or two - reverse them for extra effect.

    Still, the easiest one to remember is of course " ".
  • by jojo80 ( 99781 )
    It might be an idea to create a text file with your accounts and the corresponding passwords and then encrypt everything with PGP. Thus you only need to remember one password.
    The problem is that if you forget this password your other passwords are lost too...
  • i take a line from a song or a movie and use the first letters...then i twist that around by capitalizing certain letters or sticking in a punctuation mark in between, just to add an air of randomness to it.
  • by kuperman ( 7726 ) on Saturday November 13, 1999 @03:52AM (#1536556) Homepage
    I use my PalmPilot to store many of my passwords. There are three apps that I know of that you can use:
    • Secret! - which is basically a password protected set of memo pages, but it also can do TAN and single use passwords.
    • SecureMemo - Similar to Secret! but each memo is encrypted separately. I was already using Secret! when some of these types of things came out.
    • Strip - My current favorite. This is a password protected application that is designed for managing password info. It is a database of records with Username, Password, and Description fields. It can generate a random password of a requested length, and you can use it to send an account to another user (great for a sysadmin when creating people's accounts). Only big negative I've seen is that the password length has a length limit, so storing ssh and pgp passphrases may not fit.
    All three of these store their data encrypted both on the pilot and on the backups. You could do something similar with a PGP or otherwise encrypted file on your computer, but I prefer the redundancy of having the data in two places. PalmPilot and backup machine (plus backups of the backup machine. :-)
  • ...and yet I remember each one. Why? Because
    when I forget.. the first thing I ask myself...

    "If I were to pick this password, which, surprise, I did... What would it be? Hrmm..." ....
    And I usually get it after a couple tries. :)


    -Matthew
    Technetos, Inc.
  • I must agree that using passwords is simply the best way to remember them. Using a password is almost a habit. The positioning of the fingers, the order of the keystrokes... how often did you type your old password out of habit when you knew very well you changed it recently?

    But there is more you can do than using them a lot. Make passwords that make sense. This doesn't necessarily make them insecure, but easier to remember. For example: no one would guess w3/.org is the password for Rob's server. But it's darn easy to remember.

    All my passwords have some sort of connection to my life, servers, what's running on them, etc etc. But be careful not to make them too easy. My password is most definitely not my girlfriend's name.

    Also, use your old passwords (that you are familiar with) for all those stupid Web-accounts. Who cares! Of course make exceptions when you start ordering stuff, especially with one-click-buying.

  • I remember my password, RHF4345_enternow_123, by repeating it loudly and writing it everywhere. My clients can feel safe knowing their personal information is secure with me.
  • by Per Abrahamsen ( 1397 ) on Saturday November 13, 1999 @03:56AM (#1536560) Homepage
    I use my wife's first name for all my accounts. For those sites that do not accept "Amanda" as a password, I use the names of my kids ("Allan" and "Ann"), and also write the password down on a yellow label stuck to my monitor (together with the site/account name of course), as well as in a file named PASSWORDS in my home directory. Just in case the label falls off.

    This has worked well until now; I have never had to ask the admins to remind me what my password is.


  • by Stormbringer ( 3643 ) on Saturday November 13, 1999 @03:57AM (#1536561)
    Nothing says that easy to memorize has to mean easy to guess.

    Take a common household phrase..

    ash nazg gimbatul

    ..apply 31337 to it..

    @Sh N@5g G!Mb@tU1

    ..now table it...

    @ShN
    @5gG
    !Mb@
    tU1

    ..and unwind that.

    @@!tS5MUhgb1NG@

    ...that's something that can be memorized in source form as long as the 31337 rules are consistent and the table is near-orthogonal. It can be regenerated on a scrap of paper or, with a smudged-off-afterward marker, on a countertop.

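The leet-then-table-then-unwind recipe above, as an added worked example (not the poster's code): the tabling step is a columnar transposition, and the block also gives the inverse so a regenerated password can be checked against its source form. The substitution table ASSUMED_LEET is a constructed one, since the post's own substitutions are not a single consistent per-letter rule.

```python
from __future__ import annotations

# Assumed substitution table (constructed for this example; the post's own
# substitutions mix cases and do not follow one per-letter rule).
ASSUMED_LEET = {"a": "@", "s": "5", "i": "!", "l": "1", "e": "3", "o": "0", "t": "7"}


def leet(text: str, table: dict[str, str]) -> str:
    """Apply a per-character substitution; characters absent from the table are kept."""
    return "".join(table.get(ch, ch) for ch in text)


def table_and_unwind(text: str, width: int) -> str:
    """Write the text (spaces dropped) row by row into `width` columns, then read it
    column by column: the post's "@ShN@5gG!Mb@tU1" with width 4 -> "@@!tS5MUhgb1NG@"."""
    chars = text.replace(" ", "")
    rows = [chars[i:i + width] for i in range(0, len(chars), width)]
    # outer loop over columns, inner loop over rows; a short last row simply has no
    # entry in the trailing columns
    return "".join(row[col] for col in range(width) for row in rows if col < len(row))


def rewind(scrambled: str, width: int) -> str:
    """Inverse of table_and_unwind: rebuild the row-wise text from the column-wise one."""
    full, extra = divmod(len(scrambled), width)
    # the first `extra` columns are one character longer than the others
    lengths = [full + (1 if c < extra else 0) for c in range(width)]
    cols, pos = [], 0
    for n in lengths:
        cols.append(scrambled[pos:pos + n])
        pos += n
    nrows = full + (1 if extra else 0)
    return "".join(cols[c][r] for r in range(nrows) for c in range(width) if r < len(cols[c]))


def stormbringer(phrase: str, table: dict[str, str], width: int) -> str:
    """The whole recipe: substitute, table, unwind. Only the phrase, the table and the
    width need remembering; the password itself is regenerated rather than stored.
    The transposition adds no guessing resistance of its own: the secret is still the
    phrase plus the rules, which is why the post insists the rules stay consistent."""
    return table_and_unwind(leet(phrase, table), width)
```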
  • by Anonymous Coward

    It never ceases to amaze me that most people need special techniques to memorize passwords.

    Whenever I change my passwords, I just do a few spurious extra logins for about an hour or two after I change one. After that, I'm set.

    I suppose that if I used dictionary words or names like most people seem to prefer, then I'd have to have some special technique to memorize that they're passwords; I find it hard to cross-link strings like that. My usual base for passwords - punctuation, numbers, control characters - generate unique strings and thus are easy to memorize.

  • I type some number enriched ascii jumbled text from something I have laying on the desk that can be remembered and type it in qwerty on a dvorak keyboard. I can type my password out, but if you ask me what it is, I wouldn't know unless I actually typed it. It's like a secret decoder ring...

  • My password is "password".

    I use this on a couple of machines (198.137.240.91 and 198.137.240.92), and it seems to work pretty well.

    BTW, I haven't told you my login name ;)


  • Wouldn't some of the cracking programs have these strings coded in?
  • There are webservices that keep your passwords for you, I think Microsoft launched one not so long ago. I keep _all_ my root passwords on their servers! ;-)

    Also, Mozilla will be able to remember them for you in your 'wallet', I don't know how it's encrypted locally but the wallet and your profile should be (and can be) password protected themselves. Internet Explorer also does this.

  • Tattoos on my forearm.
  • The one from the movie SpaceBalls:
    12345
  • I think that he has a point truthfully...

    Anyone remember spaceballs?

    I tell you, qwerty or 12345 would not be the first ones i would try to break a password with. Maybe I'm just rambling but oh well...
  • As ya can tell im a terrible speller.. actually it comes to me advantage in a small way when it comes to passwords. %95 of the time i misspell words the same way. a misspelled password evades dictionary checks. on top of that i tend to use the same character replacements (! instead of i, 0 instead of o, etc etc). so i usually end up pickin a word that reminds me of the login and bang - i remember the password (%95 if the time heheh)
  • by Dave500 ( 107484 ) on Saturday November 13, 1999 @04:13AM (#1536573)
    One of the things I have noticed is that humans as a whole tend to remember pictures and symbols far more easily than alphanumeric information. (Simple fact - we have evolved that way).
    As one of the system administrators for a medium sized ISP, we are faced with the problem of regularly rotating certain account passwords (I think you can guess which ones ;-) ). After several years it became hard to achieve unique ones that everybody involved could easily remember. Hence our switch to visual methods.
    Simple Example:-

    Imagine a large smiley face situated on your keyboard (as in certain keys were colored differently to make up the face)

    Nasty ASCII Art Bit:-

    1234567890-=
    qwertyuiop[]
    asdfghjkl;'#
    zxcvbnm,./
    Normal Keyboard layout

    1234*6*890-=
    qwertyuiop[]
    as*f*h*kl;'
    \zxc**nm,./
    Stars show keys used to draw smiley face

    Ok, so I have made a pretty lame job of that, but notice that I have used 5 & 7 to make up the eyes, g for the nose and dvbj for the mouth. That gives us a password of 57gdvbj. Once we have that, we can add features to make it more secure, a Capital G for the nose for example, or using punctuation % and & to give the face "eyebrows".
    Personally I find this method a useful way of coming up with passwords that are only susceptible to brute force attacks, whilst maintaining a visual link so that our primate brains can have a stab at remembering them. Other pictures that can be used are symbols, flags, large letters, the list is pretty long.

    Good Idea/Bad Idea?

    Dave.

  • by Anonymous Coward
    ~> telnet dina.kvl.dk
    Trying 130.225.40.228...
    Connected to dina.kvl.dk.
    Escape character is '^]'.
    abra

    SunOS UNIX (elc1)

    login: abraham
    Password:
    Login incorrect
    login: abraham
    Password:
    Login incorrect
    login: abraham
    Password:
    Login incorrect
    login:
    telnet> quit
    Connection closed.

    Liar. :)
  • ive found that my memory is just more tuned to remembering numbers, mathematical formulas, and strings of characters in general than other things like events, people, and conversations. it seems like once ive used a password (or ip address, account number, etc) a few times, i will continue to remember it, as long as i recall it every so often.

    i used to be a network admin at an isp. we had one master sheet of paper with all the passwords for servers and NAS's (totalling around 25) that we would keep locked in a safe. i would only have to pull it out when i wanted to get on a box that i hadnt used more than once or twice. i guess my memory is just better at storing arbitrary strings up to around 10 characters.

    whats annoying is that usually i can remember whether ive heard a person's name before but i have a very hard time associating their face with the name. i also have a difficult time remembering all the things im supposed to do during my day. my fiancée on the other hand can remember conversations from years ago word for word but has to check with me when someone asks for our zip code. i wonder if theres some sort of male/female thing going on...

    anyway, one way to make passwords easier is to take a random 4-6 letter word and to convert it to "l33t-speak", and then optionally tack on a random number or non-alphanumeric or two. for example, take the word "fault", change it to "F@u|t", and add a 0 to get "0F@u|t". granted it may not be perfect, but it may be easier to remember than random characters and a bit more secure than just dictionary words. another trick we used at the isp was to make them loosely based on vulgarities--after a while it was almost a contest to see who could think of the best (or worst depending on your perspective).

    still another alternative can be found on freshmeat. there is at least one program out there that will keep a list of passwords for you. i think theyre stored encrypted, and you only have to remember the one password to open the list.
    "gpasman" and "kpasman" are two examples...

    --Siva

    Keyboard not found.
  • Example: You take the word slashdot, and move your hand over one space and type slashdot. It's hard to do in the beginning, but it gets easier.

    d;sdjfpy would be the password, except I switch the symbols to something on the top row. It looks like randomness when it really isn't.

    Of course, for access I actually care about, I use something completely different, which is just random numbers and symbols mixed with 3 letter words.

    Managing them is easy, since I have basically 10 main passwords for web sites. If I feel like it I rotate them around, and then just try to remember which had which. But I'm not randomly guessing my password anymore.
  • For admin level passwords I first create a "random" alphanumeric password and then create a mnemonic phrase using a method I got from one of those "How to improve your memory" books I read long ago. To remember numbers you can use sounds.
    1 T or D sound.
    2 N
    3 M
    4 R
    5 L
    6 Soft G or ch
    7 Hard G or K
    8 F
    9 P or B
    10 S

    It took a while to get comfortable with it but it was long ago and the pain is forgotten. The mnemonic for my (now closed) bank account from 15 years ago is "mouse cheese malls" which translates to 3060350. Double letters which make a single sound count are a single number. For letters, I use words. There doesn't seem to be a problem remembering which words are for numbers and which are for letters.

    When I have to assign medium level passwords to others, I give them a phrase and they use the first letter of each word sometimes followed by a number. i.e. Why did the chicken cross the road...wdtcctr22.

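An added example (not the poster's code) that decodes a mnemonic phrase back into digits with the sound table listed above, so a remembered phrase can be checked against the number it stands for. The soft/hard g rule and the extra letters c, j, q, v and z are assumptions that the post does not spell out.

```python
import re

# Sound-to-digit table from the post (the "Major system"); the post's "10" is digit 0.
# Assumed additions: c and q as hard-k sounds (7), j as soft g (6), v as f (8), z as s (0).
DIGRAPHS = {"ch": "6"}                      # "ch" is listed as 6 in the post
SINGLE = {"t": "1", "d": "1", "n": "2", "m": "3", "r": "4", "l": "5",
          "j": "6", "k": "7", "c": "7", "q": "7", "f": "8", "v": "8",
          "p": "9", "b": "9", "s": "0", "z": "0"}
SILENT = set("aeiouhwy")                    # vowels and h/w/y carry no digit


def word_to_digits(word: str) -> str:
    """Convert one word to the digit string its consonant sounds spell out."""
    # a doubled letter makes one sound and therefore one digit ("malls" -> 3 5 0)
    word = re.sub(r"(.)\1+", r"\1", word.lower())
    digits = []
    i = 0
    while i < len(word):
        if word[i:i + 2] in DIGRAPHS:
            digits.append(DIGRAPHS[word[i:i + 2]])
            i += 2
            continue
        ch = word[i]
        i += 1
        if ch == "g":
            # assumed rule: g is soft (6) before e/i/y, otherwise hard (7)
            digits.append("6" if word[i:i + 1] in ("e", "i", "y") else "7")
        elif ch in SINGLE:
            digits.append(SINGLE[ch])
        elif ch in SILENT or not ch.isalpha():
            continue
        else:
            raise ValueError(f"no sound-to-digit rule for {ch!r}")
    return "".join(digits)


def phrase_to_digits(phrase: str) -> str:
    """Decode a whole mnemonic phrase: 'mouse cheese malls' -> '3060350'."""
    return "".join(word_to_digits(w) for w in phrase.split())


def phrase_matches(phrase: str, number: str) -> bool:
    """Check that a phrase really encodes the number you think it does."""
    return phrase_to_digits(phrase) == number
```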
  • My personal technique is called the mash blindly like a drunk on your keyboard then write out the mess about 10 to 15 times and you got it memorized.

    Today's Password is: p5Q28#%^uhqqb&@
  • www.normsoft.com [normsoft.com]. The author is responsive to new feature requests and fixes bugs like a demon. Well worth the US$13!
  • For many "personal" accounts (Unix user accounts, root password on my personal box, mud passwords) I've used the same scheme to build a password, consisting of a group of characters from a related set, and some punctuation. It has been subject to crack attacks by several admins, numerous times, and it has never been cracked.

    For admin accounts (except for some reason, I've never subjected a root account to this), and some websites, I often base passwords on lines of songs I like. For instance, the first letters of each word; if there aren't enough letters, punctuation, and/or the artist's initials help. And often, instead of using the real line, I substitute one or more words. ;-)

    Sybase SA accounts are a lot easier. Sybase gives you up to 30 characters, so no 8 character limit. My favourite tactic there are plays on names related to the town I was born; given the fact that all Sybase servers I've worked with were behind firewalls in environments where no one else was coming from the same country I was born in, that was pretty safe.

    Root passwords are a different matter. Except for personal boxes, root passwords are often shared between people, so deciding on them is a different matter; you can't just use your favourite strategy.

    And sometimes, you don't really care. For instance, slashdot mails your password, and your password goes in plain text to slashdot when you log in. Not that I could really care if someone used my password - slashdot is pretty close to the end when it comes to important things. For such passwords, I just keep them in a file, and cut-and-paste, although my current slashdot password has a certain rhythm that makes it easy to remember.

    Oh, one word of advice. Don't suggest in a (root) password things that aren't true. In a previous workplace, we had 2 sun E3000's next to each other, sharing a console using a switchbox. One weekend, I came in to change the tape drive of one of the machines. The root password of the machine suggested it was the machine to the left. I logged in and halted the system. Then I turned the key of the left machine, and wondered why the screen didn't go blank. When my pager went off 30s later to notify me which machine was down I realized what I had done.....

    -- Abigail

  • I work as a sysadmin for a fairly large webhosting firm, and I always need to remember a plethora of passwords. The passwords must also be fairly secure (i.e., we never use words in the passwords, etc.). I've found that to make up passwords, makepasswd is the best program available (check freshmeat for your copy, or `apt-get install makepasswd` on Debian systems).

    I run makepasswd like this
    makepasswd --count=60 --maxchars=8 --minchars=8 --string=qwertyuiopasdfghjklzxcvbnm1234567890
    That generates passwords with only lower case and numbers (I have found when remembering in upwards of 20-30 passwords, it's easiest to stick to one case). After I generate my new password lists I normally transfer them to my Pilot in a memo, and lock that memo down under the private area (I rarely use it, but it's always nice to have).

    It's not a horribly complex system, but by using makepasswd you have no tendencies to lean towards certain patterns, and you can generate hundreds of passwords very quickly.

    Another word of the wise- keep an archive of all of your old system passwords, even after you have changed them. I have often found some part of a system or a rarely-used piece of equipment (Switch, Router, etc.) that has been forgotten in a password roll and is set to some old password. Having a list of them somewhere makes trying the old combinations VERY easy. (I once knew a guy who forgot the password to his 3Com Switch 1000, and he rendered the management portion of the switch useless)

  • Pick a phrase you remember by heart. For example:

    "Yippy-ky-yay MuthaF**er" from Die Hard[1|2|3]

    (I've deliberately chosen to use a weak example)

    Now, use the first letter of each word. YKYMF.

    You want to make it harder, scramble the capitalization: YkyMF

    Maybe add punctuation: YkyMF!

    Pick a theme with several such phrases, and there you go: easy to remember, hard to guess passwords.
  • I tend to use passwords based on songs. One of my favorites was JSfm#!^ which was based on the Grateful Dead song Jack Straw. The first line of the song is "Jack Straw from Witchita (sp) shot his buddy down" Those are the characters (on my keyboard) on top of which is Witchita's telephone area code.
  • I don't know what kind of material you are dealing with; highly secure government or business info should be kept on something outside of your computer. I like the first post that says a piece of paper; it is what I use for stuff that is important. I also have a floppy with a word doc. that has my normal pass stuff on it. However I am also extremely lazy and will admit I use a program called gator for my basic stuff. If I were to be quizzed on my passwords without access to my disk I would probably fail.
  • Whenever I change my passwords, I just do a few spurious extra logins for about an hour or two after I change one. After that, I'm set

    Does that work if you have 40 passwords to remember, some of them you haven't used for half a year?

    -- Abigail

  • The first 3 letters of my auto manufacturer,
    followed by the last 4 numbers of the V.I.N.,
    followed by my first, middle and last initials.
  • I use three strategies...
    One is to use old commands used on old computers for low priority accounts (stuff I don't really care about)
    I use a combination of favorite numbers (such as some of the numbers of my birthday or old vic20 poke codes) and again old commands or the cryptic names of hardware I have on my desk [not my main computer but my old XTs monitor things like that]
    I'll also just not bother and have the computer remember my passwords for me. or save them in a password file..
    I've been moving more and more to the password file.. saving them on a backup floppy and keeping the floppy in a safe place.
    This seems to work very well.

    cross fingers...

    I prefer to let the computer automatically enter passwords for me. This is how I usually remembered my passwords for BBSes I called during the 1980s and early 1990s...
    when the terminal program didn't support it I'd make a macro for each BBS.. when the terminal didn't support macros I wrote the passwords down.. I hated writing anything down but that's life

    I try to make my passwords as hard to remember as possible now a days...
  • All my passwords consist of random, but readable, strings of characters that alternate each hand on the keyboard. That way I can type them a) quickly, and b) with a sort of rhythm in my hands and fingers.

    Initially I remember the way these fake words "sound" (I also keep them written down for a while) but after a couple of weeks my hands remember them better than my mind.
  • Firstly, I take names/place names from the Star Wars Trilogy (no chance of any of them being dictionary words), then I pepper 'em with some random numbers and caps. Also, I've found Lewis Carroll poems have some great nonsensical words to use.

    However, past this system, I usually use iterations of a same general password for a single purpose: I use one set for my internet passwords (NY Times registration, Hotmail account, etc. All the unimportant stuff). Another set for my university account and account on my own machine. Lastly, my root password is different than all of them...

  • Hmm. I keep mine on a Scramdisk (a free virtual disk encryptor available from Here [clara.net]). I also encrypt the data with PGP every so often and email it home, so I have a backup if I lose the scramdisk or forget its password
    --
    -=DaveHowe=-
  • Yeah, I basically write them down in my sketchbook.
    And I keep a backup in the "Notepad" DA on the Mac.
    Nobody goes near my machine, so I don't worry. It's at home. :)

    Pope
  • by iota ( 527 )
    I try to keep my password methods simple:
    • For ssh, I use the encrypted key authentication method. That way I can choose hideous passwords for my machines, make a keyfile, and then never worry about the password again. Plus, I know I'm secure unless someone sits down at my box and 1) breaks my keylock and 2) unlocks my screensaver.
    • For many other things, I keep them in an encrypted PalmIII program I made. It uses crude writing-recognition to authenticate -- I know no one can duplicate that.
    • For all my physical logins (ie, my home machine), I have threefold security: 1) a username 2) a password and 3) a program in my PalmIII that I have to cradle the Palm and hit the hotsynch button, and the Palm sends a password file as part of the synch.
    • As far as my passwords go, I try to forget the letters and numbers on the keyboard, and do it by sight. Trying to memorize random strings of numbers and letters is tough for me -- but memorizing a sequence of hand-movements is easy.
    That's just how I do it... has worked well so far! jason
  • I put all my passwords in my HP100LX palmtop's database application. Of course the database is password protected. So -- I have to remember this one password to get me access to my hundred other passwords.
  • Every time I have to choose a new password, I use whatever comes to my mind at the moment, usually being careful not to choose words that can be found in a dictionary. After that, I rely on muscular memory, I mean, if I used it a couple of times then I don't have to think about it to write it, just let my fingers go.
    Not so long ago I discovered I don't have two passwords starting with the same letter, so, I'm able to write down the first letter of each password and that's enough to recall it later. Now, I enforce this property on purpose.
  • But you have to be physically there
    Reboot the box then

    LILO: linux -s

    # passwd whatever
    # shutdown -r now

    Now you have root back and change whatever the hell you want :)

    Or in the Case of RAS equipment
    do a NINDY by plugging the jumpers on the mobo
    Upload a new TAOS/COMOS using a serial connection with 1K/XModem transfer
    halfway through upload yank the jumpers
    Reboot twice .... You're in, but your initial config might be all skiwompus!

    OK OK all kidding aside. personally I do PGP encrypted files of router/RAS configs as well as passwd files stored offsite in 2 vaults. One at home, one in another office.

    Hey it was either that or tattoo the passwds on my cat, and let the fur grow back!!
    *JUST KIDDING PETA PEOPLES*
  • by Jonas Öberg ( 19456 ) <jonas@gnu.org> on Saturday November 13, 1999 @04:49AM (#1536603) Homepage
    Until some time ago, I used the same password as the username. Not kidding. I got a few visits that way, people mailing me from my own account saying "Cool! Hey, your foo script didn't work like it should, I fixed it for you", and the like. People who want to do bad things seem to be lame enough never to just knock on the door and try the handle.
    I'd like to still have the same scheme on some systems, but people in general are paranoid enough so that I choose strong passwords so that they will still be friends with me. I must say though that I find it much easier to restore a backup every once in a long while, than to use all the paranoid security that people force upon me. I even secured my own computer and removed the guest/guest, system/manager and login/password accounts, which had been there for, well, forever really.
    So either way; how do I remember the passwords these days? Well, it's not only passwords, it's bank account codes and other codes too that go with all plastic cards you get. I'm sorry to say that there really isn't any great trick to it. The mind can easily store at least 20-30 more secure passwords (and probably even more), even if you change them regularly. To memorize a new password, I write it down on a piece of paper and try to attach images of the characters to the paper in my mind. If you attach graphical images, sometimes even smell perhaps, you will most probably remember it far longer than you need to.
  • I have about 50 different things I keep passwords on. So I keep them on my PalmPilot.

    I just add each account as a contact in my phone list, and mark the contact as private. Each contact has a separate memo attached which holds the account name and password (and other relevant info). All of the password contacts live under a list name (coincidentally) 'Passwords'.

    So, all I have to remember is the PalmPilot Security password to gain access to all of the other passwords. The trouble with this scheme is that sometimes I forget to turn Security password back on.....

  • The problem isn't remembering passwords you use on a regular basis. The problem is remembering the string of random characters for the account you haven't used in two months.
  • Why would I do that? My password is completely secure! I even use it on my luggage!

    123456

    Whoa! How did that slide in there!


    Chas - The one, the only.
    THANK GOD!!!

  • Password and remembering them have been very easy for me ..

    Well the process that I have used is as follows :

    If I have a standing GF when I change the password, I would keep my password as "iluvxyz", and if I have just broken up with a GF i would have my password as "fuckuxyz".. :)

    Isn't that cool. Maybe it will be cooler if I also add that I have never had a GF !

    Manifest
  • by Chas ( 5144 )

    Contrary to my previous, humorous post, I store my passwords in a plain text file, zipped with a password on the zipfile, then PGP-encrypted and stored on a CD.

    The passphrase is something I'm almost unlikely to forget. But just in case, I keep a copy of the passphrase and the zip password in a locked strongbox in my room.

    For additional physical security, I also own a set of swords.....


    Chas - The one, the only.
    THANK GOD!!!

  • by GW Hayduke ( 19878 ) on Saturday November 13, 1999 @05:03AM (#1536614)
    I just thought of this whilst reading all the posts..
    for keyboardists, try the opening few measures of the theme of a composition, (hmm.Bach's Preludes would be a little too repetitive though..) imagining the comp keyboard as a musical keyboard. Yeah Yeah I know, the keys are entirely wrong, BUT, if you know the piece, your fingers should remember at LEAST the theme, and hit the same area every time..
    I started testing this theory with not only keyboard themes, but also guitar licks... BTW, Chords don't work:), violin solos, bass lines.
    Trombonists,flautists, and other brass and woodwinds would tend to have problems. Especially trombonists :) because of the registers requiring multiple fingerings....
    I dunno, maybe I just need more coffee
    and more testing.... please let me know what you think
  • Best way I've found is to just wham your keyboard. Of course don't just hit the alpha part. Hit everything. Get the resultant string, and remove characters here and there to get the length you want. Tada!

    Write it down. Stick it onto your eyeball. Read it and recall it for an hour, or more if needed. Log on to the account every minute. Burn the paper.

    There. Of course trouble comes with many different accounts with different passwords.
  • I used to do the single password thing. I took a word and shifted it and then scrambled it... I've also used a make-shift cipher wheel. The best thing to do is open a text file and then bang on the keyboard with both hands (lightly, of course...don't want to break anything). Make sure you hit the shift key while you do it, and make sure you get close to all the keys... then...well, you pick a string from the mess. Random as it gets....

    j&^UFVotygOU^ryf*$RF9ogLMg9*%&Tk

    and there you have a password, you just have to memorize it :)
  • I only use about 5 passwords ever
    a) two for my home machines (root/normal user)
    b) one for work
    c) a couple for web login accounts

    As i change jobs I do change my work password. Only my web login passwords are likely to fail a standard dictionary attack.

    I find about 5 words which have been garbled is about the limit my brain can store. ;-P
  • I store them in a text file :-) the catch is, I encrypt the file with PGP. Any time I decrypt it for reference I am careful not to leave the unencrypted file around, too.

    My password generating tactic is to use the first letters of a phrase that is meaningful to me. Let's say I like Vengaboys, especially their catchy line "Boom boom boom boom I want you in my room", which generates the password "bbbbiwyimr". Or "4biwyimr" if you have to have numbers in your password.

    Note 1: don't use phrases that are meaningful to you but to many other people too. Crackers have them in their dictionaries. So don't use "to be or not to be", nor "there ain't no such thing as a free lunch"; I had the latter actually guessed by the dictionary cracker run by my sysadmin once. Don't use common proverbs etc.

    Note 2: as an additional criterion I apply the speed of typing the password on a keyboard. Believe me, I guessed many passwords looking at people's hands and would rather not have it done to me.
  • Proposal:
    Biological retrieval of "random" passwords is a complicated task, when new passwords are added to our collection every day. A "secure" method of password generation is required to 1) eliminate the need to store a password at an insecure location and 2) be able to retrieve the password if the storage location is not accessible. Therefore I use a hashing function, H that takes arguments var1, var2 ... varn ( H(var1, var2... varn) ) to produce a unique password for every site. (I usually use something like (myname, domain name).)

    Justification:
    I don't think I'll forget my name, or the site that's asking for the password. So as long as you can remember a scheme like initials+1st 5 letters of domain name, you'll be ok.

    Analysis of running time:
    The hashing can be done in O(1) time (constant time). Furthermore hash collisions are not important and do not affect performance of generating and retrieving H(var1, var2,...,varn).
    Furthermore the algorithm is scalable.

    Modifications to H():
    Everyone can just have a particular modification to the generic hash function. For instance use "1LFMdomain.com"

    Weaknesses:
    Unfortunately, if someone figures out H() you are screwed. The solution is to use an array of hashing functions (26) and select a hash routine according to some criteria. i.e., use the 1st letter of domain name, c to select H[c](). Be sure to not make the modification(s) on the hashing algorithm easily observable and guessable. That should create seemingly randomness to anyone who gets a password or two. They might figure out the H() for particular c, but as long as they don't get more than 1 password with a particular c, they should not realize that they know H[c]().

    Final Comments:
    passwords should be made of "random" characters from S where S is set of all valid characters. However as biological organisms, we cannot be expected to remember a growing number of unique passwords. Therefore a hashing function on string literals (dynamic or static) can provide a not-so-easily-guessable but easy-to-remember-password-scheme that is "reasonably" secure.

    Followup:
    For really important passwords though, I ditch the whole scheme all together, and use something random - I can remember a few of those.
    My password for slashdot is random, btw.
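A keyed version of the H(var1, var2 ... varn) idea above, added here as an example and not the commenter's own scheme: deriving each site password with HMAC under a secret master key addresses the "if someone figures out H() you are screwed" weakness, because without the key, knowing the recipe and one output reveals nothing about any other output. The character alphabet, the field encoding and the default length are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Characters allowed in a derived password (an assumption of this example;
# narrow it for sites with stricter rules).
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789!#%&*+-=?@")


def new_master_key() -> bytes:
    """One random 256-bit master key: the only secret in the scheme, to be
    kept somewhere protected (e.g. a PGP-encrypted file)."""
    return secrets.token_bytes(32)


def _encode_fields(*fields: str) -> bytes:
    """Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide."""
    out = b""
    for field in fields:
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def _keystream(master_key: bytes, msg: bytes):
    """Unbounded byte stream: HMAC-SHA256(master_key, msg || counter)."""
    counter = 0
    while True:
        block = hmac.new(master_key, msg + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        yield from block
        counter += 1


def derive_site_password(master_key: bytes, username: str, domain: str,
                         length: int = 16) -> str:
    """Keyed H(username, domain): the same inputs always give the same
    password, but without master_key no output leaks the scheme."""
    if len(master_key) < 16:
        raise ValueError("master key too short")
    if length < 8:
        raise ValueError("length must be at least 8")
    # Domain is case-normalised so Example.COM and example.com agree.
    msg = _encode_fields(username, domain.lower())
    # Rejection sampling: accept only bytes below the largest multiple of
    # len(ALPHABET), so every character is equally likely (no modulo bias).
    limit = 256 - (256 % len(ALPHABET))
    chars = []
    for byte in _keystream(master_key, msg):
        if byte < limit:
            chars.append(ALPHABET[byte % len(ALPHABET)])
            if len(chars) == length:
                break
    return "".join(chars)


if __name__ == "__main__":
    key = new_master_key()
    for site in ("example.com", "example.org"):
        print(site, derive_site_password(key, "alice", site))
```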
  • For most of my passwords, I use Ferrari model designations. There are hundreds of them, e.g. f550m, f360m, 412t2, 355f1 etc. That way I can just keep trying them until I get the right one. Of course, internet related passwords are usually "8o11ox2u" or something stupid like that.
  • Absolutely! One memo for user/pass, one memo for ATM & CC PINs, another for bank account numbers, etc. Dead in the water without my Pilot.
  • I just go into my /etc/passwd file in linux and write down the encrypted form of 'HemostheHamster'. That's my password.
  • I have a piece of paper with several phrases on it. I just have a formula I memorize for generating a password (mixed capitalization, punctuation, and alphanumerics) from the phrase. If you were to find the paper, you couldn't distinguish it from a grocery list or a "favorite quotes" list in my pocket and it would do you little good without the formula.
  • My way of creating and remembering passwords is to take a word I know, or phrase, or whatever, and transpose it on my keyboard -- move all the letters one or two letters left, right, up or down. Usually I shift one or two characters and one control character. Usually, after the second or third time I type it, I don't have to look at the keyboard, either. =)

    The net result of this is uniformly line-noise-type passwords.
  • I just tell my wife all of my passwords. Women are WONDERFUL at remembering non-trivial things like this.

    The oil light on the other hand... ;)
  • Well, many people say I'm lucky to have a photographic memory, and in many ways I am, including my method of password storage. I have 50 different passworded accounts (ok, 47), and each has a minimum of 8 (some places don't let you put any more) alphanumeric passwords which I generate using truly random numbers (radioactive decay), see http://www.fourmilab.ch/hotbits/ My pgp passphrase is 53 chars and contains all special characters as well as caps, lowercase, and numbers. But, it's not truly random, but a combination of my other passwords. I find this helps people a lot when they ask me how to choose new passwords. Combine some old ones! Most people can't store them all in their memory, though, so I point them to Counterpane's passwordSafe. there's a link on their site, http://www.counterpane.com hope this helped. JacobB
  • Here's my method, a specific mnemonic technique. Start by picking some specific event or time in your life that's easy for you to recall but is not an obvious one to someone other than yourself. For example "in 1996 when I traveled to Vermont to celebrate Thanksgiving with my best friend Bob," or "when I used to play Shadowrun with John and Paul in college," or "when I first started working for Peter and I had to fix up that unbelievably crappy Perl code the last programmer, Matt, put together." Make a point of choosing a specific event (a particular thanksgiving) not a generic or repeating one (any thanksgiving). Also don't pick something obvious (your wedding) or something someone could easily get information on (if you have a web page about your trip to Mexico, don't use that).

    Now take the date, place, activity, and people involved in your chosen event/time-span. For example:

    • November 1996
    • Thanksgiving
    • Vermont
    • Bob Jones

    Pick out specific fragments of those to use in your password:

    • Nove[mb]er 199[6]
    • Than[ks]giving
    • [Ve]rmont
    • B[o]b Jo[n]es

    Glue your fragments together with non alpha-numerics:

    mb-6.ks/Ve=on

    After typing it a few times, you should be able to get it just by remembering "Thanksgiving at Bob's, 1996."

    Of course you still have to remember which password goes with which account. If you find this to be the tricky part, you could probably deal with it by writing down just enough information to get you to remember, like "11-96". Unless someone can guess the event (thanksgiving) and knows the details (at Bob's place in Vermont), they can't even get near your password, and even with all that information the number of permutations makes a brute force approach prohibitive.

  • ...try Strip [zetetic.net]
  • Funny that you ask :) Because just today I had to guess my password account. When I create a new password, I usually take the first word which comes into my mind and cripple it using upper and lower case, numbers and little Cyrillic ... Then I write it down into an encrypted file.

    But two days ago I had to change my password on a very ancient and dumb terminal and I couldn't save it (even vi didn't display correctly :( ). Of course I remembered the word but not the permutations I did with it... Now I have it again :) after trying almost all of 2**6 combinations that seemed possible to me :)
  • The problem is remembering the string of random characters for the account you haven't used in two months.
    I use The Public DNS as dns server for my domain. For 6 months there was no need to change anything. Now I have to change my IP address. And I can't remember my password. Some Linux or dns term, phonetic spelling in dutch with maybe a number. I tried over 60 passwords, haven't got it yet.
    The Public DNS has a password reset service but they haven't reset a password for over a year. The service is free so I can't complain too hard.
  • I've always wanted to use some kind of hardware to store authentication things. For example,

    Idea 1, SSH: I don't allow telnet to any machine I admin, just SSH. I've wanted to generate RSA keys for every host, and then burn them onto a CD. Use the same password to protect every key. Then, you'd have to have both my password and the CD to hack my boxes. This, of course, requires both SSH and a CDROM drive on any client machine that you access from. It doesn't work just for general passwords.

    Idea 2, iButton: Maybe a different system would, however. It involves those funky iButtons [ibutton.com]. These are little watch battery sized devices which store some fixed amount of data (different sizes up to about 64k), and can be addressed by a simple serial interface. You touch the iButton to a small contact (called a "Blue Dot") which plugs into a serial port, and software downloads the data. Store the authentication data (RSA key or just a plaintext password) in the iButton, maybe all encrypted with a single password. Then when authenticating, touch the iButton to the contact, and type in the (single) password to decrypt. The software could figure out which account was being accessed, and use the appropriate key. I think the software bits here wouldn't be too hard (I only see software on iButton's site for Windoze machines, is this being remedied?). Of course, this would require an iButton contact on any client machine that you access from; or it would require you to carry the contact thingy around and plug it into a serial port (pain in the ass).

    I've often wondered how well this would work in an environment with lots of people. Could you reasonably expect people to hold onto an iButton or a CD? Maybe the iButton, if it attached to their keys? Is this too Draconian?

    Thoughts?

    -c

  • It's also a great way to practice certain passages. Your computer won't let you hit wrong notes!
    However, I noticed that most systems won't let you have passwords that are as long as Flight of the Bumblebee.
    I tried a different technique, only to discover that drumsticks can really mess up a keyboard after long-term use.
  • I actually have two schemes. The first is just to come up with a password that forms some sort of shape... then I just type the shape. (Yes, yes a lot of people do this). Although I find that this is most useful for telephone based passwords, it's easier to type shapes when pecking IMHO.

    Anyways, the other scheme that I use is that I come up with a fixed 4 character string of random symbols and numbers (like 1!.] or something like that) and then for each of my accounts I assign a four letter word (pick your favorite!). Then for the password I reverse the word and interleave it with the random string, so if you picked the word "this" for a particular account the password would be '1s!i.h]t'. So I remember one random string and then I just have a bunch of four letter words to associate with each account.

  • I usually think of a simple to remember password, and mess with it a bit (bu11Y4u, whatever), or come up with something more random if the account is important, then scramble it by typing it in dvorak on a qwerty keyboard, then doing the translation...

    ie (bu11Y4u = nf11T4f, etc.)

    it becomes fairly unreadable, but I suppose if you had a dictionary cracker that did dvorak conversion, it would be easier to crack, but hey, that's what backups are for...
  • Back when I was heavily into BBSing, I somehow remembered every phone number and password for each system in my head. To this day I still don't know how I managed it. As for coming up with passwords? No definite method.
  • Somebody else obviously got to his account before you. He doesn't have the new password either.

    heh
  • by alhaz ( 11039 ) on Saturday November 13, 1999 @07:10AM (#1536693)
    When I'm putting a password on something I'm not going to use every day, or at least not often enough that I'll remember it, I generally use CD catalog numbers.

    You know, the string of numbers and letters on the label. This has saved my butt many, many times.

    I may forget the exact string of letters, numbers, and non-alpha-numerics. But I always, always remember which CD.

    If I'm home, I can pull it off the shelf. That's easy enough. But here's the cool part.

    If you're away from home, any record store can look it up for you. This has saved me from having to hack into my own systems many times. And when you call a record store at 11:00 in the morning and say "I have a strange request", the lone person managing an empty store in off business hours is generally eager to help, too.

    I don't care if they know the password - they don't know who I am or what I'm unlocking.

    Sure, you could come to my house and take down a list of my entire cd collection, but it would take you a while. I have a lot of music, and I also mix upper and lower case on the letters.

    Of course, if you have a small music collection, or predictable tastes, maybe it's not such a good idea. Personally, 70% of my cds were special-order.

  • In the previous password poll on slashdot I revealed that I 'leet my passwords (password -> p4ssw0rd). This is hard to crack and easy to remember. The only thing left now, is to associate all the many passwords with the accounts they belong to. Unfortunately I do this by simply making passwords from services they are associated with (e.g., randomportal.com -> r4nd0mp0rt4l). I guess that's a weak link in my scheme...although the only way to break it would be to actually know my scheme...which I guess I've just given to every slashdotter :\
  • This is the best one I've found so far..

    When creating a password, I take the first word(s) that pops into my head, and then spoonerize it..
    (for those of you who have forgotten third grade English, a spoonerism is a play on words, where syllables are swapped.. for example "start the car" would become "cart the star." "slashdot" could become "dlatsosh", "datslosh")

    Then, all I have to do is remember what I was thinking of when I created the account (pretty simple - if it's non-critical, I just use the name of the site.)

    Oh, for those of you who think I just told you my slashdot password, this is the place I didn't do this :o)
  • One good source for PalmOS software is PalmGear HQ [palmgear.com].

    --

  • For pilot software, I go to Palm Gear HQ [palmgear.com]. Here are the links for the software I mentioned: I'm pretty sure that the SecureMemo is by CertiCom [certicom.com].
  • A program can prevent itself from being swapped out; gpg does this.
    In the free list? I assume it's never written to disk unencrypted.
  • I have this 14-letter (yes, it was originally for NT) password which is entirely random, including the amount of punctuation stuffed into it.

    Now, this isn't the case anymore, but when I finally burned the piece of paper it was written on, I had the exact keystrokes tucked away somewhere in my head, but the actual password itself wasn't there. I could think "type the password" and quickly spin it off but I could not remember the password.

    I've had to tell a few other people, and I always had to type it out into Notepad just to remember it, but I have it completely memorized now (along with 6 or 7 other 8-letter passwords).
  • My strategy is similar, though I only have two zones - accounts I care about, and accounts I don't. I have a set of 3 or 4 pronounceable-linenoise passwords I cycle through periodically (so far I've yet to have any problem with this); lately every time I cycle back to one, I change one character from a letter to a h4x0r-sp33k letter, though I keep that to letters which have a tactile mapping (e to 3, o to 0) since that also coincidentally makes it so that on my Datahand I just push down the numbershift key.

    Personally, I don't see the need to change them very often. I don't let people see them while I'm typing them (touchtyping has many advantages :) and I usually ssh to other systems. The only ones I don't ssh to are the ones I don't care about anyway (such as slashdot and the various MUCKs I'm on), and for those I just use a common word.
    ---
    "'Is not a quine' is not a quine" is a quine.

  • As far as memorization tricks are concerned, I find that straight memorization of the characters is foolish. It is much easier to remember a phrase and what you did to it. Here's a good example:

    first: take a phrase, say:
    "I love Meg"
    This is one that I can fondly remember.

    second: mispell things:
    "ey lav Meg"

    third: truncate, abbreviate and shorten: "eylavm"

    fourth: mess with the caps and characters: "eyLaVM"

    There, you have a rather strong password, and all you need to remember is that you love Meg (which I do, I stopped using the password because I had to tell her what I'd done... ;).

    Anyway, it is a pretty simple hash, and you can use phrases as long as you like, anywhere from 2 words on up. All it needs to be is something you can remember.

    For those stupid numbers (social security, bank accounts, etc), I have a little business card in my wallet which I write them on. Now, the first nine characters of every number is formatted to look like an ssn, and then when I have shorter numbers to remember, I tack them onto the end, so they don't really follow any format a person could recognize. I can pick out which numbers are what, but that's because I know where I wrote them.

    I hope that helps, but I also know that I have a pretty impressive long term memory, so what seems simple to me...

    Jeff

  • I change my major account passwds weekly; one week I needed to know the seven wonders of the world, so for the first week I used

    gwcgptoz3wow
    (Great Wall of China, Great Pyramid, Temple Of Zeus, 3 Wonders Of the World)

    then I had to know a torsion formula for engineering:

    theta_PLoverAE (theta = PL/AE)

    onward to a new friend I met and whose birthday I needed to remember:

    erica16june79

    That way, after logging into my account for a week, I know my password and a useful fact. When I realize that I no longer recite the mnemonic to myself each time I login, I know it's time to change over.

    --Jurph
  • Basically, I choose a phrase or common theme (like a musical group I like, etc) and then take the first letter or two of each word, then 37337-1z3 it. This can generate nice long passwords if you need them, for instance, my PGP key is encrypted with an 18 character long phrase based on a musical group, using such obscure things that it would be rather hard for someone to guess.

    Also, using pseudo-Perl code generates instant line noise passwords, and as long as you're up on your Perl, everything is easy to remember. For instance (this one is easy, but you get the idea):

    my=~s/$p4ss/@w0rd/g;

    It doesn't make sense, but that's ok.
  • Firstly keep the number to a minimum - for minimum password length of 8 characters 8 passwords is about the maximum users can cope with using this system. Users are required to think of a quotation, poem, a passage from a play, etc. which they ALREADY remember. Security administrators produce a card for each 'work-group', one per user. The card has the letters of the alphabet printed in any order, even random, in one column or line and a random selection of keyboard characters in a parallel line or column. Cards are replaced at 6 month intervals with a new combination of characters. The user simply spells out the remembered 'key' to themselves, one letter at a time, with the card to hand, looks at the alphabetic column/line and selects the corresponding code character for entry. When the card is kept 'private' this method of remembering passwords is far more resistant to cryptographic techniques than the machine on which it is being used. The habit of some users sticking the card on their VDU/terminal - "in case I lose it" should be discouraged - this makes the system vulnerable to cryptographic techniques. Losing a card is no big deal anyway, as co-workers in the same 'group' have an identical card which may be borrowed to log in. Lost cards should of course initiate the replacement of all cards for the 'work-group'.
  • I do pretty much the same thing, I use a random character generator to kick out a few passwords, pick the hardest one for stuff that matters.. Boxes only I have root on, etc. Then I use the next hardest one for boxes someone may need root on at some point, then I use the next for personal accounts I care about, then I use the name of the week with a number or two thrown in for sites I could care less about. Once every couple of months I kick out some new passwords and change them all and voila. I have also figured out with the random garbage my passwords are, if someone needs root and I give it to them, they don't remember it the next day and have to ask again.
  • Of course, it defeats the entire purpose of the system for you to tell us this, because now anyone who finds one of your passwords can figure out the rest, making changing your password pointless.

    YES!!! Good point. Let The Cracking Begin!!! This /. neanderthal will pay for his security breach! The foolish mortal was smart enough to hide his email from his /. preferences, but I did a lookup for "Coward,Anonymous" on a few email search engines, and LOOK WHAT I FOUND!!

    E-mail Results 1 - 3 of 3

    1) coward, anonymous
    My E-mail Address is PRIVATE

    2) coward, anonymous
    My E-mail Address is PRIVATE

    3) Coward, Anonymous
    guest@Radio.CZ


    We have found him!! He will pay for leaving himself so wide open. Let this be a lesson to all that would follow.
  • All my passwords are typable with one hand (not pecking mind you) and flow from the hand with as little awkward movements as possible. It works.

    All my passwords used to be based on either the word reverberated or stewardesses. "reverberated" definitely flows better, so I'd make passwords something like "Reverbberatedd".

    'Course, then I switched to Dvorak, so now everything flows better. :)
  • not unless the cracker coded it that way...I'm sure you could come up with a crack ruleset for keys that are near each other, but it would be a pain.

    Mmmmm. Dvorak.


    Security through obscurity.
  • If you can touch type, make some variations. I used to use asdfasf. REALLY easy to remember, and friends who think they're cute can try to break your password by watching, but no one counts the *******.
  • Also, if I ever lose an arm I'm locked out of all my accounts...

    I usually use the front of my cranium to bash passwords into the keyboard. I figure, if I lose the front of my brain, I can do without being able to login to /.
  • CryptInfo may be a great bit of software, but what use is that if you can't trust it since the code isn't open?

    This isn't to impugn its author in any way: the software could have been compromised without his knowledge, or else his family might be held under risk of murder unless he distributes a non-obvious backdoor.

    Cryptographic software has to be open-sourced, full stop. No exception.

    Strip is GPL'd, so even if it were god-awful (which it isn't), at least one can trust it.
  • does anyone know of a UNIX command line filter that can convert plaintext to 3l337 text? There are some cool things one could do with that.

    Actually, what I would really like is a proxy server that "Eleetizes" all communication going through it, while keeping links and such intact. That could be fun.

    I could easily write the former myself if it does not exist, but I don't know how to write a proxy server...

    --
    grappler
  • if the system allows an unlimited number of authentication requests to be made without imposing a delay between requests, or if you have the hashed/encrypted string to match against, then yes.

    --Siva

    Keyboard not found.
  • Just make it a cgi script that takes an url as a parameter, as in:

    http://yourbox.com/cgi-bin/make-leet.pl?target=http://slashdot.org

    or something similar. Just have the script grab the page in question, leet'ize it, and print it back out. Not too hard. A while back I wrote something like that to remove relocate urls from places like excite.
