Slashdot Mirror


How do you Remember Your Passwords?

Aaron asks: "Like most people reading this, I have more than a few computer accounts. Password maintenance (e.g., changing them regularly, thinking of ones that are hard to crack but possible to recall, remembering what this week's password is on account foo) is nontrivial. What strategies for managing passwords do you have?" Mnemonics and password schemes are tricks a few people use, but I'm sure some of you out there have better ways. Would any of you care to share?

406 comments

  1. Piece of paper by McMac · · Score: 1

    Nutty though this may sound, a piece of paper is strangely immune to all forms of hacking. Just don't let anyone else see it.

    1. Re:Piece of paper by Pope · · Score: 1

      Yeah, I basically write them down in my sketchbook.
      And I keep a backup in the "Notepad" DA on the Mac.
      Nobody goes near my machine, so I don't worry. It's at home. :)

      Pope

      --
      It doesn't mean much now, it's built for the future.
    2. Re:Piece of paper by Anonymous Coward · · Score: 1
      s'easy...

      type out a six-character string followed by a dash and then a real word... i.e.: a8fd9)-jim...


      when you need to change it, make your next password 'one-up, one-down' followed by the same word... i.e.: b7ee8(-jim... makes it so easy to remember even if you change your passwords once a week... it also makes it easy to backtrack through various passwords... been using this method for six years....

    3. Re:Piece of paper by ToastyKen · · Score: 1

      Of course, it defeats the entire purpose of the system for you to tell us this, because now anyone who finds one of your passwords can figure out the rest, making changing your password pointless.

    4. Re:Piece of paper by Anonymous Coward · · Score: 0

      I like to generate a password based on some object which has writing on it (such as the second letter in each word on the warranty of my stereos, shifted up by 8 letters, with wraparound, maybe with some capitalization or number->letter scheme). Given the tremendous number of possibilities that can be generated by doing this, then deliberately breaking the pattern somewhere, etc., it's virtually a random password, but can be easily hundreds of characters if you so wish.

      - Rei

    5. Re:Piece of paper by SamIIs · · Score: 2

      Of course, it defeats the entire purpose of the system for you to tell us this, because now anyone who finds one of your passwords can figure out the rest, making changing your password pointless.

      YES!!! Good point. Let The Cracking Begin!!! This /. neanderthal will pay for his security breach! The foolish mortal was smart enough to hide his email from his /. preferences, but I did a lookup for "Coward,Anonymous" on a few email search engines, and LOOK WHAT I FOUND!!

      E-mail Results 1 - 3 of 3

      1) coward, anonymous
      My E-mail Address is PRIVATE

      2) coward, anonymous
      My E-mail Address is PRIVATE

      3) Coward, Anonymous
      guest@Radio.CZ


      We have found him!! He will pay for leaving himself so wide open. Let this be a lesson to all that would follow.

    6. Re:Piece of paper by InsomniacsDream · · Score: 1

      Come on, give him/her a break. I hope nobody seriously tries to "pay him back for leaving himself so wide open". This is childish and beneath any respectable hacker, as this would not pose much of a challenge anyway; kind of like Mike Tyson and Pee Wee Herman duking it out (god wouldn't that be a beautiful sight though). I admire the principled hacker, the one who hacks for a higher purpose, over the 'just because I can do it' hacker. Not that the latter isn't still a little fun at times.

      With that said, this does raise a good point. I ain't handing my password strategy over to a bunch of foaming-at-the-mouth script kiddies. Not that I wouldn't enjoy crushing anyone who tried messing with my account (note the .gov extension). We've dealt with all kinds of break-in attempts before, and they've all had a happy ending for us. We had problems with packet sniffers a few years back.

      Now all of NASA exclusively uses ssh. This is very secure because it uses RSA authentication instead of just passwords. All (most) other ports are closed except for ssh, and you can't get access without the private key from each authorized machine. This makes it more like authorized machines instead of authorized users. I Like it a Lot (spoken with a Jim Carrey accent)!

      I mostly keep them all written down on a piece of paper that I guard with my life. I never keep an electronic record.

  2. Palm Pilot by Matts · · Score: 2

    Keep all mine in scribble.

    --

    Matt. Want XML + Apache + Stylesheets? Get AxKit.
    1. Re:Palm Pilot by Haven · · Score: 2

      I just go into my /etc/passwd file in Linux and write down what the encrypted form of 'HemostheHamster' is. That's my password.

    2. Re:Palm Pilot by David+Ishee · · Score: 1

      I use Strip (Secure Tool for Remembering Important Passwords)

      Here is the link

      It is a GPL program, and uses 96 or 128 bit block encryption of all databases (Uses the 3-way or Idea algorithms respectively).

      --
      Your password has expired, please login to change it.
    3. Re:Palm Pilot by Listerine · · Score: 1

      All my passwords are typable with one hand (not pecking mind you) and flow from the hand with as few awkward movements as possible. It works.

    4. Re:Palm Pilot by HeTTaR · · Score: 1

      Yeah and the generate random password saves me all the effort of having to think of one =) hmmm I love my pilot.
      HeTTaR
      M&D Eaton
      http://www.uq.net.au/~zzmeaton
      hettar@uq.net.au

      --
      Hettar.
    5. Re:Palm Pilot by Gooner · · Score: 1

      Thanks for the link to Strip. I also use Password Safe from Counterpane (www.counterpane.com) for my desktop system. It uses the Blowfish algorithm and you can have multiple databases for home and work etc.

      cheers

    6. Re:Palm Pilot by SamIIs · · Score: 2

      All my passwords are typable with one hand (not pecking mind you) and flow from the hand with as few awkward movements as possible. It works.

      All my passwords used to be based on either the word reverberated or stewardesses. "reverberated" definitely flows better, so I'd make passwords something like "Reverbberatedd".

      'Course, then I switched to Dvorak, so now everything flows better. :)

  3. Memorization through use. by BradyB · · Score: 1

    Write them down for the first week. Use the new passwords frequently, even if you don't have to use those accounts often; try to use them often for about a week. After that, if you are any good at a number-letter password combo, they should be ingrained until the next time. It has always worked for me. Oh, and don't forget to flush the passwords once you're done. Hate to see someone dumpster diving and finding a password or two.

    --

    Good is never enough, when you dream of being great!
    1. Re:Memorization through use. by Rob+Kaper · · Score: 2
      I must agree that using passwords is simply the best way to remember them. Using a password is almost a habit. The positioning of the fingers, the order of the keystrokes... how often did you type your old password out of habit when you knew very well you changed it recently?

      But there is more you can do than using them a lot. Make passwords that make sense. This doesn't necessarily make them insecure, but easier to remember. For example: no one would guess w3/.org is the password for Rob's server. But it's darn easy to remember.

      All my passwords have some sort of connection to my life, servers, what's running on them, etc. etc. But be careful not to make them too easy. My password is most definitely not my girlfriend's name.

      Also, use your old passwords (that you are familiar with) for all those stupid Web-accounts. Who cares! Of course make exceptions when you start ordering stuff, especially with one-click-buying.

    2. Re:Memorization through use. by Anonymous Coward · · Score: 1

      It never ceases to amaze me that most people need special techniques to memorize passwords.

      Whenever I change my passwords, I just do a few spurious extra logins for about an hour or two after I change one. After that, I'm set.

      I suppose that if I used dictionary words or names like most people seem to prefer, then I'd have to have some special technique to memorize that they're passwords; I find it hard to cross-link strings like that. My usual base for passwords - punctuation, numbers, control characters - generate unique strings and thus are easy to memorize.

    3. Re:Memorization through use. by TDR-X · · Score: 1

      My personal technique is called "mash blindly like a drunk on your keyboard, then write out the mess about 10 to 15 times and you've got it memorized."

      Today's Password is: p5Q28#%^uhqqb&@

    4. Re:Memorization through use. by Abigail-II · · Score: 1
      Whenever I change my passwords, I just do a few spurious extra logins for about an hour or two after I change one. After that, I'm set

      Does that work if you have 40 passwords to remember, some of them you haven't used for half a year?

      -- Abigail

    5. Re:Memorization through use. by Alan+Shutko · · Score: 1

      The problem isn't remembering passwords you use on a regular basis. The problem is remembering the string of random characters for the account you haven't used in two months.

    6. Re:Memorization through use. by jaapD · · Score: 1

      The problem is remembering the string of random characters for the account you haven't used in two months.
      I use The Public DNS as dns server for my domain. For 6 months there was no need to change anything. Now I have to change my IP address. And I can't remember my password. Some Linux or dns term, phonetic spelling in dutch with maybe a number. I tried over 60 passwords, haven't got it yet.
      The Public DNS has a password reset service but they haven't reset a password for over a year. The service is free so I can't complain too hard.

    7. Re:Memorization through use. by Omicron · · Score: 1

      I capture all of my keystrokes...that way when I pass out face down on my keyboard at 6 in the morning after a 12 hour coding binge, i just take the first 8 or so characters that aren't repetitive after my head has hit the keyboard. It works pretty good :)

    8. Re:Memorization through use. by elflord · · Score: 1

      I tend to start by logging in and out about 10 times. That usually "burns it in" to my fingers. No paper required.

    9. Re:Memorization through use. by chuck · · Score: 1

      It is a good point that one tends to memorize things through use. That's why I start with one single password. I'll call it my Mega HardCore Secure Password(Tm). The Mega HardCore Secure Password is used on my personal accounts, the ones where I store my mail and files, for about six months each. I will only use the MHCSP on local connections, or SSH, to keep it from being compromised. When the MHCSP expires, I come up with a new MHCSP. The old MHCSP becomes my Semi-Secure Pretty Important Password(Tm). Because it is my old MHCSP, the SSPIP is easy to remember. (And because I use the _new_ MHCSP every day, I remember that as well.) I use the SSPIP on commerce sites, and places where I can check my credit card balances, & stuff. These are things that I want secure, but I expect that security is weaker on the other end anyway, so it doesn't matter as much. But in transit it uses SSL, so we're safe from sniffers. When the SSPIP expires, it becomes my Common Remote Access Password(Tm). The CRAP password is used on numerous free email services, online gaming sites, and other things I don't give a CRAP(Tm) about. In fact, I almost expect this password to be discovered at some time, because it's sent around in plaintext, and sometimes I tell people what it is so they can access something. In reality, I have more than three levels, but this is the basic idea. But the key is, since I've used each password for about six months, I remember them all.

    10. Re:Memorization through use. by echo-e · · Score: 1

      i typically glance across my desk and pick out a few fragments of text and digits (usually off labels and barcodes) then change a couple of letters to hax0r numbers, write it down, use it a few times, then swallow or flush the paper.

      as was mentioned in this thread, after using the passwords a few times, they're easy to remember.

      -james

    11. Re:Memorization through use. by Anonymous Coward · · Score: 0

      It's so weird. One could think you all got top level clearance jobs @ the NSA. Would you relax already! Whoever wants to find your dirt, WILL find. If there's not enough, they'll CREATE it. So stop eating paper and move on to other foodgroups... /r.

  4. Patterns by Anonymous Coward · · Score: 1

    Copied this off my friend Ke6n:

    Use patterns from the home row keys. Squares, diagonals, horizontal and vertical lines, left to right, right to left, and each hand.

    They're generally non-dictionary letters, big, and easy to memorize, left-straight.

    But they require you to use roughly the same keyboard.

    -- Ender, Duke of URL

    1. Re:Patterns by donheff · · Score: 1

      Wouldn't some of the cracking programs have these strings coded in?

    2. Re:Patterns by Anonymous Coward · · Score: 0

      not unless the cracker coded it that way...I'm sure you could come up with a crack ruleset for keys that are near each other, but it would be a pain.

    3. Re:Patterns by kveldulv-- · · Score: 1

      I have 3-4 different passwords that I generally use for different things: irc bots/web sites, mail/ibill stats/dial up. For different accounts I'll just add something on the end or change a common value to something similar but unrelated; 'I' may change to '1' for (shitty) example. Browsers remembering passwords I find damn handy too, more to save typing than remembering.

    4. Re:Patterns by Zang · · Score: 1
      Yup, patterns are the way to go.
      Keep them varied but simple.

      Find the patterns...
      9i8u7y6t
      mju7nhy6
      5tgbvcxz
      qweasdzxc
      v4c3x2z1

      Take mju7nhy6 for example... Use this on one machine, but keep the pattern on another but shift it over 3 and you get vfr4cde3.

      Keep the patterns varied and for *really* secure patterns, don't use keys next to each other such as m97bc53z1v4m.

    5. Re:Patterns by Zang · · Score: 1
      Oh, and memorize many patterns.

      I used to use 7ujm6yhn all the time but people near me would notice me sliding my finger twice down the keyboard for the pass.

    6. Re:Patterns by SamIIs · · Score: 2

      not unless the cracker coded it that way...I'm sure you could come up with a crack ruleset for keys that are near each other, but it would be a pain.

      Mmmmm. Dvorak.


      Security through obscurity.

    7. Re:Patterns by SamIIs · · Score: 2

      If you can touch type, make some variations. I used to use asdfasf. REALLY easy to remember, and friends who think they're cute can try to break your password by watching, but no one counts the *******.
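Added example, not code posted by anyone in this thread and not taken from any cracking tool: donheff asks above whether cracking programs have these keyboard strings coded in, and the reply guesses that a "keys near each other" rule set would be a pain to write. The Python below is such a rule set, written here to test that claim against the patterns Zang posted. It models unshifted US QWERTY as a flat grid (an assumption; real keyboards are staggered), recognises a password as a straight "line" walk, a concatenation of up to three lines (mju7nhy6, 5tgbvcxz, qweasdzxc, vfr4cde3), or two lines interleaved (9i8u7y6t, v4c3x2z1), and counts how many 8-key strings the rule covers next to the 95^8 printable-ASCII space. The direction set (row moves, diagonals, and same-column jumps between any two rows) and the segment limits are choices of this example, not anything the posters specified.

```python
"""Keyboard-walk rule set for QWERTY 'pattern' passwords (added example)."""
from itertools import product

# Unshifted US QWERTY, treated as an unstaggered grid (assumption of this example).
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}
AT = {rc: ch for ch, rc in POS.items()}
# A "line" steps by one fixed (row delta, column delta): along a row, down a column,
# diagonally, or jumping straight between any two rows (covers 'v4', 'mju7', '9i').
DIRECTIONS = [(dr, dc) for dr in range(-3, 4) for dc in (-1, 0, 1) if (dr, dc) != (0, 0)]


def is_straight(seg):
    """True if every step of seg is the same allowed (dr, dc) on the grid."""
    if len(seg) < 2 or any(ch not in POS for ch in seg):
        return False
    steps = {(POS[b][0] - POS[a][0], POS[b][1] - POS[a][1]) for a, b in zip(seg, seg[1:])}
    return len(steps) == 1 and steps.pop() in DIRECTIONS


def straight_walks(length):
    """Generator side of the rule: every line of `length` keys on the layout."""
    walks = []
    for start, (r, c) in POS.items():
        for dr, dc in DIRECTIONS:
            keys = [AT.get((r + i * dr, c + i * dc)) for i in range(length)]
            if all(keys):
                walks.append("".join(keys))
    return walks


def as_segments(pw, max_segments=3, min_len=2):
    """Split pw into at most max_segments lines (longest cut first), or None."""
    if pw == "":
        return []
    if max_segments == 0:
        return None
    for cut in range(len(pw), min_len - 1, -1):
        if is_straight(pw[:cut]):
            rest = as_segments(pw[cut:], max_segments - 1, min_len)
            if rest is not None:
                return [pw[:cut]] + rest
    return None


def classify(pw):
    """Detector side: ('concat', lines), ('interleave', [a, b]) or None."""
    pw = pw.lower()                      # a shifted key is the same walk
    segs = as_segments(pw)
    if segs:
        return ("concat", segs)
    a, b = pw[0::2], pw[1::2]            # zigzags such as 9i8u7y6t are two lines interleaved
    if len(pw) >= 4 and is_straight(a) and is_straight(b):
        return ("interleave", [a, b])
    return None


def walk_keyspace(n, max_segments=3, min_len=2):
    """Number of n-key strings the rule set generates (concatenations plus interleaves)."""
    counts = {length: len(straight_walks(length)) for length in range(min_len, n + 1)}
    total = 0
    for k in range(1, max_segments + 1):
        for parts in product(range(min_len, n + 1), repeat=k):
            if sum(parts) == n:
                size = 1
                for p in parts:
                    size *= counts[p]
                total += size
    if n % 2 == 0:
        total += counts[n // 2] ** 2
    return total


if __name__ == "__main__":
    for pw in ["9i8u7y6t", "mju7nhy6", "5tgbvcxz", "qweasdzxc", "v4c3x2z1", "m97bc53z1v4m"]:
        print(f"{pw:14} {classify(pw)}")
    print(f"8-key walks covered by the rule: {walk_keyspace(8):,}  vs 95**8 = {95**8:,}")
```

classify() is the policy-side check (reject whatever it accepts); straight_walks() plus the concatenation is the cracker side. walk_keyspace(8) comes out well under 2^30 candidates against roughly 2^52 for eight random printable characters, so Zang's "shift the pattern over three" variants all fall inside the same rule, while his m97bc53z1v4m does not. Switching to Dvorak only changes the ROWS table.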

  5. probably unsafe, but by Conspire · · Score: 1

    i keep a delimited text file with all my personal passwords (several workstations and websites), servers, virtual server telnet accounts, and ftp accounts on it. the file is always PGP encrypted with max bit encryption available. what would i do if i forgot my password file password??????

    by the way, the file is on an magnetic-optical and called "judy.jpg" (just an example), not on my hd, just in case.

    --
    Real men don't need signitures!!!
    1. Re:probably unsafe, but by Juxtap0ser · · Score: 1

      Yes, I used to do the same thing, and then once DID forget the password file password. Tried to remember it for months, no (easy) way to Brute Force that 1024 bit PGP, unfortunately! That REALLY sucked.

      --
      From his paradise no one shall ever evict us. --David Hilbert, defending Cantor's set theory
  6. Car Registration numbers by Rob+the+Roadie · · Score: 1

    I personally prefer car reg numbers as they are hard to guess (random letters and numbers) but they mean something to me.

    I've driven loads of different cars and therefore I have lots to choose from. Rotate weekly - add an underscore or two - reverse them for extra effect.

    Still, the easiest one to remember is of course " ".

    1. Re:Car Registration numbers by supz · · Score: 1

      Still, the easiest one to remember is of course " ".

      reminds me of a funny experience i had. i had this zip file with god knows what in it, probably porno. i had zipped this file with a password on it so the feds (and my parents) couldn't tap into the top secret contents of it, but then a few weeks later when i wanted to open the file i couldn't for the life of me remember what the password was. so in a futile attempt to recover the password, i downloaded a brute force zip password cracker. i left it running for a couple of hours and when i got home from saving the world, it had found 0 passwords. discouraged and pissed off, at the blank password entry prompt i just hit enter, and BAM, there was the zip file extracted and decrypted. thank god no one else knew about how stupid i was, err oops.

      -

    2. Re:Car Registration numbers by Anonymous Coward · · Score: 0

      A few years back, I used a similar system. A frequently clueless jaywalker, I had a few close calls with cars nearly running me down. I memorized their license plate numbers and used them as passwords.

      I do not recommend this system. You shouldn't have to risk your life to generate a new password. System administration is not an extreme sport.

      Still, I had no trouble remembering those numbers. Sudden realization of mortality will do that.

    3. Re:Car Registration numbers by Anonymous Coward · · Score: 0

      Heh, reminds me: when I walked to school a month or two back I went past a couple of cars with regs like "Zip321", "ARC432", "LHA543". This is actually true. :-)

  7. That's the same combination as my luggage! by Anonymous Coward · · Score: 0

    For simple, non-life or death security, nothing beats a good 'qwerty' or '12345'.

    1. Re:That's the same combination as my luggage! by renegade187 · · Score: 1

      I think that he has a point truthfully...

      Anyone remember spaceballs?

      I tell you, qwerty or 12345 would not be the first ones i would try to break a password with. Maybe I'm just rambling but oh well...

      --
      icq:=22921393;
    2. Re:That's the same combination as my luggage! by Anonymous Coward · · Score: 0

      Just think, now I know not only your luggage combo, but also your computer passwords and your taste in movies :) Spaceballs... I like your taste...

    3. Re:That's the same combination as my luggage! by pfy · · Score: 1

      for non mission critical passwords i use "the" for mission critical, i use the serial number off the back of a floppy disk. of course I keep the disk and label it something to remind me that it is a password, but other than that it is the most secure way I can think of to generate new passwords.

      --
      del c:\micros~1\*.*
    4. Re:That's the same combination as my luggage! by The+Happy+Blues+Man · · Score: 1

      Heh... whenever my friends start up a Quake server that they don't want the rest of the LAN getting into, they set the password to 1234.

      Although if I remember, we told it to someone who we didn't want playing later, so we had to change it to 2345. :)

      The Happy Blues Man

      --

      The Happy Blues Man
      I accept on blind faith that Cincinatti exists.
  8. PGP by jojo80 · · Score: 1

    It might be an idea to create a text file with your accounts and the corresponding passwords and then encrypt everything with PGP. Thus you only need to remember one password.
    The problem is that if you forget this password your other passwords are lost too...

    1. Re:PGP by Rob+Kaper · · Score: 1
      There are webservices that keep your passwords for you, I think Microsoft launched one not so long ago. I keep _all_ my root passwords on their servers! ;-)

      Also, Mozilla will be able to remember them for you in your 'wallet', I don't know how it's encrypted locally but the wallet and your profile should be (and can be) password protected themselves. Internet Explorer also does this.

    2. Re:PGP by Noofus · · Score: 1

      Although I havent found it very useful yet, MacOS 9 has a keychain feature that essentially does what you said. I tried it once, thought it was cool then disabled it.

    3. Re:PGP by Anonymous Coward · · Score: 0

      Do you REALLY want MicroNSAoft to have your password? Course they prolly already have it through the back door .

  9. my trick... by acroyear · · Score: 1

    i take a line from a song or a movie and use the first letters... then i twist that around by capitalizing certain letters or sticking in a punctuation mark in between, just to add an air of randomness to it.

    --
    "But remember, most lynch mobs aren't this nice." (H.Simpson)
    -- Joe
    1. Re:my trick... by Anonymous Coward · · Score: 0

      I use the same thing, except that I'll replace some letters with numbers. "In space, no one can hear you scream." becomes "1s,nochy5.", I don't use that one anymore, so I can divulge it ... the only problem with this scheme is that some servers (web) don't like punctuation in passwords, so it starts to permute a little and you're back to remembering variations.

    2. Re:my trick... by Anonymous Coward · · Score: 0

      I use an anagram for recent events. For example, my last password was 18lass. On the 18th May, I had dinner with one of my friend's parents. the la is for Laura (her name) and ss is for Sarah Smith (my friend).

  10. That is one reason I have a PDA by kuperman · · Score: 3
    I use my PalmPilot to store many of my passwords. There are three apps that I know of that you can use:
    • Secret! - which is basically a password protected set of memo pages, but it also can do TAN and single use passwords.
    • SecureMemo - Similar to Secret! but each memo is encrypted separately. I was already using Secret! when some of these types of things came out.
    • Strip - My current favorite. This is a password protected application that is designed for managing password info. It is a database of records with Username, Password, and Description fields. It can generate a random password of a requested length, and you can use it to send an account to another user (great for a sysadmin when creating people's accounts). Only big negative I've seen is that the password length has a length limit, so storing ssh and pgp passphrases may not fit.
    All three of these store their data encrypted both on the pilot and on the backups. You could do something similar with a PGP or otherwise encrypted file on your computer, but I prefer the redundancy of having the data in two places. PalmPilot and backup machine (plus backups of the backup machine. :-)
    1. Re:That is one reason I have a PDA by Anonymous Coward · · Score: 0

      Another one is Passman. Passman works with a master password and some sort of encryption. Not completely safe probably, but way better than writing it down.

    2. Re:That is one reason I have a PDA by bladel · · Score: 1

      Absolutely! One memo for user/pass, one memo for ATM & CC PINs, another for bank account numbers, etc. Dead in the water without my Pilot.

      --


      Information wants to be Free. Useful Information will cost you.
    3. Re:That is one reason I have a PDA by Stinking+Pig · · Score: 1

      Strip is the best!!!

      I haven't run into the length limit-- then again, I keep my gpg passphrase fairly short since I need to type it pretty damn frequently.

      The best thing about Strip isn't the ability to keep my own accounts straight, though -- I use my own accounts and could probably remember them. The best thing is keeping the account info of all the relatives and ex-employers that I moonlight for.

      --
      "Nothing was broken, and it's been fixed." -- Jon Carroll
    4. Re:That is one reason I have a PDA by Zero_G · · Score: 1

      I just did an internet search and failed to come up with a link to Secret! SecureMemo or Strip. Where can I find them?????

    5. Re:That is one reason I have a PDA by david62 · · Score: 1

      You can download Strip from http://www.zetetic.net/

    6. Re:That is one reason I have a PDA by Phil+Gregory · · Score: 1

      Of those, my favorite is Strip. Not only does it have all the functionality I need and uses strong encryption to store the passwords, it's also GPLed.


      --Phil (Always looking for GPLed Pilot programs.)

      --
      355/113 -- Not the famous irrational number PI, but an incredible simulation!
    7. Re:That is one reason I have a PDA by DaEvOsH · · Score: 1

      People, try TopSecret, it uses a Tiny Encryption Algorithm, which uses a published encryption algorithm using 128 bytes keys. It seems pretty solid, has a very good conduit, Win app, and lets you keep as many memos as you want. Try it @:

      www.clicklite.com

    8. Re:That is one reason I have a PDA by Savage+Henry+Matisse · · Score: 1

      I totally agree. PDAs are a god-send to avid account-holders. If you-all like these apps, you'll love Cipher. It's a freeware implementation of 128-bit IDEA for the Palm OS. Encrypts Memos using the clipboard, so all backups are also encrypted. Very cool. I swear by this prog; Holger is now my second-favorite German (first is Hacker-Pschorr.) -"S"HM

      --
      Much Love,
      "S"HM
      *****
      (I refuse to spellcheck out of contempt for your belief system)
    9. Re:That is one reason I have a PDA by boots@work · · Score: 1

      I'm writing an application called GNU Keyring with the best features from all of these, and it's also GPL'd so that you can assure yourself of its security. You can find it at Freshmeat 942590261.

  11. A different password for every site... by ElvenKnight · · Score: 1

    ...and yet I remember each one. Why? Because
    when I forget.. the first thing I ask myself...

    "If I were to pick this password, which, surprise, I did... What would it be? Hrmm..." ....
    And I usually get it after a couple tries. :)


    -Matthew
    Technetos, Inc.

    1. Re:A different password for every site... by JM_the_Great · · Score: 1

      Hmm.......this means that your passwords are pretty easy to guess. They couldn't have been that obscure, or you wouldn't have remembered. This means that basically anybody could try to think like you and figure out your password.

      Then again - I might be wrong.


      That's my $(2^4*3+1/7%3*2/100)

      --

      --Justin Mitchell
      "2nd Place is a fancy word for losing" --Bender (Futurama)
    2. Re:A different password for every site... by ElvenKnight · · Score: 1

      And what makes you think anyone can think like me? 'Course.. I bet you knew I would say that... :)


      -Matthew
      Technetos, Inc.

  12. It's still better than "PASSWORD" by Voltage_Gate · · Score: 1

    I remember my password, RHF4345_enternow_123, by repeating it loudly and writing it everywhere. My clients can feel safe knowing their personal information is secure with me.

  13. My wife's first name by Per+Abrahamsen · · Score: 3

    I use my wife's first name for all my accounts. For those sites that do not accept "Amanda" as a password, I use the names of my kids ("Allan" and "Ann"), and also write the password down on a yellow label stuck to my monitor (together with the site/account name of course), as well as in a file named PASSWORDS in my home directory. Just in case the label falls off.

    This has worked well until now, I have never had to ask the admins to remind me what my password is.


    1. Re:My wife's first name by Anonymous Coward · · Score: 2

      ~> telnet dina.kvl.dk
      Trying 130.225.40.228...
      Connected to dina.kvl.dk.
      Escape character is '^]'.
      abra

      SunOS UNIX (elc1)

      login: abraham
      Password:
      Login incorrect
      login: abraham
      Password:
      Login incorrect
      login: abraham
      Password:
      Login incorrect
      login:
      telnet> quit
      Connection closed.

      Liar. :)

    2. Re:My wife's first name by Relforn · · Score: 2

      Somebody else obviously got to his account before you. He doesn't have the new password either.

      heh

    3. Re:My wife's first name by Anonymous Coward · · Score: 0

      It's amazing how many people use the first names of their nearest and dearest as passwords. When a few years ago I was having some fun with my local ISP I obtained about 100 out of 1000 users' passwords. About half of these were obtained by going through a baby names book. Myself, I use names of things important to me alongside numbers that are important to me. For example I might use 4555Dave if my name was Dave and my pin number for banks was 4555.

    4. Re:My wife's first name by Xerithane · · Score: 1

      Actually -- I do use schemes like this. I pick arbitrary friends that have a memory associated to the computer, scramble their name using alphanumerics, then I have a good password of @u_1nm0x.$ And it just looks like their name to me..
      -= Making the world a better place =-

      --
      Dacels Jewelers can't be trusted.
  14. One method I use by Stormbringer · · Score: 3

    Nothing says that easy to memorize has to mean easy to guess.

    Take a common household phrase..

    ash nazg gimbatul

    ..apply 31337 to it..

    @Sh N@5g G!Mb@tU1

    ..now table it...

    @ShN
    @5gG
    !Mb@
    tU1

    ..and unwind that.

    @@!tS5MUhgb1NG@

    ...that's something that can be memorized in source form as long as the 31337 rules are consistent and the table is near-orthogonal. It can be regenerated on a scrap of paper or, with a smudged-off-afterward marker, on a countertop.

    1. Re:One method I use by Anonymous Coward · · Score: 0

      Yeah, 31337 is the way to go.. I was amazed, and to this day, the only shred of respect I had for the NT admins at my old place was that they used it for generating passwords.. Okay, that's not ubercool, but these guys were really lame... so it's a bright spot for them.

    2. Re:One method I use by Anonymous Coward · · Score: 0

      For a bank card 4-digit pass number, I convert it to hexadecimal and put it on a slip of paper at home in a known place.

    3. Re:One method I use by dpreformer · · Score: 1

      I tend to use something similar. Take a song whose lyrics you remember:

      "The long and winding road, that leads to your door"

      Use first and/or last letters of the words (or alternate them), and make the easy to remember substitutions (to -> 2, and -> & etc) and leave in punctuation. The Beatles lyric fragment becomes:

      Tl&wr,tl2yd

      Any memorable line from a movie, song, comedy sketch, etc can work. Not easy for dictionary attacks to crack, easy to remember.

    4. Re:One method I use by orion99 · · Score: 1
      This method doesn't seem too secure to me. As long as there is little randomness in the process, the end result is not secure, being susceptible to a brute force attack.

      Let's see, you started with a common household phrase, which, depending on the length, doesn't contain too much randomness. You applied the eleet rule, which also is almost deterministic, and finalized with a deterministic permutation, the write-rows-read-columns. Knowing this whole procedure, it's just a matter of trying the most common phrases, applying this procedure before. Of course, if the attacker doesn't know the procedure, this is one source of randomness, but now that you've published it that randomness is gone.

      As for my approach, I find it easier to let my brain learn the positions and sequence of the keys than to try to memorize the letter and hunt it down every time. I generate a random password using spwgen (available under Debian) and then type it several times, trying to concentrate on the movement of the fingers, instead of the specific keys. So for example for the password 7$t-87c+ I try to concentrate on the fact that I use my right hand twice (with the left hand pressing the shift for the second key), and then my left followed again by the right 3 times etc. Of course this will depend on your own typing skills, but since for me it doesn't change that often, it makes for an easier to remember password.

      I find I can remember quite a few of these passwords (even those I have not used for a while) and it makes learning new ones quite painless. Of course, I'd advise you to write them down for the first few days, keeping them in a safe place (like pasted on your monitor;-). My favorite method of generating random passwords is, well, generating random passwords. I use a program called spwgen (available under Debian) to spit out a few passwords, and then I type one at a time to find one that is too awkward to type. I then just type it several times to memorize the sequence of keys. I find I more readily remember the password if I let the brain remember the

  15. qwerty on dvorak by dattaway · · Score: 2

    I type some number enriched ascii jumbled text from something I have laying on the desk that can be remembered and type it in qwerty on a dvorak keyboard. I can type my password out, but if you ask me what it is, I wouldn't know unless I actually typed it. It's like a secret decoder ring...

  16. I'll never forget by Mr.+Offtopic · · Score: 1


    My password is "password".

    I use this on a couple of machines (198.137.240.91 and 198.137.240.92), and it seems to work pretty well.

    BTW, I haven't told you my login name ;)


    1. Re:I'll never forget by Anonymous Coward · · Score: 0

      I wouldn't mess with these machines... do an nslookup on 'em ;-)

    2. Re:I'll never forget by JelERol · · Score: 1

      'Password' as a password, isn't that one of the big 5? I would put a random number on the end of it like 'password32'. That would make it a mite more secure. Notice the word mite.

  17. Patterns by Anonymous Coward · · Score: 0

    I think patterns are the best, as long as you are always using the same style of keyboards. They are quick to execute and hard for people behind you to see. One thing I would recommend though is while typing in patterns, hold down shift, and use numbers. From my experience with l0pht crack, you have a much better chance once you are out of the alpha-numeric region.

    For the longest time I had 10 memorized passwords that I would use at random when I created an account, and that way it would only take me 10 tries.

    Anonymous Coward
    --
    A fortune 500 company's (Computer Distributor/Integrator, who love NT) SAM was cracked in a period of 48 hours, on a PII400 with 128M, the main reason, simple alpha-numeric passwords. The VP password hadn't been changed for 800+ days, it was 'sparrow'

  18. Tattoos by MattXVI · · Score: 1

    Tattoos on my forearm.

    --
    When I'm singing a ballad and a pair of underwear lands on my head, I hate that. It really kills the mood.
    -Tom Jones
  19. A Password That Will Never Be Forgotten by meni · · Score: 1

    The one from the movie SpaceBalls:
    12345

    1. Re:A Password That Will Never Be Forgotten by finkployd · · Score: 1

      That's incredible, I have the same combination on my luggage!

      Finkployd

  20. I don't. by Anonymous Coward · · Score: 0

    Why do you think there are so many AC's on here!?

  21. My strange passwd methodology by voudras · · Score: 1

    As ya can tell I'm a terrible speller.. actually it comes to my advantage in a small way when it comes to passwords. 95% of the time I misspell words the same way. A misspelled password evades dictionary checks. On top of that I tend to use the same character replacements (! instead of i, 0 instead of o, etc etc). So I usually end up picking a word that reminds me of the login and bang - I remember the password (95% of the time heheh)

  22. Humans Are Visual Creatures by Dave500 · · Score: 3

    One of the things I have noticed is that humans as a whole tend to remember pictures and symbols far more easily than alphanumeric information. (Simple fact - we have evolved that way).
    As one of the system administrators for a medium sized ISP, we are faced with the problem of regularly rotating certain account passwords (I think you can guess which ones ;-) ). After several years it became hard to achieve unique ones that everybody involved could easily remember. Hence our switch to visual methods.
    Simple Example:-

    Imagine a large smiley face situated on your keyboard (as in certain keys were colored differently to make up the face)

    Nasty ASCII Art Bit:-

    1234567890-=
    qwertyuiop[]
    asdfghjkl;'#
    zxcvbnm,./
    Normal Keyboard layout

    1234*6*890-=
    qwertyuiop[]
    as*f*h*kl;'
    \zxc**nm,./
    Stars show keys used to draw smiley face

    Ok, so I have made a pretty lame job of that, but notice that I have used 5 & 7 to make up the eyes, g for the nose and dvbj for the mouth. That gives us a password of 57gdvbj. Once we have that, we can add features to make it more secure, a Capital G for the nose for example, or using punctuation % and & to give the face "eyebrows".
    Personally I find this method a useful way of coming up with passwords that are only susceptible to brute force attacks, whilst maintaining a visual link so that our primate brains can have a stab at remembering them. Other pictures that can be used are symbols, flags, large letters, the list is pretty long.

    Good Idea/Bad Idea?

    Dave.

    1. Re:Humans Are Visual Creatures by Anonymous Coward · · Score: 0

      The face looks like something out of a Dali painting on my split keyboard.

    2. Re:Humans Are Visual Creatures by Anonymous Coward · · Score: 0

      You obviously never have to switch between keyboard layouts... Imagine switching from US to French with this system!

  23. specialized memory? by Siva · · Score: 2

    i've found that my memory is just more tuned to remembering numbers, mathematical formulas, and strings of characters in general than other things like events, people, and conversations. it seems like once i've used a password (or ip address, account number, etc) a few times, i will continue to remember it, as long as i recall it every so often.

    i used to be a network admin at an isp. we had one master sheet of paper with all the passwords for servers and NAS's (totalling around 25) that we would keep locked in a safe. i would only have to pull it out when i wanted to get on a box that i hadn't used more than once or twice. i guess my memory is just better at storing arbitrary strings up to around 10 characters.

    what's annoying is that usually i can remember whether i've heard a person's name before but i have a very hard time associating their face with the name. i also have a difficult time remembering all the things i'm supposed to do during my day. my fiancée on the other hand can remember conversations from years ago word for word but has to check with me when someone asks for our zip code. i wonder if there's some sort of male/female thing going on...

    anyway, one way to make passwords easier is to take a random 4-6 letter word and to convert it to "l33t-speak", and then optionally tack on a random number or non-alphanumeric or two. for example, take the word "fault", change it to "F@u|t", and add a 0 to get "0F@u|t". granted it may not be perfect, but it may be easier to remember than random characters and a bit more secure than just dictionary words. another trick we used at the isp was to make them loosely based on vulgarities--after a while it was almost a contest to see who could think of the best (or worst depending on your perspective).

    still another alternative can be found on freshmeat. there is at least one program out there that will keep a list of passwords for you. i think they're stored encrypted, and you only have to remember the one password to open the list.
    "gpasman" and "kpasman" are two examples...

    --Siva

    --

    Keyboard not found.
    Press F1 to continue.
    1. Re:specialized memory? by Cato · · Score: 1

      One problem with *pasman type programs is that the unencrypted data may be left behind in the swap file, or even in the filesystem's free list. I'm not sure how well Linux deals with this sort of thing, but in any case it's better than writing them down somewhere accessible.

      One advantage of the Pilot is that it has no swap space and is a bit harder to hack than a Linux box, so that's what I use.

    2. Re:specialized memory? by QuMa · · Score: 2

      A program can prevent itself from being swapped out, gpg does this.
      In the free list? I assume it's never written to disk unencrypted.

    3. Re:specialized memory? by Largos · · Score: 1

      I have the same mom. situation.. it drives my roommate mad, need an ip/phone #/hex string? I can help 98% of the time. but I can't get in my car without returning 5-6 times to get forgotten items before I can go anywhere.


      Largos
      ICQ: 4e8343

    4. Re:specialized memory? by ShoeHead · · Score: 1

      Any schoolkid can tell you why you remember hearing someone's name easier than a name-face relationship. It's the same reason why matching questions are easier than fill-in-blanks.

    5. Re:specialized memory? by Anonymous Coward · · Score: 0

      6 characters is easily brute forceable.

  24. I use the shifting method by Hermelin · · Score: 1

    Example: You take the word slashdot, and move your hand over one space and type slashdot. It's hard to do in the beginning, but it gets easier.

    d;sdjfpy would be the password, except I switch the symbols to something on the top row. It looks like randomness when it really isn't.

    Of course, for access I actually care about, I use something completely different, which is just random numbers and symbols mixed with 3 letter words.

    Managing them is easy, since I have basically 10 main passwords for web sites. If I feel like it I rotate them around, and then just try to remember which had which. But I'm not randomly guessing my password anymore.

    --
    "I disapprove of what you say, but I will defend to the death your right to say it" - F. Voltaire.
    1. Re:I use the shifting method by Keeper · · Score: 1

      Strangely, it is much more difficult to shift your hand up or down a line... for some reason I still type the right letters :)

  25. Passwords are a pain by Toth · · Score: 2

    For admin level passwords I first create a "random" alphanumeric password and then create a mnemonic phrase using a method I got from one of those "How to improve your memory" books I read long ago. To remember numbers you can use sounds.
    1 T or D sound.
    2 N
    3 M
    4 R
    5 L
    6 Soft G or ch
    7 Hard G or K
    8 F
    9 P or B
    0 S

    It took a while to get comfortable with it but it was long ago and the pain is forgotten. The mnemonic for my (now closed) bank account from 15 years ago is "mouse cheese malls" which translates to 3060350. Double letters which make a single sound count as a single number. For letters, I use words. There doesn't seem to be a problem remembering which words are for numbers and which are for letters.

    When I have to assign medium level passwords to others, I give them a phrase and they use the first letter of each word sometimes followed by a number. i.e. Why did the chicken cross the road...wdtcctr22.
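A worked example, added here by the editor and not code from Toth's comment or from anyone else in this thread: a decoder for the consonant-to-digit table above, so that a candidate mnemonic phrase can be checked against the number it is meant to encode. Toth's post lists only the sounds in the table; the handling of j, sh, v, z and x and the soft/hard rule for c and g follow the usual "major system" reading and are assumptions of this example.

```python
# Added example: decoder for the sound-to-digit mnemonic Toth describes.
# Toth's table: 1 T/D, 2 N, 3 M, 4 R, 5 L, 6 soft G/ch, 7 hard G/K,
# 8 F, 9 P/B, 0 S.  Vowels, w, h and y carry no digit; a doubled letter
# that makes one sound ("malls") counts once.
# The entries for j, sh, v, z and x, and the "soft before e/i/y" rule for
# c and g, are the standard major-system reading and an assumption here.

DIGRAPHS = {"ch": "6", "sh": "6", "th": "1", "ph": "8", "ck": "7"}

SINGLE = {
    "t": "1", "d": "1", "n": "2", "m": "3", "r": "4", "l": "5",
    "j": "6", "k": "7", "q": "7", "f": "8", "v": "8",
    "p": "9", "b": "9", "s": "0", "z": "0",
}

SOFTENERS = set("eiy")     # c and g are "soft" when followed by one of these


def decode(phrase):
    """Translate a mnemonic phrase into the digits its consonant sounds spell."""
    text = "".join(c for c in phrase.lower() if c.isalpha() or c == " ")
    digits = []
    prev = ""
    i = 0
    while i < len(text):
        ch = text[i]
        nxt = text[i + 1] if i + 1 < len(text) else ""
        pair = ch + nxt
        if pair in DIGRAPHS:          # two letters, one sound
            digits.append(DIGRAPHS[pair])
            prev = pair
            i += 2
            continue
        if ch == prev and ch.isalpha():   # doubled letter: one sound, one digit
            i += 1
            continue
        if ch == "g":
            digits.append("6" if nxt in SOFTENERS else "7")
        elif ch == "c":
            digits.append("0" if nxt in SOFTENERS else "7")
        elif ch == "x":
            digits.append("70")       # pronounced "ks"
        elif ch in SINGLE:
            digits.append(SINGLE[ch])
        # vowels, w, h, y and spaces fall through and add nothing
        prev = ch
        i += 1
    return "".join(digits)


def encodes(phrase, number):
    """True if `phrase` is a valid mnemonic for the digit string `number`."""
    return decode(phrase) == number


if __name__ == "__main__":
    print(decode("mouse cheese malls"))          # Toth's bank account example
    print(encodes("mouse cheese malls", "3060350"))
```

The check only goes one way (phrase to digits); building phrases for a given number still needs a word list and a human to pick something memorable. Note too that a digit string remembered this way is no stronger than the digits themselves: the mnemonic makes it recallable, it does not add randomness.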

    1. Re:Passwords are a pain by Skeezix · · Score: 1
      Yes, this is an excellent method for memorizing numbers. If there is enough interest, I may write a piece on memorization. It is an art that I have studied for some time now. This technique and many others can be used to improve your memory very effectively. There are no bad memories, just untrained ones. Memory training is a highly underrated art and one that deserves some attention. Back in high school I got so annoyed with my poor memory that I began to research the subject. I studied and trained my memory for several months and found amazing improvements. My grades improved (I ended up graduating valedictorian with the highest GPA in the school's history), I was able to, with ease, memorize phone numbers, addresses, speeches, shopping lists, and the like. And this had nothing to do with some sort of superior intellect. I was an average guy with an apparently poor memory that just needed some training. People have been astounded as I recited 300 digits of pi, and even more astounded when I told them that I memorized it in less than one hour. I have demonstrated going through a shuffled deck of cards and being able to recite back the cards in order, or backwards, or name any arbitrary numbered card in the deck and its position. Or someone can take 3 or 4 cards out of the deck without me seeing which ones they took, then I go through the deck a second time and tell them instantly which ones they took. Intrigued yet? Watch DoLinux.org for a soon-to-come article on memory training. Anyone can do it. With time it becomes second nature. You find yourself memorizing things without consciously applying mnemonics.

      --Jamin Philip Gray
      jamin@DoLinux.org

    2. Re:Passwords are a pain by darkman95 · · Score: 1

      Can we purchase this amazing system for just 5 easy payments of $49.95 plus shipping and handling?

    3. Re:Passwords are a pain by Skeezix · · Score: 1
      Ha Ha, very funny. Yes, most people laugh when I mention this sort of thing and push it out the window with all the other "self-help" type kits. The truth is that memory training is a very real science. Government agencies have been using it for years, the military uses it, and many educational systems use it. I was homeschooled until high school and one of the focuses of my education was memory training. The results were nothing short of astounding. Laugh all you want, but the truth is that in high school I could memorize a 300-digit number in under an hour. Now I can do it in 10 or 15 minutes. And I'll remember it months after the fact. Memory experts have said that the average human can only remember a string of seven digits with an untrained memory. Hmm....think on that for a while.


      Ever taken an IQ test? The last time I took one, they had a series of questions based on number recall. Being able to flawlessly recall digits that are spoken to you, or to reverse the digits with equal ease raises your score.


      Did you buy a palm pilot just for the purpose of keeping phone numbers and addresses? Why? Your mind is capable of easily memorizing hundreds of phone numbers, dates, notes.


      Another sneak preview. I will show you in my article which I will write soon, how to give the day of the week for any date from the start of the Gregorian calendar until the indefinite future. You won't need a perpetual calendar. You can do it all in your head in seconds. There are shortcuts to the math that I have yet to see in any book. Stay tuned....

      --Jamin Philip Gray
      jamin@DoLinux.org

    4. Re:Passwords are a pain by Abigail-II · · Score: 1
      Memory experts have said that the average human can only remember a string of seven digits with an untrained memory.

      Is that why phone numbers in the US have 7 digits for the local part? Because hardly anyone can remember a phone number that includes an area code?

      -- Abigail

    5. Re:Passwords are a pain by conform · · Score: 1

      "Back in high school I got so annoyed with my poor memory that I began to research the subject. I studied and trained my memory for several months and found amazing improvements."

      "I was homeschooled until high school and one of the focuses of my education was memory training."

      I'm a little confused here. Did you do memory training in high school, or before high school? Do you remember?

    6. Re:Passwords are a pain by orangesquid · · Score: 1

      I've heard it may... Phone numbers are actually constructed in n+3+3+4 form, n=country code, 3=area code, 3=prefix, 4=(forget what it's called... oh well)
      By the way, this is where the lack of available phone numbers etc. comes from -- the phone company only allocated prefixes, rather than number ranges. If a company wants to buy 200 phone numbers, they either have to find someone who has already bought a prefix and work out something with them or purchase a block of 10000, leaving 9800 numbers unused...
      And on the memory techniques... I've found that memorizing long strings of numbers is easier if the numbers have a pattern, even if it's a nonrepeating one, like pi... I have memorized 25 digits (3.1415926535897932384626433) just by breaking it into chunks that made sense:

      3.14 - nearly everyone is taught this in elementary school... plus, 4-1=3, which is the starting pre-digit
      159 - notice 5-1=4, 9-5=4
      26 - same, 6-2=4
      53 - 5-3=2, which is half of 4
      589 - this is the same as '59' but with an extra digit stuck in, which is merely one less than the '9'
      79 - 9-7=2
      323 - this is a string of threes, two units long, interrupted by a digit one less than the rest
      846 - mentally, I swap the 4 and 6, and think of this as a pattern of a loss of 2 per digit, descending from 8 to 4
      264 - this is the above with the 4 and 6 swapped, but the 8 is replaced by a number 6 less than itself
      33 - this is the 323 with the 2 removed

      I never have problems remembering what number each set starts on... but someone could apply mnemonics if they wanted to I guess.

      Just my several hundred pesos.

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
    7. Re:Passwords are a pain by Skeezix · · Score: 1
      Sorry, those two statements were a bit confusing. The answer is both, to some degree. Before high school, I focused some on memory training but didn't really have the motivation to practice regularly. It did help, but it wasn't until high school that I began to research it on my own. Before high school the memory training I received was due to the curriculum that my parents chose.

      --Jamin Philip Gray
      jamin@DoLinux.org

    8. Re:Passwords are a pain by Tallus · · Score: 1
      I did a dyslexia* training course a while ago and learnt a similar scheme that uses visual equivalents where you equate the shape of something with the number and create a picture out of it. So to memorize my new phone number I imagine a picture of a cherry in a swan's mouth, swimming out of a tunnel. On top of the tunnel are two snowmen holding hands. The one on the right is holding up a flag = 620887.

      After a while the process becomes unconscious and it has had pretty amazing results. Four years ago it took me eighteen months to memorize (my own) six digit phone number. When I got a pager recently I had memorized the eleven digit number without any conscious effort, within days.

      * It was based on the theory that dyslexia is due to a deficient phonic memory.

      --
      Paul M

      "There are no innocent bystanders. What were they doing there in the first place"
      William S Burroughs

  26. CryptInfo is absolutely the way to go... by Jules · · Score: 1

    www.normsoft.com. The author is responsive to new feature requests and fixes bugs like a demon. Well worth the US$13!

  27. spreadsheet by Anonymous Coward · · Score: 0

    Use a spreadsheet, keep a copy only on a disk (or zip etc.) and print out a copy. Don't put any passwords on the spreadsheet, just keep the disk in a safe place.

    Also keep a different password for each site.

  28. "Nobody'll Ever Guess My Daughter's Name!" by Anonymous Coward · · Score: 0

    As a general rule, I use alphanumerics in strings (at least) one byte long; afterwards, I copy the password into a private file on my Palm III.

    Back in the old days of DOS & bulletin boards, a friend of mine used names from Star Trek. You could imagine the look of outrage on his face when I told him about the cracking database which had every word from all of the books and scripts related to the original series.

    Longer, randomized codes may be time-consuming, but in addition to safety, they provide better typing practice.

  29. Password schemes. by Abigail-II · · Score: 2
    For many "personal" accounts (Unix user accounts, root password on my personal box, mud passwords) I've used the same scheme to build a password, consisting of a group of characters from a related set, and some punctuation. It has been subject to crack attacks by several admins, numerous times, and it has never been cracked.

    For admin accounts (except for some reason, I've never subjected a root account to this), and some websites, I often base passwords on lines of songs I like. For instance, the first letters of each word; if there aren't enough letters, punctuation, and/or the artist's initials help. And often, instead of using the real line, I substitute one or more words. ;-)

    Sybase SA accounts are a lot easier. Sybase gives you up to 30 characters, so no 8 character limit. My favourite tactic there is plays on names related to the town I was born in; given the fact that all Sybase servers I've worked with were behind firewalls in environments where no one else was coming from the same country I was born in, that was pretty safe.

    Root passwords are a different matter. Except for personal boxes, root passwords are often shared between people, so deciding on them is a different manner; you can't just use your favourite strategy.

    And sometimes, you don't really care. For instance, slashdot mails your password, and your password goes in plain text to slashdot when you log in. Not that I could really care if someone used my password - slashdot is pretty close to the end when it comes to important things. For such passwords, I just keep them in a file, and cut-and-paste, although my current slashdot password has a certain rythm that makes it easy to remember.

    Oh, one word of advice. Don't suggest in a (root) password things that aren't true. In a previous workplace, we had 2 Sun E3000's next to each other, sharing a console using a switchbox. One weekend, I came in to change the tape drive of one of the machines. The root password of the machine suggested it was the machine to the left. I logged in and halted the system. Then I turned the key of the left machine, and wondered why the screen didn't go blank. When my pager went off 30s later to notify me which machine was down I realized what I had done.....

    -- Abigail

    1. Re:Password schemes. by Anonymous Coward · · Score: 0

      that's what they get for not simply buying another console

  30. Password Generation by gashalot · · Score: 1
    I work as a sysadmin for a fairly large webhosting firm, and I always need to remember a plethora of passwords. The passwords must also be fairly secure (i.e. we never use words in the passwords, etc.). I've found that to make up passwords, makepasswd is the best program available (check freshmeat for your copy, or `apt-get install makepasswd` on Debian systems).

    I run makepasswd like this
    makepasswd --count=60 --maxchars=8 --minchars=8 --string=qwertyuiopasdfghjklzxcvbnm1234567890
    That generates passwords with only lower case and numbers (I have found when remembering in upwards of 20-30 passwords, it's easiest to stick to one case). After I generate my new password lists I normally transfer them to my Pilot in a memo, and lock that memo down under the private area (I rarely use it, but it's always nice to have).

    It's not a horribly complex system, but by using makepasswd you have no tendencies to lean towards certain patterns, and you can generate hundreds of passwords very quickly.

    Another word of the wise- keep an archive of all of your old system passwords, even after you have changed them. I have often found some part of a system or a rarely-used piece of equipment (Switch, Router, etc.) that has been forgotten in a password roll and is set to some old password. Having a list of them somewhere makes trying the old combinations VERY easy. (I once knew a guy who forgot the password to his 3Com Switch 1000, and he rendered the management portion of the switch useless)

    --
    -R
    1. Re:Password Generation by Anonymous Coward · · Score: 0

      We do almost exactly the same thing, but I leave '1' and '0' (or 'i' and 'o') out of the list of allowable characters. Some of my technicians have terrible handwriting, and I got tired of hearing "Is that a '1' or an 'l'?"

    2. Re:Password Generation by m3000 · · Score: 1

      Another password generator can be found here

    3. Re:Password Generation by spaztik1 · · Score: 1

      Hell, I just wrote my own password generator. Why mess with complex, if not annoying, command line arguments when you can accomplish the same thing with less than 20 lines of code. If you have trouble remembering these passwords, write them on a piece of paper. It's an odd thought, but its crack proof.

      -------------------------------------------------- ---------------
      "C for yourself."
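A worked example added by the editor, not gashalot's makepasswd setup or anyone's posted code: the same approach (uniformly random passwords drawn from an alphabet you choose, here lower case plus digits as in the makepasswd invocation above) done with Python's secrets module, together with the reply's point about dropping characters that are ambiguous when handwritten, and a function that reports what each of these choices costs in entropy. The exact ambiguous set is an assumption of this example; the reply mentions 1/l and 0/o.

```python
import math
import secrets
import string

# Added example (not code from the thread).  Random passwords from a chosen
# alphabet, like `makepasswd --string=...`, using the OS CSPRNG via secrets.

# Characters a technician may misread in handwriting.  The reply above drops
# 1/l and 0/o; adding i is an assumption here.  Upper-case O, I and L are
# removed as well when the alphabet contains upper case.
AMBIGUOUS = "0o1li"


def make_alphabet(upper=False, symbols=False, drop_ambiguous=False):
    """Build the alphabet; defaults match gashalot's lower-case-plus-digits set."""
    chars = string.ascii_lowercase + string.digits
    if upper:
        chars += string.ascii_uppercase
    if symbols:
        chars += "!@#$%^&*-_=+"
    if drop_ambiguous:
        chars = "".join(c for c in chars if c.lower() not in AMBIGUOUS)
    return chars


def generate(length=8, alphabet=None):
    """One password of `length` characters chosen uniformly from `alphabet`."""
    alphabet = alphabet or make_alphabet()
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_batch(count=60, length=8, alphabet=None):
    """Equivalent of --count=60 --minchars=8 --maxchars=8."""
    alphabet = alphabet or make_alphabet()
    return [generate(length, alphabet) for _ in range(count)]


def entropy_bits(length, alphabet):
    """Bits of entropy for `length` uniformly chosen characters from `alphabet`."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    lower_digits = make_alphabet()
    for pw in generate_batch(5, 8, lower_digits):
        print(pw)
    print("lower+digits, 8 chars:", round(entropy_bits(8, lower_digits), 1), "bits")
    print("same, no ambiguous:   ",
          round(entropy_bits(8, make_alphabet(drop_ambiguous=True)), 1), "bits")
    print("mixed case+symbols:   ",
          round(entropy_bits(8, make_alphabet(upper=True, symbols=True)), 1), "bits")
```

With the 36-character alphabet gashalot uses, an 8-character password carries about 41 bits; dropping the five ambiguous characters costs under 2 bits, while sticking to one case costs about 6 bits against a mixed-case alphabet of the same length. The arithmetic only holds when every character is chosen uniformly by a CSPRNG, which is why the block uses `secrets` rather than `random`.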

  31. My tactic for passwords: by wowbagger · · Score: 2

    Pick a phase you remember by heart. For example:

    "Yippy-ky-yay MuthaF**er" from Die Hard[1|2|3]

    (I've deliberately chosen to use a weak example)

    Now, use the first letter of each word. YKYMF.

    You want to make it harder, scramble the capitalization: YkyMF

    Maybe add punctuation: YkyMF!

    Pick a theme with several such phrases, and there you go: easy to remember, hard to guess passwords.

    1. Re:My tactic for passwords: by AngusSF · · Score: 1

      I'll use something similar, but add 2 or 3 characters related to the site. E.G. if I'm working at IBM I'll add HAL at the beginning or end of the phrase. I've used the first letters of a number of things, like the mountain ranges around my home town (not where I live now), or the major streets N to S, or ...

      --
      "A gun is a tool, Marian. No better, no worse than any other tool. An axe, a shovel, or anything." Shane (1953)
    2. Re:My tactic for passwords: by cmpute · · Score: 1

      If you can find a phrase with some numbers it will become even better, like: Two small birds jumped over the ten meter high fence (Just made this up), you'll get: 2sbjot10mhf, crack that!

    3. Re:My tactic for passwords: by Anonymous+Daredevil · · Score: 1

      Try using the second or third letters of each word in the phrase too to mix things up further. In the Die Hard example from above you'd have: IyAUu! or iYaOU!, if you spell Mother correctly. Random caps added for good measure.

    4. Re:My tactic for passwords: by Anonymous Coward · · Score: 0

      Or a phrase with symbols in it. Like b0agm!4t$ Bank of America gives more bang for the buck.
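A worked example added by the editor, not code from any comment in this thread. It implements two of the transforms posted above, dpreformer's "first letter of each word, keep punctuation, substitute to -> 2 and and -> &" (comment 14's replies) and Hermelin's "type the word with your hand shifted one key to the right" (comment 24), and then plays the attacker orion99 describes: someone who knows the transform and only has to try likely source phrases. The phrase list and the stored hash are constructed for the demonstration; the `for -> 4` style extensions are left out so the output matches the examples posted.

```python
import hashlib
import itertools
import math

# Added example: deterministic password transforms from the thread, and the
# attack that follows once the transform itself is known.

SUBSTITUTIONS = {"to": "2", "and": "&"}     # dpreformer's examples


def first_letters(phrase):
    """'The long and winding road, that leads to your door' -> 'Tl&wr,tl2yd'."""
    out = []
    for token in phrase.split():
        core = token.rstrip(".,!?;:")
        trailing = token[len(core):]        # punctuation is kept, per the post
        if core:
            out.append(SUBSTITUTIONS.get(core.lower(), core[0]) + trailing)
    return "".join(out)


# One string per QWERTY row; "shift right" means the next key in the row.
QWERTY_ROWS = ("`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./")


def qwerty_shift_right(text):
    """'slashdot' -> 'd;sdjfpy' (Hermelin's method)."""
    shifted = []
    for ch in text:
        for row in QWERTY_ROWS:
            i = row.find(ch)
            if i != -1:
                shifted.append(row[(i + 1) % len(row)])
                break
        else:
            shifted.append(ch)              # keys not on these rows pass through
    return "".join(shifted)


TRANSFORMS = {"first_letters": first_letters, "qwerty_shift": qwerty_shift_right}


def stored_hash(password):
    """Stand-in for a password-file entry (unsalted SHA-256, demo only)."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target, phrases):
    """Try every (phrase, transform) pair; return (phrase, transform, guesses)."""
    guesses = 0
    for phrase, (name, fn) in itertools.product(phrases, TRANSFORMS.items()):
        guesses += 1
        if stored_hash(fn(phrase)) == target:
            return phrase, name, guesses
    return None, None, guesses


def search_space_bits(n_phrases, n_transforms=len(TRANSFORMS)):
    """log2 of the attacker's work once the scheme is public."""
    return math.log2(n_phrases * n_transforms)


def random_space_bits(length, alphabet_size=95):
    """log2 of the space for a uniformly random password of the same length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed phrase list standing in for a cracker's lyric/quote list.
    phrases = [
        "Shall I compare thee to a summer's day",
        "The long and winding road, that leads to your door",
        "slashdot",
    ]
    print(crack(stored_hash("Tl&wr,tl2yd"), phrases))
    print(crack(stored_hash("d;sdjfpy"), phrases))
    # A million phrases times two transforms vs. 11 random printable chars.
    print(round(search_space_bits(1_000_000), 1), round(random_space_bits(11), 1))
```

The point of the last two functions is orion99's: the 11-character output `Tl&wr,tl2yd` looks like 70-odd bits of random printable ASCII, but once the transform is known the attacker's work is the size of the phrase list times the number of transforms, about 21 bits for a million phrases. The transform adds convenience, not entropy; the entropy is whatever is in the choice of phrase.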

  32. passwords by rwalkup · · Score: 1

    I tend to use passwords based on songs. One of my favorites was JSfm#!^ which was based on the Grateful Dead song Jack Straw. The first line of the song is "Jack Straw from Witchita (sp) shot his buddy down". These are the characters (on my keyboard) on top of which is Witchita's telephone area code.

  33. Passwords by Understudy · · Score: 1

    I don't know what kind of material you are dealing with; highly secure government or business info should be kept on something outside of your computer. I like the first post that says a piece of paper; it is what I use for stuff that is important. I also have a floppy with a Word doc. that has my normal pass stuff on it. However I am also extremely lazy and will admit I use a program called Gator for my basic stuff. If I were to be quizzed on my passwords without access to my disk I would probably fail.

    1. Re:Passwords by Woundweavr · · Score: 1

      If the password protects something important, then a piece of paper is bad. It can easily be thrown out allowing dumpster divers to get it, or left around, letting someone from inside get it.

      A disk with the passwords that you keep with you and perhaps PGP encrypted is almost as easy and even more secure.

  34. Numeric Keypad by finkployd · · Score: 1

    I like using patterns on the numeric keypad. Only problem, Linux likes to turn off num lock every chance it gets (you hear that Linus, forget about USB for a second and FIX THIS! :)

    Finkployd

  35. Modified V.I.N. by :Eclipse · · Score: 1

    The first 3 letters of my auto manufacturer,
    followed by the last 4 numbers of the V.I.N.,
    followed by my first, middle and last initials.

  36. Remembering passwords by Anonymous Coward · · Score: 0

    As a theoretical physics geek, I remember passwords by linking them to my favourite formulae in various branches of physics. For those of you who may be similarly inclined here are a few: RIJZERO TIJISROUIJDOUBLEDOT SISKLOGOMEGA DELTAPDELTAQISATLEASTHBAR

  37. Old Commands, hardware and a password file by Felinoid · · Score: 1

    I use three strategies...
    One is to use old commands used on old computers for low priority accounts (stuff I don't really care about)
    I use a combination of favorite numbers (such as some of the numbers of my birthday or old VIC-20 poke codes) and again old commands or the cryptic names of hardware I have on my desk [not my main computer but my old XT's monitor, things like that]
    I'll also just not bother and have the computer remember my passwords for me, or save them in a password file..
    I've been moving more and more to the password file.. saving them on a backup floppy and keeping the floppy in a safe place.
    This seems to work very well.

    cross fingers...

    I prefer to let the computer automatically enter passwords for me. This is how I usually remembered my passwords for BBSes I called during the 1980s and early 1990s...
    when the terminal program didn't support it I'd make a macro for each BBS.. when the terminal didn't support macros I wrote the passwords down.. I hated writing anything down but that's life

    I try to make my passwords as hard to remember as possible nowadays...

    --
    I don't actually exist.
  38. Muscle memory by Pelerin · · Score: 1

    All my passwords consist of random, but readable, strings of characters that alternate each hand on the keyboard. That way I can type them a) quickly, and b) with a sort of rhythm in my hands and fingers.

    Initially I remember the way these fake words "sound" (I also keep them written down for a while) but after a couple of weeks my hands remember them better than my mind.

  39. I Have A Couple of Systems... by ZaMoose · · Score: 1

    Firstly, I take names/place names from the Star Wars Trilogy (no chance of any of them being dictionary words), then I pepper 'em with some random numbers and caps. Also, I've found Lewis Carroll poems have some great nonsensical words to use.

    However, past this system, I usually use iterations of the same general password for a single purpose: I use one set for my internet passwords (NY Times registration, Hotmail account, etc. All the unimportant stuff). Another set for my university account and account on my own machine. Lastly, my root password is different than all of them...

    --
    I wish I had a kryptonite cross, because then you could keep Dracula and Superman away.
    1. Re:I Have A Couple of Systems... by JamesKPolk · · Score: 1

      I take names/place names from the Star Wars Trilogy (no chance of any of them being dictionary words)

      You don't think that by now, someone has taken the scripts of the whole trilogy, and munched them into a dictionary? You'd better believe that, when it comes to cracking passwords, Dagobah is as likely to be on the dictionary list as Mars!

  40. asswd: Scheme by Anonymous Coward · · Score: 0

    Passwords are notoriously difficult to remember when rules change, like "no symbols *(&%" and "must begin with a number" restrictions.

    Take a page from public key encryption and generate passwords in two parts - one public part and the other private. The public part generally follows a phrase, acronym or symbol associated with the application/website. The private part is a gnarly secret you'll never forget.

    Login: Public key - Private Key

    Slashdot: /. 9^&792$%
    CNN: cnn 9^&792$%
    WallStreetJournal: wsj 9^&792$%
    WellsFargo wf 96779245
    CharlesSchwab: 9677 cs9245

    The convention generally applies whatever is found (in some form) in the URL and its rules.

    WellsFargo doesn't allow special characters, so symbols are replaced by the secret #'s.

    CharlesSchwab rules require the password begin with a number so the secret is broken in half and the public part incorporated into the private.

    Every login is dynamic, recreatable and generally memorable since the URL is always your *hint*.

  41. Password archives by DaveHowe · · Score: 2

    Hmm. I keep mine on a Scramdisk (a free virtual disk encryptor available from Here). I also encrypt the data with PGP every so often and email it home, so I have a backup if I lose the scramdisk or forget its password.
    --
    -=DaveHowe=-
  42. My Way... by iota · · Score: 1
    I try to keep my password methods simple:
    • For ssh, I use the encrypted key authentication method. That way I can choose hideous passwords for my machines, make a keyfile, and then never worry about the password again. Plus, I know I'm secure unless someone sits down at my box and 1) breaks my keylock and 2) unlocks my screensaver.
    • For many other things, I keep them in an encrypted PalmIII program I made. It uses crude writing-recognition to authenticate -- I know no one can duplicate that.
    • For all my physical logins (ie, my home machine), I have threefold security: 1) a username, 2) a password and 3) a program on my PalmIII: I have to cradle the Palm and hit the HotSync button, and the Palm sends a password file as part of the sync.
    • As far as my passwords go, I try to forget the letters and numbers on the keyboard, and do it by sight. Trying to memorize random strings of numbers and letters is tough for me -- but memorizing a sequence of hand-movements is easy.
    That's just how I do it... has worked well so far! jason
  43. Use another password by jjd · · Score: 1

    I put all my passwords in my HP100LX palmtop's database application. Of course the database is password protected. So -- I have to remember this one password to get me access to my hundred other passwords.

  44. Muscular memory by Seldon · · Score: 1

    Every time I have to choose a new password, I use whatever comes to my mind at the moment, usually being careful not to choose words that can be found in a dictionary. After that, I rely on muscular memory, I mean, if I used it a couple of times then I don't have to think about it to write it, just let my fingers go.
    Not so long ago I discovered I don't have two passwords starting with the same letter, so I'm able to write down the first letter of each password and that's enough to recall it later. Now I enforce this property on purpose.

  45. My method works everytime by GW Hayduke · · Score: 2

    But you have to be physically there
    Reboot the box then

    LILO: linux -s

    # passwd whatever
    # shutdown -r now

    Now you have root back and change whatever the hell you want :)

    Or in the Case of RAS equipment
    do a NINDY by plugging the jumpers on the mobo
    Upload a new TAOS/COMOS using a serial connection with 1K/XModem transfer
    halfway through upload yank the jumpers
    Reboot twice .... You're in, but your initial config might be all skiwompus!

    OK OK, all kidding aside. Personally I do PGP-encrypted files of router/RAS configs as well as passwd files stored offsite in 2 vaults. One at home, one in another office.

    Hey it was either that or tattoo the passwds on my cat, and let the fur grow back!!
    *JUST KIDDING PETA PEOPLES*

    --
    -- Life: Hate the Game... Love the cereal
  46. The mind is a terrific thing by Jonas Öberg · · Score: 3

    Until some time ago, I used the same password as the username. Not kidding. I got a few visits that way, people mailing me from my own account saying "Cool! Hey, your foo script didn't work like it should, I fixed it for you", and the like. People who want to do bad things seem to be lame enough never to just knock on the door and try the handle.
    I'd like to still have the same scheme on some systems, but people in general are paranoid enough so that I choose strong passwords so that they will still be friends with me. I must say though that I find it much easier to restore a backup every once in a long while, than to use all the paranoid security that people force upon me. I even secured my own computer and removed the guest/guest, system/manager and login/password accounts, which had been there for, well, forever really.
    So either way; how do I remember the passwords these days? Well, it's not only passwords, it's bank account codes and other codes too that go with all the plastic cards you get. I'm sorry to say that there really isn't any great trick to it. The mind can easily store at least 20-30 more secure passwords (and probably even more), even if you change them regularly. To memorize a new password, I write it down on a piece of paper and try to attach images of the characters to the paper in my mind. If you attach graphical images, sometimes even smell perhaps, you will most probably remember it far longer than you need to.

  47. Pick a phrase by Anonymous Coward · · Score: 0

    I had a professor who was fond of the term tanstaafl. There ain't no such thing as a free lunch. He even wrote it on the board like that. Expanding on the madness, pick a phrase that you can remember, use the first letter of each word and you have a 'random' password you can remember! It helps when you're required to change all passwords every 30 days on a system that rejects old passwords and checks new ones against a list of 'bad' choices.

  48. Fixed script, no rootpasswd by Anonymous Coward · · Score: 0

    I use a 'script' (only in my head) to choose a new password, based on the purpose of the password, the machine, and the reason for changing the password (usually the date), and a personal factor. This way I can recreate the password in a few seconds, while to everyone else it would look like a random sequence of letters, numbers and signs. Only some really smart mind reader could hope to social engineer the passwords, but in the unlikely event someone would, a password won't do him much good to gain root access. None of the machines I administer has a root password. Group wheel (GID = 0, needed to su) can only log on from the console, not via the network. To gain root access they would need to gain access to the console. When that happens, security has been breached anyway. There is no such thing as a secure console.

  49. Another Palm Pilot Password Keeper by DrDebug · · Score: 1

    I have about 50 different things I keep passwords on. So I keep them on my PalmPilot.

    I just add each account as a contact in my phone list, and mark the contact as private. Each contact has a separate memo attached which holds the account name and password (and other relevant info). All of the password contacts live under a list name (coincidentally) 'Passwords'.

    So, all I have to remember is the PalmPilot Security password to gain access to all of the other passwords. The trouble with this scheme is that sometimes I forget to turn the Security password back on.....

  50. Change my passwords? by Chas · · Score: 1

    Why would I do that? My password is completely secure! I even use it on my luggage!

    123456

    Whoa! How did that slide in there!


    --
    Chas - The one, the only.
    THANK GOD!!!
  51. Keeping it simple by Anonymous Coward · · Score: 0

    I try to keep it simple. I have selected two letters of the English language to translate to numbers, for example, t=8 and e=6. Then I chose common words I can easily remember that contain one or both of these letters and just substitute the numbers where the corresponding letters are. Thus, on one machine I may select the word "westside" and therefore the password is w6s8sid6. It keeps the simple dictionary lookup method from working and still is easy to remember. I can even write the words down and if they are "found" there is still some security. For a series of machines on a relatively secure network, I may make it a phrase, one word for each machine (if one is figured out the rest are likely to be guessed). Now that my secret is out, it would not be hard to write a dictionary code that also tries two letter-number substitutions to break into my machines, but... there are a lot of us Anonymous Cowards out here in the world to select me from.

  52. Palm Pilot by Anonymous Coward · · Score: 0
    For passwords I use frequently, it's not a problem. For those I use infrequently: I stash 'em in my Palm III and mark the memo as hidden.

    In case the Palm gets lost or stolen: occasionally write that memo out to a file someplace secured/securable and encrypt that file with a good password that you're not likely to forget. That way you can always recover them and change them all should you need to.

  53. Password and GFs by Manifest · · Score: 2

    Passwords and remembering them have been very easy for me ..

    Well the process that I have used is as follows :

    If I have a standing GF when I change the password, I would keep my password as "iluvxyz", and if I have just broken up with a GF i would have my password as "fuckuxyz".. :)

    Isn't that cool. Maybe it will be cooler if I also add that I have never had a GF !

    Manifest

    --
    ... "follow me" the wise man said, but he walked behind ...
    1. Re:Password and GFs by Anonymous Coward · · Score: 0

      istalkxyz ;)

  54. Well... by Chas · · Score: 2

    Contrary to my previous, humorous post, I store my passwords in a plain text file, zipped with a password on the zipfile, then PGP-encrypted and stored on a CD.

    The passphrase is something I'm almost unlikely to forget. But just in case, I keep a copy of the passphrase and the zip password in a locked strongbox in my room.

    For additional physical security, I also own a set of swords.....

    --
    Chas - The one, the only.
    THANK GOD!!!
  55. for (some not all) musicians..... by GW Hayduke · · Score: 3

    I just thought of this whilst reading all the posts..
    For keyboardists, try the opening few measures of the theme of a composition (hmm, Bach's Preludes would be a little too repetitive though..), imagining the computer keyboard as a musical keyboard. Yeah Yeah I know, the keys are entirely wrong, BUT, if you know the piece, your fingers should remember at LEAST the theme, and hit the same area every time..
    I started testing this theory with not only keyboard themes, but also guitar licks... BTW, Chords don't work:), violin solos, bass lines.
    Trombonists, flautists, and other brass and woodwinds would tend to have problems. Especially trombonists :) because of the registers requiring multiple fingerings....
    I dunno, maybe I just need more coffee
    and more testing.... please let me know what you think

    --
    -- Life: Hate the Game... Love the cereal
    1. Re:for (some not all) musicians..... by CausticPuppy · · Score: 1

      It's also a great way to practice certain passages. Your computer won't let you hit wrong notes!
      However, I noticed that most systems won't let you have passwords that are as long as Flight of the Bumblebee.
      I tried a different technique, only to discover that drumsticks can really mess up a keyboard after long-term use.

      --
      -CausticPuppy "Of all the people I know, you're certainly one of them." -Somebody I don't know
    2. Re:for (some not all) musicians..... by lanner · · Score: 1

      Jumpin Jack Flash.. its.. hhmm. hhmmmm hhmmm....

    3. Re:for (some not all) musicians..... by Granis · · Score: 1

      Have never thought of this but I think it could be very useful for people who can play piano.

      You also say that trombonists might get problems when using this method. But as a trombone player I can tell you that a trombone has 7 major fixed positions, 1,2,...,7. If you imagine that you play a short song, say 30 notes. For each note you type the position for it and then you have a 30 digit number that shouldn't be too hard to remember.

      I'm not a cryptographic expert, but a 30 digit number couldn't be that easy to crack with a brute force attack. Please correct me if this isn't right.

  56. Whack by leonids · · Score: 1

    Best way I've found is to just wham your keyboard. Of course don't just hit the alpha part. Hit everything. Get the resultant string, and remove characters here and there to get the length you want. Tada!

    Write it down. Stick it onto your eyeball. Read it and recall it for an hour, or more if needed. Log on to the account every minute. Burn the paper.

    There. Of course trouble comes with many different accounts with different passwords.

    1. Re:Whack by Gadgetmad · · Score: 1

      For most of my passwords, I use Ferrari model designations. There are hundreds of them, eg f550m, f360m, 412t2, 355f1 etc. That way I can just keep trying them until I get the right one. Of course, internet related passwords are usually "8o11ox2u" or something stupid like that.

      --
      Atheism is a non-prophet organisation..
  57. Key to Passwords: Random-mess by Soldier3585 · · Score: 1

    I used to do the single password thing. I took a word and shifted it and then scrambled it... I've also used a makeshift cipher wheel. The best thing to do is open a text file and then bang on the keyboard with both hands (lightly, of course...don't want to break anything). Make sure you hit the shift key while you do it, and make sure you get close to all the keys... then...well, you pick a string from the mess. Random as it gets....

    j&^UFVotygOU^ryf*$RF9ogLMg9*%&Tk

    and there you have a password, you just have to memorize it :)

  58. 5 Passwords max... by maroberts · · Score: 1

    I only use about 5 passwords ever
    a) two for my home machines (root/normal user)
    b) one for work
    c) a couple for web login accounts

    As I change jobs I do change my work password. Only my web login passwords are likely to fail a standard dictionary attack.

    I find about 5 words which have been garbled is about the limit my brain can store. ;-P

    --

    Donte Alistair Anderson Roberts - hi son!
    Karma: Chameleon

  59. Use first letters of a meaningful phrase by Wiktor Kochanowski · · Score: 1

    I store them in a text file :-) the catch is, I encrypt the file with PGP. Any time I decrypt it for reference I am careful not to leave the unencrypted file around, too.

    My password generating tactic is to use the first letters of a phrase that is meaningful to me. Let's say I like Vengaboys, especially their catchy line "Boom boom boom boom I want you in my room", which generates the password "bbbbiwyimr". Or "4biwyimr" if you have to have numbers in your password.

    Note 1: don't use phrases that are meaningful to you but to many other people too. Crackers have them in their dictionaries. So don't use "to be or not to be", nor "there ain't no such thing as a free lunch"; I had the latter actually guessed by the dictionary cracker run by my sysadmin once. Don't use common proverbs etc.

    Note 2: as an additional criterion I apply the speed of typing the password on a keyboard. Believe me, I guessed many passwords looking at people's hands and would rather not have it done to me.

  60. Use a hashing function by Hynman · · Score: 1

    Proposal:
    Biological retrieval of "random" passwords is a complicated task, when new passwords are added to our collection every day. A "secure" method of password generation is required to 1) eliminate the need to store a password at an insecure location and 2) be able to retrieve the password if the storage location is not accessible. Therefore I use a hashing function, H, that takes arguments var1, var2 ... varn ( H(var1, var2... varn) ) to produce a unique password for every site. (I usually use something like (myname, domain name).)

    Justification:
    I don't think I'll forget my name, or the site that's asking for the password. So as long as you can remember a scheme like initials+1st 5 letters of domain name, you'll be ok.

    Analysis of running time:
    The hashing can be done in O(1) time (constant time). Furthermore hash collisions are not important and do not affect performance of generating and retrieving H(var1, var2,...,varn).
    Furthermore the algorithm is scalable.

    Modifications to H():
    Everyone can just have a particular modification to the generic hash function. For instance use "1LFMdoamin.com"

    Weaknesses:
    Unfortunately, if someone figures out H() you are screwed. The solution is to use an array of hashing functions (26) and select a hash routine according to some criteria, i.e., use the 1st letter of the domain name, c, to select H[c](). Be sure to not make the modification(s) on the hashing algorithm easily observable and guessable. That should create seeming randomness to anyone who gets a password or two. They might figure out the H() for a particular c, but as long as they don't get more than 1 password with a particular c, they should not realize that they know H[c]().

    Final Comments:
    Passwords should be made of "random" characters from S where S is the set of all valid characters. However, as biological organisms, we cannot be expected to remember a growing number of unique passwords. Therefore a hashing function on string literals (dynamic or static) can provide a not-so-easily-guessable but easy-to-remember password scheme that is "reasonably" secure.

    Followup:
    For really important passwords though, I ditch the whole scheme all together, and use something random - I can remember a few of those.
    My password for slashdot is random, btw.
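    A keyed version of the H(var1, ..., varn) scheme above, as an added example that is not code from the original post: it swaps the mental hash for HMAC under a stretched secret, so seeing one derived password reveals nothing about H() for the other sites, and it draws characters only from the site's valid set S. The secret, usernames, domains, salt and iteration count below are constructed assumptions.

```python
import hashlib
import hmac
import string

# Constructed default for the post's set S of valid characters; a site that
# forbids symbols or demands digits only passes a narrower set instead.
DEFAULT_CHARSET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def derive_site_password(secret: str, username: str, domain: str,
                         length: int = 16, charset: str = DEFAULT_CHARSET,
                         counter: int = 0) -> str:
    """Keyed stand-in for the post's H(var1, var2, ...).

    The post's H() is public once someone collects a couple of outputs.
    Here the site-independent part is a secret key fed to HMAC, so one
    derived password does not let anyone compute the others.  `counter`
    rotates a single site's password without changing the secret.
    """
    if length < 1 or len(charset) < 2:
        raise ValueError("need length >= 1 and at least two characters in S")
    # Stretch the memorised secret so offline guessing of it is slow.
    # Hypothetical salt and iteration count; tune for your hardware.
    key = hashlib.pbkdf2_hmac("sha256", secret.encode(),
                              b"site-pw-example-salt", 200_000, dklen=32)
    # Largest multiple of len(S) that fits in a byte: bytes at or above it
    # are rejected so every character of S is equally likely (no modulo bias).
    limit = 256 - (256 % len(charset))
    out = []
    block = 0
    while len(out) < length:
        # Case-folded so "Example.com" and "example.com" derive the same password.
        msg = (f"{username.lower()}\x00{domain.lower()}"
               f"\x00{counter}\x00{block}").encode()
        digest = hmac.new(key, msg, hashlib.sha256).digest()
        for b in digest:
            if b < limit:
                out.append(charset[b % len(charset)])
                if len(out) == length:
                    break
        block += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(derive_site_password("correct horse battery", "alice", "example.com"))
    print(derive_site_password("correct horse battery", "alice", "example.com",
                               length=8, charset=string.digits))
```

    The trade-off the post already names still holds: if the memorised secret leaks, every derived password falls with it, so it needs the same protection as the encrypted password files described elsewhere in the thread.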

  61. Hm. by Anonymous Coward · · Score: 0

    I take a word that readily comes to mind. For example, looney. Then I exaggerate the letters. loonee. And do that lame letters to number thing, so it becomes alphanumeric. l00n33. And that's a password that no one would guess, and one that I remember because the word is the first thing to pop in my mind.

  62. Phrases with a formula by martymouse · · Score: 1

    I have a piece of paper with several phrases on it. I just have a formula I memorize for generating a password (mixed capitalization, punctuation, and alphanumerics) from the phrase. If you were to find the paper, you couldn't distinguish it from a grocery list or a "favorite quotes" list in my pocket and it would do you little good without the formula.

  63. Placement on keyboard by slaker · · Score: 2

    My way of creating and remembering passwords is to take a word I know, or phrase, or whatever, and transpose it on my keyboard -- move all the letters one or two letters left, right, up or down. Usually I shift one or two characters and one control character. Usually, after the second or third time I type it, I don't have to look at the keyboard, either. =)

    The net result of this is uniformly line-noise-type passwords.

    --
    -- I wanna decide who lives and who dies - Crow T. Robot, MST3K
  64. I have a total-foolproof method. by doce · · Score: 1

    I just tell my wife all of my passwords. Women are WONDERFUL at remembering non-trivial things like this.

    The oil light on the other hand... ;)

    --
    woof!
  65. memory&counterpane by jacobb · · Score: 1

    Well, many people say I'm lucky to have a photographic memory, and in many ways I am, including my method of password storage. I have 50 different passworded accounts (ok, 47), and each has a minimum of 8 (some places don't let you put any more) alphanumeric passwords which I generate using truly random numbers (radioactive decay), see http://www.fourmilab.ch/hotbits/ My pgp passphrase is 53 chars and contains all special characters as well as caps, lowercase, and numbers. But, it's not truly random, but a combination of my other passwords. I find this helps people a lot when they ask me how to choose new passwords. Combine some old ones! Most people can't store them all in their memory, tho, so I point them to Counterpane's passwordSafe. there's a link on their site, http://www.counterpane.com hope this helped. JacobB

  66. NBA Players I HATE! by Anonymous Coward · · Score: 0

    I use a derivative of the NBA player I dislike (OK Hate!) the most.

    Being a Sac Kings fan, it's Olden Polynice!

    OP_IHateU
    and
    OP_Sucks

  67. Part/Model Numbers by Anonymous Coward · · Score: 0

    Everyone knows part numbers or model numbers that they can't forget, even if they want to. Many include non-alpha characters.

    i80486/DX33

    Or, use serial numbers. My mouse has a model number, serial number, and FCC registration code printed on it.

    ISBN numbers. Let Amazon store 'em for you.

    1-56592-124-0

  68. Use memorable events by [Xorian] · · Score: 1

    Here's my method, a specific mnemonic technique. Start by picking some specific event or time in your life that's easy for you to recall but is not an obvious one to someone other than yourself. For example "in 1996 when I traveled to Vermont to celebrate Thanksgiving with my best friend Bob," or "when I used to play Shadowrun with John and Paul in college," or "when I first started working for Peter and I had to fix up that unbelievably crappy Perl code the last programmer, Matt, put together." Make a point of choosing a specific event (a particular thanksgiving) not a generic or repeating one (any thanksgiving). Also don't pick something obvious (your wedding) or something someone could easily get information on (if you have a web page about your trip to Mexico, don't use that).

    Now take the date, place, activity, and people involved in your chosen event/time-span. For example:

    • November 1996
    • Thanksgiving
    • Vermont
    • Bob Jones

    Pick out specific fragments of those to use in your password:

    • Nove[mb]er 199[6]
    • Than[ks]giving
    • [Ve]rmont
    • B[o]b Jo[n]es

    Glue your fragments together with non alpha-numerics:

    mb-6.ks/Ve=on

    After typing it a few times, you should be able to get it just by remembering "Thanksgiving at Bob's, 1996."

    Of course you still have to remember which password goes with which account. If you find this to be the tricky part, you could probably deal with it by writing down just enough information to get you to remember, like "11-96". Unless someone can guess the event (thanksgiving) and knows the details (at Bob's place in Vermont), they can't even get near your password, and even with all that information the number of permutations makes a brute force approach prohibitive.

    --
    CVS is teh suck. Use Vesta instead.
  69. If you have a pilot... by DrJolt · · Score: 1

    ...try Strip

  70. Keep them in an encrypted file... usually by Fedy · · Score: 1

    Funny that you ask :) Because just today I had to guess my account password. When I create a new password, I usually take the first word which comes into my mind and cripple it using upper and lower case, numbers and a little Cyrillic ... Then I write it down into an encrypted file.

    But two days ago I had to change my password on a very ancient and dumb terminal and I couldn't save it (even vi didn't display correctly :( ). Of course I remembered the word but not the permutations I did with it... Now I have it again :) after trying almost all of the 2**6 combinations that seemed possible to me :)

  71. Keyboard Word Cypher by grahamkg · · Score: 1

    One of the techniques I use is something I'd call cypher words. I will use a base word and use proximate vertical keyboard locations for the password.

    Look at the keyboard (US in this case), and consider vertical groupings of letters:

    qaz
    wsx
    edc
    rfvtgb
    yhnujm
    ik
    olp

    That's 7 groupings, covering four fingers on the left hand and three on the right.

    Now pick an easily remembered password, for this example, "password".

    Cypher scheme? First two letters are both in the top row. Second two letters are in the middle row. Third, bottom row for the left hand, top for the right hand. Fourth, middle row for both hands.

    Hand pattern? Top, top. Middle, middle. Bottom, top. Middle, middle.

    So, how does it work?

    password becomes pqssxofd. I type it out in a text editor a half dozen times to ensure that I can reliably and repeatably produce the pattern. I also look at it to ensure it has not produced something easily open to brute force attack. Then I delete the text file and I'm done.

    This gives me strong passwords/passphrases that are not subject to attack, I use "simple" passwords/passphrases, and I don't forget the seed words.

    One final curious thing about this is that I actually don't know what any of my passwords/passphrases are. They are secure, even from me. ;-)

    Graham

    --
    Graham
    Linux - Fast Pane Relief
  72. Physical Passwords / Keys by cmason · · Score: 1
    I've always wanted to use some kind of hardware to store authentication things. For example,

    Idea 1, SSH: I don't allow telnet to any machine I admin, just SSH. I've wanted to generate RSA keys for every host, and then burn them onto a CD. Use the same password to protect every key. Then, you'd have to have both my password and the CD to hack my boxes. This, of course, requires both SSH and a CDROM drive on any client machine that you access from. It doesn't work just for general passwords.

    Idea 2, iButton: Maybe a different system would, however. It involves those funky iButtons. These are little watch battery sized devices which store some fixed amount of data (different sizes up to about 64k), and can be addressed by a simple serial interface. You touch the iButton to a small contact (called a "Blue Dot") which plugs into a serial port, and software downloads the data. Store the authentication data (RSA key or just a plaintext password) in the iButton, maybe all encrypted with a single password. Then when authenticating, touch the iButton to the contact, and type in the (single) password to decrypt. The software could figure out which account was being accessed, and use the appropriate key. I think the software bits here wouldn't be too hard (I only see software on iButton's site for Windoze machines, is this being remedied?). Of course, this would require an iButton contact on any client machine that you access from; or it would require you to carry the contact thingy around and plug it into a serial port (pain in the ass).

    I've often wondered how well this would work in an environment with lots of people. Could you reasonably expect people to hold onto an iButton or a CD? Maybe the iButton, if it attached to their keys? Is this too Draconian?

    Thoughts?

    -c

    --
    "If you are an idealist it doesn't matter what you do or what goes on around you, because it isn't real anyway."-R.P.W.
    1. Re:Physical Passwords / Keys by Abigail-II · · Score: 1
      Could you reasonably expect people to hold onto an iButton or a CD?

      That would even be less secure than an ATM card. With an ATM card, you still need a password - the PIN. Granted, 10000 numbers isn't much, but it's still better than nothing.

      Losing an iButton is worse than not being able to remember a password - not only can't you login, but someone else pretending to be you can.

      -- Abigail

  73. CODE by Anonymous Coward · · Score: 0

    i write a series of words on paper personally emphasizing certain letters ( too big too small extree inkage ) and then in order or backwards might be the key ie sUzy cAlleD at 9:oo 911-5150 abouT your Ad in the Paper

    1. Re:CODE by Anonymous Coward · · Score: 0

      better idea than most on this page

  74. my scheme by normiep · · Score: 1

    I actually have two schemes. The first is just to come up with a password that forms some sort of shape... then I just type the shape. (Yes, yes, a lot of people do this). Although I find that this is most useful for telephone based passwords, it's easier to type shapes when pecking IMHO.

    Anyways, the other scheme that I use is that I come up with a fixed 4 character string of random symbols and numbers (like 1!.] or something like that) and then for each of my accounts I assign a four letter word (pick your favorite!). Then for the password I reverse the word and interleave it with the random string, so if you picked the word "this" for a particular account the password would be '1s!i.h]t'. So I remember one random string and then I just have a bunch of four letter words to associate with each account.

    --

    -- Point? None! Cob.

  75. good password schemes by Anonymous Coward · · Score: 0

    The best one for me so far is to use phrases, but not from any one language. I'm lucky in that I know Japanese, English, and a bit of Turkish. The algo: Take whatever phrase you want (I get spammed in Turkish; You'd be amazed how useful that stuff is for passwords when dealing with accounts in the US!), randomly change the words so that you are switching languages for each word, misspell the words (fairly easy; I take English words and apply Japanese phonetics to them) then concatenate the number of minutes of uptime the Windows box you're on had (this is usually pretty short, so it's easy to remember; don't try that with a Linux box, it just doesn't work) and you're done!

  76. My Scheme by Ranger Rick · · Score: 1

    I usually think of a simple to remember password, and mess with it a bit (bu11Y4u, whatever), or come up with something more random if the account is important, then scramble it by typing it in dvorak on a qwerty keyboard, then doing the translation...

    ie (bu11Y4u = nf11T4f, etc.)

    it becomes fairly unreadable, but I suppose if you had a dictionary cracker that did dvorak conversion, it would be easier to crack, but hey, that's what backups are for...

    --

    WWJD? JWRTFM!!!

  77. password memorizing by British · · Score: 1

    Back when I was heavily into BBSing, I somehow remembered every phone number and password for each system in my head. To this day I still don't know how I managed it. As for coming up with passwords? No definite method.

  78. All I gotta say is by Anonymous Coward · · Score: 0

    mUmI$ThEWoRd

  79. Password safe by Gregg M · · Score: 1

    I use password safe at work. Bruce "Applied Cryptography" Schneier came up with it. It works like all the others I guess and it uses a blowfish somehow!
    But I am losing the Win95 machine I use at work (yea!) so I need one that will work on an iMac. Ideas anyone?

    --
    Linux is only free if your time has no value. Windows is only free if you threaten to use Linux.
    1. Re:Password safe by Anonymous Coward · · Score: 0

      Mac OS 9 has a keychain where it will remember all of your passwords (ftp, www) and unlock it with just one password. Only problem is current web browsers don't support keychain, but supposedly Mozilla and IE5 will.

  80. Foreign languages help by Anonymous Coward · · Score: 0

    My method:

    • Pick a random word from any foreign language.
    • Either misspell it or spell it phonetically.
    • Insert a number somewhere.

    The "garbled" method also works with sentences, sports teams, etc. Just avoid the obvious (any sport you're obsessed with, your name, your dog's name).

  81. This question irritates me and (imo) troll bait! by Anonymous Coward · · Score: 0

    I'm not going to pull education on you, but this question would be a question I would include on a survey for a graduate student's paper on password cracking.

    It also reminds me of an experiment I participated in during the latter part of the '70s, where we set up a BBS and requested one's social security number "in order to post".

    87% of the people logging in supplied their name, address, telephone number, and social security number.

    ...And to tell you the truth, I sometimes cannot believe how gullible I am! I guess it's geek and goes with the territory?

  82. alphabet by MrEfficient · · Score: 1

    One method I have used to make easy to remember but difficult to guess passwords is to use the number associated with the letters of the alphabet of someone's name or any word for that matter.

    For example "Mr" would be 13 18 or 1318.
    Even if you knew my method it would take a while to guess which combination of numbers corresponded to a letter.

    --
    Check out AbiWord.
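
    To put a number on the ambiguity this post relies on, here is an added example (editor's code, not the poster's) that encodes a word the same way and then counts every way a digit string can be split back into letters 1 to 26. The count is what a defender should weigh: it grows at most like the Fibonacci numbers, so even a long all-ones string leaves only a few thousand candidates.

```python
# Added example: letter -> alphabet-position encoding from the post above, and
# the size of the candidate set it leaves to someone who knows the method.
import string


def encode_letters(word: str) -> str:
    """'Mr' -> '1318': each letter replaced by its 1-based alphabet position, no separators."""
    return "".join(str(string.ascii_lowercase.index(ch.lower()) + 1)
                   for ch in word if ch.isalpha())


def decodings(digits: str) -> list:
    """Every letter string whose encoding is `digits` (chunks of 1 or 2 digits, values 1..26)."""
    out = []

    def walk(i: int, acc: list) -> None:
        if i == len(digits):
            out.append("".join(acc))
            return
        for width in (1, 2):
            chunk = digits[i:i + width]
            if len(chunk) == width and chunk[0] != "0" and 1 <= int(chunk) <= 26:
                walk(i + width, acc + [chr(ord("a") + int(chunk) - 1)])

    walk(0, [])
    return out


def count_decodings(digits: str) -> int:
    """Same count without listing: dynamic programming, so it works for long strings too."""
    ways = [1] + [0] * len(digits)
    for i in range(1, len(digits) + 1):
        if digits[i - 1] != "0":                      # one-digit chunk 1..9
            ways[i] += ways[i - 1]
        if i >= 2 and digits[i - 2] != "0" and 10 <= int(digits[i - 2:i]) <= 26:
            ways[i] += ways[i - 2]                    # two-digit chunk 10..26
    return ways[-1]


if __name__ == "__main__":
    code = encode_letters("Mr")
    print(code, sorted(decodings(code)), count_decodings(code))  # 1318 [...] 4
    # Worst case, a long run of ones, still grows only like Fibonacci:
    print(count_decodings("1" * 20))                             # 10946, about 13 bits
```

    The four readings of 1318 (acah, acr, mah, mr) are the whole ambiguity for that input; the scheme's real strength is whatever the source word contributes, not the encoding.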
  83. Write them down. by MattEvans · · Score: 1

    Unless you work/live in an environment in which you can't trust your co-workers/family, just write your passwords down and keep them in any convenient place. If someone breaks into your home/office, probably the last thing you'd be concerned about is someone having stolen your passwords. You'll be able to remember them easily, and someone attacking your system remotely certainly won't be able to see a piece of paper sitting on your desk (barring some sort of bizarre webcam setup...).

  84. password schemes by medcalf · · Score: 1

    I have six passwords that I have memorized. They are each long, complex and difficult to crack. I rotate through them, and change all of my frequently-used account passwords at the same time. That way, I try the current password first, and if it doesn't work (because I forgot to change this account, for example), I know I'll get it in five more tries.

    -jeff

    --
    -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
  85. It isn't remembering the passwords that's hard by Sneftel · · Score: 1

    Remembering a few medium-length, random alphanumeric passwords is easy. The trick is correlating 'em to sites. I have 6 passwords which I've memorized. Each begins with a number, from 1 to 6. When I go to a site, I use a stochastic option selector (read: dice) to decide which password to use. Then, I have a file in my home directory like this:

    slashdot 3
    somenews 1
    crash 6
    chromium 1

    I also have a printout somewhere, but it gets outdated pretty quickly.

    This also simplifies password changing; every two months or so, I'll add one to each number (should make a script to do this, but lazy) and go around to the sites and change 'em.

    --
    The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
  86. All good ideas..... by Anonymous Coward · · Score: 0

    But I'm still going to use my tried and true method. I use the same password as the guy next to me at work. That way if I forget it I can ask him. Sincerely, Al Gore

  87. ANONYMOUS COWARD by Anonymous Coward · · Score: 0

    Anonymous Coward = CHEMIFREAK. I thought that I would go ahead and give another suggestion: create a bitmap (paint a picture) or modify one in one (several) spots, manipulating one pixel at a time to write it out, possibly only a shade or two off the background color and possibly on bare skin ;o) so that zoomed in you can see it quite easily. You can also alter screensavers in this way, adding home-cooked subliminal messages (especially on school servers). It drives administration nuts to see a smiley face on the rotating After Dark globe.

    1. Re:ANONYMOUS COWARD by Anonymous Coward · · Score: 0

      who knew genius was humorous

  88. Stupefyingly Simple, Most People THINK It's Dumb :-) by citizenc · · Score: 1

    Here's what you do.. I've included the steps :) (If I haven't gotten the Linux commands QUITE right, don't flame me.. I've tried getting Linux installed about a bazillion times, but X doesn't support my Creative Labs Voodoo BlasterBanshee yet... if you have a solution, don't hesitate to email me :)

    1) Put a blank, formatted disk in your floppy drive.
    2) type "mkdir /mnt/temp1"
    3) type "mount /dev/fd0 /mnt/temp1"
    4) type "cd /mnt/temp1"
    5) type "echo /// >> pass.txt" (Replace the 's with actual stuff ;)
    6) type "cd /; umount /dev/fd0"
    7) remove the disk from the drive

    There.. CitizenC's magical password-keeping strategy.. let's see pesky rooters get at an unmounted disk! :)
    ,-----.----...---..--..-....-
    ' CitizenC
    ' "Bug? That's Not A Bug, That's A Feature!"
    `-----.----...---..--..-....-

  89. Crap.. step 5 got messed up :) by citizenc · · Score: 1

    5) type "echo (login)/(pass)/(account)/(description) >> pass.txt" (Replace the ()'s with actual stuff ;)
    ,-----.----...---..--..-....-
    ' CitizenC
    ' "Bug? That's Not A Bug, That's A Feature!"
    `-----.----...---..--..-....-

    1. Re:Crap.. step 5 got messed up :) by Hector · · Score: 1

      Hah, that's a great idea, except the fellow was asking how to remember his passwords. If they're on a floppy disk, and you forgot your password and can't log into your computer, how can you get at your passwords =)

  90. My thoughts on passwords by xpurple · · Score: 1

    Ok, instead of actually retyping, or trying to cut and paste with lynx, just use this URL.


    The Password

    Thanks!
    --
    http://www.xpurple.com
  91. My thoughts on passwords by xpurple · · Score: 1

    Ok, instead of actually retyping, or trying to cut and paste with lynx, just use this URL.

    The Password Thanks!
    --
    http://www.xpurple.com
  92. proverb by frederik · · Score: 1

    I take the first letters of each word of a proverb ... hmmm ... for example ... "Total world domination" (I know: That's no real proverb ;-) ) and add some numbers (let's say: 666).
    Twd666 (In this case it's a little short)

  93. Pass Safe... by wbraunoh · · Score: 1

    Excellent Windows utility to keep all passwords... http://www.counterpane.com/passsafe.html

  94. Length = Security = Easy To Remember by sansbury · · Score: 1

    I hate sites and services that limit the length of the password I can use. It's like saying "There are better locks out there, but you can't use them."

    If you use a sentence or sequence of words strung together, it makes it fairly hard to guess randomly (Use Bartlett's instead of a dictionary for cracking?), but I suspect that most people could remember "hereslooking@youkid99000" easier than they could remember "hl@yk99k", even though the security levels are comparable. (Is that true?)

    I just use an obscure Latin phrase that I memorized for a fraternity ritual, and my ATM card PIN. It's XX chars long, but very easy for me to remember.

    -cwk.

    1. Re:Length = Security = Easy To Remember by TummyX · · Score: 1

      Um, databases use fixed length strings (generally) so limiting the length of a password makes sense. Although I wish the limit would be something like 255 bytes :).

  95. Play the keyboard like a piano by Anonymous Coward · · Score: 1

    I play the keyboard like it's a piano (usually the old OctaMED keymap, or an offset from it). This has two advantages:
    i) it uses "music" memory - notice how easily humans tend to remember songs.

    ii) I don't always even know what letters my password is made up of, so sodium pentothal aided questioning will be harder. :-)

  96. ISPs generate great passwords by mtnbkr · · Score: 1

    I tend to use old passwords generated by ISPs I have used. At least in the past, they have created passwords that are completely random collections of numbers and letters. I also use phonetic spellings for passwords at work. Either way, I don't write them down and I rotate them fairly frequently. I have a pool of about 5 seemingly nonsensical passwords that I use for everything.

    Chris

  97. If you can remember song lyrics ... by EisPick · · Score: 1

    ... then you can create passwords "that are hard to crack but possible to recall."

    Take the first line or two of a song or poem you like and use the first letter of each word to build a password.

    For example, take the first two lines of Poe's The Raven:

    Once upon a midnight weary
    While I pondered weak and weary

    The first letters of each word give you the seemingly random password ouamwwipwaw. It's easy to remember, easy to type (just recite or sing in your head as you type), but won't be found in any dictionary.

    Systems that require non-alpha characters will barf on it, but you can just add a digit or two at the end to fix that.

  98. just one more by Anonymous Coward · · Score: 0

    Use old chem nomenclature and/or stoichiometry (the same goes for any subject with specific jargon, i.e. computer programming languages (I love logic) or modified forms (so many possibilities)), i.e. arsenic pentasulfide - As2S5, epinephrine "adrenaline" - C6H3(OH)2CHOHCH2NHCH3

    1. Re:just one more by Anonymous Coward · · Score: 0

      good idea!

  99. the trick is the reference... by Chakotay · · Score: 1

    As many have already said, the trick to remembering a password is to find a reference or a "source path" to it which can be remembered more readily. But then there's the problem of how to find out which reference that is...

    References and paths to a password work because the human mind excels at finding references, and at remembering paths. What always seems to work for me is to repeat the password or whatever I wish to remember in my head, and the reverse process will take place. Your mind will get busy generating references from that password. And some of those references, away from it, will also easily lead back. And of course the same applies to any paths your mind may come up with.


    )O(
    the Gods have a sense of humour,

    --

    Never underestimate the power of stupidity
    To err is human, to moo bovine
  100. Shocking Nonsense by meldroc · · Score: 1

    One password scheme I've read about on Usenet a long time ago was called Shocking Nonsense. The idea is to come up with a phrase that is shocking, vile and disgusting, and at the same time total nonsense. The combination of shocking and nonsense will guarantee that you'll remember it.

    Example: "Rape 256 nematode worms with a trash can lid." Take the first letters and numbers and you have a password: "R256NWwaTCL".

    Shocking and nonsensical, you'll never forget it.

    --

    Meldroc, Waster of Electrons
  101. Use a password algorithm! by brandonrhodes · · Score: 1

    Notes

    The following may sound rather difficult or obscure, but I have found with practice that it is a quite reasonable way to generate personal passwords when I have access to a large number of accounts that need separate passwords. I have the following goals:

    • Every one of my passwords should be different. Access to one machine should not give an intruder access to others.
    • Knowledge of one or two passwords should not allow guessing of the others. Remember, you do not know whether or not your friend's copy of ssh has been compromised and is sending your plaintext password somewhere in the Andes.
    • The amount of stuff I have to remember should be linear in the number of accounts I possess. Eight accounts should require no more memory on my part than three.
    The following outlines (only vaguely) the sort of technique I use. I hope it helps others consider how to construct their own passwords.

    A Sample Algorithm

    My technique is to use properties of the system host name and domain as indices into quotes that I have memorized, then use properties of the indexed elements to form the password. If I can remember the quote and the algorithm, then I can get into any of my accounts even if I have not used them for a long time.

    For example, take the following snippet of poetry (which I find easier to memorize than prose):

    Tis not too late to seek a newer world
    Push off, and sitting well in order smite
    The sounding furrows; for my purpose holds
    To sail beyond the sunset, and the baths
    Of all the Western stars, until I die.

    Now define two ways of turning words into password fragments:
    • (#1) The letter alphabetically before the first letter of the word, followed by a digit which is the length of the word minus one. (the=s2, neuter=m5, I=h9)
    • (#2) The letter alphabetically after the last letter of the word, followed by a digit which is ten minus the length of the word. (the=f7, neuter=o4, I=j9)
    And now we can define our password algorithm:
    • Length of machine name -> selects nth word of poem -> through hash #1
    • Length of domain name -> selects nth word from third line of poem -> through hash #2
    • First letter of host name -> selects nth (n=distance from left side of keyboard of letter) word from fifth line of poem -> through hash #1
    So when logging into frodo.shire the password would be s1z8v6.

    Dangers

    The above algorithm is obviously rather weak. The following thoughts should help you develop your own, better algorithm.

    Obviously you should choose an algorithm which makes sense to you and you can remember and implement accurately in your head without scrap paper. This may be difficult at the first try, and it is important to keep in mind that you will not get much practice using the algorithm - you will use it three or four times to log on to each machine you use regularly, then you will start remembering the password out of habit and not use the procedure any more. So you had better make sure you will be able to call the procedure up later when you need to generate a password you have not used for a long time. Keep the following in mind:

    • Key off of host properties that vary considerably between the machines you use. Using host name length is useless if all of the hosts you log in to have names of the same length. Using domain name is useless if all the hosts are in the same domain. You can obviously use other properties, including the name of your account (if that varies between the machines, or you are in charge of several accounts - like your own and the root account), the organization or purpose of the host, and properties like operating system or your opinion of the machine ("fast", "stupid", "slow").
    • Choose an algorithm that produces fairly random characters. The above algorithm is quite bad because it will tend to use common letters rather than uncommon ones, for instance. In your real algorithm also try to work some punctuation in.
    • Make sure you know the quote! Remember the point of the quote is to produce a unique map between facts (letters and lengths) and other letters and lengths that have (apparently) nothing to do with them. In this sense the quote works like a one-time hash - knowing one part of the mapping will not in general help an intruder know another since the words in the quote are not produced algorithmically, but are simply given.
    Anyway, I hope this technique is useful to other people with the same needs I have in the area of password choice.
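
    The sample algorithm above, implemented literally from the two rules and three indices as the post states them (an added example; this is the editor's code, not the poster's). Two details the post leaves open are filled in as labelled assumptions: "distance from the left side of the keyboard" is read as the 1-based column of the letter in its QWERTY row (f = 4, which reproduces the post's s1z8v6), letters wrap around the alphabet at a and z, and a word index beyond the end of a line wraps around too. The last function counts how many distinct passwords the scheme can produce at all, which is the concrete form of the "rather weak" remark under Dangers.

```python
# Added example: the host-name-indexed poem scheme from the post above.
import string

POEM = [
    "Tis not too late to seek a newer world",
    "Push off, and sitting well in order smite",
    "The sounding furrows; for my purpose holds",
    "To sail beyond the sunset, and the baths",
    "Of all the Western stars, until I die.",
]

# Assumption: "distance from the left side of the keyboard" = 1-based column in the
# letter's QWERTY row, so f -> 4 as in the post.
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
LETTERS = string.ascii_lowercase


def words_of(line: str) -> list:
    """Split a line into words with punctuation stripped ('off,' -> 'off')."""
    return [w.strip(string.punctuation) for w in line.split()]


ALL_WORDS = [w for line in POEM for w in words_of(line)]   # 40 words


def nth_word(words: list, n: int) -> str:
    """1-based word selection; wraps if n exceeds the line (assumption, post is silent)."""
    return words[(n - 1) % len(words)]


def shift_letter(ch: str, delta: int) -> str:
    """Letter `delta` places away in the alphabet, wrapping z <-> a (assumption)."""
    return LETTERS[(LETTERS.index(ch.lower()) + delta) % 26]


def hash1(word: str) -> str:
    """Rule #1: letter before the first letter, then (length - 1) as one digit."""
    return shift_letter(word[0], -1) + str((len(word) - 1) % 10)


def hash2(word: str) -> str:
    """Rule #2: letter after the last letter, then (10 - length) as one digit."""
    return shift_letter(word[-1], +1) + str((10 - len(word)) % 10)


def keyboard_column(letter: str) -> int:
    for row in QWERTY_ROWS:
        if letter in row:
            return row.index(letter) + 1
    raise ValueError(f"not a letter key: {letter!r}")


def password_for(host: str, domain: str) -> str:
    """The three indices from the post: host length, domain length, host initial."""
    host, domain = host.lower(), domain.lower()
    frag1 = hash1(nth_word(ALL_WORDS, len(host)))                        # whole poem
    frag2 = hash2(nth_word(words_of(POEM[2]), len(domain)))              # third line
    frag3 = hash1(nth_word(words_of(POEM[4]), keyboard_column(host[0])))  # fifth line
    return frag1 + frag2 + frag3


def scheme_keyspace() -> int:
    """Number of distinct passwords the scheme can ever produce, over every index value.
    Bounded by 40 * 7 * 8 word choices, i.e. about 11 bits however the hosts are named."""
    line3, line5 = words_of(POEM[2]), words_of(POEM[4])
    outputs = {hash1(a) + hash2(b) + hash1(c)
               for a in ALL_WORDS for b in line3 for c in line5}
    return len(outputs)


if __name__ == "__main__":
    print(hash1("the"), hash1("neuter"), hash2("the"), hash2("I"))  # s2 m5 f7 j9
    print(password_for("frodo", "shire"))                           # s1z8v6
    print(scheme_keyspace())
```

    The keyspace count is the point to take away: whatever the host names are, the output is one of at most a couple of thousand six-character strings, so the value of the scheme lies entirely in the attacker not knowing the poem, exactly as the Dangers section says.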
  102. ASCII number codes work. by Anonymous Coward · · Score: 0

    Back with the DOS & Novell accounts from high school, a friend and I picked random characters from the ASCII table, such as the 'border' characters, the pipes and lines. We would then enter these by their ASCII number with the number pad (ALT + NUMBER); no one could look over your shoulder and I could enter the password in a matter of seconds. No feasible password lists could work, as we combined both alphanumerics & extended ASCII.

  103. Good password is most important by PapaZit · · Score: 1

    Carry your passwords in your wallet, on a piece of paper.

    I think that random people on the internet are a far greater threat than the people who have access to my wallet. I generate random passwords and I carry 2 of them with me: one for my account on one of my machines, and another as the password for the encrypted file on that machine that has all of my other passwords. This piece of paper doesn't list the machine or give any hints about what the words are. I have another copy in a desk drawer at home.

    If I lose the paper for any reason, I use my backup copy (if I need it) and change all of my passwords immediately.

    I think that this is far better than coming up with passwords that are easy to remember and using them for months before changing them.

    --
    Forward, retransmit, or republish anything I say here. Just don't misquote me.
  104. Glyph encrypting by Anonymous Coward · · Score: 0

    Write a small text about ANYTHING, but make it so that the first character of every line contains a letter of the password, or something like that.

    And if you want to live on the edge, write an interesting article with the same style and put it on the net.

  105. Forign Languages help by Anonymous Coward · · Score: 0

    Personally I find a word in a foreign language (usually German because I speak it). The word itself would have some relevance to me. I then spell the word with English phonetic patterns, then add capitalization, then add punctuation or special symbols. EXAMPLE:
    Kennenwort == password (in German)
    keninvort == approximate English phonetic spelling
    KeNiNvOrt == adding some capitals
    (let us assume, incorrectly, that 2597 are the last digits in my SS#)
    3K6e0N8iNvOrT == adding my SS# +1 to each digit (9 becomes 0)
    3K6e0N8iNvOrT! == Let's end with a bang...
    thus my password becomes 3K6e0N8iNvOrT! Probably not the first thing someone would try. (Yes, that is a huge password; if I wanted a simpler one I'd use a smaller root word, something like wurst or viel.) If I wanted an even MORE secure password I'd use a language like Portuguese or Navajo (for which I'd need to buy a dictionary).

  106. I make words of letters and numbers: by HaKn5La5H · · Score: 1

    S133739 would be sleeper, etc.

  107. I use them by priority by redhotchil · · Score: 1

    I use my passwords by priority, they are kind of recycled.

    My most recent (and hardest) password is for root on my box. Second is for user accounts and maybe an organizational password. Third is my ISP and crap like hotmail. 4th is all the other junk that I never go to but sign up for anyways.

  108. Random Passwd Blocks by Stochi · · Score: 1

    I wrote a small program called genpwd that will simply output a randomly generated 8x8 block of characters (upper, lower, numeric, symbols) that I can use for password selection. An example:

    dCPt|vHz
    *E6o TzT
    kB\19F^3
    u>49V&t-
    ch{H{mVw
    02n0.f7/
    2fO3b3SL
    +>*?4NEj

    This allows me to select a row, column, diagonal, or some random pattern for my password. Once I've chosen my block and password, I print out the block onto a small piece of paper that I carry with me at all times. If anyone happens to find it, they won't know where to start to guess my password.
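
    A small generator in the style of genpwd, as an added example (the poster's program is not on the page; this is the editor's code). It draws the block from the `secrets` module rather than `random`, since a password generator needs a CSPRNG, and then counts the readings someone who finds the paper and assumes a row, column or diagonal would have to try: 36 for an 8x8 block, the number to weigh against "they won't know where to start". The block from the post is embedded to run the count on.

```python
# Added example: CSPRNG-backed character block in the style of the post's genpwd,
# plus a count of the structured readings (rows, columns, diagonals, both ways)
# that a found printout exposes.
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def gen_block(size: int = 8) -> list:
    """size x size grid of characters chosen uniformly with secrets.choice."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(size)) for _ in range(size)]


def structured_readings(block: list) -> list:
    """Every row, column and both main diagonals, read forwards and backwards."""
    size = len(block)
    lines = list(block)                                                 # rows
    lines += ["".join(row[c] for row in block) for c in range(size)]    # columns
    lines.append("".join(block[i][i] for i in range(size)))             # main diagonal
    lines.append("".join(block[i][size - 1 - i] for i in range(size)))  # anti-diagonal
    return lines + [s[::-1] for s in lines]


def structured_candidates(block: list) -> int:
    """Distinct passwords to try if the owner picked a straight line through the block."""
    return len(set(structured_readings(block)))


def bits(n_candidates: int) -> float:
    """Work factor in bits for a uniform guess among n candidates."""
    return math.log2(n_candidates)


# The 8x8 block printed in the post, reproduced here as test data.
POSTED_BLOCK = [
    "dCPt|vHz",
    "*E6o TzT",
    "kB\\19F^3",
    "u>49V&t-",
    "ch{H{mVw",
    "02n0.f7/",
    "2fO3b3SL",
    "+>*?4NEj",
]

if __name__ == "__main__":
    for row in gen_block():
        print(row)
    print(structured_candidates(POSTED_BLOCK))                      # 36
    print(round(bits(36), 1), round(bits(len(ALPHABET) ** 8), 1))   # ~5.2 vs ~52.4
```

    The contrast between the two bit counts is the design lesson: the characters are as random as the paper-free case (about 52 bits for eight symbols from 94), but a straight-line selection rule collapses the printout to about five bits once the paper is in hand. An irregular path through the grid keeps more of the entropy.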

  109. acronyms by mikeraz · · Score: 1

    I use phrases to generate my passwords. A recent one was lnihags - Last Night I Had A Great Stout, generated after tasting wonderful stout at a new brewpub. Reasonably random, and someone would have to know how I would express whatever piqued my interest at the time I needed a new password.

    Other examples are:

    tst:vda - the summer triangle: vega, deneb, altair for the bright guide stars of summer

    bfsdpe - Beijing Food, Scorpion, Duck, Pig's Ears (scorpion tastes like potato chips, pig's ears like pepper bacon)

    fmtrc2k - Fucking Mazda Transmission Repair Cost $2,000

    --

    There's more to it than this.

  110. Foolproof method by alhaz · · Score: 3

    When I'm putting a password on something I'm not going to use every day, or at least not often enough that I'll remember it, I generally use CD catalog numbers.

    You know, the string of numbers and letters on the label. This has saved my butt many, many times.

    I may forget the exact string of letters, numbers, and non-alpha-numerics. But I always, always remember which CD.

    If I'm home, I can pull it off the shelf. That's easy enough. But here's the cool part.

    If you're away from home, any record store can look it up for you. This has saved me from having to hack into my own systems many times. And when you call a record store at 11:00 in the morning and say "I have a strange request", the lone person managing an empty store in off business hours is generally eager to help, too.

    I don't care if they know the password - they don't know who I am or what I'm unlocking.

    Sure, you could come to my house and take down a list of my entire CD collection, but it would take you a while. I have a lot of music, and I also mix upper and lower case on the letters.

    Of course, if you have a small music collection, or predictable tastes, maybe it's not such a good idea. Personally, 70% of my cds were special-order.

    --
    This is just like television, only you can see much further.
    1. Re:Foolproof method by dist · · Score: 1

      cduniverse.com actually includes these numbers in their album detail pages. Sometimes they're incomplete, but you could just look the album up on that site before you sign up for something so you know the password you use matches their listing.

    2. Re:Foolproof method by ghazban · · Score: 1

      MP3 md5sums? Take the first five letters? Sounds all right to me. Though I'll have to make sure I keep them MP3s, and make sure that I don't change their ID3 tags ;)

  111. I generate my own random ones, then remember them by Drakino · · Score: 1

    I simply open up Notepad, pound out some random stuff, and pick 8 characters out of it. I then retype it a few times, and start to use it. Typically I write down the password on a Post-it to hold onto for the first week I use it. After that it's in memory. (And in a password-protected file on my Palm V / Palm Desktop software just in case.)

    -----

  112. A small notebook in a lock-box by Infonaut · · Score: 1

    Sounds extreme, but if you're serious about passwords, you need to create one that you won't be able to easily remember. At work I've got several servers and various admin passwords to keep track of, so I write them in a small notebook which I then place in a lock-box. I've got one of two keys to the lock-box, and my boss has the other key.

    --
    Read the EFF's Fair Use FAQ
  113. The real difficulty with passwords by Robert+Link · · Score: 1
    In my experience, the real difficulty with passwords is with accounts that you use very infrequently. Sure, we can all use various tricks to remember a dozen or so reasonably secure passwords, and we can rotate them as necessary. But, when you find yourself needing to log into an account that you haven't used in a long time, can you remember reliably whether it was a year ago May or a year ago July that you last accessed it, and can you remember what password you were using at the time? Ok, so you shouldn't keep around accounts that you seldom use, but it's amazing the way accounts tend to linger long after you've forgotten about them.


    -r

  114. Its plain text! :-) by citizenc · · Score: 1

    Its plain text! You can open it on ANY box! just haul the disk around with you!
    ,-----.----...---..--..-....-
    ' CitizenC
    ' "Bug? That's Not A Bug, That's A Feature!"
    `-----.----...---..--..-....-

  115. associate with function by Hard_Code · · Score: 2

    In the previous password poll on Slashdot I revealed that I 'leet my passwords (password -> p4ssw0rd). This is hard to crack and easy to remember. The only thing left now is to associate all the many passwords with the accounts they belong to. Unfortunately I do this by simply making passwords from the services they are associated with (e.g., randomportal.com -> r4nd0mp0rt4l). I guess that's a weak link in my scheme...although the only way to break it would be to actually know my scheme...which I guess I've just given to every Slashdotter :\

    --

    It's 10 PM. Do you know if you're un-American?
    1. Re:associate with function by Legion303 · · Score: 1
      In the previous password poll on Slashdot I revealed that I 'leet my passwords (password -> p4ssw0rd). This is hard to crack and easy to remember. The only thing left now is to associate all the many passwords with the accounts they belong to. Unfortunately I do this by simply making passwords from the services they are associated with (e.g., randomportal.com -> r4nd0mp0rt4l). I guess that's a weak link in my scheme...although the only way to break it would be to actually know my scheme...which I guess I've just given to every Slashdotter :\

      What is "hooters.jpg," and why is it in your home directory?

      Seriously, though, this is not a secure system at all. Several password cracking programs have a switch that will try "L337" combinations of dictionary words.

      -Legion

    2. Re:associate with function by _blueboy · · Score: 1

      I've done that before, but it's pretty easy to crack, isn't it? Especially if you make your Slashdot password "sl4shd0t". And even if I didn't know that, I could just go through a dictionary, adding 4's for all the a's, etc. It would just be like multiplying the dictionary by however many letters can be morphed into numbers...

      i don't know, that's the way I see it.

      --
      pdubroy AT yahoo DOT com
    3. Re:associate with function by Abigail-II · · Score: 1
      In the previous password poll on Slashdot I revealed that I 'leet my passwords (password -> p4ssw0rd). This is hard to crack and easy to remember.

      "Leeting" passwords has been part of crack algorithms for eons, hasn't it?

      -- Abigail

    4. Re:associate with function by goon · · Score: 1
      I use the same idea, it's a good one. Though I question,
      • 'p4ssw0rd'. This is hard to crack and easy to remember.
      ... hard for your human cracker but not for machines... (says in best arrogant imperial starship captain voice before darth crushes skull). I would change that to 'easy to remember non human readable...' making it easier for users to use a password that's not vulnerable to a dictionary attack.
      --
      peterrenshaw ~ Another Scrappy Startup
  116. Shakespeare Makes Good Source by MartinLuther · · Score: 1

    I personally find that the best balance between security and remembering a password is to take the first letter of each word in a phrase. E.g.:

    tbontbhao: To be or not to be, (from) Hamlet, Act 1

    Of course, you can alternate upper and lower case, use digits, etc. to increase the security:

    2bOn2BhA1: To be or not to be, Hamlet, Act 1

    The good thing about Shakespeare as a source for lines is that there are thousands of them, so even if someone knows your method, it doesn't really help, and many of the lines are very easy to remember.

    1. Re:Shakespeare Makes Good Source by Abigail-II · · Score: 1
      The good thing about Shakespeare as a source for lines is that there are thousands of them, so even if someone knows your method, it doesn't really help, and many of the lines are very easy to remember.

      Given your method, it doesn't take more than half an hour to write a Perl program that takes all the works of Shakespeare and adds passwords constructed based on first letters to a crack database. "Thousands of them" doesn't really impress a modern version of crack.

      -- Abigail

  117. Works really well, takes a while to brute force. by Anonymous Coward · · Score: 0

    Throw in numbers, or punctuation, in reverse of the order they appear on the keyboard..

    ouamd)wipwaw(ovaqac*vofl

    for example.

    Also take advantage of the fact that most password entry systems, Scramdisk more than others, allow cursor movement. Enter the "first" few characters, then left-arrow over a bit, enter a few more, smack the End key, and enter the last bit. You'll remember the password easily in its "normal order" and your fingers will soon memorize the movement. But when it's actually in the system, the contents will be hard to guess even for someone that heard you blurt out the password while you were sleeping.

  118. Mnemonics, usually. by Count+Spatula · · Score: 1

    I have used, for example, the first letter of the first name of my immediate family, alternating the caps according to gender, sorted on age. Or, sometimes, I will use the third letter of each name, arranging them in alphabetical order on first letter, or on age, or even on gender/age. It usually generates good, easily rememberable passwords, and someone else would have to know both your method and whole immediate family to guess correctly. If I feel the need to throw a number or symbol in the mix, I put it either after the parents' names or at the midpoint.

    Works for me.

    --
    -- Count Spatula: The Culinary Vampire "...because my cooking sucks."
  119. significant names and dates by ExRex · · Score: 1

    I find that there have been enough people and things in my life associable with certain dates that I can cobble together mathematically random passwords that are memorable.
    F'rinstance:
    A married couple who became close friends. I use their nicknames, init caps, separated by a special character or two and prefixed, or postfixed, with the month/year I first met them. The nicknames tend to avoid dictionary cracking, the non-alphanum characters throw something into the mix and the date adds the numeric difficulty. Yet it is easy for me to remember because it is meaningful to me.
    So, take a pet's name, add to it the year you got it and/or your age at the time, also its favorite treat linked with some special character.
    BlackMax72-12&Snausages
    Effectively random.
    And you can keep an unencrypted file, or just a notebook, that says Server#1 - BlackMax. Yet it will be unlikely that anyone viewing it will be able to crack your password in any short order.
    Codes are always more secure than ciphers.

    --
    The closer you are to the code, the happier you are. - Ancient Geek Proverb
  120. one thought by ancient-mariner · · Score: 1

    old credit card numbers. I remember about 30 of them. Also, random selections from pi out to about the 58th digit.

    --
    Where are my GPFs? I WANT MY GPFS!!
  121. Keychain on MacOS by Kesh · · Score: 1

    MacOS has a nifty answer to this problem: the Keychain. It's a feature built into the system that allows you to store your passwords in a single file, which is then encrypted using a 56-bit cipher (not the strongest, but then again, I don't expect to be raided by the NSA anytime soon. :) ). When a program that supports the Keychain requests a password, the Keychain pops up a dialog box requesting you to type in your master password. Optionally, it will then remind you which program is asking for access to your passwords, just in case you didn't notice which one had, to prevent Trojan Horse requests and such.

    It's extremely convenient, but only a few programs support it right now. More are being updated for compatibility as we speak, but it's great for keeping track of your passwords using one master key.

  122. Keychain by Anonymous Coward · · Score: 0

    MacOS9 Keychain is always a good way to go....

  123. What I do. by antizeus · · Score: 1
    I memorize those few passwords which really matter (unix login, financial stuff, etc), and write the large number of trivial ones (slashdot, irc bots, etc) on index cards.

    --
    -- $SIGNATURE
  124. I'd tell you... by Anonymous Coward · · Score: 0

    ...but then I'd have to kill you :)

  125. business cards are your friend by Anonymous Coward · · Score: 0

    Since I have to keep up with tons of passwords for work, we put them on the back of business cards. Not our business cards, get someone else's cards (say Microsoft), just in case they get stolen the person - if they know what they are doing - may try to hack Microsoft. And put the passwords in this format:
    w.s.r:myPasswOrd
    Where w.s.r is web server root, that way even if the card does fall into the wrong hands, chances are they won't know what they actually have access to.

  126. (Not) My Password Scheme by Phrogz · · Score: 1
    The most important advice I have: if you're going to decide to use a password scheme, think of a good one and decide to use it before you start toying with schemes. I originally came up with a pretty lame scheme, but I now have so many accounts based off of it that it would be hell to attempt to convert them all. I'll likely change over eventually, but my point is that while dealing with legacy computer systems sucks, remembering legacy password schemes (and when and when not to use the old scheme) really sucks!

    If you haven't thought of a password scheme for yourself, here's an example idea. I (don't) use something along the following lines:

    1. Use one or two different usernames. (Perhaps have a general-security username, and a high-security username.)
    2. Pick a word or two as the password base.
    3. Use the URL/Name of the site to encode it.

    For example (truly not my scheme) let's say the base word is "cheeze", and the algorithm is to alphanumerically add (with modulus) the name of the site, postpending the number of letters in the site name. "cheeze" encoded with "slashdot" is:

    cheese
    + slashd
    --------
    = vtfxai8

    The scheme may not be terribly secure, but someone who steals your password to slashdot isn't going to automatically know how you came up with it.

    Disclaimer: I sure ain't a see-curity pro-feshinul. This advice could be really dumb.
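The site-name addition above, written out as code. This is an added example, not the poster's own script; it follows the worked "cheese + slashd" arithmetic exactly (1-indexed letters a=1..z=26, wrap-around past 26, the site name truncated to the base word's length, and the full site-name length appended), and adds the inverse to show the caveat the post glosses over: once the scheme itself is known, one captured password plus the site name gives back the base word.

```python
import string

ALPHABET = string.ascii_lowercase  # index + 1 gives the post's a=1 ... z=26 numbering


def site_encode(base, site):
    """Derive a site-specific password the way the post describes.

    Each letter of the base word is added to the matching letter of the
    site name using 1-indexed alphabet positions (a=1, z=26); sums past 26
    wrap around, so 27 becomes 'a'.  The site name is truncated to the base
    word's length (the post pairs "cheese" with "slashd"), and the length of
    the whole site name is appended as a digit.
    """
    base, site = base.lower(), site.lower()
    out = []
    for b, s in zip(base, site):
        pos = (ALPHABET.index(b) + 1) + (ALPHABET.index(s) + 1)
        out.append(ALPHABET[(pos - 1) % 26])
    return "".join(out) + str(len(site))


def site_decode(derived, site):
    """Recover the base word from one derived password and the site name.

    This is the caveat: the derivation is a fixed, reversible substitution,
    so anyone who learns a single password and guesses the scheme can
    subtract the site name and obtain the base word that every other
    account is built from.
    """
    site = site.lower()
    letters = derived.rstrip(string.digits)  # drop the trailing length digit(s)
    out = []
    for d, s in zip(letters, site):
        pos = (ALPHABET.index(d) + 1) - (ALPHABET.index(s) + 1)
        out.append(ALPHABET[(pos - 1) % 26])
    return "".join(out)


if __name__ == "__main__":
    pw = site_encode("cheese", "slashdot")
    print(pw)                           # vtfxai8, matching the post's example
    print(site_decode(pw, "slashdot"))  # cheese
```

Both functions only accept letters in the base word; a base containing digits or punctuation would need its own rule, which the post does not specify. The trailing digit also leaks the site-name length, which narrows a guess at the site further.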

  127. Use international keyboard by AndyElf · · Score: 1

    Granted, this works only if you know a somewhat obscure, i.e. non-Latin, language. Russian, for instance, works very well. You take a fairly simple phrase in this language and type it on a Qwerty (or Dvorak -- does not really matter) keyboard, using the native language keyboard layout. Say, if you were to use the word "Linux" (Russian would be something like "Linaks"), then a Qwerty keyboard would yield: "Kbyfrc" ("Txfupj" for Dvorak), which, I guess, is cryptic enough for not-too-sensitive stuff.

    --

    --AP
    1. Re:Use international keyboard by Anonymous Coward · · Score: 0

      Yes, I've used that exact same method... typing a Russian phrase on a QWERTY keyboard as if it were a Russian keyboard.

      The bonus is that some Russian letters fall on QWERTY punctuation keys, so you can get [];',. in your passwords.

      But you're vulnerable to dictionary attacks if it's known that you use this method.

      All the best
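The layout trick from the post and its reply, as an added example (not code from either poster). It maps the standard Russian ЙЦУКЕН layout onto the US QWERTY keys in the same physical positions, reproduces the "Linaks" to "Kbyfrc" case, and then makes the reply's caveat concrete: because the mapping is one-to-one, a list of Russian words turns into exactly as many candidate passwords, so the guess space is unchanged. The word list at the bottom is constructed for the demonstration.

```python
# Russian ЙЦУКЕН layout listed row by row, paired with the US QWERTY key that
# sits in the same physical position.  The ";'," and "." keys are why the
# reply notes that some Russian letters land on punctuation.
CYRILLIC_ROWS = "йцукенгшщзхъ" + "фывапролджэ" + "ячсмитьбю"
QWERTY_ROWS   = "qwertyuiop[]" + "asdfghjkl;'" + "zxcvbnm,."
CYR_TO_QWERTY = dict(zip(CYRILLIC_ROWS, QWERTY_ROWS))
QWERTY_TO_CYR = {v: k for k, v in CYR_TO_QWERTY.items()}


def layout_shift(text):
    """Type Cyrillic text while the keyboard is set to the US layout.

    Letters not on the 32 mapped keys (such as ё) pass through unchanged;
    capitals stay capitals when the QWERTY key is itself a letter.
    """
    out = []
    for ch in text:
        key = CYR_TO_QWERTY.get(ch.lower())
        if key is None:
            out.append(ch)
        elif ch.isupper() and key.isalpha():
            out.append(key.upper())
        else:
            out.append(key)
    return "".join(out)


def layout_unshift(text):
    """Inverse mapping: the trick is a fixed substitution, so it reverses."""
    out = []
    for ch in text:
        cyr = QWERTY_TO_CYR.get(ch.lower())
        if cyr is None:
            out.append(ch)
        elif ch.isupper():
            out.append(cyr.upper())
        else:
            out.append(cyr)
    return "".join(out)


def distinct_outputs(words):
    """How many distinct passwords a word list yields after shifting.

    The shift is one-to-one, so this always equals the number of distinct
    words: the layout changes how a password looks, not how many guesses a
    dictionary-based check needs once the method is known.
    """
    return len({layout_shift(w) for w in set(words)})


# Constructed sample word list (not from the page), only to show the count.
SAMPLE_WORDS = ["линакс", "пароль", "компьютер", "клавиатура"]

if __name__ == "__main__":
    print(layout_shift("Линакс"))            # Kbyfrc, as in the post
    print(layout_unshift("Kbyfrc"))          # Линакс
    print(distinct_outputs(SAMPLE_WORDS))    # 4: same size as the word list
```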

  128. Characters from books by Anonymous Coward · · Score: 0

    Especially sci-fi and fantasy books, which should have no shortage of non-dictionary names. Pick a memorable character with a weird name from a book you read when you were about 15.

    For more security, pick a random number and replace the most common letter with that number. It's better to use a non-"1337" replacement - Fr5d5 is better than Fr0d0. Then you just have to remember "Frodo5".

  129. Use Gpasman or Kpasman by Anonymous Coward · · Score: 0

    Use either gpasman:

    GPasman homepage

    or kpasman:

    KPasman homepage

    to keep all your passwords safe and secure. :-)

  130. Simple - spoonerisms! by schon · · Score: 2

    This is the best one I've found so far..

    When creating a password, I take the first word(s) that pops into my head, and then spoonerize it..
    (for those of you who have forgotten third grade English, a spoonerism is a play on words, where syllables are swapped.. for example "start the car" would become "cart the star." "slashdot" could become "dlatsosh", "datslosh")

    Then, all I have to do is remember what I was thinking of when I created the account (pretty simple - if it's non-critical, I just use the name of the site.)

    Oh, for those of you who think I just told you my slashdot password, this is the place I didn't do this :o)

    1. Re:Simple - spoonerisms! by Jimithing+DMB · · Score: 1

      Does your sig and spoonerisms make you a crashdot slackpot?

    2. Re:Simple - spoonerisms! by rlkoppenhaver · · Score: 1

      Perhaps a plashcot dracksot?

  131. I use a house of loci by Anonymous Coward · · Score: 0
    This is a very common memorization technique.


    First, you imagine a house that you know very well, like your house. Then you create a set of locations and a path that goes to them all. Start in bed, go to the john, the toilet, then the shower, then the hallway, then the kitchen, (like you're getting ready for work or something you won't forget)
    Then once you have a "House of Loci" with about 80 locations you imagine the digits of your password each being in one location.


    for example:
    pcj2eme92#slcd9ljd6lwserfmve54
    is a good password
    imagine a "p" in your bed.
    then imagine a c in the john,
    then imagine a j in the toilet.
    etc... You get the idea. Then when you need to remember your password you just walk through your imaginary house in your mind and look at each location. Pretty soon it starts making sense to see a j in the toilet. It usually only takes me 20 minutes to log in and I only screw up about 40% of the time and need to reset my password.

  132. Sort of encrypted... by Anonymous Coward · · Score: 0

    I make a note of the date I created the PW (today would be 111399). Take that number, multiply it by the last 4 of my SS, divide by my age...convert the number to hex, add my initials (in German). Complicated...but then again I have no life :)

    1. Re:Sort of encrypted... by sherms · · Score: 1

      Neither do the rest of us, or we wouldn't be making these comments.

      I usually think of a phrase someone said and take either the first or last letters of each word.

      Sherm

    2. Re:Sort of encrypted... by vkint · · Score: 1

      This is exactly what I do, but also throwing in a few numbers and punctuation marks where they make sense.

  133. make them easy to remember by blkwolf · · Score: 1

    I keep all my passwords in my head, so I try to make them as easy to remember as possible but still somewhat secure.

    For general everyday logins, websites etc I use a two word scheme bound by a character or number. I.e. perl@Palace Kane*epics pyle&hume etc.

    I even wrote up a simple little perl script to generate them for me.

    So far the passwords have withstood various tools like L0phtCrack etc without being compromised.


  134. diverse and quick! by dulles · · Score: 1

    I usually sit around for about 10 minutes trying to think of a sequence that is:
    1. VERY fast to type
    2. Has a lowercase letter, capital letter, number, and misc. character.
    It takes a while. I can't type too many things too fast, and I'm a bit paranoid about shoulder-surfers, so it usually takes me a while to come up with a password I can type in under a second.

  135. Old Gateway Keyboard by Lt.Hawkins · · Score: 1

    One way I found is to use cheat codes from a game, intermingled with non-alphanumeric keys... A post here mentioned converting it to 3l337-speak, which could also be a good idea. It'll still be relatively easy to remember...

    Another method I use helps me remember it, and also helps me be lazy: I have one of the old AnyKey keyboards from Gateway - the ones that are programmable.

    I've programmed in some of my 8+ character passwords to type themselves in if you press a 3-key combo on my keyboard. Not at all very likely to be found accidentally, and very secure... unless someone hacks my keyboard... and if you spend your time hacking keyboards... well... you have less of a life than I do.

    --
    -- My Sig is a P228.
  136. Backwards on my forehead by DoorFrame · · Score: 1

    All you have to do is write your password backwards on your forehead. Since it's backwards, nobody will be able to figure it out. They'll try it, but they'll be wrong because they won't have reversed it. Then all you need to do is look in a mirror. Pure genius.

  137. Reduce the number of passwords by Danh · · Score: 1

    I reduce the number of passwords by using the same password for accounts of the same security level, e.g. a short one for the library, /. and user prefs... a better one for email, web accounts, etc. and a paranoid one for each crypted partition, each admin account, bank account...

  138. Use one password for all accounts by elflord · · Score: 1
    ... or something like that. I keep three passwords at a given time.

    • A password for accounts that require me to submit over an insecure channel ( telnet, internet )
    • A password that is used for all of my user accounts that I get a secure connection to (ssh ). This password is never sent in the clear ( if I need to send it plain text, I change it immediately )
    • The root password for the machine I admin. Only submitted over secure channels

    I tend to rotate them, i.e. root password->user password->insecure password->trash can.

    If I get a new password , I immediately "rehearse" by typing it several times ( or logging in and out ), until it's "burnt into" my fingers. Once it's "burnt in", my fingers remember it even if I don't.

  139. simple but easy to guess by Anonymous Coward · · Score: 0

    A. remember your name
    B. remember a number

    $ echo A | caesar B

    example:

    $ echo joeblo | caesar 10
    tyolvy

    maybe it's easy to guess. I just made it up now.

  140. Re:Whack... I think I have a better idea by vanguard · · Score: 1

    My passwords have a theme. Currently, I'm using radio station call letters and their frequency with a ~ built in. 944~wkjr may be line noise to a cracker but you probably hear it on the radio every day. The ~ forces crackers to use a pretty broad character set during a brute force attack.

    --
    That which does not kill me only makes me whinier
  141. Something similar by Anonymous Coward · · Score: 0

    I use easy to remember words, but I shift my hands a key to the right, or exchange hands, etc to type it. Result is a keyboard encoded password that is easy to remember.

  142. Tattoos by Anonymous Coward · · Score: 0

    So I kinda look like the Enigma.

  143. That's what we do at work... by Anonymous Coward · · Score: 0

    ...I work at lksa2#$%' NO CARRIER

  144. Re:Strip for the Palm Pilot by jeff_C · · Score: 1

    I also use Strip. It's a lifesaver for remembering the 30+ passwords I've got to keep. Otherwise I'd be stuck in the old synch password game.....

    Password for one system expires, pick new password, then go change 10-15 other passwords at the same time. Forget to change one, then need to use that machine, lock your account trying to remember the password you used 3 cycles ago.....

    It was a real pain. Strip is easy and secure.

    jeff_C

  145. Computer model numbers/names. by Anonymous Coward · · Score: 0

    You know, stuff that's right in front of me. Like when I used my C64 supercomputer, erodemmoc was a memorable one...

  146. It'd be easier to remember a password... by Anonymous Coward · · Score: 1

    ..now I just gotta find a girl named 3jrr031 and make her mine.

  147. ot: 'da'? by Anonymous Coward · · Score: 0

    I could never figure it out: what does DA mean in the Mac world?

  148. Umm.. billc? by Anonymous Coward · · Score: 0
    or are you bclinton kinda guys?

    Maybe you're real sick & it's clintobi. No, wait, that's his Star Wars name.

  149. My strategy - 3 "zones" - one password per zone by Anonymous Coward · · Score: 0
    Zone 1 - very secure - banking, Schwab, my own login on my home unix box. Changed often and generated by me closing my eyes and hitting numbers and keys (random even to me).

    Zone 2 - logging in to unix boxes at work.

    Zone 3 - Any non-secure web site (my yahoo, etc.)

  150. Foreign languages by Anonymous Coward · · Score: 0

    My password is currently in Ancient Greek. I tried Latin, but since most Latin words are related to English words, they tend to fail dictionary checkers badly. Transliterated Chinese (esp. Wade-Giles) makes for some good password material as well:)

  151. I use a DES trick by deanthayer · · Score: 1

    I pick some word that I can easily remember, like my name or something. Then I use a 2 line perl script to DES encrypt it, using that same word as the seed. Then I memorize the result (well, the first 8 characters anyway). Then, anytime I forget my password, I just run "pcrypt ", and I've got my password. Of course, this only works if you can log in and run the script somewhere, which means I don't recommend this method to people with only one account. It's a little wacky for some folks, but it's the best way I've found to use passwords like bo1Qz2Hf. I've thought about always using my name as the word to be encrypted and the hostname as the seed, thus having different passwords on each system which I can easily generate from a single word, but maybe that's going too far.

  152. Domain specific scheme by Faed · · Score: 1

    I started using the last 4 characters of a domain name, reversing that, and appending my usual password:

    slashdot.org --> hdot --> todh
    usual passwd --> yo69MO

    becomes todhyo69MO (Not really my slashdot password :-)
    This (or any other consistent scheme) can be very effective and relatively uncrackable - as long as you don't tell anyone your scheme.

    Faed

  153. Yes, patterns is the way to go by Anonymous Coward · · Score: 0

    I memorize my passwd's by using different patterns on the keyboard that make sense to how I type them in. That way they are never connected to any word, phrase or something which can be found in writing. Still...keyboard patterns appear to be very easy to memorize, plus you can make them easy and fast to type. / Andreas

  154. kinda like personalized licence plates by Anonymous Coward · · Score: 0

    use numbers and special characters before or between small (1-5 letter) words to create a simple phrase.

    1. Re:kinda like personalized licence plates by drum · · Score: 1

      I use a similar method, except I take the algorithm farther.

      I have several of these vanity-plate type phrases, in a variety of languages. So, if all else fails, I can just try each of them in succession.

      But that doesn't always work, since I not only have two handfuls of passwords, but two handfuls of UID's. So I make sure that each password has a unique character or series of characters that is non-alphabetic, and I keep a file hidden away that contains a list of the machine name, my UID, and the single non-numeric character in the appropriate password (for each account).

      I don't bother to encrypt the file because I find it unlikely that someone could guess the phrase from looking at a series of non-alphabetic characters, let alone tell the difference between machine names and user names and passwords. Basically, it's encrypted by my own logic and personal knowledge. If I really wanted to encrypt it, I could turn the list into a story. . . :)

  155. palmgear by mattdm · · Score: 2
    One good source for PalmOS software is PalmGear HQ.

    --

  157. Where to find this software... by kuperman · · Score: 2
    For pilot software, I go to Palm Gear HQ. Here are the links for the software I mentioned: I'm pretty sure that the SecureMemo is by CertiCom.
  158. kinda like personalized licence plates by Anonymous Coward · · Score: 0

    use numbers and special characters before, after, or between small (1-5 letter) words to create a simple phrase.
    (DOH, sorry)
    things like;
    2 = too, two
    4 =for, fore
    8 = ate
    @ = at
    & = and
    ! = not
    | = or
    as in
    this|that
    !2long
    party@als
    8mycake
    gone2far
    dont4get
    seeyou@3

  159. It's desk accessory by binarybits · · Score: 1

    In the olden days before Macs did multitasking, there were things called desk accessories. They were located in the Apple menu and could be run in the memory space of other applications -- a sort of poor man's multitasking. As you might imagine, this became kludgy and unnecessary once we got full-fledged multitasking in System 7, (yeah, I know, we still don't have "real" multitasking.) so DA's are not used much now. People will still sometimes refer to any small app that resides in the Apple menu as a DA, even though you can put anything you like there now.

  160. crack defense by joshua_doesnt_know · · Score: 1

    I usually create passwords that I can easily remember, but a cracking program would not guess. I do this by combining letters with numbers, where the numbers are relevant. Something like 411info, or info411 would be easy to remember, but a cracking program usually goes for a dictionary of words and sometimes attaches numbers like 123 or similar.

    _joshua_

  161. How I remember by Anonymous Coward · · Score: 0

    I have one of those scrolling screensavers. I put all my passwords on it, as well as my bank PIN numbers, just so I can remember them. When it flashes by you all day, you get it pretty quickly.

  162. Use PI by Skim123 · · Score: 1

    Choose some random number of consecutive PI digits starting at some random place in PI. At the end of every week, repeat process.

    --

    I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtedly, yes.

    1. Re:Use PI by Abigail-II · · Score: 1
      Choose some random number of consecutive PI digits starting at some random place in PI.

      For UNIX style passwords, that only gives 100M different passwords [1]. It took a Perl script on my computer 89 seconds to crypt 1M passwords. Extrapolating means less than 3 hours to crack your password, given your entry in /etc/passwd or /etc/shadow.

      At the end of every week, repeat process.

      With 168 hours in a week, and on average, less than 1.5 hours to crack your password - that means your account is insecure 99% of the time! ;-)

      [1] Of course, this is only true if you have a big enough file with digits of pi. If you only have 1M digits of Pi, well, then you have at most 1M passwords. Estimated cracking time: 1-2 minutes, depending on the hardware.

      UNIX style passwords are hopelessly insecure.

      -- Abigail

    2. Re:Use PI by Skim123 · · Score: 1
      Of course, this is only true if you have a big enough file with digits of pi. If you only have 1M digits of Pi, well, then you have at most 1M passwords.

      Uh, no. First of all, I have an infinite number of digits from pi to choose from. Furthermore, say I choose to have my password be 10 characters, then there are 10^10 possible passwords, since each character can contain one to ten digits...

      --

      I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtedly, yes.
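Abigail-II's extrapolation above, carried through as an added example (not code from either poster). It computes the keyspace of a digits-only password as a hash function actually sees it, which is the point the two replies talk past each other on: traditional DES-based crypt() only consumes the first 8 characters, so a 10-digit password hashes to one of the same 10^8 values as an 8-digit one, and the quoted rate of 1M crypt() calls in 89 seconds gives the crack-time estimate. The 8-character base64 case is included for contrast.

```python
import math

# Traditional DES-based crypt() ignores every character after the 8th.
CRYPT_SIGNIFICANT_CHARS = 8

# Rate measured in the reply above: 1M crypt() calls in 89 seconds.
POST_RATE = 1_000_000 / 89


def effective_keyspace(length, alphabet_size, significant=CRYPT_SIGNIFICANT_CHARS):
    """Number of distinct hashes a password class can actually produce.

    Only the characters the hash consumes count, so under crypt() a
    10-digit password has the same keyspace as an 8-digit one.
    """
    return alphabet_size ** min(length, significant)


def entropy_bits(keyspace):
    """Equivalent strength in bits of a uniformly chosen password."""
    return math.log2(keyspace)


def hours_to_exhaust(keyspace, hashes_per_second):
    """Worst case: every candidate is tried before the right one turns up."""
    return keyspace / hashes_per_second / 3600.0


def hours_on_average(keyspace, hashes_per_second):
    """Expected case: half the keyspace on average."""
    return hours_to_exhaust(keyspace, hashes_per_second) / 2


def fraction_of_week_exposed(keyspace, hashes_per_second):
    """Share of a 168-hour rotation period that remains after the expected
    crack time has elapsed (the reply's '99% of the time' figure)."""
    return 1 - hours_on_average(keyspace, hashes_per_second) / 168


if __name__ == "__main__":
    cases = [(8, 10, "8 digits"), (10, 10, "10 digits"), (8, 64, "8 base64 chars")]
    for length, alphabet, label in cases:
        ks = effective_keyspace(length, alphabet)
        print(f"{label:15s} keyspace=10^{math.log10(ks):5.1f}  "
              f"bits={entropy_bits(ks):5.1f}  "
              f"hours (worst case)={hours_to_exhaust(ks, POST_RATE):12.1f}")
```

The rate is a 1999 single-machine Perl figure and is only there to reproduce the reply's arithmetic; the structural lesson survives any hardware: a digits-only password truncated to 8 characters is about 26.6 bits, while 8 base64 characters give 48 bits, which is the difference between hours and centuries at the same rate.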

  163. I wrote a program to store them for me. by gpf · · Score: 1

    You can get it here.

    It's not awesome by any means, but it serves my purposes just fine. The source is included, so you can make it way cooler if you want.
    (BTW, it's a java program, so you'll need to get the runtimes for it, IBM released them for Linux, so you have no excuses now).

    Jay,

  164. Finger memory by Rodavlas · · Score: 1
    I don't do this anymore, but I sort of liked this way of getting a new password, especially when you're out of imagination:

    Let your hands drop on the keyboard (once or twice) and look at what comes out. Tweak the "password candidate" a little so it's a little better (l33t or some such), and then start using it.

    I usually also keep a piece of paper with the new password for 2 or 3 days, trying to login as often as possible in order to memorize it faster (practice!).

  165. twonz? by Anonymous Coward · · Score: 0

    There's a program called twonz that looks pretty good for creating passwords. You give it a password (the "pad") in one box, and an obvious string (like "www.hotmail.com") in another. It then uses SHA1 to generate a hash, base64 encodes it, and gives you the result to use as a password. It doesn't store the passwords, so you don't need to worry about protecting a password file (or keeping it updated between several computers). SHA1 is a one-way hash, so it should be pretty secure (one site could not find the password of another site, even if you use the same pad).
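The hash-based generator the post describes, as an added example (not twonz itself, whose exact input format is not on the page; the order pad-then-site with a separator is an assumption). The first function does what the post says: SHA-1 over the pad and the site name, base64 encoded, truncated. The second is an added variant that uses the pad as an HMAC key rather than mixing it into the message, and the third shows the defender's caveat: a single fast hash means that anyone who captures one derived password can guess the pad offline at hash speed, so a slow key-derivation function is the safer shape for the same idea.

```python
import base64
import hashlib
import hmac


def derive_sha1(pad, site, length=12):
    """Stateless site password in the style the post describes.

    Assumption: pad, a NUL separator, then the site name (the page does not
    give twonz's exact layout).  SHA-1 is one-way, so the output for one
    site does not reveal the pad or another site's password.
    """
    digest = hashlib.sha1(f"{pad}\x00{site}".encode()).digest()
    return base64.b64encode(digest).decode()[:length]


def derive_hmac(pad, site, length=12):
    """Added variant: HMAC-SHA1 keyed with the pad over the site name.

    Same one-way property, but the pad is used as a key instead of being
    concatenated into the message, so no separator convention is needed.
    """
    digest = hmac.new(pad.encode(), site.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:length]


def derive_slow(pad, site, length=12, iterations=200_000):
    """Added hardened variant: PBKDF2-HMAC-SHA256 with the site name as salt.

    The iteration count makes each guess at the pad cost as much as
    200,000 hashes, which is what limits offline guessing if one derived
    password is ever captured.  SHA-1 above costs one hash per guess.
    """
    digest = hashlib.pbkdf2_hmac("sha256", pad.encode(), site.encode(), iterations)
    return base64.b64encode(digest).decode()[:length]


def is_base64_text(s):
    """True if every character is in the base64 alphabet (letters, digits, +, /)."""
    return all(c.isalnum() or c in "+/" for c in s)


if __name__ == "__main__":
    for site in ("www.hotmail.com", "slashdot.org"):
        print(site, derive_sha1("correct horse", site), derive_slow("correct horse", site))
```

Whichever variant is used, the pad is the only secret and its strength bounds everything derived from it; the stateless design also means there is no way to rotate one site's password without changing the pad or the site string, which is the usual trade-off against a stored-password file.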

  166. Apple Data Security by Oniros · · Score: 1

    http://arcanum.apple.com/

    Apple has a nice system they had with PowerMail ages ago and that they resurrected with MacOS 9: keychains.
    Basically a keychain is an encrypted file that holds keys, like username/password pairs. If a keychain is open, apps can query it on a per-need basis (and yes, the OS asks for confirmation that app X is allowed to use the keychain each time the app tries to.)
    It's pretty neat.

    Just add some password generator to that and you actually only need to know the password to the keychain (better not lose or compromise that one tho :)

    I wish there was the same kind of system for Linux and PalmOS and that I could synchronize keychains between the various platforms. Would be handy for all the junk passwords.

    Just my $0.02

    Janus

  167. Simple scheme, but for Microsoft by Sentry21 · · Score: 1

    Okay, my scheme is simple, but effective... I just use things that people wouldn't guess, but make them long enough so that you couldn't brute-force them easily.

    Example: qrweoupiyt

    Ten characters long and impossible to guess. Not the most secure, but oh well. Add a number or some punctuation on there (qrweoupiyt5! or qrwe72oupi#yt) just to make brute-forcers have to use everything.

    My problem is sites that assign passwords. I've been assigned passwords like 'smellycamel' (which I changed), or even 348751 (which I couldn't change). Great, a site with only 1M combinations of passwords per account. That has barely more protection than a 'strong' password 3 characters long! Come on!

    Another problem is Microsoft. When I log into their site for whatever reason (download, MSDN, etc), I have to play a guessing game. One of my usernames for one of the services is something like 3216921, the other two, for different things, are 'sentry21'.

    Okay, so I have three accounts. I do remember what the password for my numerical account is, so that's no problem. Then I go to my two 'sentry21' accounts. One has an MS generated password (secureish, like L8sj4Ke), the other is the password of my choosing. Not only do I have to get them to e-mail my password, which I don't know, I have to get them to e-mail me my username! One day, when I was feeling lazy, my inbox ended up with like five e-mails from Microsoft with usernames and passwords.

    I swear, it's insane. Use MSDN and Hotmail, and then whenever you try and get into the MSDN site, someone cracks your hotmail and where are we now?

    Hmm... I wonder what my PGP password is...

    ~Sentry21~

  168. biological and chemical terms. by JungleBoy · · Score: 1

    I usually open a biology or chemistry text, and find a class of molecules or group of animals. I then map a chemical name, such as an amino acid, or a taxonomic name, such as the genus or species, to each of the accounts I have access to. I then bastardize the crap out of the name with mixed caps, and non-alphanumerics. I use different groups of names for root passwords than I do for regular accounts. This way, no one knows where the heck I get my password, nor how I bastardize them.

    I seem to be quite effective, and as a result I can quickly learn and remember chemical and taxonomic names and their spellings. Given the volume of chemical names and biological terms out there I don't see myself running out anytime soon.

    what Fun!
    --
    ...Linux!

    --
    "You never know when some crazed rodent with cold feet might be running loose in your pants."
    -Calvin
  169. What's with all the hard stuff? by Anonymous Coward · · Score: 0

    I just PGP some random text, PGP it again several times, close my eyes and highlight a random portion, and voila! random password. Store in a PGP'd text file.

  170. Um.... by Anonymous Coward · · Score: 0

    What's 31337?

    1. Re:Um.... by Zurk · · Score: 1

      the ph33r term that 31337 h4x0r d00dz use for really k3wl h4x0rs. 31337=Elite in english.

    2. Re:Um.... by Anonymous Coward · · Score: 0

      Everyone ph33rs 31337 p4sw0rd$

    3. Re:Um.... by Disco+Stu · · Score: 1

      As those above me have commented, it means "elite". It refers to a style of writing that "elite hacker doods" (31337 h4x0r d00dz ) use, in which they replace letters with numbers and a few other things.

    4. Re:Um.... by m3000 · · Score: 1

      See the Jargon File

  171. Is it important? by Coward+Anonymous · · Score: 1

    First ask yourself two questions:
    1. is the information your password is protecting really important?
    2. do you really think anyone is bored enough to actually want to break into whatever it is you are protecting? Hackers/crackers have a lot of work to do and I'm not so sure that your shell account is a priority.
    3. is the information you're protecting on your computer?

    If all three answers are false (and this is the case 90% of the time, e.g. hotmail account or countless other web accounts) then make your life easier by keeping this trivial password, along with all the other trivial passwords, in a plaintext file in a convenient place for you to look up.
    If your account/information is on a remote computer then keeping your passwords in plaintext on your home computer will not compromise your security unless someone decides to rummage through your home computer (not very likely if this hacker is sitting 1000 miles away and attacking the server. How would he know to find your computer?).

    If, against all odds, you find that the information is important (secret diary? Swiss bank account? Nude photos of your neighbor and his dog?) invent a password that is easy to remember (try any random jumble of letters and stick in some vowels, for example: ynbsk --> YaniBusek) and use your memory (the gooey kind in between your ears).

  172. Has this ever happened to you? by Mr.P · · Score: 2

    I have this 14-letter (yes, it was originally for NT) password which is entirely random, including the amount of punctuation stuffed into it.

    Now, this isn't the case anymore, but when I finally burned the piece of paper it was written on, I had the exact keystrokes tucked away somewhere in my head, but the actual password itself wasn't there. I could think "type the password" and quickly spin it off but I could not remember the password.

    I've had to tell a few other people, and I always had to type it out into Notepad just to remember it, but I have it completely memorized now (along with 6 or 7 other 8-letter passwords).

    1. Re:Has this ever happened to you? by Ello+Darkstar · · Score: 1

      I, too, have the same "talent" or burden. My first password was so small and simple that to think back upon it now I blush, but I have two long strands of random letters and numbers and punctuation that I can just "type". The only problem I have (and the reason I am responding to your post) is WHAT ABOUT PASSWORDS THAT ARE GIVEN TO YOU, AND YOU CANNOT CHANGE?!?!? I recently had to rely upon the wonders of temp jobs, and I was placed in a facility that requires a password to get into the data entry program. True, the password is relatively easy to remember after a week or so of using it, but every time I sit down to do my work, my fingers itch to use one of my two "chosen" passwords. After a few chastising remarks from the network software, I recall the correct string and type it... Any thoughts on this?

    2. Re:Has this ever happened to you? by hellbunnie · · Score: 1

      Yeah, I do that too. I do it with phone numbers too, which is a bit of a pain in the arse. Whenever someone asks for my number I have to start frantically tapping out a sequence in the air before I can tell them.

    3. Re:Has this ever happened to you? by orangesquid · · Score: 1

      I do that with everything... I'm both a touch-typist and a hunt-and-peck typist. If I've typed a word a number of times before, I can spit it out really fast, but if it's a new word I have to type it out really slow (although I don't actually have to be looking at the keys...)

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
    4. Re:Has this ever happened to you? by Fuhrer · · Score: 1

      Can you believe it? On the topic of phone numbers, I actually dialled my ISP's IP number instead of their phone number. A sign technology has taken over your life.

    5. Re:Has this ever happened to you? by zogzog · · Score: 1

      This is well-known to pianists. My fingers know lots of piano music note-perfectly; but if I try to play those same pieces in my head, or write them in manuscript, I get lost pretty quickly.

      Of course, musical themes could be a good source of raw material for passwords, but you need a way of getting away from using [a..g] all the time.

    6. Re:Has this ever happened to you? by Benley · · Score: 1

      Think of.... say, arpeggios on the computer keyboard maybe? Or as I have seen suggested before, "keyboard blocks" like "1qazxsw23edcvfr45tgb" which are very difficult to crack, and secure unless someone sees you typing it!

  173. The solution exists ! by haggar · · Score: 1

    The solution is to use tools that interoperate and enable you to manage multiple accounts, security, identity and authentication information.
    Novell provides Single Sign On to login to accounts on different systems and applications through the network. Another solution-enabler, for the Internet, is Digitalme. It stores your online identity information and helps you manage your accounts (the e-card is a particularly pretty thingy IMHO). LDAP is another element of the puzzle, and Novell Directory Services knits them all together.
    And I almost forgot to mention: a year ago I tried some Java beans and VB ActiveX controls that connected to NDS, and I could, therefore, create NDS-aware applications. You could, for example, make a simple application that would tell you the number of servers and users in a certain organisational unit. OK, and I am pretty nostalgic because I'm working on totally different projects now, so I kinda miss the neat Novell technology....

    --
    Sigged!
  174. Symbolized Acronyms -- The only way to go by Capt.Pantsless · · Score: 1
    Any Idiot can simply pound away at the keyboard to produce a random alpha-num, the trick is remembering it for several different accounts, and changing it LOTS. I like to use what I call 'symbolized acronyms'. For instance: if your favorite novel is Neal Stephenson's 'Snow Crash' you could 'achronize' the title/author to produce 'NS SC' which, of course, sucks for a password. However, if we then 'symbolize' it: i.e. 'snow' sometime looks like a '*' character, toss in a dash or an underline, and a few other appropriate symbols, we get out: 'NS_*Cr@s'. This can be read as (and remembered as ) (N)eal (S)tephenson's (_) (*)Snow (Cr@s) Crash.

    Scads of titles can be converted in this way. Robert A. Heinlein's 'The Number of the Beast' converts nicely to 'RaH#B'; intersperse a quick 666 to get '6RaH6#B6' etc. etc. ad nauseam. As one can tell, these look awfully like random keyboard pounding, but are much easier to remember. If someone really tries though, one could make a password-cracker specifically for this algorithm, but it would take some serious effort to do.
    --

    "The longer I have been an atheist, the more amazed I am that I ever believed Christian notions." --Dan Barker, "Losing Faith in Faith"

  175. speak friend and enter by Anonymous Coward · · Score: 0

    I take a longish word:

    rohypnol

    change it a little:

    royipno

    add a *weird* character:

    royipn3o

    where 3 is the copyright symbol. I'm on a mac, so it's easy to type. I don't think any brute force attack includes *all* characters. Of course, it just requires a simple perl script to extract the password if you're at the console.

    And on every machine I've ever owned, the account friend/enter has at least connection abilities. Occasionally, someone finds it.

  176. lazy by Kenshiro · · Score: 1

    First, I used to take a common phrase and append a site-specific phrase. Then, I started keeping passwords in an encrypted file, so I could do more random passwords. Then, one weekend, I got bored, so I wrote a little C command line and GTK interface prog to keep (username, site, password) sets encrypted.

    The concept of just remembering passwords doesn't work for me :(

  177. Password creation and maintenance by Anonymous Coward · · Score: 0

    The proper procedure for password creation is: log into a Linux box and do a 'dd if=/dev/random bs=8 count=1 | uuencode -m foo'. If you are creating a password on a UNIX machine that uses crypt(), use the first eight characters. If your password is going to be used in the NetBIOS world (i.e., going to use the LANMAN hash) use seven characters. (Still 42 bits of entropy, don't sneeze.)

    If you are trying to create passwords for a reasonable hash (such as md5 -- you do take the time to turn it on in /etc/pam.d/passwd, don't you?), then you can expand your passwords as follows. Log in and do a 'dd if=/dev/random bs=16 count=1 | od -d'. Use these numbers as indices into /usr/dict/linux.words. (Use vi to count lines, and discard any indices past the end of the file.) Three words will give you about 45 bits of entropy; four words, 60 bits of entropy. I use three . . .

    Now you will need to write these passwords down. But do it properly. Write it on a small card and put it in your wallet. Don't leave it lying around. You will need to memorize it, and then store the card securely, in a safe or safety deposit box. (Get one -- they're only a few bucks a year for the small versions.) You don't want to still have all your passwords in your wallet if you lose it.

    Now, to memorize it, think of silly phrases such that each word in the phrase begins with a corresponding character in your passphrase. Get creative and you'll think of something that won't soon be forgotten. If you are using the second method (words), just use it a few times, and you'll soon think of something. The best place for a backup password is written down and stored in a safety deposit box.

    You can calculate the entropy in passwords thus created as 6 bits/character and passphrases at 15 bits/word. You will want to target about 40 bits for just accessing systems (bandwidth limits the brute force rate) although you might want 128-256 bits if you use these methods for cryptographic keys.

    If you are responsible for a password-accessed system, implement password-failure lockout to really make it tough. Of course, always do the above on a local console to a trusted machine; you don't want your password on the wire. If you are using a one-time-password system, you can precompute several passwords, print them on a single card and keep them in your wallet. (Don't lose it.) If you have a lot of passwords, you will have to store them in an organizer or a small notepad. (If only organizers had built-in RNGs...) Naturally, you'll have to dedicate a pocket to them as you won't be able to leave them anywhere.

    If you get stuck at a bank wanting to choose a random PIN, dig out your stopwatch if it has 1/100 s counting. Flick it on and off, and use the last digit from each trial (it is hard for your hand to be precise to more than 1/10 s, so the last digit will effectively be random if you don't pay attention). You can do it in advance and memorize it if you are paranoid about somebody watching.

    Basically, choose passwords from places that are guaranteed to be random, write them down, and store them carefully (on your person or in a safe -- you wouldn't leave cash lying around either). There is a good RNG in the Linux kernel and in your stopwatch if you're stuck. Have phun.

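    The procedure in the comment above, as an added example in Python (this is editor-supplied code, not something the commenter posted): characters and dictionary words are drawn from the OS random source (the same kernel pool as /dev/random), out-of-range indices are rejected the way the post discards indices past the end of the file, and the entropy figures the post quotes are computed rather than estimated, including how many bits survive a hash that only reads the first 8 characters (traditional crypt()) or 7 (one LANMAN half). The word list is a constructed stand-in for /usr/dict/linux.words; a real list has tens of thousands of entries, which is what the 15 bits/word figure assumes.

```python
import math
import secrets
import string

# Constructed stand-in for /usr/dict/linux.words (a real list has ~45,000 entries).
WORDS = ["anchor", "basalt", "cobalt", "dahlia", "ember", "falcon", "gravel", "harbor",
         "indigo", "juniper", "kestrel", "lantern", "marble", "nectar", "orchid", "pewter"]

# The 64-symbol alphabet that 'uuencode -m' (base64) prints: log2(64) = 6 bits per character.
BASE64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def random_chars(n, alphabet=BASE64_ALPHABET):
    """n characters chosen uniformly from the OS random source (what dd if=/dev/random gives you)."""
    return "".join(alphabet[secrets.randbelow(len(alphabet))] for _ in range(n))


def random_words(k, words=WORDS):
    """k dictionary words chosen by unbiased random index.

    secrets.randbelow rejects draws that fall outside the range, which is the same
    thing as discarding 'od -d' values past the end of the word file by hand.
    """
    return [words[secrets.randbelow(len(words))] for _ in range(k)]


def entropy_bits_chars(n, alphabet_size):
    """Entropy of n independent uniformly chosen characters."""
    return n * math.log2(alphabet_size)


def entropy_bits_words(k, dict_size):
    """Entropy of k independent uniformly chosen words from a dictionary of dict_size."""
    return k * math.log2(dict_size)


def effective_bits(password, alphabet_size, max_len):
    """Bits that survive a hash that looks only at the first max_len characters.

    max_len is 8 for traditional DES crypt() and 7 per half for the LANMAN hash,
    so anything beyond that many characters adds nothing against those hashes.
    """
    return min(len(password), max_len) * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = random_chars(12)
    print(pw, entropy_bits_chars(12, 64), "bits;", effective_bits(pw, 64, 8), "bits under crypt()")
    phrase = random_words(3)
    print(" ".join(phrase), entropy_bits_words(3, 45000), "bits with a 45,000-word list")
```

    The assumption worth checking before trusting the numbers is that each character or word is drawn independently and uniformly; `secrets.randbelow` guarantees that, whereas anything derived from a phrase, a title or a keyboard pattern does not, and its entropy is whatever the attacker's model of your habit says it is.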
  178. Re:My strategey - 3 "zones" - one password per zon by Pascal+Q.+Porcupine · · Score: 3
    My strategy is similar, though I only have two zones - accounts I care about, and accounts I don't. I have a set of 3 or 4 pronounceable-linenoise passwords I cycle through periodically (so far I've yet to have any problem with this); lately every time I cycle back to one, I change one character from a letter to a h4x0r-sp33k letter, though I keep that to letters which have a tactile mapping (e to 3, o to 0) since that also coincidentally makes it so that on my Datahand I just push down the numbershift key.

    Personally, I don't see the need to change them very often. I don't let people see them while I'm typing them (touchtyping has many advantages :) and I usually ssh to other systems. The only ones I don't ssh to are the ones I don't care about anyway (such as slashdot and the various MUCKs I'm on), and for those I just use a common word.
    ---
    "'Is not a quine' is not a quine" is a quine.

  179. Try a password manager by David+Jao · · Score: 1
    A password manager such as gpasman can keep track of all your passwords for you. I find it much easier to remember one long master password than a lot of different passwords.

    Some people might get paranoid at the thought of all their passwords being contained in one file. Gpasman at least uses a publicly known algorithm to encrypt the data, instead of just using a secret formula like most of the Windows programs do.

  180. More password-hashing made easy by OmniGeek · · Score: 1

    Here are two other methods of hashing an easily-remembered password into a hard-to-guess password (I use some or all of these -- script kiddies, just guess which;-)

    The advantages of hashing the password from an easy word are: the "seed" word can be written anywhere in safety (even on the server case!) and dictionary-based password-guessers will fail, as the number of likely hashing functions is very large.

    1) Add an alphabetic offset to an easily-remembered word e.g., "smith" + 1 = "tnjui"; the offset can be 1 letter, 1 keyboard row/column, or a sequence as 1, 2, 3....

    2) Choose a lousy potboiler novel you read in high school (do NOT use current popular books or books you have traceably bought or borrowed from the library -- Big Brother may be watching!). Combine two character or place names by concatenating or interleaving them. Here again, the result is easily remembered (you can write the book title on the server case with relative safety), but essentially unguessable AS LONG AS YOU HASH IT in some undisclosed way. Even a cracker who knows you will find the knowledge of little use...

    Then too, there's the method I currently use...;-)

    --

    "My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
  181. HP-UX hates this by blackwizard · · Score: 1

    Just a comment on the @ symbols -- HP-UX hates these. You can't effectively use #s and @s on HP-UX, and if you do, you might get locked out of your account. This is because HP-UX will treat @ as a character that means "backspace everything off of the login/password prompt", and # as a "backspace" key. So that password in your example would have been blank in HP-UX. =)

  182. Passwords by jgotts · · Score: 1

    All of my passwords are completely random strings. I'm a touch typist, so I learn how my most commonly used passwords feel. Then I throw away the paper they're written on.

  183. I use the same password for everything... (text) by Carrot007 · · Score: 1

    Well maybe variations on it! like repeating it or capitalising a bit or adding a number if the account cries otherwise

    Unsafe. Yeah.

    Any problems yet. No.

    Bwah ha haaaaaa.

    --
    +----------------- | What is the question!
  184. Multilingual: Use an Arabic keyboard by Anonymous Coward · · Score: 0

    One method:

    Since I happen to know Arabic, and have an Arabic keyboard [1], I then remember something easy in Arabic which when typed in an "English" program produces gibberish (i.e. a good password)...

    [1] It does not need to be a true Arabic keyboard; get the little stickies and place them randomly on the KB if needed...

  185. confuse yourself by ZxCv · · Score: 1

    confuse yourself and you've confused others.

    so pick a password that will even take you a week or so to remember. write it down on a small piece of paper and carry it with you till you remember the password.

    using this simple technique, every one of my account passwords looks like complete random garble, yet I remember every one.

    --

    Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
  186. 2 THINGS by NME · · Score: 1

    Password Safe from Counterpane systems,
    and passwords from "common" phrases. "A Screaming Comes Across the Sky..." Becomes ascats. And then you add non alphas to the mix. Yay.

    -nme!

  187. two factor auth. using ikey by Anonymous Coward · · Score: 0

    For those in the windoze world, use an ikey. Thus all I need to remember is a password for the ikey.....

  188. Encrypted file by Anonymous Coward · · Score: 0

    I have an encrypted directory (via cfsd) in which I store files that are for my eyes only. One of the files has a list of all my passwords. Whenever I create a new account, I just add the username/pass/sitename to the list. I like this method, because then I only have to remember 1 password to access them all.

  189. 2 more THINGS by CdotZinger · · Score: 1

    (aside from *Gravity's Rainbow* being a good source of passwords that'll keep kiddies at bay)

    I'd suggest deriving passwords from Things You Know About Yourself That You're Not Likely To Tell Anyone Else -- examples (mostly utterly hypothetical): your favorite song is "Sundown" by Gordon Lightfoot; you voted for Lyndon LaRouche; you have diaper rash from sitting at your terminal for x-squared years; you have a years-long crush on Janeane Garofalo -- so you can remember them easily, but guesswork won't likely crack 'em.

    If you need a couple numbers in there, the circumference of your penis is a good place to start (about 44% of the time).

    Then again, my root password is "etoot," so ignoring my advice might be a good idea.


    --
    Your mouth is like Columbus Day.
  190. My password by Anonymous Coward · · Score: 0

    I like to use mkpasswd! But, when I'm not, it's easy to remember a long word (say cthulhu) and turn it into W@rEz D00Dz talk. Ex, c+Hu1hU

  191. Threesome by Octavian · · Score: 1

    Since I don't like too many passwords to remember, I have a three-password system. I distinguish between (a) my root accounts, (b) accounts where I have a "safe" connection and (c) accounts where the password is going as plaintext over the net (POP3, telnet, ...).

    Works well; I change all of them nonetheless every month or so.

  192. Pro-active p.w. security & recalculable p.w.'s by Anonymous Coward · · Score: 0

    I remember reading an interesting article a year or so back where the authors had implemented something very much like a password-cracker that used typical hacker techniques to try and guess the password you wanted to use. If it guessed your password too quickly, you wouldn't be allowed to use it.

    IIRC, they did some studying to figure out how to pick passwords that would be secure but still memorable; the method they recommended was to compose passwords from a large list of short (3-4 letter) words, plus symbols, numbers and capitals. This makes sense, as it would be easier to remember "cat4@HOG" than "H@t4acOG", but neither one would appear in a reverse dictionary.

    A technique I've used sometimes is to use a conventional word, but subject it to some sort of deformation that I can recalculate any time. For instance, substitute for all vowels the number at the top of the column on the QWERTY keyboard, and capitalize any letter located in the bottom row. The best thing is that you can use the same deformation pattern for all your passwords, so you don't forget the deformation, and then just apply it to simple and memorable words.

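    The two recalculable deformations described in #180 (an alphabetic offset with wraparound, "smith" + 1 = "tnjui") and in the comment above (vowels replaced by the digit at the top of their QWERTY column, bottom-row letters capitalised), as an added Python example written for this page rather than code from either commenter. The mapping for 'a', which has no digit directly above it, is an assumption (taken as the first column, '1'). The last function shows the other side that #174 alludes to: once an attacker guesses the rule family, a dictionary of N words and R candidate rules is only N times R guesses, so the strength of the scheme rests entirely on the rule staying private.

```python
import string

# Digit above each vowel's QWERTY column. 'a' sits under 'q' in the first column,
# so it is mapped to '1' here; that choice is an assumption, not from the comment.
VOWEL_TO_QWERTY_COLUMN = {"a": "1", "e": "3", "i": "8", "o": "9", "u": "7"}
BOTTOM_ROW = set("zxcvbnm")


def shift_letters(word, offset):
    """Alphabetic offset with wraparound, case preserved: shift_letters('smith', 1) == 'tnjui'."""
    out = []
    for ch in word:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + offset) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + offset) % 26 + ord("A")))
        else:
            out.append(ch)  # digits and symbols pass through unchanged
    return "".join(out)


def qwerty_deform(word):
    """Vowels become the digit above their QWERTY column; bottom-row letters are capitalised."""
    out = []
    for ch in word.lower():
        if ch in VOWEL_TO_QWERTY_COLUMN:
            out.append(VOWEL_TO_QWERTY_COLUMN[ch])
        elif ch in BOTTOM_ROW:
            out.append(ch.upper())
        else:
            out.append(ch)
    return "".join(out)


# A small family of candidate rules. An attacker who knows the rule family but
# not the chosen rule only has to try each member.
RULES = {
    "shift+1": lambda w: shift_letters(w, 1),
    "rot13": lambda w: shift_letters(w, 13),
    "qwerty": qwerty_deform,
    "qwerty(shift+1)": lambda w: qwerty_deform(shift_letters(w, 1)),
}


def expand_dictionary(words, rules=RULES):
    """Attacker side: one guess per (word, rule) pair. Cost is len(words) * len(rules)."""
    return [rule(w) for w in words for rule in rules.values()]


if __name__ == "__main__":
    print(shift_letters("smith", 1), qwerty_deform("secret"))
    guesses = expand_dictionary(["secret", "smith", "meg"])
    print(len(guesses), "guesses cover", guesses)
```

    The usage note: `expand_dictionary` over a real word list produces the same kind of mangling-rule wordlist that dictionary crackers ship with, which is why a deformation buys strength only while the rule itself is unguessed.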
  193. Password by host by Anonymous Coward · · Score: 0
    My passwords often begin with a 3-5 character totally random (or meaningless to anyone else) sequence, and the remaining characters are a string that is somehow related to the host I'm logging into.

    Let's say my password root is NaCl, because I happen to be working at a Sodium Chloride producing facility:

    telnet solaris3
    login: me
    Password: NaClsunburn3

    ftp nt5
    login: me
    Password: NaClmssux5

    telnet rh7
    login: me
    Password: NaClRHAT

    This looks a bit on the insecure side, but all passwords shoot into at least 8 characters and even if you do figure out one of them and have the root, you really won't know what the second part of the password is unless you know me REALLY well.

    The root also changes with each "realm" that I am in. For example, my home network might use the root "FREE" because I'm free! And at work, all of my logins might have the root "slave"

    Never had a breakin yet AFAIK.

  194. I know that this is buried.... by Anonymous Coward · · Score: 0

    But I must point out, a very similar topic was on a few weeks ago. Why so many repeats?? Doesn't Slashdot have a method for easily checking the archives?

  195. How I remember my passwords by arikb · · Score: 1

    My "strong" passwords (the ones I care about, root, etc.) are usually acronyms of famous sayings or song titles, garbled to my liking. The not-so-strong passwords are usually composed from IBM acronyms related to mainframes, and believe me, there are plenty of them. It is rumored that IBM has registered trademarks on all 3-letter acronyms, so I just take two and add a digit. The really weak passwords are usually related to web sites, and it is some variation on the site name or address.

  196. Is this really that hard? One PGP disk by Pfhreakaz0id · · Score: 1

    Keep one file on a PGP disk (or just PGP encrypt an individual ascii file) never change this password. Enter all passwords & accounts into this file....

    for the web stuff, unless it's an e-commerce site I enter my card PERMANENTLY into (so I can one-click shop on Amazon, for instance), I just use one login and password. I find that cypherpunks/cypherpunks works for almost everything.

  197. patterns + first letter of website by Anonymous Coward · · Score: 0

    I use the same pattern for most of my passwords. For example, for nytimes.com I use nhytrfv, which starts with n, see. But if I wanted one for gamasutra.com I would start it on g, and go gt543ed. If it was on the far left side, I would 'flip' it to its mirror image, like for slashdot.org I go sw234rf, or for wallstreetjournal, I go wsxcvfr (flipped upside down). (Note this is a sample pattern; my real one is more complex.)

  198. patterns + first letter of website + mirror images by Anonymous Coward · · Score: 0

    I use the same pattern for most of my passwords.... For example, for nytimes.com I use nhytrfv, which starts with n, see. But if I wanted one for gamasutra.com I would start it on g, and go gt543ed. If it was on the far left side, I would 'flip' it to its mirror image, like for slashdot.org I go sw234rf, or for wallstreetjournal, I go wsxcvfr (flipped upside down). (Note this is a sample pattern; my real one is more complex.)

  199. Nonsensical words by Dougie · · Score: 1

    When I ended up in a position where I had to apply passwords to important systems, it became apparent to me that I was going to have to find some way of thinking up a nonsensical password that is not easy to crack, but yet is easy to remember.

    However, when it comes to passwords for boxes that I do not use for some time, I am still at a loss as to how I am going to remember them. I think the only thing I am going to be able to do is something like the PalmPilot. We shall have to see.

    But an example of out of date passwords is...

    h3ll5ang3l5
    r3dh0tbab35
    01nkf3t15h (don't ask me where I thought of that, I was really struggling at this point, had to think of about ten at one time when I implemented some services)
    j3llyb3lly
    j3llyw3lly

    None of these make much sense, and certainly are not common words or phrases, so I could not see a cracker getting them (but then I could be wrong).

    And they are all relatively easy to remember, as they are all words.

    However, for the really secure passwords, it has to be a random string of characters that is pronounceable, and then just add numbers and replace letters. Once you remember the sound you are sorted.

    --
    Doug.
  200. free password software from ZDNet...? by eries · · Score: 1

    If I remember correctly, ZDNet offers a free piece of software for solving just this problem. I'll go see if I can dig up the URL...

  201. Re:free password software from ZDNet... URL by eries · · Score: 1

    Here's the URL:

    http://www.zdnet.com/swlib/hotfiles/password.html

  202. Simpsons and Pi by _ECC_ · · Score: 1

    I use my favorite quotes from the Simpsons, which somehow I can never forget.. if you and your friends have Simpsons quote battles.... then this may be a good idea for you too =]

    so like...
    "The goggles.... they do nothing!" -Wolfcastle
    "TgTdN80" - cause I usually mix case and add on some numbers for good measure


    Also... I've found using certain sequences in Pi working really well

    so like..... 3.1415926535897 (for brevity's sake)... you could use 926535897, and maybe add a letter or two to keep the brute force crackers workin' hard...


    -Ecc

    1. Re:Simpsons and Pi by Lord+Dragon+PiLMaN · · Score: 1

      Hmmm... well, be afraid, be very afraid because I've memorized pi to the seventieth decimal place and intend to go to 1,000 by the end of Q1 2000. . .
      Ahh, pi:
      3.131592653589793238462643383279502884197169399375 1058209749445923078164
      Well that's pi to 70... I could have copied and pasted that, but, why not practice?

      -Lord Dragon al'PiLMaN Dai'Shan

    2. Re:Simpsons and Pi by Anonymous Coward · · Score: 0
      3.131592653589793238462643383279502884197169399375 1058209749445923078164
      Well that's pi to 70... I could have copied and pasted that, but, why not practice?

      I don't know, perhaps for ACCURACY??
      3.14159...

    3. Re:Simpsons and Pi by Lord+Dragon+PiLMaN · · Score: 1

      lol. gotta love my typing skills... don't worry though, i speak better than i type...

      accurate voice recognition is coming. be afraid, be very afraid.

  203. *pasman programs by Anonymous Coward · · Score: 0
    Still another alternative can be found on freshmeat. There is at least one program out there that will keep a list of passwords for you. I think they're stored encrypted, and you only have to remember the one password to open the list. "gpasman" and "kpasman" are two examples...

    I never liked gpasman... So I wrote a WindowMaker dock app that does almost the same thing. Haven't figured out yet if it's legal to give it to anyone outside the US though...

  204. Password Prompter - get it at ZDNet by Anonymous Coward · · Score: 0
    It's a very small Windows based password program that works very well. It's all you need in a password manager.

    Description (that doubles as a dropdown for your saved passwords), username, password (up to 50 characters), hint field, URL (with launching button) and comment field. Also has a password generator for making all kinds of obscure passwords. Remember 1, remember them all.

    Check it out.

  205. dont use english words by Anonymous Coward · · Score: 0

    I just don't use English words. I take a Hebrew word that means something to me and type it out using English letters. Good luck using a dictionary crack, and it just looks like gibberish to most people.

  206. here's an easy way for all your sports fans by Anonymous Coward · · Score: 0

    If you are into sports and can remember players' jersey numbers, this might be a nice solution. (I'm making up jersey numbers here.) E.g. Joe Montana - 17, David Cone - 35; passwd can be jm17dc35. Easy to remember and has both letters and numbers.

  207. Learn a foreign language.... by Anonymous Coward · · Score: 0

    I speak a few languages. All my passwords are common words in French or Hindi.

  208. What I use by twos · · Score: 1

    I must admit, I've had the same password for the majority of my accounts for a few years, although, I do have different password levels. I have one for general access, one for "personal access", and one for "su" access. I presume these passwords are not easy to guess, as I use non-English words, with a splattering of numbers, characters and caps.

    I do like what we used to do to our VMS users that refused to use "good" passwords. We would set the system to issue auto-generated 32 character passwords with an expire time of 23 hours. Being god was good :)

    --
    Phear The Phat Penguin
  209. By how easy they are to type. by fallout · · Score: 1

    I find strings of random characters that I can type really really fast. For instance:

    jfoels -- each key is on opp. side of keyboard.

    How do I remember it? muscle memory. I know this probably isn't the greatest way, but it works. I HONESTLY couldn't recite my ATM code for the first month or two that I had it, but I could type the code in really fast because my fingers remembered how to do it.. How's *that* for secure?! :)

    -Mike
    ---------------------------------------

  210. My tricks: by ph43drus · · Score: 2
    As far as memorization tricks are concerned, I find that straight memorization of the characters is foolish. It is much easier to remember a phrase and what you did to it. Here's a good example:

    first: take a phrase, say:
    "I love Meg"
    This is one that I can fondly remember.

    second: misspell things:
    "ey lav Meg"

    third: truncate, abbreviate and shorten: "eylavm"

    fourth: mess with the caps and characters: "eyLaVM"

    There, you have a rather strong password, and all you need to remember is that you love Meg (which I do, I stopped using the password because I had to tell her what I'd done... ;).

    Any way, it is a pretty simple hash, and you can use phrases as long as you like, anywhere from 2 words on up. All it needs to be is something you can remember.

    For those stupid numbers (social security, bank accounts, etc), I have a little business card in my wallet which I write them on. Now, the first nine characters of every number is formatted to look like an SSN, and then when I have shorter numbers to remember, I tack them onto the end, so they don't really follow any format a person could recognize. I can pick out which numbers are what, but that's because I know where I wrote them.

    I hope that helps, but I also know that I have a pretty impressive long term memory, so what seems simple to me...

    Jeff

  211. Why have multiple passwords at all? by idan · · Score: 1

    IMHO, the best way to remember lots of passwords is to synchronize them. First, you select a hard to guess value. Select 2 or 3 if you access some systems that you are afraid might be compromised (e.g., local servers vs. public WWW sites). Then, apply that password to every account you have. Voila - you don't have to remember a million passwords.


    With this in mind, we make / sell a commercial package for synchronizing passwords: http://www.psynch.com


    -- Idan


  212. on a quake server... by Barbarian · · Score: 1

    Better password spectator mode too (needpass 3), or someone can login as spectator, run "users", type "user x", where x is your username, and get the password...

  213. Better yet, reduce them...less to remember. by Christopher+Cashell · · Score: 1

    Better yet, reduce the number of passwords that you have to remember.

    I've found that about 85% or more of the passwords I need to remember are login passwords. So, in an effort to cut that down, I began using the RSA authentication available with Secure Shell. This lets me use the same password (passphrase, actually) to access all of them, while also allowing me a very quick and easy way of changing my password, and the increased security that comes with requiring my private ssh identity along with my password.

    --
    Topher
  214. RE: Remembering Passwords. by Anonymous Coward · · Score: 0

    I think of a phrase that I will remember. Usually has something to do with sex. Then I use what I call alpha-numeric phonics to create a password from that phrase. Example: (Cleaned up for mixed audience) "You are a cutie!" becomes Uraqt! or Death to Gates! becomes Death2g8s! Not me

  215. Depends on protected information... by Flu · · Score: 1
    I have a couple of standard passwords that I use (password, john_doe, xzyqyz-type of passwords, mainly), depending on how much I trust the service that protects my information, and the information stored there.

    Generally, when the service asks me to alter the password, I change one or several positions of the password (most often enough to fool the password change check-if-not-too-similar algorithm) in a way that is obvious to me, but not to anyone else, since there is no natural pattern involved.

    Even if some passwords more or less by accident may look like a correct word in one or several well-known languages, most don't - not in English, French, German or my native (Swedish) language. The reason is that I try to misspell or alter the spelling of words into something completely unrecognizable.

    /Fredrik

  216. Mnemonics that WORK... by Jurph · · Score: 2

    I change my major account passwds weekly; one week I needed to know the seven wonders of the world, so for the first week I used

    gwcgptoz3wow
    (Great Wall of China, Great Pyramid, Temple Of Zeus, 3 Wonders Of the World)

    then I had to know a torsion formula for engineering:

    theta_PLoverAE (theta = PL/AE)

    onward to a new friend I met and whose birthday I needed to remember:

    erica16june79

    That way, after logging into my account for a week, I know my password and a useful fact. When I realize that I no longer recite the mnemonic to myself each time I login, I know it's time to change over.

    --Jurph

  217. I hope w3/.org isn't really the password by J.+J.+Ramsey · · Score: 1

    I'd hate to think that you'd have to find yourself needing to change the password because you gave it away on Slashdot.


  218. My 200LX by Anonymous Coward · · Score: 0

    I keep my passwords as well as TONS of other stuff in my PDA of choice... a password protected HP 200LX. What an excellent little machine that is! Steve

  219. my strategy by miahrogers · · Score: 1

    Take a random alpha code like "kynk" (no vowels mind you). Then add in vowels to make it "keynok", then add some numbers to it: "keynok894". I find that to be rather secure; also, by making it pronounceable it makes it much easier to remember.

    matisse:~$ cat .sig

  220. Pretty Simple Method by randombit · · Score: 2

    Basically, I choose a phrase or common theme (like a musical group I like, etc) and then take the first letter or two of each word, then 37337-1z3 it. This can generate nice long passwords if you need them, for instance, my PGP key is encrypted with an 18 character long phrase based on a musical group, using such obscure things that it would be rather hard for someone to guess.

    Also, using pseudo-Perl code generates instant line noise passwords, and as long as you're up on your Perl, everything is easy to remember. For instance (this one is easy, but you get the idea):

    my=~s/$p4ss/@w0rd/g;

    It doesn't make sense, but that's ok.

  221. Character substitutions in other alphabets by Anonymous Coward · · Score: 0
    Here's an idea: The Russian "z" looks very much like a "3", iirc. Their lower-case "t" looks much like an "m", apparently. Their "N" is identical with our "H". Add "x" as a sub. for "ch" (or "sh"), and a few more (Gujarati has a letter that looks very much like a "2") and you can replace quite a few letters of a plain word. Disadvantage is that you need to be a student of foreign writing systems (get a Unicode manual!).

    One of these days, I'll compose a message that uses these char. subs. and post it to a cracker BBS, and see what happens.

  222. A related method (Dvorak layout) by Anonymous Coward · · Score: 0

    One password I have is made with such patterns as "4py67gc9" on a Dvorak keyboard. This looks pretty arbitrary on a QWERTY, but is a simple Dvorak pattern, where the top row is ',.pyfgcrl/= (on mine). Other variants are simple diagonals such as bhc9, kif7, qep5, etc. Throw in a few random case shifts, and you have something you might well be able to memorize, yet is rather secure.

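    The "keyboard blocks" suggested at the top of this section (1qazxsw23edcvfr45tgb), the first-letter patterns in #197/#198 and the Dvorak patterns in the comment above are all walks between physically adjacent keys. This added Python example (written for this page, not posted by any of the commenters) models the keyboard as a grid, checks whether a candidate is such a walk, and counts how many walks of a given length exist, which is the size of the list a pattern-aware cracker would try. The grid is a constructed, unstaggered approximation of QWERTY with only left/right/up/down adjacency; a Dvorak user would substitute the Dvorak rows.

```python
import math

# Constructed grid approximation of QWERTY (stagger ignored). Replace the rows with
# a Dvorak layout (top letter row ',.pyfgcrl' as in the comment above) to model that.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def build_neighbours(rows):
    """Map each key to the keys directly left, right, above and below it."""
    pos = {key: (r, c) for r, row in enumerate(rows) for c, key in enumerate(row)}
    neigh = {}
    for key, (r, c) in pos.items():
        neigh[key] = []
        for dr, dc in ((0, 1), (0, -1), (1, 0), (-1, 0)):
            rr, cc = r + dr, c + dc
            if 0 <= rr < len(rows) and 0 <= cc < len(rows[rr]):
                neigh[key].append(rows[rr][cc])
    return neigh


def is_keyboard_walk(candidate, rows=QWERTY_ROWS):
    """True when every key in candidate is adjacent to the one before it."""
    neigh = build_neighbours(rows)
    if not candidate or any(k not in neigh for k in candidate):
        return False
    return all(b in neigh[a] for a, b in zip(candidate, candidate[1:]))


def count_walks(length, rows=QWERTY_ROWS):
    """Number of adjacency walks of the given length, by dynamic programming.

    Adjacency is symmetric, so the walks ending at k of length n are the sum over
    k's neighbours of the walks of length n-1 ending there.
    """
    neigh = build_neighbours(rows)
    ending_at = {k: 1 for k in neigh}  # walks of length 1: each key by itself
    for _ in range(length - 1):
        ending_at = {k: sum(ending_at[p] for p in neigh[k]) for k in neigh}
    return sum(ending_at.values())


def walks(length, rows=QWERTY_ROWS):
    """Enumerate every walk of the given length: the candidate list a cracker would try."""
    neigh = build_neighbours(rows)

    def extend(prefix):
        if len(prefix) == length:
            yield prefix
            return
        for nxt in neigh[prefix[-1]]:
            yield from extend(prefix + nxt)

    for start in neigh:
        yield from extend(start)


def walk_bits(length, rows=QWERTY_ROWS):
    """log2 of the walk count: the effective search space in bits."""
    return math.log2(count_walks(length, rows))


if __name__ == "__main__":
    print(is_keyboard_walk("1qazxsw23edcvfr45tgb"))
    print(count_walks(8), "walks of length 8 =", round(walk_bits(8), 1), "bits,",
          "versus", 8 * math.log2(64), "bits for 8 random base64 characters")
```

    Design note: `count_walks` allows a walk to reverse onto the key it just left, so it is an upper bound on the pattern space; excluding immediate backtracking makes the count smaller, not larger.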
  223. tattoo by mmmmbeer · · Score: 1

    I have my passwords tattooed on my forehead. Before you go saying that's a stupid idea, let me explain. I have them written backwards, so that other people can't read them. Then, when I sit in front of the computer, I can read them in my reflection in the monitor.

    Almost sounds like it could be true, doesn't it?

  224. Segmentation: identifier + zone based sequence by spid · · Score: 1

    I generally use a different password for each website, system, and device I have access to. I manage this by segmenting the password for each into 2 chunks. The first is a 2 letter abbreviation of the site/computer/etc. So yahoo, for example, would be 'yh'. To this I'll then append a standardized sequence of 4 semi-random characters, say S7m3. The password for yahoo would then be yhS7m3. Furthermore, I'll use a different semi-random sequence for each of three zones:

    1. Public, untrusted websites
    2. Private, trusted 3rd party systems
    3. Personal workstation and systems

    This seems to be pretty secure, and allows me to easily come up with the password for a given system knowing its abbreviation and zone...

  225. Palms by krital · · Score: 1

    I keep my passwords to things on my Palm Pilot. Not the most secure method, granted, but it's secure from being h4x0r3d and it's easily accessible.

    --
    -- K
  226. MD5 it up by Anonymous Coward · · Score: 0

    Remember a decently easy password like "WooPie19", then md5sum it, and cut and paste the result as your password.
    The cracker would end up cracking a long and hard to crack password (md5sum outputs a 128-bit string), not your easy "WooPie19". Of course he could think of it, and prehash in MD5 a lot of passwords before cracking them against the passwd file, but well, MD5 is a lot slower than crypt() and he still has to think about it.

  227. Re:My strategey - 3 "zones" - one password per zon by whoseon3rd · · Score: 1

    Sounds like something I do, except I have 4 levels, with the top (hardest to break I hope!) being foe my ISP, online banking, down to some BS websites that ask for it.

  228. Change it relative to current events in your life by Cyric · · Score: 1

    They don't have to be overly complicated. Some of my favorites have been to take short sayings from games I'm playing (Zub_Zug from WCII, for example), and combinations of abbreviations of games I'm playing. Take the game Thief (I played this some time ago). Shorten the entire title to TtDP (Thief, the Dark Project), and append another game's title: TtDP_98_MaMIV (Thief, 1998, Might and Magic 6).

    -Doug

    --
    Winners tell stories while losers yell deal.
  229. Hard, but it works by Anonymous Coward · · Score: 0

    Well, all my passwords are just random numbers and letters, no rhyme or reason. They don't mean anything, not even to me. Needless to say, it's a bit hard to memorise. I recommend writing the password down, then saying it 20-40 times, then typing it in a word processor 20-40 times. After doing this, it should stick with you, no matter how wacky it is.

  230. Finger drumming by Anonymous Coward · · Score: 0

    Try drumming out a pattern. Place your fingers somewhere on the keyboard (change this start location for different passwords) and drum out a rhythm with both hands. One example pattern is (L=left, R=right, M=middle finger, I=index finger):

    LM, RM-RI, LI, RM-RI, (shift fingers up a row, repeat)

    and one (weak) instance of this pattern is:

    qpowpo109209

    I've used a few different patterns like this and they're (usually) easy to remember and incredibly fast to type - it makes keyboard-surfing my password beyond the skills of the average bystander. It's also a plus that they look like line noise.
    The problem with this scheme is that I actually don't KNOW my passwords - they're pure muscle memory so I always need both hands free to log in. Also, if I ever lose an arm I'm locked out of all my accounts...

    1. Re:Finger drumming by SamIIs · · Score: 2

      Also, if I ever lose an arm I'm locked out of all my accounts...

      I usually use the front of my cranium to bash passwords into the keyboard. I figure, if I lose the front of my brain, I can do without being able to login to /.

  231. Just random ones... by splice42 · · Score: 1

    My preferred way to remember passwords is through their use. For all my important passwords, I just randomly type letters and numbers until I have 8 to 12 characters, then capitalize some of the letters. Just jot down the password on a piece of paper that you'll keep with you, and keep it until you remember the password without help (takes me maybe a week). Burn the paper afterwards.

    This ensures that you have a password no one can guess, and that would only be cracked through brute force after a few days/weeks of work (unless you don't burn the paper and someone finds it, that is). I also noticed that with this method, I tend to remember passwords a lot longer than if the password was somehow related to the machine I use it to login to. I still remember my first password made that way, from about 5 years ago for my first ISP (it was "fOe9Gm3C", but I never used it again).

  232. Use cryptograms by gatekeeper-eu · · Score: 2

    Firstly keep the number to a minimum - for a minimum password length of 8 characters, 8 passwords is about the maximum users can cope with using this system. Users are required to think of a quotation, poem, a passage from a play, etc. which they ALREADY remember. Security administrators produce a card for each 'work-group', one per user. The card has the letters of the alphabet printed in any order, even random, in one column or line and a random selection of keyboard characters in a parallel line or column. Cards are replaced at 6 month intervals with a new combination of characters. The user simply spells out the remembered 'key' to themselves, one letter at a time, with the card to hand, looks at the alphabetic column/line and selects the corresponding code character for entry. When the card is kept 'private' this method of remembering passwords is far more resistant to cryptographic techniques than the machine on which it is being used. The habit of some users sticking the card on their VDU/terminal - "in case I lose it" - should be discouraged; this makes the system vulnerable to cryptographic techniques. Losing a card is no big deal anyway, as co-workers in the same 'group' have an identical card which may be borrowed to log in. Lost cards should of course initiate the replacement of all cards for the 'work-group'.

  233. Re:My strategey - 3 "zones" - one password per zon by Fuhrer · · Score: 1

    Me too. All of my zones have random alphanumeric passwords, but I only have 2 sites including my ISP where I use Zone 1 passwords, down to probably about 50 where I use my Zone 3 password

  234. Re:My strategey - 3 "zones" - one password per zon by Steepe · · Score: 2

    I do pretty much the same thing. I use a random character generator to kick out a few passwords, pick the hardest one for stuff that matters.. Boxes only I have root on, etc. Then I use the next hardest one for boxes someone may need root on at some point, then I use the next for personal accounts I care about, then I use the name of the week with a number or two thrown in for sites I could care less about. Once every couple of months I kick out some new passwords and change them all and voilà. I have also figured out with the random garbage my passwords are, if someone needs root and I give it to them, they don't remember it the next day and have to ask again.

    --
    Just three more hours seapeople and you can finally take me away from this crappy God Damned planet full of hippies
  235. Cool way not to Remember by Skyfox60 · · Score: 1

    I got one of those Timex watches that has some nifty memory for phone numbers... hmm, that's where all of my weird unmemorizable passwords go until I use them so much that they type themselves. I never take the watch off so it gets all sorts of combinations on it also. It does require you to input the info into the comp before it is transferred to the phone directory on the watch. However I can store ten entries by changing the string of the different alarms (yes it has ten programmable alarms). Never have to memorize anything again. Reading the name off of the watch... Timex Data-Link Ironman Triathlon. $60 some time ago... extra... does numbers, letters and some symbols... getting off topic, ah what the heck, I swim with it also. Can't lose it like a note on paper... I recommend it... Anyone else use one?

  236. Database by Sanat · · Score: 1

    I use a small database that is encrypted. The program works similarly to "Password Pal" that is used on Windows. This allows me to easily move from system to system and still have my 30+ passwords. For the Windows systems that I am forced to work upon I do use Password Pal, which is a free software package (or was, it may be shareware now).

    --
    And in the end, the love you take is equal to the love you make
  237. Almost a good idea... by Anonymous Coward · · Score: 0

    The picture part is clean enough... but it seems that you might want to apply further encryption to your method of stacking the binary keys encoding your picture... simply collecting from left to right, top down may yield an arrangement which would be more susceptible to a forceful attempt than say starting in the middle of the keyboard and describing the picture as built in an extending spiral in a particular direction or something more inventive like say your picture is a happy face... well use "happy" to encode the picture by first encoding all keys immediately adjacent to "h" in a clock-wise (or not) manner and then "a" etc... until "y" and then tack the remaining keys that weren't yet encoded onto the beginning or end (or middle or first third etc.) of the string you have so far... I'm just going wild with all the silly strange schemes you could come up with here but it all is worthless if someone leaks the password or is filmed or Van Ecked or something else ... nothing's really secure... Sometimes it just seems like it is. TTFN & Shalom. -PipTigger

  238. Passwords. by kezdeth · · Score: 1

    Well, I need to keep track of 28 different passwords for various machines, so my practice is to keep this info contained in a file on an electronic organiser (that has yet another password!) I have never shared the organiser password with anyone, nor do I allow anyone to handle the thing, so that is the one password that I never change. Any time I update a password elsewhere I update the organiser, and I am good to go. I realise there must be more secure methods, but what the hell, it works for me.

    --
    Kez
  239. It all matters WHERE you store them! by Lally+Singh · · Score: 1
    I make completely unrecognizable, unreadable passwords that my muscles remember. The typical problem with that is you have to write them down for a bit to remember.

    So, that asks the question, where do you write the passwords? The one place only YOU would look... that's right, on the underside of your balls! Take a small mirror (usually a girlfriend's compact works well :-), and write the password down in reverse. Every time you have to look up the password, unzip, insert the mirror, and look for yourself! Unless you have issues with your wife, mistress, or favorite paid escort, your data is secure :-)

    --
    Insanity Takes Its Toll. Please Have Exact Change

    --
    Care about electronic freedom? Consider donating to the EFF!
  240. My stupid method by dxkelly · · Score: 1

    This is a little embarrassing to say but I've been keeping a passwd.wps file on my winblows box. :-) No one has access to the box but myself, but I just now deleted it anyway since I only have two passwords to remember currently.

  241. Crypt() The ultimate solution by Bruj0 · · Score: 1

    Well, I had the same problem, so I was thinking what about the func crypt()? It does give you the same string if the same SALT and TEST is given,
    so I made this really cool proggy:

    The GateKeeper
    Salt (0-99): 9
    Test (0-8): mipass

    the password is: C996nht8lq

    So, the thing here is that you just REMEMBER ONE number for all the PASSWORDS, and you don't have to remember the pass for foo like "C996nht8lq" BUT
    like "mipass", see my point? later

    Bruj0. any other ideas plz send to bruj0@phreaker.net

    --
    http://securityportal.com.ar
  242. Easy way to remember passwords by ixion · · Score: 1

    Hi!

    I take info about the box, say the hostname is apple and the owner / sysadmin of the box's name is Peter, I'll use something like

    "peter box" or "applebox -> peter". Of course the idea is to use short names so you can throw as much stuff in between the first 8 characters (which is what matters).

    I also usually take useful numbers e.g. my PIN numbers, ID number, Student number, etc., shuffle them and use them as well, and I replace some of the letters with obvious stuff, e.g.

    "5p0e1t3r" See, I mixed peter with 5013 which comes from my ID number, now I replace the E's with 3's and make the first and last letter capitals. Also if there were spaces left, I would've added punct's (e.g. ^&*)*(, etc.) It's always easy to remember if you can visualize it and if it's symmetrical e.g.

    ")**(" or "%%HAHA%% (:"

    I find it very useful to always use the info about the box on which the password is and the account as a starting point, and I tend to standardize on which way I do substitutions and keep the subset small. That way, I never forget the passwords and even if I do, I can guess it with minimal effort.

    Hope this helps...

  243. Passwords by KimmBadd · · Score: 1

    I have eight passwords that I change every four weeks. I use George Carlin's "the 7 words you can't say on television" plus one of my own, and I rotate them.

    --
    I have a big bag full of two cents and I'm coming your way.
  244. PW Storage by NeuralAbyss · · Score: 1

    I encrypt my passwords (multi-pass twofish, blowfish and rc6) in a self-developed proggie (dozeCrypt)

  245. My strategy - silliness + moving hands + zones by Anonymous Coward · · Score: 0

    I use word play, then shift my hands. I have a different password for each of my 6 zones. I change my passwords when my computer reminds me that today is a certain day type. Each zone has its type (public holidays, anniversaries, birthdays, useless holidays, financial quarters: stuff which I have set to be reminded of by my computer).

    Word Play:
    Start with a word: generosity
    Modify it: jean ore city

    Shift Hands:
    -Shift one key up and to the right: i4wj054f967
    -Use shift key for the first letter of any sub words (Jean Ore City) I4wj)54F967

    After three uses, it's easy to remember. The words I use to "word play" are referenced in some way in my environment. I spent one year using the "wedding anniversary gift" registry at the back of my diary. Who the heck needs to know that linen is the perfect gift for a 15th wedding anniversary???
    NOTE: It works in large corporate environments as well (once you explain the method in the madness).

  246. reminders by orz · · Score: 1

    I keep a text file around that contains vague descriptions of all my passwords. Things I can remember them from that wouldn't be very useful to anyone else, like "a *judicious* injection of ____ ; a mountain". Unfortunately, I don't have a PDA, so I often don't have access to that file... so for some of my less important accounts I share passwords and/or use simple permutations to make things easier to remember. Insecure, but for a hotmail account who cares?

  247. Re:My strategey - 3 "zones" - one password per zon by Corrado · · Score: 1

    Yup, that's kinda what I do. I have a couple of important passwords (work, Linux boxen at home, etc.) that are unique. But most of the passwords I use are just throw away. I use them to download trial software or read news articles. Fluff.

    Later...

    --
    KangarooBox - We make IT simple!
  248. Palm Revolutionised my password policy by waz · · Score: 1

    I used to have about three or four 'favourite' passwords that I'd use and rotate about accounts, slightly modifying it each use. Now I have a Palm Pilot running Cryptinfo, I can make up totally varied passwords any time, as I know they are securely stored. My favourites are now used to secure Cryptinfo. As my Palm rarely ever leaves my side, I can feel safe about my password repository, and know that all my accounts are using original passwords. Oh, and if you ever get the chance to change a friend's password, change it to 'obvious'. Hours of fun can be had. 'Come on, what's my password?' 'Look, I told you it's obvious...!'

  249. Physical constants and/or functions as passwds by tapir · · Score: 1

    I used to use very simple passwords like my name followed by a number and I would change that number. Problem was I became predictable with the choice of numbers. So I had to come up with a new strategy...
    For those of you who know LaTeX and some physics, $y=\over{1}{2}gt^2$ makes a nice password.

  250. A little trick. by Abigail-II · · Score: 1

    Here's a little trick that will allow you to store all your
    passwords in a plain text file, or a piece of paper. For
    the sake of the explanation, assume passwords consist of
    numbers (but it generalizes to any alphabet). Start with a
    table like below:

    X|0 1 2 3 4 5 6 7 8 9
    -+-------------------
    0|0 1 2 3 4 5 6 7 8 9
    1|1 2 3 4 5 6 7 8 9 0
    2|2 3 4 5 6 7 8 9 0 1
    3|3 4 5 6 7 8 9 0 1 2
    4|4 5 6 7 8 9 0 1 2 3
    5|5 6 7 8 9 0 1 2 3 4
    6|6 7 8 9 0 1 2 3 4 5
    7|7 8 9 0 1 2 3 4 5 6
    8|8 9 0 1 2 3 4 5 6 7
    9|9 0 1 2 3 4 5 6 7 8

    Pick a secret key, as long as your password(s). This is the
    only key you need to remember and keep a secret. Say, your
    secret key is "14769134". Now you have a new password, say
    "34987629". Encrypt this using the key on a digit by digit
    basis, by using both digits as an index in the table, and
    writing down the value. So, 1+3 -> 4, 4+4 -> 8, 7+9 -> 6,
    etc. Or:

    Password:  34987629
    Key:       14769134
               -------- +
    Encrypted: 48646753

    Write down "48646753" on a piece of paper and stick it on your
    monitor.

    Decryption is as follows: this goes on a digit by digit basis
    as well. The first digit of the key is `1', the first digit of
    the encrypted password is `4'. Look in the column marked `1',
    drop till you hit `4', then go left. This gives `3'. Etc, or:

    Encrypted: 48646753
    Key:       14769134
               -------- -
    Password:  34987629

    Alternatively, find the inverse of the key ("96341976") and use
    the encryption algorithm to decrypt it.

    You can encrypt as many passwords you want this way, all encrypted
    using the same key. This remarkably simple algorithm can easily be done
    by hand; print out the conversion table and encrypted passwords,
    decrypt letter by letter, and type the decrypted letters in as you
    decrypt them.

    If the passwords are picked randomly over the set of all possible
    passwords, and no password has been compromised, there's no way of
    cracking this encryption scheme, as any possible password
    will have a unique key that decrypts the encrypted password to that
    possible password.

    Of course, once a single password gets compromised, the key is trivially
    found, and all other passwords will fall as well.

    -- Abigail
    (*grumble* Slashdot screwed up the formatting. If only they would allow the PRE element....)
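The table scheme from the post above in code, as an added example that is not Abigail's own: the table cell at (key symbol, password symbol) is (key + password) mod n, so encryption is per-symbol modular addition. The default alphabet is the digits the post uses; passing another alphabet (e.g. a-z) is the generalization the post mentions, and recover_key() is the failure mode it ends on.

```python
"""Digit-wise table scheme from the post above (added example, not the
poster's code).  Table cell (row r, column c) holds alphabet[(r + c) mod n];
the table is symmetric, so rows and columns may be read as key or password."""

DIGITS = "0123456789"


def build_table(alphabet: str = DIGITS) -> list[list[str]]:
    """The lookup table printed in the post, generated for any alphabet."""
    n = len(alphabet)
    return [[alphabet[(r + c) % n] for c in range(n)] for r in range(n)]


def encrypt(password: str, key: str, alphabet: str = DIGITS) -> str:
    """Encrypt symbol by symbol by looking up table[key][password]."""
    if len(key) < len(password):
        raise ValueError("key must be at least as long as the password")
    table = build_table(alphabet)
    return "".join(
        table[alphabet.index(k)][alphabet.index(p)]
        for p, k in zip(password, key)
    )


def decrypt(encrypted: str, key: str, alphabet: str = DIGITS) -> str:
    """The post's manual procedure: go to the column marked with the key
    symbol, drop down until you hit the encrypted symbol, then read the
    row label on the left."""
    table = build_table(alphabet)
    out = []
    for c, k in zip(encrypted, key):
        col = alphabet.index(k)
        row = next(r for r in range(len(alphabet)) if table[r][col] == c)
        out.append(alphabet[row])
    return "".join(out)


def inverse_key(key: str, alphabet: str = DIGITS) -> str:
    """Additive inverse of each key symbol, so encrypt() with the inverse
    key decrypts (the post's "96341976" for key "14769134")."""
    n = len(alphabet)
    return "".join(alphabet[(-alphabet.index(k)) % n] for k in key)


def recover_key(password: str, encrypted: str, alphabet: str = DIGITS) -> str:
    """The failure mode the post ends on: one compromised password plus its
    written-down form yields the key, since key = encrypted - password."""
    n = len(alphabet)
    return "".join(
        alphabet[(alphabet.index(c) - alphabet.index(p)) % n]
        for p, c in zip(password, encrypted)
    )


if __name__ == "__main__":
    key = "14769134"                        # the post's secret key
    print(encrypt("34987629", key))         # 48646753, as in the post
    print(decrypt("48646753", key))         # 34987629
    print(encrypt("48646753", inverse_key(key)))
    # Key reuse: a second password under the same key falls once the first leaks.
    second = encrypt("11223344", key)       # constructed second password
    leaked_key = recover_key("34987629", "48646753")
    print(decrypt(second, leaked_key))      # 11223344
```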

  251. Oh it's Quite Simple Really... by Lord+Bitman · · Score: 1

    I pick a password so obscure and meaningless that it can't help but be remembered.
    One that I don't use anymore is "cr02a". I saw it on my hard drive once and the name was so meaningless (it means cursor resource: version 2, file a) that my brain just couldn't help but remember it.

    Ok fine, so it's not flawless, but I've never forgotten one using this method. The first time I used this was when I saw an obscure encryption in a book I don't know the name of and didn't even mean to open. It was so odd, I made myself memorize it. I didn't really know why, but within weeks I was using it as a password. That didn't last long, because I later used it as a folder name for a web page after I couldn't come up with a name for my page, but still. It works. I like it. And no one else knows what I'm talking about.

    --
    -- 'The' Lord and Master Bitman On High, Master Of All
  252. Random l33t babblings by _outcat_ · · Score: 1


    I have a strangely sharp memory for retaining strange 3l33t-sp33k jargon. As expletives, my friends and I often use odd made-up geek words...

    "Flarn! I forgot my passwd."
    "Frig foo fleen!"
    "Spootmonkeys!"
    "Gtkwidgets, would you get that away from me..."

    ...and the like. The next step, then, is to convert a random geek babble into 31337-hax0rese.

    Lame examples:
    GtKw1dg3t, sp00tm0nk3y5

    But, any idiot can decipher 31337-speak, so separate the word sp00t and m0nk3y5 and intersperse the characters: ms0pn0k03ty5

    Now you have a random mess of geek-babble, easy to remember if your brain is a random mess like mine.

    --
    Angry IT woman in big clompy boots. And talking lint!.
  253. Why must passwords be change once in a while? by Anonymous Coward · · Score: 0

    Serious question,

    Why are there security policies that state passwords should change once in a while?

    1. When someone wants to really mess up the system, he/she/it would do so once logged in.
    There is no use to change your password since nothing of the system is left

    2. When someone wants to abuse the system otherwise, he/she/it would place a backdoor
    http://www.phrack.com/search.phtml?view&article=p55-5

    3. When it is a moron that doesn't have a clue about what to do with your pass, then you really should have noticed him/her/it watching over your shoulder while you were typing ;-)

    4. When you do let people change their pass every day, then they would start using real lame ones.
    And the risk someone would sniff/watch the password would become huge,
    since they would go over the network all day

    Blame my teachers for my grammar...

  254. Re:losing the ibutton by Anonymous Coward · · Score: 0

    He said combine the ibutton with a memorized passwd.

  255. Passwords? by Anonymous Coward · · Score: 0

    I only have 2 or 3 passwords that I use on various sites. While this may be bad because it's possible that if I lose one, people can get onto other sites as me, but since they're mostly random web sites and such, it really would not matter - these are places where the sites being able to identify me is a convenience, not a necessity, so frankly, I don't care if the password gets compromised

  256. Serial numbers work great too by jdeitch · · Score: 1


    I own lots of electronics (computers, TVs, stereos, pro audio, videogames, pinball machines, etc.) ... each has a unique serial number consisting of both letters and numbers.

    There are endless combinations and possibilities, and if you forget the #, you just walk into the gameroom and read the # off the back of the game !

    Unless someone knows exactly what equipment you have, and has the serial numbers of that equipment, it is likely to be highly secure.

  257. So what? I'm paranoid. by Rene+Tseraski · · Score: 1

    I use entirely random means of generating passwords. Computer programs generate most of my passwords; Diceware works well for passphrases, and a modified form can be used for simple passwords as well. During the time it takes for me to memorize the passwords, I place them in a PGP-encrypted file on a floppy; after they're safely locked away in my mind, I burn the disk, grind the ashes up, and throw them into running water. Although I'm not sure exactly how secure it is, Password Safe on Windows is good for managing low-security website logins.

    But if I didn't use entirely random schemes, I wouldn't be telling anybody. Why are so many people here giving away their schemes?

    Sure, I may be paranoid; if the scheme is good, describing it only reduces its efficacy, and not many crackers will take the time and energy to analyze a scheme of that sort to attack one person. But then again...

    -- Rene

  258. passwords are nowhere to be found by The+Queen · · Score: 1

    The ultimate security - I just REMEMBER them.

    I try to make sentences with characters, like OU812. :-) Sort-of like license plates.

    Some of them can get pretty dirty, hehehe.
    The Divine Creatrix in a Mortal Shell that stays Crunchy in Milk

    --

    The House Between - Original Sci-Fi Series
  259. simple and easy, but seems to work by iseymour · · Score: 1
    I started reading this thread hoping to pick up a new password strategy. I guess I did this based on the assumption that my system/strategy was fairly weak, but honestly, after reading through some of the hopelessly complex, overly simple systems, or PDA dependent (working on breaking my 3rd Palm now) systems listed here, I think I'll stick with what I have.

    Ok here's what I do:

    I use a set of names that have meaning to me, and intersperse them with alphanumerics. I then rotate all passwords through this system so that all of them are on the same system. In order to keep my life simple, I also keep one single, simple password for all of those things that need a password, but aren't really life or death.

    I don't think that the explanation above made a hell of a lot of sense so here is an example. I was on a real Francis Ford Coppola (FFC) run a while back, so all my passwords dealt with him, his work, or his personal life.

    Whenever I needed a password, I would take something FFC related, such as Apocolypse Now, and "password-ize it". Apocolypse Now would become a8pocolyps8en8o8w. Probably not susceptible to dictionary cracks, but it does follow a pattern that has meaning to me. All I have to remember is the "key" (not a totally accurate term, but you know what I mean: Francis Ford Coppola), the pattern (where I insert the alphanumerics), and the correct alphas (8).

    At worst, using this system, I have had to hit one of the big movie sites to look up FFC's filmography and then cycle through the list of movies.

    If I thought I needed something really obscure (i.e. for anything work or finance related), I might take someone who worked on the film, such as the editor, and work their role and name into the password.

    The trickiest part is remembering everything that I have a password to, and figuring out when I signed up for it so that I know which system I was using at the time. This is why I try to update everything at once in a single, super boring password update fest...

    The topic that I honestly haven't seen covered very much that is probably just as important is the remembering of usernames. As more and more people come online, it is harder and harder to be the first person to sign up for a service using your 'nick. I try to keep a couple, and then hope that I can get one of those to work.

    Anyone found anything better?

  260. Non-roman languages by oakestv · · Score: 1
    A previous poster had a suggestion for people who had a musical background. This method could work for those who know a language that does not use the roman alphabet (uses letters A-Z -- Most Asian, Greek, Russian, Arabic, Hindi, Aramaic?, Phoenician!)

    Obviously this is somewhat subject to a dictionary cracker but the spellings are usually based on phonetics so precise translations are tricky in non-roman languages. With slight modifications you can assure the words wouldn't show in a dictionary attack.

    In my case I was learning Japanese. The word for boy is pronounced otoko-no-ko. I didn't use the hyphens if they were part of the word, but I suppose that would help the quality. This happens to be something of a compound word but you can experiment in your language.

    The result will not produce root quality passwords -- they'll be all alpha, but the products can easily be long if you use a sentence ( watashi-wa-gishi-desu - I'm an engineer ) making cracking that much harder.

    Add some spice here and there ( begin and end with important dates ) and pow! Fairly strong, easily remembered passwords.

    Try it with perl or C!

  261. Movie Buffs? by tommck · · Score: 1

    If you're a movie buff, just take a line from one of your favorite movies, like, say Pulp Fiction. "Royale With Cheese" Then, you can just jam the words together. Maybe insert some special chars in front, in the middle, or at the end.

    Examples:
    "Royale*With*Cheese" or just "1Royale"
    "Pig%Filthy"
    "African&Swallow" (Holy Grail)

    OR, for those of you who are Brazil (the movie) fans, use the elevator password: "ereiamjh"!
    (jeremiah scrambled)

    Anyway, otherwise, you could use things like book titles or your favorite cars. Not too hard at all.

    T

    ~~~~~~~~~~~~~~~~~~
    Tom McKearney

    --
    ---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
  262. prefix and paper by engel · · Score: 1

    I got this from a guy who has been doing mainframe security for 16 years.

    OK, decide on a really, really uncrackable prefix, like $9_vI4! or something that is SOOOOO not a dictionary word.

    Then, every time you make a password, prefix (or suffix) this SAME set of characters to a word or other password (for the really paranoid, use something just as esoteric as the prefix; for simplicity, use a word) and WRITE DOWN this word.

    Now, memorize the prefix/suffix and make sure that you know the current password.

    For example, in week one I have a password of:
    $9_vI4!engel
    and have 'engel' on a piece of paper on my desk (and memorized $9_vI4!)

    the second week I change the passwd to:
    $9_vI4!marx
    and I have 'marx' written on a piece of paper on my desk.

    Now, anyone who sees the paper will still not be able to get into the account because they don't know the prefix/suffix. BUT you use the prefix/suffix so much you aren't going to forget it, so that is safe, too.

    There is no such thing as an easily-memorizable password that is secure, but this is about as secure as it gets without getting rid of 'memorizability'.

  263. Closed cryptographic software is a liability by Morgaine · · Score: 2

    CryptInfo may be a great bit of software, but what use is that if you can't trust it since the code isn't open?

    This isn't to impugn its author in any way: the software could have been compromised without his knowledge, or else his family might be held under risk of murder unless he distributes a non-obvious backdoor.

    Cryptographic software has to be open-sourced, full stop. No exception.

    Strip is GPL'd, so even if it were god-awful (which it isn't), at least one can trust it.

    --
    "The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
  264. Aging for ease of memory. by Squeamish+Ossifrage · · Score: 1

    I haven't got any grand insights into generating passwords, but I have a system I like for tracking them. It's a little like the "zones" idea someone else mentioned.

    For the most critical things (bank, broker, root on anything important) I have a different password for each one. I come up with passwords using any of the usual "easy to remember, hard to guess" schemes. I change passwords every two months for these.

    But, having gone to the effort of memorizing the passwords, I don't want to throw that work away. So once I'm not using a password for anything critically important, I push it down the stack for use on less-important accounts.

    Repeat as far down as one cares to go.

  265. Speaking of 3l337 rules by grappler · · Score: 2

    does anyone know of a UNIX command line filter that can convert plaintext to 3l337 text? There are some cool things one could do with that.

    Actually, what I would really like is a proxy server that "Eleetizes" all communication going through it, while keeping links and such intact. That could be fun.

    I could easily write the former myself if it does not exist, but I don't know how to write a proxy server...

    --
    grappler

    --
    Vidi, Vici, Veni
  266. Dead Mathematicians by Lour · · Score: 1

    Very simple, find a dead mathematician and what formula he came up with.
    Here is an example:

    Gassian did work on matrices (many dimensions and how to inverse them)
    So we have "Gassian and Matrix and Inverse"
    so we get:
    3xGassian3!
    or in English: !3x3 Gassian
    get it? 3x3 matrix (! inversed) and the name.
    tada, a password that is quite secure.

    --
    -Lord Shadow
  267. Pragmatic idealism by Jules · · Score: 1

    The homunculus inside my head likes the idea of open source -- especially when crypto's involved. However, Strip wasn't around when I needed to put all of my passwords in one place and of what was available, CryptInfo was the way to go. It was either this, weak passwords or -- shudder -- PostIt notes.

    <just kidding>And what are you doing using a Pilot anyway? The OS isn't GPL'd!</just kidding>

  268. not necessarily by Siva · · Score: 2

    if the system allows an unlimited number of authentication requests to be made without imposing a delay between requests, or if you have the hashed/encrypted string to match against, then yes.

    --Siva

    Keyboard not found.

    --

    Keyboard not found.
    Press F1 to continue.
  269. strcmp(username, password)? by Anonymous Coward · · Score: 0

    Yes, most of the time my user name and password are the same when it isn't anything I mind losing control of. So that's alright.. however, I'll be posting anonymously ;)

  270. As for me by Anonymous Coward · · Score: 0

    I have this super complex password that has all kinds of weird numbers and characters in it. I can never remember it, so I've written it down on my monitor in pen.

  271. Howbout this? by Dast · · Score: 2

    Just make it a cgi script that takes an url as a parameter, as in:

    http://yourbox.com/cgi-bin/make-leet.pl?target=http://slashdot.org

    or something similar. Just have the script grab the page in question, leet'ize it, and print it back out. Not too hard. A while back I wrote something like that to remove relocate urls from places like excite.

    --

    This sig is false.

  272. Pronounceable gibberish by Deliverator · · Score: 1

    If I must use a password, my favorite way to make one up is to use a generator which produces pronounceable nonsense. The one I currently use can be found at:

    http://www.multicians.org/thvv/tvvtools.html#gpw

    Its output looks like:
    rdervent
    agissoak
    irogabra
    crungled
    tranderf
    sonapoki
    cildebum
    nareamew
    pheateek
    sitorack

    It reads in /usr/dict/words, produces a tree of trigram probabilities, and does a number of random walks of that tree. The only thing you sort of have to watch out for is the tendency to alternate vowels and consonants.

    As is, the generated words are fair (only about 30 bits of entropy). Spice with numbers and punctuation, and that's about as secure as you can get using human-memorable passwords.

    --
    Don't question authority -- they don't know either.
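The generator Deliverator describes (trigram counts from a word list, then random walks) is easy to reproduce, and building it makes the "about 30 bits" figure concrete: the entropy of one walk is the sum of -log2(p) over the choices it made, and the quoted number is that quantity averaged over many walks. The block below is an added example written for this thread, not the gpw tool linked above; the tiny word list is a constructed stand-in for /usr/dict/words, so its entropy figures will come out lower than gpw's.

```python
"""Trigram random-walk password generator with a per-walk entropy estimate.
Added example (not gpw); SAMPLE_WORDS is a constructed stand-in corpus."""
import math
import secrets
from collections import defaultdict

# Constructed sample corpus standing in for /usr/dict/words.
SAMPLE_WORDS = """
    random secure password generator trigram probability pronounce
    consonant vowel entropy dictionary terminal keyboard network
    storage memory pattern string letter number machine system
    account shadow crypt salt hash check verify access attack
""".split()


def build_trigram_table(words):
    """For every two-letter prefix, count how often each next letter follows."""
    table = defaultdict(lambda: defaultdict(int))
    for w in words:
        w = w.lower()
        if not w.isalpha():
            continue
        for i in range(len(w) - 2):
            table[w[i:i + 2]][w[i + 2]] += 1
    return table


def _weighted_pick(counts, randbelow):
    """Choose a key with probability count/total; return (key, -log2 p)."""
    total = sum(counts.values())
    r = randbelow(total)
    for key, count in counts.items():
        if r < count:
            return key, -math.log2(count / total)
        r -= count
    raise AssertionError("unreachable")


def generate(table, length=8, randbelow=secrets.randbelow):
    """Random-walk the trigram table.  Returns (word, bits), where bits is the
    information content of this particular walk.  `randbelow(n)` must return
    a uniform integer in [0, n); the default is the secrets module."""
    if length < 3:
        raise ValueError("length must be at least 3")
    prefixes = sorted(table)                       # sorted: reproducible with a seeded rng
    alphabet = sorted({c for p in prefixes for c in p}
                      | {c for nexts in table.values() for c in nexts})
    prefix = prefixes[randbelow(len(prefixes))]    # uniform over starting prefixes
    bits = math.log2(len(prefixes))
    out = list(prefix)
    while len(out) < length:
        nexts = table.get(prefix)                  # .get does not insert into the defaultdict
        if nexts:
            ch, b = _weighted_pick(nexts, randbelow)
        else:                                      # dead end: uniform letter instead
            ch = alphabet[randbelow(len(alphabet))]
            b = math.log2(len(alphabet))
        out.append(ch)
        bits += b
        prefix = prefix[1] + ch
    return "".join(out), bits


def average_entropy(table, length=8, trials=1000, randbelow=secrets.randbelow):
    """Mean per-walk entropy: the generator's effective strength in bits."""
    return sum(generate(table, length, randbelow)[1] for _ in range(trials)) / trials


if __name__ == "__main__":
    table = build_trigram_table(SAMPLE_WORDS)
    for _ in range(5):
        print("%s  (%.1f bits)" % generate(table))
    print("average: %.1f bits" % average_entropy(table))
```

Note that the walk's entropy is well below 8 * log2(26) = 37.6 bits because the trigram table steers each step toward likely letters; that is the price of pronounceability, and it is exactly the structure a dictionary-style cracker can exploit if it knows the word list the generator was trained on.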
  273. Since when is ash nazg gimbatul a common... by guardian-ct · · Score: 1

    ...household phrase?

    It'd probably work well as a password without all the excess hash-functions :-)

    It looks like a reference to Tolkien, so, without further ado...

    Here's my not current password suggestion... Use the Vax password setting program that chooses from random phonemes, such as co-di-th-me-ow-roh. Run it several times, since the default is to provide only three phonemes. You now have a pronounceable, pseudorandom, fairly random password, with a little more randomness than random text from a book.

    Ignore that, and go to the lava-lamp random bits website. Grab some hexadecimal bits, toss the high-order (eighth) bit, toss illegal characters, convert to ASCII, and use them for your password. Choose bits from somewhere in the middle, as anyone can see the current random bits.

    There you go... One of the world's most expensive password generation routines. (6 lava lamps, digital camera, SGI O2 as server, world-wide network recommended.)
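The "toss the high bit, toss illegal characters" recipe in the post above is rejection sampling, and it is the right way to turn random bytes into a password: characters that fall outside the alphabet are thrown away rather than folded back in with a modulo, so every kept character is uniform. The block below is an added example, not from the post; it reads os.urandom instead of a public lava-lamp page (which also removes the "anyone can see the current bits" problem), and the 94-character alphabet is an assumption.

```python
"""Random bytes to password by rejection sampling, with the modulo-bias
shortcut shown for contrast.  Added example; alphabet is an assumption."""
import itertools
import math
import os
import string

# Printable ASCII minus space: 26 + 26 + 10 + 32 = 94 characters (assumed alphabet).
ALLOWED = string.ascii_letters + string.digits + string.punctuation


def accepted_chars(raw, allowed=ALLOWED):
    """Yield one character per byte that survives both filters."""
    for b in raw:
        ch = chr(b & 0x7F)      # toss the high-order bit: 128 equally likely values
        if ch in allowed:       # toss anything outside the alphabet (rejection)
            yield ch


def bytes_to_password(raw, length, allowed=ALLOWED):
    """Build a `length`-character password from `raw`; None if `raw` runs out."""
    chars = list(itertools.islice(accepted_chars(raw, allowed), length))
    return "".join(chars) if len(chars) == length else None


def make_password(length=12, allowed=ALLOWED):
    """Keep drawing from os.urandom until enough characters are accepted.
    About 94/128 of bytes survive, so the loop normally runs once."""
    out = []
    while len(out) < length:
        needed = length - len(out)
        out.extend(itertools.islice(accepted_chars(os.urandom(2 * needed), allowed), needed))
    return "".join(out)


def modulo_bias(allowed=ALLOWED):
    """The tempting shortcut allowed[b % len(allowed)] is not uniform: over all
    256 byte values some characters are hit more often than others.  Returns
    (most hits, fewest hits) for one character."""
    counts = [0] * len(allowed)
    for b in range(256):
        counts[b % len(allowed)] += 1
    return max(counts), min(counts)


def entropy_bits(length, alphabet_size=len(ALLOWED)):
    """Entropy of a uniformly chosen password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(make_password(12), "(%.1f bits)" % entropy_bits(12))
    print("modulo shortcut hit counts (max, min):", modulo_bias())
```

With 94 symbols, the modulo shortcut makes the first 68 characters 50% more likely than the rest, which costs entropy and gives a cracker an ordering to exploit; rejection sampling costs only a few wasted bytes. Eight characters from this alphabet give about 52 bits, which is what "spice with numbers and punctuation" buys over the roughly 30 bits of a pronounceable word.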

  274. Forget Passwords - Try Biometrics by rlowe69 · · Score: 1

    You know what? People of the future will look back on Sysadmins and other people that use a billion passwords and wrack their brains at how much thought and energy went into security.

    It's obvious that once biometrics becomes mainstream, passwords will be out the window. Soon the definition of a "secure" password will be a combination fingerprint, voice and retinal scan. The benefits will be so great, that mass production will bring the prices down to reasonable levels. Who knows, we may even be able to open our front door or start our car just by saying a single word. Sweet, if you ask me.

    So forget passwords! They'll be gone in 10 years max. I'm just surprised more people aren't pumping money into this ...

    --
    ----- rL