Excellent advice for generating and maintaining your passwords

Much obliged.

1 Like

I generally just hit the ‘forgot password’ link and reset it every time.

2 Likes

Okay, but how can I manage the throw-away mail addresses for each service?

I sort of disagree with that. If you’re on dozens of sites similar to BoingBoing, why bother making a unique password for each one. If somebody hacks your password they get what, the ability to comment as you? Who cares. Use the same crap password for inconsequential sites and use good unique passwords for email, banking etc.

5 Likes

I agree. I have a next-to-crap way of generating passwords from site names that, if you could ever crack, you could use to access my accounts on all kinds of things that I don’t really care about. For things I have to really worry about I generally use my ability to remember randomly generated strings of characters (not the most useful tip).

KeePass2Android is able to open the file directly from cloud services (I use google drive). That significantly improves the experience. I wonder if there is something similar on iOS. It has some other standout features like a custom keyboard and a form-fill service that improve the experience.

That said, password managers are not convenient, so will likely not become mainstream until someone fixes that.

I keep toying with the idea of getting an InputStick, but it seems both a bit expensive and also remarkably large for what it does.

Get back to work!

I use LastPass. Done.
I also check passwords with GRC’s password checker
https://www.grc.com/haystack.htm

Fuckyourpasswordrules1! as mentioned above would take 9.88 billion trillion centuries to crack (Assuming one hundred trillion guesses per second).

I favor movie and book titles written in AOL l33t 5p34k for passwords - like 7h3F0rc34w4k3n5 or 0fM1c34ndM3n
It satisfies both my need for a good password and my desire for whimsy in my life.

Modern password crackers don’t only use dumb brute-force methods but rather sophisticated dictionary attacks. “Fuckyourpasswordrules1!” consists of known words with a simple suffix; it is unlikely that it has to be cracked via brute-forcing (the number of years GRC quotes).

2 Likes

+1 for LastPass. Been using it for about a year and it works almost perfectly across all devices. Totally worth $1/month. Only downside is that it puts an awful lot of faith in LastPass being secure/nice.

Against certain threats, actually a pretty decent idea. Worthless against your roommate or the office’s contract cleaning service; but hackers aren’t going to access a written list (unless you leave it in webcam view) and you’ll be able to use less dismal passwords since you don’t have to remember them. If your problem is attackers brute forcing your accounts from offsite, you could do a lot worse.

For local access control; just don’t. IT hates having to have ‘the talk’ when we find your collection of passwords under your keyboard.

If you’re using OSX along with your iPhone, Keychain Access will synchronize your password db across iCloud. I believe Chrome will sync your passwords across devices too, but only web passwords.

There are 1.5 million password managers out there. I use pwsafe, which I like. On Windows, it automatically syncs using Dropbox (I think… I don’t use Windows). On Mac, it seamlessly syncs over iCloud.

Those few times that I have to use a public computer, I just type in my password directly while looking at the app on my phone.

I don’t know how this would scale if I had to use public machines for the majority of my work. But if I did, I would be extremely careful about not accessing my sensitive information on a shared machine (any more than I have to).

1 Like

I use Keepass. There are probably friendlier ones out there, but this one is free and it works for me on PC and Android.

I keep its password database in the cloud, and I have it set up to require both a local keyfile (which I have a copy of on my home desktop, work desktop, laptop, and phone – I don’t keep it in the cloud) and a Diceware passphrase that is memorable if nonsensical.

Setup is kind of a pain, but in practical use, no matter what website I’m at, I hit a hotkey to login, and depending on how long it’s been, I have to retype my long passphrase. On the phone it’s a little less smooth, but rarer that I have to do it.

2 Likes

Even more frustratingly, most sites restrict you to using only the minuscule English alphabet, not allowing usual letters which those of us speaking a variety of languages could easily use to spice up our passwords. E.g. Apple’s anglocentric attitude especially annoys me, given that it’s the biggest global company. Why does it not allow me to use letters from the 32-letter Polish alphabet, just because I am based in the UK with an English keyboard?

Be careful, password crackers evolve too - not only password-generating schemes.

This is why the oft-cited XKCD scheme for generating passwords -- string together individual words like "correcthorsebatterystaple" -- is no longer good advice. The password crackers are on to this trick.
(Bruce Schneier: Choosing Secure Passwords)

But that’s based on the ability to know information about how people choose words (and the fact that probably a million people are using correcthorsebatterystaple as a password). If you use Diceware to make the words genuinely random then it’s just pure entropy; the words are just a mnemonic trick to remember that your password is 1436254635342562341562341243562452342562362.
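As an added illustration of the entropy argument in this post and the Diceware setup described earlier (not code from anyone in the thread), this Python snippet draws words with a CSPRNG and computes strength two ways: the per-character "haystack" estimate GRC uses, and the word-level estimate that applies when the cracker knows the word list. The word list here is a constructed 16-word stand-in; a real Diceware list has 6**5 = 7776 words.

```python
import math
import secrets

# Constructed stand-in for a Diceware list (real lists have 7776 words,
# one per five-dice roll). Kept small so the numbers below are easy to check.
SAMPLE_WORDLIST = [
    "correct", "horse", "battery", "staple", "anvil", "bishop", "cactus",
    "dahlia", "ember", "falcon", "glacier", "harbor", "ingot", "jaguar",
    "kettle", "lantern",
]

DICEWARE_LIST_SIZE = 6 ** 5  # 7776: the size of a standard Diceware list


def diceware_passphrase(wordlist, n_words):
    """Choose n_words uniformly at random from wordlist using a CSPRNG.

    Uniform, independent draws are what make the word-level entropy below
    valid; a human picking 'memorable' words does not get this property.
    """
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def word_model_bits(dictionary_size, n_words):
    """Entropy when the attacker knows the dictionary and guesses whole words.

    This is the honest figure for a Diceware passphrase: the attacker knowing
    the list does not help, because every list entry is equally likely.
    """
    return n_words * math.log2(dictionary_size)


def charset_model_bits(length, alphabet_size):
    """'Haystack'-style estimate: every character drawn independently.

    Overstates strength for word-based passwords, since a dictionary cracker
    never has to search most of that character space.
    """
    return length * math.log2(alphabet_size)


def centuries_to_exhaust(bits, guesses_per_second=1e14):
    """Time to try every candidate at the hundred-trillion-per-second rate
    quoted in the thread; halve it for the expected time to a hit."""
    return 2 ** bits / guesses_per_second / (100 * 365.25 * 86400)


if __name__ == "__main__":
    print(diceware_passphrase(SAMPLE_WORDLIST, 5))
    # 4 random words from a 7776-word list vs. the same 25 letters per-character
    print(word_model_bits(DICEWARE_LIST_SIZE, 4), charset_model_bits(25, 26))
```

The same 25-letter string scores about 117 bits under the per-character model but only about 52 bits if the cracker tries four-word combinations from a 7776-word list, which is the gap the two posts above are arguing over.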

I don’t understand your point. For clever dictionary-based crackers the randomness of the selection process is not important, as the software uses strings instead of characters to cobble together a password guess; I thought the description in the Ars Technica article (linked in Schneier’s post) was a very readable one.

I remember a quote of some security researcher (?) along the lines of “finally an answer to the staplehorse thingy”, but I can’t find it anymore.