Calgarypuck Forums - The Unofficial Calgary Flames Fan Community

Old 02-03-2011, 01:32 PM   #21
BlackEleven
Redundant Minister of Redundancy
 
BlackEleven's Avatar
 
Join Date: Apr 2004
Location: Montreal
Exp:
Default

I create unique passwords for every site by having a base password and then I modify it based on a simple algorithm derived from the URL. Password managers are useful, but if you don't have access to one for one reason or another this trick works pretty well.

For an example, take the base password passw0rd and the site gmail.com, and use an algorithm that replaces the first letter and last letter of the password with the first and last letter of the URL and you end up with gassw0rl. It's an easy way to have a unique password to a site that doesn't require a ton of memorization.
BlackEleven is offline   Reply With Quote
Old 02-03-2011, 03:00 PM   #22
kermitology
It's not easy being green!
 
kermitology's Avatar
 
Join Date: Oct 2001
Location: In the tubes to Vancouver Island
Exp:
Default

Quote:
Originally Posted by BlackEleven View Post
I create unique passwords for every site by having a base password and then I modify it based on a simple algorithm derived from the URL. Password managers are useful, but if you don't have access to one for one reason or another this trick works pretty well.

For an example, take the base password passw0rd and the site gmail.com, and use an algorithm that replaces the first letter and last letter of the password with the first and last letter of the URL and you end up with gassw0rl. It's an easy way to have a unique password to a site that doesn't require a ton of memorization.
So does that mean that your password for CP is cassw0rk?
__________________
Who is in charge of this product and why haven't they been fired yet?
kermitology is offline   Reply With Quote
Old 02-03-2011, 03:40 PM   #23
BlackEleven
Redundant Minister of Redundancy
 
BlackEleven's Avatar
 
Join Date: Apr 2004
Location: Montreal
Exp:
Default

Quote:
Originally Posted by kermitology View Post
So does that mean that your password for CP is cassw0rk?
Ummmm.... was cass0rk?
BlackEleven is offline   Reply With Quote
Old 02-03-2011, 10:22 PM   #24
Rathji
Franchise Player
 
Rathji's Avatar
 
Join Date: Nov 2006
Location: Supporting Urban Sprawl
Exp:
Default

Quote:
Originally Posted by BlackEleven View Post
I create unique passwords for every site by having a base password and then I modify it based on a simple algorithm derived from the URL. Password managers are useful, but if you don't have access to one for one reason or another this trick works pretty well.

For an example, take the base password passw0rd and the site gmail.com, and use an algorithm that replaces the first letter and last letter of the password with the first and last letter of the URL and you end up with gassw0rl. It's an easy way to have a unique password to a site that doesn't require a ton of memorization.
I have a similar system, but I use about 8 base passwords and a few different algorithms, depending on the category of the thing I am signing into. So anything to do with my computers might use one algorithm, porn websites another, and my hidden scat archives another but the base password depends on a few factors that are easy to remember, typically some arbitrary ordering within those categories.

The hardest thing to do is remember the ordering for each 'type' of account, so for some accounts I keep a listing of the order someplace that is always accessible. With the ordering of all my 'accounts' written down somewhere, all I need to remember is my base passwords, which is pretty easy because I just tack a new one on the end and remember them chronologically.

edit:

Now that there are more and more password apps that sync across computers and platforms, I might have to look into them and see if it is worth it.
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."

Last edited by Rathji; 02-03-2011 at 10:27 PM.
Rathji is offline   Reply With Quote
Old 02-04-2011, 08:45 AM   #25
Russic
Dances with Wolves
 
Russic's Avatar
 
Join Date: Jun 2006
Location: Section 304
Exp:
Default

Quote:
Originally Posted by BlackEleven View Post
I create unique passwords for every site by having a base password and then I modify it based on a simple algorithm derived from the URL. Password managers are useful, but if you don't have access to one for one reason or another this trick works pretty well.

For an example, take the base password passw0rd and the site gmail.com, and use an algorithm that replaces the first letter and last letter of the password with the first and last letter of the URL and you end up with gassw0rl. It's an easy way to have a unique password to a site that doesn't require a ton of memorization.
I've thought about doing this, but if somebody were to get a hold of one of my passwords and figure it out, all my other passwords (as kermitology pointed out) might as well be the same. Of course that would require somebody to manually get my password and work with it ... I get the impression most password breakers are just bots.
Russic is offline   Reply With Quote
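
The scheme from post #21 and the overlap concern raised in posts #22 and #25, worked through as an added example (not part of any poster's message). The `.example` host names, the helper names and the simplified host parsing are assumptions made for illustration.

```python
import secrets
import string
from collections import defaultdict

def site_label(url):
    """Site name without scheme, 'www.' or TLD: 'https://www.gmail.com/x' -> 'gmail'.
    Assumption: a single-label TLD (no 'co.uk' handling)."""
    host = url.lower().split("//")[-1].split("/")[0]
    labels = [p for p in host.split(".") if p and p != "www"]
    return labels[-2] if len(labels) >= 2 else labels[0]

def derive(base, url):
    """Post #21's rule: swap the base's first and last characters for the site's."""
    label = site_label(url)
    return label[0] + base[1:-1] + label[-1]

def shared_positions(a, b):
    """Number of positions at which two passwords hold the same character."""
    return sum(x == y for x, y in zip(a, b))

def collisions(base, urls):
    """Derived passwords that more than one site ends up with."""
    groups = defaultdict(list)
    for url in urls:
        groups[derive(base, url)].append(url)
    return {pw: sites for pw, sites in groups.items() if len(sites) > 1}

def random_password(length=8):
    """What a password manager's generator does: independent random characters."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

# Constructed inputs: the thread's base password plus made-up ".example" hosts.
BASE = "passw0rd"
SITES = ["gmail.com", "https://www.calgarypuck.com/forums",
         "global.example", "cook.example"]

if __name__ == "__main__":
    derived = {url: derive(BASE, url) for url in SITES}
    for url, pw in derived.items():
        print(f"{url:40} {pw}")
    overlap = shared_positions(derived["gmail.com"], derived[SITES[1]])
    print("characters shared between two sites:", overlap, "of", len(BASE))
    print("sites that end up with the same password:", collisions(BASE, SITES))
    print("two generated passwords:", random_password(), random_password())
```

Six of the eight characters repeat on every site, and any two sites whose names begin and end with the same letters receive the identical password, so the scheme is not strictly unique per site.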
Old 02-04-2011, 08:52 AM   #26
old-fart
Franchise Player
 
old-fart's Avatar
 
Join Date: Jan 2007
Exp:
Default

Quote:
Originally Posted by Jimmy Stang View Post
Agreed. Needing to log into, for example, my banking from my iPhone is virtually impossible as the password is non-memorable.
So.... there is a version of Keepass for Android, iPhone, Windows Phone 7, Blackberry, PalmOS, ...

http://keepass.info/download.html

I've used the Blackberry and Android ones. Works peachy.
old-fart is offline   Reply With Quote
Old 02-04-2011, 10:45 AM   #27
Rathji
Franchise Player
 
Rathji's Avatar
 
Join Date: Nov 2006
Location: Supporting Urban Sprawl
Exp:
Default

Quote:
Originally Posted by Russic View Post
I've thought about doing this, but if somebody were to get a hold of one of my passwords and figure it out, all my other passwords (as kermitology pointed out) might as well be the same. Of course that would require somebody to manually get my password and work with it ... I get the impression most password breakers are just bots.
That's why you add in more than 1 base password and use a few algorithms. Then you only use the same algorithms on similar "levels of importance". For example, if www.bobshouseofabortionphotos.com uses the same algorithm but a different base than www.poopingfetish.org, which both use a different algorithm than your online banking etc, there really is a much reduced chance of it happening.
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."

Last edited by Rathji; 02-04-2011 at 10:48 AM.
Rathji is offline   Reply With Quote
Old 02-04-2011, 11:01 AM   #28
BlackEleven
Redundant Minister of Redundancy
 
BlackEleven's Avatar
 
Join Date: Apr 2004
Location: Montreal
Exp:
Default

Quote:
Originally Posted by Russic View Post
I've thought about doing this, but if somebody were to get a hold of one of my passwords and figure it out, all my other passwords (as kermitology pointed out) might as well be the same. Of course that would require somebody to manually get my password and work with it ... I get the impression most password breakers are just bots.
Well it'd probably be impossible to figure out the algorithm from just one password, they'd need two or three, and they'd need to realize they're all from the same person and, like you pointed out, they'd have to realize there was a link between them. The chances of that happening are much smaller than someone just getting one of your passwords and trying it everywhere.
BlackEleven is offline   Reply With Quote
Old 02-04-2011, 08:17 PM   #29
Titan
First Line Centre
 
Titan's Avatar
 
Join Date: Dec 2006
Exp:
Default

Quote:
Originally Posted by Rathji View Post
That's why you add in more than 1 base password and use a few algorithms. Then you only use the same algorithms on similar "levels of importance". For example, if www.bobshouseofabortionphotos.com uses the same algorithm but a different base than www.poopingfetish.org, which both use a different algorithm than your online banking etc, there really is a much reduced chance of it happening.
Those are some truly disturbing examples you came up with. Please, please tell me they are just made up examples!
Titan is offline   Reply With Quote
Old 02-04-2011, 08:21 PM   #30
Rathji
Franchise Player
 
Rathji's Avatar
 
Join Date: Nov 2006
Location: Supporting Urban Sprawl
Exp:
Default

Quote:
Originally Posted by Titan View Post
Those are some truly disturbing examples you came up with. Please, please tell me they are just made up examples!
haha, of course I made them up. Although after I posted and I saw they were turned into links, I did double check the links to ensure they didn't actually go anywhere.
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."
Rathji is offline   Reply With Quote
Old 02-05-2011, 01:29 AM   #31
sclitheroe
#1 Goaltender
 
Join Date: Sep 2005
Exp:
Default

I see very little value in spending money on products to protect passwords.

1. Most websites will lock out accounts after sequential failed login attempts. This defeats brute force attacks.

2. Most high value sites, such as banks, use unique account names, ensuring there is no linkage between them. For example, I don't log into CIBC and Scotiabank using the same username. For other sites, choosing unique login names ensures the same thing.

3. The vast majority of high value breaches occur because the servers were compromised. You can lock up your passwords all you like, but it makes no difference when the bad guy dumps the DB table on the other end, or subverts the authentication process.

I dunno, I just fail to see substantial value. Like in real life, most break-ins are inside jobs, or smash and grab (i.e. exploit the server by kicking the front door in). Nobody picks locks anymore.

Fundamentally, what the web needs is some form of mutual certification. It's fine and dandy that a website can cryptographically prove it's who it claims it is - why can't the bank's server do the same when accepting a transaction from me? It's BS that the locus of control for verification of my identity must reside with systems that aren't under my control.

Imagine handing someone your passport and asking them, is this me? That's what providing a password to gain access to a website is like. It needs to be the other way around - my passport is how the other side knows I'm genuinely who I claim to be, and is the basis for accepting my transactions.
__________________
-Scott
sclitheroe is offline   Reply With Quote
Old 02-05-2011, 10:49 AM   #32
photon
The new goggles also do nothing.
 
photon's Avatar
 
Join Date: Oct 2001
Location: Calgary
Exp:
Default

I have 143 passwords right now in my password file, and there's very few generic site type passwords, almost all are for clients or servers and that kind of stuff.. there's no possible way I can remember them all, and no way I can use an algorithm or anything like that, so I need something that I can record them in.

But I agree I wouldn't pay for it.
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
photon is offline   Reply With Quote
Old 02-05-2011, 04:17 PM   #33
zarrell
First Line Centre
 
zarrell's Avatar
 
Join Date: Feb 2004
Exp:
Default

I can't be the only one that just uses one or two passwords for everything....

Banking being the exception.
zarrell is offline   Reply With Quote
Old 02-05-2011, 08:52 PM   #34
Russic
Dances with Wolves
 
Russic's Avatar
 
Join Date: Jun 2006
Location: Section 304
Exp:
Default

Quote:
Originally Posted by zarrell View Post
I can't be the only one that just uses one or two passwords for everything....

Banking being the exception.
I have one base password that I use for things that are of little importance.
Russic is offline   Reply With Quote
Old 02-06-2011, 01:16 PM   #35
Iceman90
Powerplay Quarterback
 
Iceman90's Avatar
 
Join Date: Apr 2004
Location: Behind the microphone
Exp:
Default

I love LastPass. I've used a lot of passwords, and this is the best one I've used.
Iceman90 is offline   Reply With Quote
Old 02-06-2011, 02:19 PM   #36
Mike F
Franchise Player
 
Mike F's Avatar
 
Join Date: Jul 2003
Location: Djibouti
Exp:
Default

How do any of these work for multiple computers?

I log into many sites both at home and at work
Mike F is offline   Reply With Quote
Old 02-06-2011, 02:45 PM   #37
silentsim
#1 Goaltender
 
Join Date: Jan 2008
Location: SW calgary
Exp:
Default

Quote:
Originally Posted by Mike F View Post
How do any of these work for multiple computers?

I log into many sites both at home and at work
I can only speak to 1Password but it syncs over DropBox. You can open the file in a HTML browser as well so you don't need to install the program at work.
silentsim is offline   Reply With Quote
Old 02-06-2011, 04:07 PM   #38
Pinner
Lifetime Suspension
 
Join Date: Jan 2010
Exp:
Default

I just started using LastPass and am still fumbling around. What is the method for a secure website like online banking? The way I have it set now I can log into this site just by clicking the log in button. My password for banking is not memorable, that's why I would like to use LastPass.
Pinner is offline   Reply With Quote
Old 02-10-2011, 03:08 PM   #39
Jimmy Stang
Franchise Player
 
Jimmy Stang's Avatar
 
Join Date: Sep 2008
Location: Calgary
Exp:
Default

Quote:
Originally Posted by Mike F View Post
How do any of these work for multiple computers?

I log into many sites both at home and at work
I have a USB drive on my keychain and I keep my KeePass file on there. It is encrypted, so if I lose it, I doubt that anyone would be able to/be motivated enough to figure it out.

As long as I'm on a trusted computer (home and work both qualify), I open up the file and I'm all set.
Jimmy Stang is offline   Reply With Quote
Old 02-10-2011, 03:13 PM   #40
Jimmy Stang
Franchise Player
 
Jimmy Stang's Avatar
 
Join Date: Sep 2008
Location: Calgary
Exp:
Default

Quote:
Originally Posted by old-fart View Post
So.... there is a version of Keepass for Android, iPhone, Windows Phone 7, Blackberry, PalmOS, ...

http://keepass.info/download.html

I've used the Blackberry and Android ones. Works peachy.
This looks interesting. I think that I'll try out the iPhone versions and see how they work. I see that they have support for Dropbox, which I don't use, but how else would you go about synchronizing your passwords on your device? I'd like to keep my main file "off of the cloud" so to speak, but it would be great to sync it with my iPhone somehow so changes on one would be reflected in the other.

Edit: It looks like MyKeePass lets you host your file on a web server or Dropbox (not ideal), but also lets you import it from your PC using a web interface over your local network. Very cool. I'm going to give this a shot tonight.

Last edited by Jimmy Stang; 02-10-2011 at 03:17 PM.
Jimmy Stang is offline   Reply With Quote
All times are GMT -6. The time now is 05:55 AM.