
Fantastic Passwords and how to generate them

Franco Traversaro on November 19, 2018

Password strength, password management, password memorization, password bla bla bla. We spend half a day writing (or saving in browser) password fo...
Ondrej

Hmm, what about password managers? They'll generate passwords with much higher entropy. I'd rather stick to them.

Franco Traversaro

Sure, if you always work on the same PC. But if you have to log in on a foreign computer, or you don't have your phone at hand, you are lost.
On the other hand, if you have your memory wiped, you have far more problems than logging on to GitHub! 😁

Mario Tilli

What about LastPass?
It's an online password manager, and it also includes plugins for different browsers (so you don't have to "copy & paste" the password or username from your local password manager).
I've been using it for a long time and I'm very satisfied with it.

Ondrej

I'd prefer 1Password, but it is not free (i.e. gratis).

Franco Traversaro

Online password managers need you to trust them. I use Chrome password management, because I think Google is big enough to keep an "evil legal" alignment. Smaller companies... well, I don't trust them. But it's just my opinion :-)

kip • Edited

Don't forget the CLI.

Ondrej

Sometimes you need a password not only for web pages/services. Chrome won't help you with that.

Ondrej

Yes, that's why I always have an encrypted pw database backup on a USB drive :)
But I understand the issue with mobile devices and foreign computers, that is a valid point.

Felipe Chang • Edited

I remember a friend from college had a similar strategy.

Start with the name of the site (take dev.to), put your finger on the "d" and then do a dance on the keyboard:

  • 2 right (g)
  • 1 up (t)
  • 3 down (5 - goes around)
  • etc.

As long as you remembered the dance, you had a password.
*This was before password managers were a thing.

Joan Miquel Torres

And as long as you stay on QWERTY…

With #MessagEase you are lost!! 😂

Dave Cridland

I would highly recommend using a verified online password provider such as LastPass, 1Password and so on. These offer significant value above and beyond simply remembering your passwords for you, such as knowing which have been compromised, and filling them in (only on the right site, too).

Lajos Koszti

The best password is what no one knows, not even yourself. Use a password manager and generate long passwords.

If you use a scheme then you weaken your passwords and give a chance to break them.

I used to have a similar process to create my passwords.
I had issues with these passwords: some sites don't allow the special character I used, some other sites think that my password is too long and so on; there are many different ways in which my scheme didn't work. So I needed to add exceptions and change the algorithm, and after all it was hard to use my own scheme.

Now I only use randomly generated passwords; I adjust their length and character set to the site if needed.

One more important thing is that with a scheme it's hard to change the password. For one domain you have one password, or you need to alter your scheme, but often it still won't work. You know there are different checks that my new password should not be similar to the previous one.

But it's worth mentioning that it's still better than using the same password everywhere. It's not tied to a birthday or pet name, but there are weaknesses too.

Adrian B.G.

Last year I wrote a package based on BIP39 that generates private keys based on 12+ easy-to-remember words, used for crypto wallets; it was fun.

Passphrases are harder to crack and easier to remember (than "regular passwords"), but most websites enforce stupid arbitrary rules to have special characters that are anti-human, so I use OpenID providers as much as I can.

And Chrome now recognizes registration forms and recommends passwords like a manager.

Amazing how security-aware people recommend password managers as a service, which are a single point of failure and a place with all your passwords. To me it sounds the opposite of safe, but in the end so is the Chrome password manager or a notebook ...
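Added example, not written by any commenter in this thread: a small generator for the two approaches discussed above, Lajos's randomly generated passwords adjusted to a site's length and character-set limits, and Adrian's BIP39/diceware-style passphrases, with the entropy each choice actually buys. The 16-word list is a constructed placeholder; a real passphrase generator would use the 2048-word BIP39 list or EFF's 7776-word diceware list.

```python
import math
import secrets
import string

# Constructed placeholder list for the demo (a real tool uses BIP39's 2048
# words or EFF's 7776-word diceware list; entropy scales with the list size).
WORDS = ["anchor", "basil", "cobalt", "delta", "ember", "falcon", "garnet", "harbor",
         "indigo", "juniper", "kestrel", "lumen", "marble", "nectar", "orchid", "pewter"]

# 94 printable ASCII characters minus space: the usual "full" password alphabet.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(symbols, length):
    """Entropy of `length` symbols drawn uniformly from a pool of `symbols`."""
    return length * math.log2(symbols)


def random_password(length=16, forbidden="", alphabet=DEFAULT_ALPHABET):
    """Uniform random password from the OS CSPRNG, minus characters a site rejects."""
    pool = [c for c in alphabet if c not in forbidden]
    if not pool:
        raise ValueError("no characters left after applying site restrictions")
    return "".join(secrets.choice(pool) for _ in range(length))


def passphrase(n_words=6, words=WORDS, sep="-"):
    """Diceware/BIP39-style passphrase: n_words drawn uniformly from the list."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def fit_to_site(max_len, forbidden=""):
    """Longest password a site accepts, and how many bits survive its rules."""
    pool_size = len([c for c in DEFAULT_ALPHABET if c not in forbidden])
    return random_password(max_len, forbidden), entropy_bits(pool_size, max_len)


if __name__ == "__main__":
    # Compare the options the thread argues about.
    print("12 BIP39 words:", round(entropy_bits(2048, 12), 1), "bits")
    print("6 diceware words:", round(entropy_bits(7776, 6), 1), "bits")
    print("16 chars, full set:", round(entropy_bits(len(DEFAULT_ALPHABET), 16), 1), "bits")
    pwd, bits = fit_to_site(12, forbidden="!@#$%^&*")
    print(pwd, round(bits, 1), "bits after the site's restrictions")
```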

Bradley Ross

Has anyone out there seen The Bank Dick with W. C. Fields? In the movie, they had to rehire him because nobody could find anything in his files. The difficulty in finding information in my house is similar. So I have to wonder how much effort it would take to break into my house, go through all my papers, and find the desired information. So what I aim for is a system that will take far more effort to hack than my information is worth. It's not really all that difficult. Everybody talks about the possibility of a reverse dictionary attack, but that is only usable if they can obtain a copy of the hashes of the passwords. That is why UNIX put in the shadow password file. Where the password file was public, the shadow file was not, and that is where the sensitive information was placed. Since most systems limit the number of accesses per second, the movies where a hacker tests a billion passwords a second just aren't practical. Also, many systems allow you to change passwords with your email account and phone number. Malicious actors are generally looking for a very low cost per account. So I'm not that worried about the password managers so long as I use reputable ones. If you have really sensitive information, you shouldn't be relying on passwords or two-factor authentication alone.