this post was submitted on 03 Nov 2023
303 points (87.0% liked)
Technology
59340 readers
5274 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
For petty services where you don't want to have to break out the password manager, try making your own mental salted hash.
Pick four long words at random. Assign each of these to the four quadrants of the alphabet.
A-F - Equipment
G-M - Triumphant
N-S - Sampling
U-Z - Fatigued
Pick one number:
4
Now, take the first letter of the service that the password is for, and that selects your quadrant word. Take the number of letters in the service and multiply it against your number. Take the last letter of the service, and on your querty keyboard, move all the way to the right of thst line to select the first symbol there. Thats your unique password thats salted with yo ur personal words and number.
Facebook = Equipment32:
Lemmy = Triumphant20{
Pizza Hut = Sampling36{
If you want more security for these petty services, use longer words, bigger number, or use some other metric, Tweak the algorithm to make it unique to you. Maybe capitalize a middle letter in your salt word based on the length of the service name. Maybe add the first letter of the colour of the service logo to the password, EG
Facebook = Equipment32:B
Lemmy = Triumphant20{T
Pizza Hut = Sampling36{R
Petty services I would consider to be anything that's not super critical, and is at a higher likelyhood of breaching my shit.
For banks, primary emails, or government services, use a more complex algorithm or a random string of chars from your password manager.
Just come up with one strong password (see https://xkcd.com/936/) for your password manager and use randomly generated passwords for everything else. There's no reason to manually compute a hash every time you sign up for a service.
Also, for a non-remembering solution, use a security key with your password manager, the kind that plugs into USB and you have to tap a button to authenticate. Then you can generate a true random password and store it somewhere safe as a backup, and mainly use the key for day to day.
what about when you're on your phone?
Authentication app is another option. I believe some password managers can be set up to take the master password once per device and then accept authenticator codes to unlock for each subsequent time.
Or, since your phone is probably a lot more locked down than your computer, almost every modern phone since like the days of the iPhone 5S has a cryptographic TPM/secure enclave in the processor while the fact that not every computer has one was a major sore spot in Windows 11 compatibility, it might also be acceptable to just leave the password manager unlocked on your phone all the time, depending on your threat model. Assuming your phone is both encrypted and password protected and you trust the OS to implement both securely, the pin on your phone works more like the pin on your credit card than a traditional password login on a non-encrypted non-TPM computer, so even if a bad actor physically had your phone, it would be very hard to actually extract data out of it without the passcode (assuming it's just your garden variety cybercriminal and not the CIA or something), which would serve as your master password in that case. Hardware security features can also resist brute force attacks where someone clones your hard drive and hooks it up to their own computer to try and guess the encryption password without the wrong entry time delays slowing them down, a secure enclave will actually enforce the time delays with no easy bypass and can also be set to wipe the phone if you get the passcode wrong too many times.
Phone apps are also almost entirely sandboxed from each other and can't directly access other apps' data, so the risk of a malicious program reading the password manager's cache or database is also far lower than most desktop operating systems.
Many security keys have NFC, or if you're on a modern phone, you can use USB type C (Yubikey 5C)
too short, for all that effort just use a sentence with a symbol and a number.
FacebookCanGoToHell!123 is more secure and easy to remember
Youre going to memorize a unique sentence for each service?
A method like this allows you to memorize only 4 words of arbitrary length, a number, and a simple algorthm to yield unique passwords for each service.
You can also add a standard phrase to all of them that is shared between them all just to make them more complex
Equipment32:thisismypassword
Also you can't really "forget" a password, because it's connected to the name of the site. Very clever
yes, it is what I do now. there was a time when people memorized 10, 15 phone numbers.
Yeah putting the name of the service in the passphrase is actually pretty secure, unless the rest of the password is like "thisisapasswordforFACEBOOK" cause then one password gets leaked and the rest can be inferred.
The problem with using hash schemes like this is that when your password is leaked you can't easily rotate the password.
Not to mention if you suddenly developed amnesia or dementia
This is what got me using a password manager. I didn't want to trust a password manager because it felt like they would be highly targeted and one vulnerability would reveal everything. And let's be honest they still are the same.
So I had my own scheme for generating passwords. I made myself a script that I could use on my phone and PC. It worked beautifully and effortlessly until occasionally a service would force me to choose a new password. When this started happening I made a new scheme for generating passwords and made a new script. When it first happened it was still reasonably easy because there was only one service I had to use the alternative. It started to become more difficult the more services asked for a new password.
I used my own system for several years until I had enough with trying to remember which services used the alternative scheme and wondered when I'd have to make a third scheme. And if I did then the mental complexity would significantly increase.
Interestingly only a couple of services publicly announced they had been hacked and none of my passwords have ever appeared on haveibeenpwned. So I wonder why these services asked for a new password and if they had been attacked why they chose not to announce it.