Just use KeepAssXC.
AssKeep
If you don’t want to use a password manager it’s not that hard to create long passwords. Just create a nonsense sentence with a misspelling with a character between each word and add some obscure personal info that isn’t directly linked to you, like a phone number of an old childhood friend or pizza place you used to call often when you were young so it’s easy to remember but not info another person can find about you. Then add a special character.
Like:
Wideo1Pasta1Is1The1Grawy1555-22334!!!
Store the passwords using KeePass; it is awesome, secure, and free. I’ve used it for nearly 20 years. Never once had a problem.
Bonus points if you use a comma for a special character, because I hear commas are a small inconvenience for hackers scraping usernames, passwords en masse. Fuck those guys.
Many (most?) password managers, including KeePass, have a feature to generate passwords directly in the tool.
What painting is that?
Bertha Wegmann - Portrait of a Young Woman in Thought
Thank you!
And in six weeks… It’s time to change your password! No repeats.
Has to be 16 characters
So long as I can use more than that, I won’t complain. I don’t remember the service, but I definitely remember one where they wouldn’t allow over a certain amount of characters, and that was annoying because that was when I was still using repeat passwords back in high school. My preferred password at the time was roughly 20 characters, but apparently that was too much because who cares about security, am I right?
It used to be a thing more often, but for a long time, even when you’re logging in via a website, there were (and probably still are) legacy backend systems that have limits on the password length.
Who TF isn’t using a password manager in 2025? Like how would you even function?
I use modified “HorseBatteryStaple” style passwords. I have a couple base phrases that I always remember, with special characters and numbers inserted. I modify them bit by bit for different sites, and keep a list of the changes - only the changes. Anyone who looks at the list would see random words, numbers, or symbols without context; only I know how it all fits together.
For example, let’s pretend HorseBatteryStaple1! is my default password. I may have “cell phone, machine 5” on the list. That would mean the password for my cell phone’s payment website modifies the default password by changing one of the words in HorseBatteryStaple to “machine” and the number 1 to 5.
I know password managers exist, but I like to try to remember my own passwords. Especially since I may need them across different devices, including my work laptop that I can’t download new programs onto.
Because they seem to fall into two categories. Those that have been compromised
And those who haven’t… Yet
My employer, a fortune 500, blocks password managers and all other add-ons.
My employer, a 12 people big company, nowhere near any fortune list, mandates the use of 1password for all company related accounts.
Ah but you see there’s the problem, you don’t have a committee to launch a working group that puts together investigative teams to research and write reports on the benefit of the solution, the ROI of the solution, the training costs of the solution, stakeholder buy in of the solution, and potential alternatives to the solution. You need at least a 10 month process before one jackass says they don’t want the solution so the committee can recommend to management that the solution be abandoned.
When will he be hacked… Let’s place bets everyone!
- On a Thursday. It may or may not be raining. I want to say… May? And the day is a prime number.
Can I register your bet for 27 dollars or euros?
Sure, I’ll bet in Dollars and take the number equivalent payout in Euros
I basically use a childhood limerick in leetspeak. Easy to remember, tough to crack. Like for example, Peter Piper picked a peck of pickled peppers becomes “P3t3rP1p3rP1ck3d4P3ck0fP1ckl3dP3pp3rz!” Of course I never used that particular one, but you get the idea.
So you have the same password for everything? Which would mean a single password leak would compromise all of your accounts?
Brah
I function by only having 2 accounts I actually care about. Bank and e-mail. The rest get the same password over and over because I legitimately don’t care about them and never give them real personal data.
In federal and state jobs you can’t use password managers.
Yeah, idk about that. I’ve worked in state govt for a very long time and our cybersecurity controls essentially mandate we use one. I’m also in our security audit team and have to talk to state offices about our NIST controls regularly. And the NIST DOD controls are even more stringent than ours. Something sounds off.
My federal job came with one pre-installed.
Depends on your clearance level/what you have access to.
Not gonna get specific, but, I have access to a shitload of sensitive personal data. It’s more likely you ran into an agency policy rather than a federal policy.
No it is literally determined by clearance level. It is mandated.
Okay so remember the one or two ones you need there (try a passphrase!)
For everything else - password manager.
Federal I had about 15 passwords. The State job I had about half that.
Yep.
I use pass phrases filtered through a mess of cyber chef.
Those are hackable too, though.
I have passwords I don’t care about, passwords I keep on the manager, and then important ones I enter manually every time
Don’t ever use lastpass and the likes, when good open source ones exist.
Like Bitwarden.
Get a password manager. It’s a lot more secure and easier to only have to remember one strong main password and have the rest randomly generated
^ I love Bitwarden
I enjoy self hosting it
(Rather vaultwarden)
If it’s something of vital importance, my mantra is to pay for someone else to host it.
They can have the responsibility of security / updates / etc. because a company full of people can do that better than I ever can.
That’s my reasoning as well. The only drawback I currently see for Bitwarden is that it’s US based and I have zero trust that their current government won’t cut off the rest of the world at some point. I’m still using it, but I make sure to make regular encrypted backups of my vaults.
In case you didn’t know, you can opt to have your passwords stored in the EU by making an account on bitwarden.eu
KeePassXC, donor, and I sync it with my (self-hosted) SyncThing server.
FWIW, LastPass is bullshit. DYOR, and stay safe, citizens!
Also, it could be taken as a positive that BitWarden is the example Wikipedia uses to define password strength. 🤌🏼
Randomly generate your master password too. It takes a bit to memorize, but becomes muscle memory pretty quickly. And since random passwords have the highest possible entropy per character you can use a shortish one, which allows for fast typing while still being impossible to brute force (I use 16 chars).
Both Bitwarden and 1Password can also generate passphrases with high entropy that are much easier to memorize and enter. I use that for my master password.
There’s a xkcd for that of course! Linking directly to the explain as it has more info but the important thing is: password guidelines tricked humans into thinking in a machine way about safe passwords but long pass phrases are more secure from an entropy point of view and way easier to remember!
https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength
The xkcd-suggested passwords have 44 bits of entropy. Assuming a weak hash like SHA1, a single 4090 could crack such a password in under 10 minutes (source).
My 16 character password, with 70 symbols per character, has log₂70 * 16 ≈ 98 bits of entropy. That corresponds to a cracking time of over 200 billion years with the same parameters.
xkcd’s password system is quite terrible for security. Its only advantage is that it’s relatively secure for how easy it is to remember. If you’re someone who really struggles to remember passwords and would otherwise use something even weaker, go for it, but if you want security then random characters are the way to go.
Take a sentence with 200 characters then.
And your opinion is exactly that and doesn’t match security research:
For the following you’re not the target group, but others reading this who might want to make their lives easier. Just from your way of writing I at least don’t expect that minor sources like Okta or the NCSC will change your mind.
(Article links with high-level descriptions and links to their primary sources)
https://www.okta.com/identity-101/password-vs-passphrase/
https://www.4bis.com/passphrase-vs-complicated-passwords-passphrases-are-best/
https://specopssoft.com/blog/passphrase-best-practice-guide/
I’m not arguing that random passwords are better for everyone, just that they’re most secure for their length. A 9 word passphrase is just as secure as a 16 character random password, but is far longer.
A 4 word xkcd passphrase is more or less equivalent to a 7 character random password, and is secure with xkcd’s threat model (online brute force attack) but not with other threat models, like a brute force of a weak hash, which is many orders of magnitude faster.
If you’d like to verify the math:
4 word xkcd passphrase: 2048 (possible words) ^ 4 (number of words) = 44 bits of entropy ≈ 17.6 trillion possibilities.
7 word password: 70 (possible characters) ^ 7 (number of characters) ≈ 42.9 bits of entropy ≈ 8.2 trillion possibilities.
(Adding an eighth character raises the number to 576 trillion).
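As an added example that is not part of the thread, the entropy arithmetic from the comment above carried through in general form: bits for a random password of any alphabet size and length, bits for a passphrase drawn from any wordlist, the matching keyspace, how many words match a given random password, and an expected cracking time. The guess rate is a parameter supplied by the caller; the value used in the demo at the bottom is a constructed placeholder, not the figure the thread attributes to a 4090. All of it only holds if the words or characters are chosen uniformly at random; a sentence you make up yourself has far fewer bits than the formula suggests.

```python
import math


def random_password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of a passphrase of uniformly random words: words * log2(list size)."""
    return words * math.log2(wordlist_size)


def keyspace(bits: float) -> float:
    """Number of candidates an attacker must consider for a given entropy."""
    return 2.0 ** bits


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest whole number of random words reaching target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit the right candidate: half the keyspace at the given rate.

    The rate depends entirely on the threat model: an online login endpoint
    with rate limiting is many orders of magnitude slower than offline
    cracking of a fast unsalted hash.
    """
    return keyspace(bits) / 2 / guesses_per_second


def equivalent_random_length(bits: float, alphabet_size: int) -> float:
    """Random-password length (in characters) with the same entropy."""
    return bits / math.log2(alphabet_size)


if __name__ == "__main__":
    # Parameters taken from the thread: 2048-word list, 70-symbol alphabet.
    XKCD_WORDS, ALPHABET = 2048, 70
    # Constructed placeholder rate for the demo (not a measured GPU figure).
    ASSUMED_GUESSES_PER_SEC = 1e10

    for label, bits in [
        ("4-word passphrase", passphrase_bits(XKCD_WORDS, 4)),
        ("7-char random", random_password_bits(ALPHABET, 7)),
        ("8-char random", random_password_bits(ALPHABET, 8)),
        ("16-char random", random_password_bits(ALPHABET, 16)),
        ("9-word passphrase", passphrase_bits(XKCD_WORDS, 9)),
    ]:
        secs = expected_crack_seconds(bits, ASSUMED_GUESSES_PER_SEC)
        print(f"{label:18s} {bits:6.1f} bits  {keyspace(bits)/1e12:12.1f} trillion"
              f"  ~{secs/86400/365.25:.3g} years at {ASSUMED_GUESSES_PER_SEC:.0e}/s")

    print("words to match 16 random chars:",
          words_needed(random_password_bits(ALPHABET, 16), XKCD_WORDS))
```

Running the demo reproduces the thread's figures: 44 bits (17.6 trillion) for four words, 42.9 bits (8.2 trillion) for seven random characters, 576.5 trillion for eight, about 98 bits for sixteen, and nine words to match the sixteen-character password.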
Once you forget it, you lose everything
I’m not prone to forgetting things, but if you are, it’s easy enough to write down and store somewhere secure like a safe deposit box. If you have people you trust, you should have a backup copy anyways so they can access your password manager if you die suddenly.
Kiester password manager?
i just use hunter2 for everything
I use 12345
I miss bash.org
Why would your password be *******? That seems terribly insecure.
nobody else can see it when I type it.
God, the tears rolling down my face laughing the first time I read that.
Captain Carter always has a password
Indeed
Here’s what you do: Generate long random string, for example: P5edM5Ce0SGE0rOr9k&#T*wG@d$ogqyBTk2@%dmO@2akbm!b5p!bH8w7Ei7gPSIR1Er&hab3ae@0odk3h76Ka48kYtXrsburM$7rf^vPRwXz1s5guO&$PZz3@w
Memorize it.
For each site just choose a number and select 16 characters starting at this number.
Remember which page uses what number. E.g. google = 32 -> &#T*wG@d$og^qyBTk2
Done. You don’t have to remember any more passwords for the rest of your life.
Folks will rather memorize 100 random ASCII chars than use a password manager
Hmm… if a bunch of matchsticks fall on the floor, do you immediately know how many there are? If you do, I may have some news for you 🤣
Only if it’s less than 5.
Here’s what you do
USE A FUCKING PASSWORD MANAGER
can you say that a bit quieter please, we’re at a wedding
I’m sorry, memorise that? I’d rather get hacked
Security is not easy.
It is. Use a password manager.
Me too but I’m halfway through memorizing 128 random chars and then bye bye Bitwarden.
Ah yeah ok I got you covered
RasputiaSalmon87876@
There you go, real easy.
BatmanSupermanSpidermanCaptainAmerica@2025
Just 4 characters are enough. And it includes Cap.
TheDoctor&CaptainJack
16 characters and a cap
Huh, I only see ****************