I use modified “HorseBatteryStaple” style passwords. I have a couple base phrases that I always remember, with special characters and numbers inserted. I modify them bit by bit for different sites, and keep a list of the changes - only the changes. Anyone who looks at the list would see random words, numbers, or symbols without context; only I know how it all fits together.
For example, let’s pretend HorseBatteryStaple1! is my default password. I may have “cell phone, machine 5” on the list. That would mean the password for my cell phone’s payment website modifies the default password by changing one of the words in HorseBatteryStaple to “machine” and the number 1 to 5.
I know password managers exist, but I like to try to remember my own passwords. Especially since I may need them across different devices, including my work laptop that I can’t download new programs onto.
So using a combination of this comment and an existing leaked DB (trust me, your credentials have leaked somewhere at some point), all your accounts could be trivially cracked.
Caution, reusing parts of your passwords like that significantly reduces the effective entropy.
If someone finds HorseBatteryStaple1! in a plaintext leak, then they only need to guess one word and one number to get your phone password (assuming they know your format or use a matching heuristic).
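To make the entropy point concrete, here is an added example (not code from anyone in the thread) that writes the "swap one word, swap one digit" rule an attacker would derive from the first comment, runs it against the leaked base password, and compares the remaining search space with that of an independently chosen passphrase. The base password is the one quoted in the thread; the five-word wordlist and the target password HorseMachineStaple5! are constructed for the demo, and the 7776-entry figure is the size of the standard Diceware list.

```python
import math
import re
from typing import Iterator, List, Tuple

# Constructed sample inputs: the base password quoted in the thread and a
# tiny stand-in wordlist. A real attacker would use a full dictionary.
LEAKED_BASE = "HorseBatteryStaple1!"
SMALL_WORDLIST = ["machine", "tractor", "candle", "river", "pencil"]
DIGITS = "0123456789"
DICEWARE_SIZE = 7776  # size of the standard Diceware list (6^5 words)

# Format assumed from the thread: CamelCase words, then digits, then symbols.
_BASE_RE = re.compile(r"^((?:[A-Z][a-z]+)+)(\d*)([^A-Za-z0-9]*)$")


def parse_base(password: str) -> Tuple[List[str], str, str]:
    """Split 'HorseBatteryStaple1!' into (['Horse','Battery','Staple'], '1', '!')."""
    m = _BASE_RE.match(password)
    if m is None:
        raise ValueError(f"not in WordWordWord<digits><symbols> form: {password!r}")
    words = re.findall(r"[A-Z][a-z]+", m.group(1))
    return words, m.group(2), m.group(3)


def variants(base: str, wordlist: List[str], digits: str = DIGITS) -> Iterator[str]:
    """Yield every 'one word swapped, one digit swapped' derivative of base.

    This is the mangling rule the second reply describes: keep the symbols,
    replace exactly one word slot with a dictionary word, replace the number.
    """
    words, _number, symbols = parse_base(base)
    for pos in range(len(words)):
        for new_word in wordlist:
            swapped = words[:pos] + [new_word.capitalize()] + words[pos + 1:]
            for d in digits:
                yield "".join(swapped) + d + symbols


def derived_space_bits(num_words: int, wordlist_size: int, num_digits: int = 10) -> float:
    """Bits of uncertainty left once the base has leaked:
    pick a slot, pick a replacement word, pick a digit."""
    return math.log2(num_words * wordlist_size * num_digits)


def fresh_space_bits(num_words: int, wordlist_size: int, num_digits: int = 10) -> float:
    """Bits of uncertainty of an independently chosen passphrase of the same shape."""
    return num_words * math.log2(wordlist_size) + math.log2(num_digits)


def crack(target: str, base: str, wordlist: List[str]) -> Tuple[bool, int]:
    """Try each derivative in turn; return (found, number of guesses made)."""
    guesses = 0
    for candidate in variants(base, wordlist):
        guesses += 1
        if candidate == target:
            return True, guesses
    return False, guesses


if __name__ == "__main__":
    found, n = crack("HorseMachineStaple5!", LEAKED_BASE, SMALL_WORDLIST)
    total = sum(1 for _ in variants(LEAKED_BASE, SMALL_WORDLIST))
    print(f"found={found} after {n} of {total} candidate guesses")
    print(f"derived from leak: {derived_space_bits(3, DICEWARE_SIZE):.1f} bits")
    print(f"fresh passphrase : {fresh_space_bits(3, DICEWARE_SIZE):.1f} bits")
```

With a full Diceware-sized wordlist the derived password is recovered from within roughly 2^18 candidates, which an offline cracker against a fast hash exhausts in well under a second, whereas an unrelated three-word passphrase of the same shape sits around 2^42. The "list of changes" leaks nothing on its own, but the leaked base plus the known format is what collapses the space.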