LinuxQuestions.org
Old 09-01-2008, 01:28 PM   #1
ErV
Senior Member
 
Registered: Mar 2007
Location: Russia
Distribution: Slackware 12.2
Posts: 1,202
Blog Entries: 3

Rep: Reputation: 62
Question Storing/remembering passwords


Hello

I'm curious how people normally save passwords or what tricks do you use to remember them or to create easy-to-remember ones.
I'm asking that because:
1) I have a lot (10+) of various password-protected accounts.
2) All these accounts use different passwords.
3) Passwords are 8+ symbols long, containing letters from upper and lower register, numbers and "!@#$%^&*()-+"-like symbols, some are generated by scripts like this:
Code:
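#!/bin/sh
# Print one 12-character random password drawn from /dev/urandom.
# LC_ALL=C makes tr treat the input as raw bytes rather than multibyte text.
LC_ALL=C tr -dc '0-9a-zA-Z!@#$%^&*_+-' < /dev/urandom | head -c 12; echo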
4) And normal security recommendation is to change every password once in a month. (Most people (including me) rarely do that)

So if I should modify every password once in a month, and every password should be "strong", this means that remembering all this will be problematic:
1) Writing passwords on the paper isn't good - you can lose paper.
2) Writing it into a text file isn't good either - if HDD breaks for some reason, I'll lose access to every password-protected account I have.
3) Using something like KWallet (storing passwords), browser "magic wand" mechanisms (Opera/Firefox) isn't good, either.
4) Using something like "KWallet" isn't always possible, because you might need to use passwords from another machine, and KWallet requires one master password which will unlock everything.
5) Using one password for everything also isn't a good idea.

So what "tricks" do you use to remember/make passwords?

Last edited by ErV; 09-01-2008 at 01:30 PM.
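
The generator in the post above draws 12 characters from the set but does not guarantee that upper case, lower case, digits and symbols all appear, which the post lists as a requirement. As an added example (not ErV's code; the function names are hypothetical), this version redraws until every class is present:

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
ALPHABET='0-9a-zA-Z!@#$%^&*_+-'   # same character set as the script in the post

# has_all_classes PASSWORD -> exit 0 if PASSWORD contains at least one
# lowercase letter, one uppercase letter, one digit and one symbol
has_all_classes() {
    case $1 in *[[:lower:]]*) ;; *) return 1 ;; esac
    case $1 in *[[:upper:]]*) ;; *) return 1 ;; esac
    case $1 in *[[:digit:]]*) ;; *) return 1 ;; esac
    case $1 in *[![:alnum:]]*) ;; *) return 1 ;; esac
    return 0
}

# gen_password [LENGTH] -> prints one password of LENGTH characters (default 12)
gen_password() {
    len=${1:-12}
    if [ "$len" -lt 4 ]; then
        echo "length must be at least 4 to fit all four classes" >&2
        return 1
    fi
    while :; do
        # Every candidate is drawn fresh from the kernel CSPRNG; rejecting a
        # whole candidate keeps the result uniform over the accepted passwords.
        pw=$(LC_ALL=C tr -dc "$ALPHABET" < /dev/urandom | head -c "$len")
        if has_all_classes "$pw"; then
            printf '%s\n' "$pw"
            return 0
        fi
    done
}

gen_password 12
```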
 
Old 09-01-2008, 04:11 PM   #2
dv502
Member
 
Registered: Sep 2006
Location: USA - NYC
Distribution: Whatever icon you see!
Posts: 642

Rep: Reputation: 57
When I need to create strong passwords I run the md5sum command on some file, then cut the first 12 characters with the cut command and use that as a password.

Code:
md5sum somefile | cut -c 1-12
Sometimes I use the first letter of each word from a simple sentence to make a password.

I store my passwords in mysql and a text file which is encrypted and a copy of both off my computer in a small safe. Just have copies of copies and you'll be safe.

Hopefully...

Last edited by dv502; 09-01-2008 at 04:40 PM.
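
An added example (not dv502's code; the function names are hypothetical and the sample file is constructed) showing two properties of the md5sum approach above: the output uses only the 16 hex digits, and the same file always yields the same password. The 73-symbol figure is the size of the character set in the script from post #1; both bit counts are upper bounds that assume uniformly random characters.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# md5_password FILE -> the 12 characters produced by the command in the post
md5_password() {
    md5sum "$1" | cut -c 1-12
}

# charset_ok STRING -> exit 0 if STRING is non-empty and only lowercase hex
charset_ok() {
    case $1 in
        ''|*[!0123456789abcdef]*) return 1 ;;
        *) return 0 ;;
    esac
}

# entropy_bits ALPHABET_SIZE LENGTH -> upper bound on entropy, in bits, for
# LENGTH characters chosen uniformly from ALPHABET_SIZE symbols
entropy_bits() {
    awk -v n="$1" -v len="$2" 'BEGIN { printf "%.1f\n", len * log(n) / log(2) }'
}

# Constructed sample input so the example runs offline.
sample=$(mktemp)
printf 'constructed sample file contents\n' > "$sample"
first=$(md5_password "$sample")
second=$(md5_password "$sample")
rm -f "$sample"

echo "md5sum-derived password:   $first"
echo "same file, second run:     $second"
echo "hex digits, 12 chars:      $(entropy_bits 16 12) bits at most"
echo "73-symbol set, 12 chars:   $(entropy_bits 73 12) bits at most"
```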
 
Old 09-02-2008, 08:21 AM   #3
unihiekka
Member
 
Registered: Aug 2005
Distribution: SuSE Linux / Scientific Linux / [K|X]ubuntu
Posts: 273

Rep: Reputation: 32
I used to have a list of my passwords in an encrypted file in my mailbox and/or a list on an encrypted partition of my computer.

- Yes, it's true you might forget the password of the mailbox and/or the pass phrase of the encrypted file, but in that case you're scr*wed anyway.

- It might be so that you can access your mailbox but there is no decryption programme on that computer. That's too bad, but it can't be helped.

Well, I guess, remembering all passwords is not optimal either, because there are always ways to make you talk, even if you don't want to...

By the way, in the old days I even had a file on my computer which was 'encrypted' with a book cipher, where the book I used was a special edition of a very old book so that a brute force attack by someone with a large library wouldn't be helpful. Looking through my personal library wouldn't have helped, since it was not very organized. Although nice at first, deciphering is a hell of a task if you don't automate it (in which case the cipher might be compromised easily).

Something in the category one-password-for-all I recently heard from a colleague: you can always take a good (long) password and permute the letters and numbers systematically:

Password 1: hello123
Password 2: 3hello12
Password 3: 23hello1

etc.

Personally, I think it's rubbish if you want good security. Once one is compromised, I guess, all would quickly be, if the attacker would not be too stupid.

Last edited by unihiekka; 09-02-2008 at 08:30 AM.
 
Old 09-02-2008, 08:25 AM   #4
b0uncer
LQ Guru
 
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Rep: Reputation: Disabled
See this thread too.

Some people have good memory and they remember their passwords (and change them), some have less good memory and they cheat somewhere (don't change passwords or circulate them for example) and some simply rely on a keyring manager or such, or a piece of paper. I think it's clear which method is best and which is the easiest..
 
Old 09-02-2008, 09:14 AM   #5
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3941
Shrug... I confess. I use the KDE Wallet.

On Windows, and on Macintosh, I use similar "encrypted keychain" facilities.

I back-up the keychains to a thumb drive.
 
Old 09-02-2008, 09:26 AM   #6
j.todd
Member
 
Registered: Feb 2008
Location: Michigan
Distribution: Debian GNU/Linux Unstable
Posts: 144

Rep: Reputation: 16
First, I make the password by holding down and letting up on shift while rolling my face on the keyboard for a couple of seconds. Then I take the first 10 characters and stare at them until I remember the password. Then I use the password. Yup.
 
Old 09-02-2008, 09:28 AM   #7
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1301
I probably should not tell you this, because it may help you log in with my accounts, but really it won't because I don't use H_TeXMeX_H anymore for any of my newer accounts where this applies.

I use some type of stable algorithm to make passwords for the site I am on. Let's say I'm at www.inbox.com as an example. My password would be m0cx0bn1www, can you guess how I derived it? You can do more complicated algorithms, but make sure you use the same one for every password or you will forget the password. There is a vulnerability in this method in that if they figure out your algorithm they will know it for all your accounts, assuming you use the same name for all of them. You can also use an md5hash of it, or some other word in the site, something constant. But then you don't always have access to md5sum.
 
Old 09-02-2008, 09:37 AM   #8
pwc101
Senior Member
 
Registered: Oct 2005
Location: UK
Distribution: Slackware
Posts: 1,847

Rep: Reputation: 128
To generate a password, I sometimes use mkpasswd. Otherwise, I think of a line in a song I like, take the first letters of each word in that line, replace a's with @'s, b's with 6's, t's with 7's, l's with !'s etc. It's easy to remember, as long as you want it to be, and I think reasonably strong. Also, it'd be tough for someone to guess which are your favourite songs, let alone which lines from those you've bothered/managed to remember!
 
Old 09-02-2008, 09:56 AM   #9
ErV
Senior Member
 
Registered: Mar 2007
Location: Russia
Distribution: Slackware 12.2
Posts: 1,202

Original Poster
Blog Entries: 3

Rep: Reputation: 62
Quote:
Originally Posted by b0uncer
See this thread too.
Interesting.

I also know a good method for making long passwords that are difficult to forget. Your password (when read letter by letter) should read as a verse. Numbers can also be part of the verse. You can actually remember very long passwords that way (22 characters or more), but inventing a new "verse" for every password once in a month can be problematic.

It was inspired by this joke (should be read in Russian):
Quote:
2 15 42
42 15
37 08 5
20 20 20


38 46
0 4 20
7 08 33
20 20 20


45 108 2


47 16
3 4 502
20 20 20


7 14 100 0
0 0 0 13
37 08 5
20 20 20
In Russian it reads as:
Quote:
dwa, pyatnadtsat', sorok dva
sorok dva, pyatnadtsat'.
tridtsat' sem', nol' vosem, pyat'
dvadtsat', dvadtsat', dvadtsat'

... (and so on)
Which clearly sounds like a verse - has rhythm and rhyme.

Quote:
Originally Posted by H_TeXMeX_H
I use some type of stable algorithm to make passwords for the site I am on. Let's say I'm at www.inbox.com as an example. My password would be m0cx0bn1www, can you guess how I derived it?
Address is written backwards, dots removed, several letters are replaced by similar-looking numbers. Reminds me of this and this.

Last edited by ErV; 09-02-2008 at 10:02 AM.
 
Old 09-02-2008, 12:09 PM   #10
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1301
Quote:
Originally Posted by ErV
Reminds me of this and this.
Whoah, that's weird, I didn't know about those

Writing it in 1337 speak will definitely help against dictionary attacks as they will be looking for words, maybe they even have dictionaries that encompass 1337 speak, even though it can be written in many different ways, but to have it forwards and backwards, and be the name of the website or something on the website (maybe the title or a keyword) and backwards, that is not going to be in any dictionary.

EDIT: Oh, and I forgot about my computer login password, to make those I run my fingers along the keyboard in different directions. They're not likely to guess something like:
1'a;;o.e44pukkiif77ghmmtr00lsz-=
',.paoeu;qjk
'a;qo,.ejkupyixbdf
and so on
Note that I use the dvorak keyboard layout, so that makes it even harder.

Last edited by H_TeXMeX_H; 09-02-2008 at 12:14 PM.
 
Old 09-02-2008, 02:01 PM   #11
immortaltechnique
Member
 
Registered: Oct 2006
Location: Kenya
Distribution: Ubuntu, RHEL, OpenBSD
Posts: 287

Rep: Reputation: 32
For me, I have a Perl script that does something similar to that bash script and I can generate alphanumeric passwords that range from 10 characters to 50 chars... ok, that's a bit of a stretch I guess. But the tricky part is always remembering them cuz they end up sounding like modem noise
 
Old 09-02-2008, 03:02 PM   #12
SlowCoder
Senior Member
 
Registered: Oct 2004
Location: Southeast, U.S.A.
Distribution: Debian based
Posts: 1,250

Rep: Reputation: 164
I keep a list of my passwords on a small notepad, which is then kept in a secure location, away from my computer. If I ever forget my password, I just get my notepad.
 
Old 09-02-2008, 05:21 PM   #13
ErV
Senior Member
 
Registered: Mar 2007
Location: Russia
Distribution: Slackware 12.2
Posts: 1,202

Original Poster
Blog Entries: 3

Rep: Reputation: 62
Quote:
Originally Posted by immortaltechnique
But the tricky part is always remembering them cuz they end up sounding like modem noise
This phrase gave me another (crazy, but useful) idea about generating passwords. You can take a music tune (or chord), encode its notation in letters/numbers and use the result as a password. The result might be pretty strong, depending on how exactly you encode the data - if you want to make it more difficult, put dynamics and staccato/legato notation into the password as well - even knowing the original tune you used, a possible attacker might go nuts while trying to guess how you wrote it into the password and which part of the tune you used (example: "g1g1g1es4.5b.5g4", "^g-^g-^g-es.-b-^g" or "ttt39t39tppp-o539u". Made from the same tune.). Actually, it might be very useful for me and maybe it'll even solve the password problem (I'm a former musician).

Last edited by ErV; 09-02-2008 at 05:36 PM.
 
Old 09-02-2008, 08:45 PM   #14
immortaltechnique
Member
 
Registered: Oct 2006
Location: Kenya
Distribution: Ubuntu, RHEL, OpenBSD
Posts: 287

Rep: Reputation: 32
Quote:
Actually, it might be very useful for me and maybe it'll even solve password problem (I'm former musician).
Hmmm that's interesting. I never thought that would actually generate into a novel idea. Quick, when are the Nobel prizes due. I oughtta get one for that

You know I always thought music was akin to programming, only that I have never really understood the concept of 5 bars (the staff I guess) and all the minims, semi-breves and quavers. I think anyone who has a programming bone in them should understand music much easier but alas! I still don't know what tafa-tefe-ta-ta-aa means.
 
  

