by aclissold 3898 days ago
But surely you can't remember a different poem for every service that requires a password?

Relegating you to use a password manager anyway, at which point you might as well just generate random passwords that don't rely on dictionaries?

4 comments

One of these passwords, if they truly are sufficiently-secure, could be used to secure a password manager's encrypted file at rest on a system outside of one's own control.

Right now, the best guidance is to only use a memorable password on files which never leave one's physical control, and to use truly-random passwords on remote machines. This is a pain, because it means that one cannot (or at least, should not) back up one's data securely: any encrypted backup would require a password under one's physical control, but the whole point of the remote backup is to recover from incidents compromising one's physical control. It's a conundrum.

This development could be of real use in securing a remote backup of one's passwords: high-entropy and memorable.

Encrypt your backup using a secure password that's stored in the backup (in your password manager), and then just have a physical copy of the password stored in a fire safe, or safety deposit box, or something else of that ilk. As long as you haven't suffered catastrophic computer loss, you can recover your password using the password manager. If your house burns down with all your stuff in it, you can use the physical copy to access your backup (or, ya know, some other mobile computing device like a laptop or smartphone that also has access to the password manager).

Why not? We can remember the lyrics to every single song we like, or the dialog from some stupid show from 20 years ago, but pass-phrases are out of reach?

We remember the songs and TV shows because we listen and watch them, repeat them in our heads, talk about them with friends. We don't do that with passphrases.

Just continue to use a password manager, and save the poems for your master password, your ssh key, your unix account, etc. Only then do you need to recall on demand.

Create a single-point-of-failure for my entire digital-life? Thanks, I'll pass.

People are completely free to use password managers, but that's their individual choice.

Additionally: There are how many songs in existence today? Apparently some tech dude said there are >97 million. [1]

How many of those are lyrical? How many unique excerpts are possible of those lyrics?

You can choose an excerpt of your favorite song as a pass-phrase, and the chance of a computer guessing that is infinitesimal (though this statement is very hand-wavey without any maths to back it up), and it is supremely easy to remember. It's also highly unlikely that you'll ever share it with anyone on the planet, let alone the same site (also hand-wavey).

If you're smart enough to remember more than one song, you can probably build up several pass-phrases that are supremely easy to remember, nearly impossible to guess, and easier to type than some rando-group of characters.

Like I said, you/anyone is free to use a password manager, but I'll continue to prefer other means.

[1]http://www.marsbands.com/2011/10/97-million-and-counting/

> Create a single-point-of-failure for my entire digital-life? Thanks, I'll pass.

A password manager does not have to be a single point of failure. To lose access to my passwords, I'd have to lose my phone, tablet, two computers at home, and one at my office, as well as my offline backups.

> If you're smart enough to remember more than one song, you can probably build up several pass-phrases that are supremely easy to remember, nearly impossible to guess, and easier to type than some rando-group of characters

I have around 400 passwords. That's a lot to remember. Don't forget that not only would I have to remember 400 pass phrases, but I'd also have to remember which goes with which site.

For sites that I have to enter passwords frequently, I could probably keep track, but there aren't actually many sites like that because of cookies.

To make 400 memorized pass phrases work, I'd have to maintain a file with a list of sites and pass phrase hints...and now that file is as much a point of failure as a password manager database would be. Those hints might help an attacker guess my pass phrases, so that hint file needs to be kept secure.

Wait...so now I'd essentially be using an improvised, half-assed pseudo password manager that has all the potential downsides of a password manager, but that doesn't actually remember the passwords for me! That is totally texas [1].

[1] https://news.ycombinator.com/item?id=10439977

Isn't the downside of using any information that is personal to you that it massively reduces the scope of potential words and phrases that you would end up using?

There might be >97 million songs, but how many songs does one individual know well enough to decide to use them for a passphrase?

Possibly, but what are the chances that the attacker trying to crack a salted/derived key from your password knows you well, instead of being someone halfway around the world?

If a lot of your friends are trying to hack you ... maybe stop pissing people off? idk, that's an attempt at humor, but probably not a good one.

For services, sure, generate a long random password and remember it via a password manager. But this seems like a fine method to generate your disk encryption passphrase, or GPG/SSH key passphrase.
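
The guess-space arithmetic that the lyric-excerpt comment above admits is "hand-wavey", and the "salted/derived key" point about who is doing the cracking, worked through as an added example (not code from the thread or from any of the commenters). It compares a manager-generated random password, a Diceware-style passphrase of the kind suggested for disk and GPG/SSH key passphrases, and a lyric-excerpt passphrase under two attacker models: a stranger who must search the ~97 million songs cited in the thread, and someone who knows the few hundred songs you actually listen to. The 40 lines per song, the 3-line excerpt cap, the 500 known songs, the 94-symbol alphabet, the 7776-word list size and both guess rates are assumptions chosen for illustration; the word list in the block is a constructed toy.

```python
import math
import secrets

# Constructed stand-in for a real word list (the EFF long list has 7776 words).
# generate_passphrase() draws from whatever list it is given; the default is this
# toy list, so its output has only 3 bits per word and is for demonstration only.
TOY_WORDLIST = ["correct", "horse", "battery", "staple", "poem", "lyric", "verse", "chorus"]


def entropy_bits(choices: int, elements: int) -> float:
    """Bits of entropy for `elements` independent, uniform picks from `choices` options."""
    return elements * math.log2(choices)


def random_password_bits(length: int, alphabet_size: int = 94) -> float:
    """A manager-generated password: `length` uniform picks from printable ASCII (94 symbols)."""
    return entropy_bits(alphabet_size, length)


def diceware_bits(words: int, wordlist_size: int = 7776) -> float:
    """A Diceware-style passphrase: `words` uniform picks from a `wordlist_size`-word list."""
    return entropy_bits(wordlist_size, words)


def song_excerpt_bits(songs: int, lines_per_song: int, max_excerpt_lines: int) -> float:
    """Upper bound on the guess space of a lyric-excerpt passphrase.

    Model (an assumption, not from the thread): the passphrase is a contiguous run of
    1..max_excerpt_lines lines starting at any line of any of `songs` songs, each having
    `lines_per_song` lines. The attacker is assumed to know the model; the only secret
    is which excerpt. Pass the number of songs the attacker must consider: ~97 million
    for a stranger, or the few hundred you actually know for someone familiar with you.
    """
    candidates = songs * lines_per_song * max_excerpt_lines
    return math.log2(candidates)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2.0 ** bits / guesses_per_second


def generate_passphrase(words: int, wordlist=TOY_WORDLIST) -> str:
    """Pick `words` words uniformly with the OS CSPRNG (secrets), never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    # Guess rates are assumptions for illustration: a fast unsalted hash on a GPU rig
    # versus a deliberately slow KDF (scrypt/bcrypt/Argon2) tuned to ~100 ms per guess.
    FAST_HASH = 1e10
    SLOW_KDF = 10
    models = {
        "20-char random password": random_password_bits(20),
        "6-word Diceware passphrase": diceware_bits(6),
        "lyric excerpt, attacker knows your 500 songs": song_excerpt_bits(500, 40, 3),
        "lyric excerpt, stranger searches 97M songs": song_excerpt_bits(97_000_000, 40, 3),
    }
    for name, bits in models.items():
        fast = seconds_to_exhaust(bits, FAST_HASH)
        slow = seconds_to_exhaust(bits, SLOW_KDF)
        print(f"{name:46s} {bits:6.1f} bits  fast hash: {fast:9.2e} s  slow KDF: {slow:9.2e} s")
    print("sample (toy list, low entropy):", generate_passphrase(4))
```

Under these assumptions a lyric excerpt comes out at roughly 16 bits against someone who knows your listening habits and roughly 33 bits against a stranger, while a 6-word Diceware passphrase is near 78 bits and a 20-character random password near 131. The slow-KDF column is what makes the 33-bit case survive at all; against a fast unsalted hash it falls in about a second, which is the practical content of the "salted/derived key" remark above.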

I think you meant "Requiring you...", rather than "Relegating you...".