by foz 3895 days ago
We remember the songs and TV shows because we listen and watch them, repeat them in our heads, talk about them with friends. We don't do that with passphrases.

Just continue to use a password manager, and save the poems for your master password, your ssh key, your unix account, etc. Only then do you need to recall on demand.


Create a single-point-of-failure for my entire digital-life? Thanks, I'll pass.

People are completely free to use password managers, but that's their individual choice.

Additionally: There are how many songs in existence today? Apparently some tech dude said there are >97 million. [1]

How many of those are lyrical? How many unique excerpts are possible of those lyrics?

You can choose an excerpt of your favorite song as a pass-phrase, and the chance of a computer guessing that is infinitesimal (though this statement is very hand-wavy without any maths to back it up), and it is supremely easy to remember. It's also highly unlikely that you'll ever share it with anyone on the planet, let alone the same site (also hand-wavy).

If you're smart enough to remember more than one song, you can probably build up several pass-phrases that are supremely easy to remember, nearly impossible to guess, and easier to type than some rando-group of characters.

Like I said, you/anyone is free to use a password manager, but I'll continue to prefer other means.

[1] http://www.marsbands.com/2011/10/97-million-and-counting/

> Create a single-point-of-failure for my entire digital-life? Thanks, I'll pass.

A password manager does not have to be a single point of failure. To lose access to my passwords, I'd have to lose my phone, tablet, two computers at home, and one at my office, as well as my offline backups.

> If you're smart enough to remember more than one song, you can probably build up several pass-phrases that are supremely easy to remember, nearly impossible to guess, and easier to type than some rando-group of characters

I have around 400 passwords. That's a lot to remember. Don't forget that not only would I have to remember 400 pass phrases, but I'd also have to remember which goes with which site.

For sites that I have to enter passwords frequently, I could probably keep track, but there aren't actually many sites like that because of cookies.

To make 400 memorized pass phrases work, I'd have to maintain a file with a list of sites and pass phrase hints...and now that file is as much a point of failure as a password manager database would be. Those hints might help an attacker guess my pass phrases, so that hint file needs to be kept secure.

Wait...so now I'd essentially be using an improvised, half-assed pseudo password manager that has all the potential downsides of a password manager, but that doesn't actually remember the passwords for me! That is totally texas [1].

[1] https://news.ycombinator.com/item?id=10439977

Isn't the downside of using any information that is personal to you that it massively reduces the scope of potential words and phrases that you would end up using?

There might be >97 million songs, but how many songs does one individual know well enough to decide to use them for a passphrase?

Possibly, but what are the chances that the attacker trying to crack a salted/derived key from your password knows you well, instead of being someone halfway around the world?

If a lot of your friends are trying to hack you ... maybe stop pissing people off? idk, that's an attempt at humor, but probably not a good one.
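The thread argues both ways about how guessable a song-excerpt passphrase is: the "97 million songs" estimate, the counter that an individual only knows a few hundred songs, and the point that a salted, derived key slows the attacker down. The following is an added example (not code from anyone in the thread) that puts rough numbers on those three claims with a simple guess-space model. Every figure in it is a constructed assumption: the song counts, the number of distinct excerpts per song, the alphabet of a random password, and the two guess rates (a fast, unsalted hash versus a deliberately slow key-derivation function).

```python
import math

# Assumed guess rates (constructed for illustration, not measured values):
# a fast unsalted hash lets an attacker try many guesses per second,
# a slow, salted KDF (bcrypt/scrypt/Argon2-style) cuts that by orders of magnitude.
FAST_HASH_GUESSES_PER_SEC = 1_000_000_000
SLOW_KDF_GUESSES_PER_SEC = 10_000

SECONDS_PER_YEAR = 365 * 24 * 3600


def guess_space_bits(songs_known: int, excerpts_per_song: int) -> float:
    """Entropy in bits if the passphrase is one excerpt chosen uniformly from
    one of `songs_known` songs, each yielding `excerpts_per_song` usable lines.
    This models the attacker's view: the smaller the set of songs the attacker
    can assume you know, the smaller the space."""
    return math.log2(songs_known * excerpts_per_song)


def random_password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of `length` symbols drawn from
    an alphabet of `alphabet_size` symbols (e.g. 62 for [A-Za-z0-9])."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a uniformly chosen secret of `bits` entropy:
    on average the attacker searches half the space."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def scenarios() -> dict:
    """Compare three passphrase models under the two assumed guess rates.
    Returns a dict of {scenario name: (bits, years_fast_hash, years_slow_kdf)}."""
    models = {
        # Attacker assumes any song in existence (the '97 million' figure from
        # the thread) and, by assumption, 50 distinct excerpts per song.
        "excerpt of any known song": guess_space_bits(97_000_000, 50),
        # Attacker knows the victim well: assume ~300 songs known by heart.
        "excerpt of a song the victim knows": guess_space_bits(300, 50),
        # Random 12-character alphanumeric password from a manager.
        "random 12-char alphanumeric": random_password_bits(62, 12),
    }
    result = {}
    for name, bits in models.items():
        fast = expected_crack_seconds(bits, FAST_HASH_GUESSES_PER_SEC)
        slow = expected_crack_seconds(bits, SLOW_KDF_GUESSES_PER_SEC)
        result[name] = (bits, fast / SECONDS_PER_YEAR, slow / SECONDS_PER_YEAR)
    return result


if __name__ == "__main__":
    for name, (bits, fast_years, slow_years) in scenarios().items():
        print(f"{name:40s} {bits:6.1f} bits  "
              f"fast hash: {fast_years:12.3g} yr  slow KDF: {slow_years:12.3g} yr")
```

The model is deliberately crude (real attackers use lyric wordlists rather than uniform search, and song excerpts are far from uniformly chosen), but it shows why both sides of the thread are partly right: the full-catalogue estimate gives a space around 32 bits, which a slow KDF keeps out of reach of an online or low-budget attacker, while the "songs you actually know" estimate collapses to roughly 14 bits, which no KDF setting rescues. A randomly generated password from a manager sits far above either.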