by lemmings19 3479 days ago
If you take the process they outline and memorize it, you're rid of having to carry around something physical. You can still store the formula somewhere safe in case you forget it or something happens to you.

You might be surprised how little effort it takes to memorize. Half an hour a day for a few days can do it for a lot of people, followed by putting it into practice.

The password creation process:

[~8 characters including lowercase, uppercase, and special characters]

+

[a secret word or set of characters ~8 characters long]

+

[a simple encryption method for the alphabet which you use to write the service's name down]

e.g. [qWeRtY4$] + [bananas] + [ibdlfsofxt]

Which comes out to: qWeRtY4$bananasibdlfsofxt

Decrypter for the last section ('ibdlfsofxt' is 'hackernews'):

a = b
b = c
c = d
d = e
e = f
f = h
h = i
i = j
j = k
k = l
l = m
m = n
n = o
o = p
p = q
q = r
r = s
s = t
t = u
u = v
v = w
w = x
x = y
y = z
z = a

Take those three steps and randomize them or make them something unique to you and you're good to go.

Probably the most important part of your password is the length. The longer a password is, the longer it will take for software to break it with brute force. If the service you're using has a three character name, you'll be relying on the first two parts of your passwords to reach a good length. It's good to keep those two at a combined length of around 14+ characters.

e.g. [1234567] + [1234567] + [aws] = 17 characters

Some problems with this method:

A: If your password requires changing.

- To solve this, you could choose a character in the first sequence that you can increment every time you have to change your password. You could also choose a different word for the second section. Plan ahead for this scenario.

B: The service you are using doesn't allow a password with one of your special characters.

- You could try using special characters that are very commonly accepted when you create your password, such as the exclamation mark. Though, this _does_ take away from the security.

- You could also have a secondary password; one that is simplified and doesn't rely on special characters. You can have this as a backup for services that have limiting password requirements.

e.g. [qwerty] + [bananas] + [ibdlfsofxt]

C: The service you're using doesn't allow a password of that length.

- As with problem B, you could have a secondary password ready ahead of time, e.g. [tY4$] + [ibdlfsofxt]

2 comments

I think that the problem with quick and easy memorization is that it could also be easy for an algorithm to crack it.

For example you have:

[qWeRtY4$] + [bananas] + [ibdlfsofxt]

If your password is exposed:

[qWeRtY4$] = remains the same for all passwords

[bananas] = remains the same for all passwords

[ibdlfsofxt] = changes for all passwords

Cracking the part that "changes" is probably not going to be difficult for a machine since you are associating the place name (hackernews or aws) with the part that changes (same number of characters). Then it won't take long for a machine to guess that you are replacing with the next alphabet letter or something else that is easy for a human to remember.

In that sense, I believe QWERTY cards are a bit more secure, since it's just random characters assigned to each key, and each card is unique. It takes away the "easy to remember" part since you will have to look at the card, but it will be some orders of magnitude harder for a machine to guess it.

After multiple breaches, however, your encryption table might be exposed too. At this point you will have to change your passwords and get a new card. Probably do it every 3 months?

I don't know, sounds like a lot of work and maybe too paranoid, but I'm hopeless when thinking about password creation and making it easy to remember.
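As an added illustration of the exchange above (this is not code from either commenter), the three-part scheme with the shift-by-one alphabet from the post, beside a constructed random substitution table standing in for a QWERTY card. The helper `recover_shift` shows the point made above: one leaked password plus its service name pins down the shift after at most 26 tries, whereas the per-letter random table gives that search nothing to find.

```python
import string
from typing import Optional

ALPHABET = string.ascii_lowercase

# Constructed stand-in for a QWERTY-card style table: a fixed permutation of the
# alphabet, one random letter per key. Any permutation would do for the demo.
RANDOM_TABLE = "qazwsxedcrfvtgbyhnujmikolp"


def shift_encode(text: str, shift: int) -> str:
    """Shift every lowercase letter forward by `shift`, wrapping z -> a.
    Non-lowercase characters pass through unchanged."""
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + shift) % 26] if ch in ALPHABET else ch
        for ch in text
    )


def table_encode(text: str, table: str = RANDOM_TABLE) -> str:
    """Replace every lowercase letter by the letter at the same position in `table`."""
    return "".join(table[ALPHABET.index(ch)] if ch in ALPHABET else ch for ch in text)


def build_password(prefix: str, secret: str, service: str, shift: int = 1) -> str:
    """Assemble [prefix] + [secret] + [shift-encoded service name], as the post describes."""
    return prefix + secret + shift_encode(service, shift)


def recover_shift(leaked_password: str, service: str) -> Optional[int]:
    """Given one leaked password and the service it belonged to, try all 26 shifts
    against the trailing segment. Returns the shift, or None if no single shift
    explains it (e.g. when a random substitution table was used instead)."""
    tail = leaked_password[-len(service):]
    for s in range(26):
        if shift_encode(service, s) == tail:
            return s
    return None


def fixed_part(leaked_password: str, service: str) -> str:
    """The part of a leaked password that the scheme reuses across every service."""
    return leaked_password[: -len(service)]
```

With the shift known and the fixed part read off one leak, the password for any other service follows by construction; with the random table, `recover_shift` returns None and the search space is the number of alphabet permutations rather than 26.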

That is pretty cool, and thanks for the detailed reply. Asking innocently, because I don't know much about this stuff and I'm lazy, but is it much more secure? The thing I liked about the qwertycards is that there isn't a single point of failure.

If somebody takes your card, you still know the secret, and that could be any number of characters you wanted it to be.