Hacker News
by umvi 1854 days ago
I use algorithmic passwords. I have an algorithm that takes in several parameters and generates a unique password per service. For example, my algorithm `f` might be:

f(domain, secret_word, secret_sentence, rules)

= UPPER(KEY_TO_RIGHT(domain[0:3])) + secret_word + secret_sentence[LENGTH(domain)] + LENGTH(domain) + PAD_TO_20("X")

So if my secret word were "bottleneck" and my secret sentence were "It is a truth universally acknowledged, that a single man in possession of a good fortune, must be in want of a wife." my algorithm generates the following passwords:

google.com:

f("google", "bottleneck", "It is a truth universally acknowledged, that a single man in possession of a good fortune, must be in want of a wife." , rules)

password = "HPPbottleneckacknowledged,6"

(note that "HPP" are the letters on the keyboard shifted right from "GOO")

microsoft.com:

f("microsoft", "bottleneck", "It is a truth universally acknowledged, that a single man in possession of a good fortune, must be in want of a wife." , rules)

password = "ZOVbottlenecksingle9"

The "rules" parameter is because some sites have length restrictions, symbol restrictions, and you may have to truncate the password or replace symbols. Also in "rules" is how many times you've changed a given password. I store the "rules" in a google doc.

Anyway, the nice thing about this system is that the algorithm is in your brain and you can use it to generate the password for a given service without relying on a password manager. So theoretically if I got stranded in Europe as a tourist and my phone got stolen, I'd still be able to get into my accounts (assuming 2FA isn't enabled...).

Password managers definitely generate more secure passwords, but my goal isn't to be the most secure, it's to strike a balance between the things I care about (and I care about being able to get into my accounts if I somehow lose access to my password manager).
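The scheme in the post, written out as runnable Python. This is an added example, not the commenter's own code: the wrap-around at the end of a QWERTY row in KEY_TO_RIGHT (which is what turns "mic" into "zov"), the 1-indexed word lookup into the secret sentence, the bare-label handling in registrable_label, and the dict shape of the "rules" parameter are all assumptions inferred from the two worked passwords above, as are the helper names password_for and same_password. The secret word and sentence are the post's own sample values.

```python
# Added example (not the commenter's code): a Python rendering of the
# algorithmic-password scheme described in the post above. Assumptions,
# inferred from the two worked passwords rather than stated in the post:
#   * KEY_TO_RIGHT moves one key to the right on the QWERTY row and wraps
#     at the row end ("m" -> "z"), which is what makes "mic" -> "zov";
#   * secret_sentence[n] is the n-th word counted from 1, punctuation kept;
#   * "rules" is a small dict of per-site state (change count, limits).
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

# Sample secrets, copied from the post's own worked example.
SECRET_WORD = "bottleneck"
SECRET_SENTENCE = ("It is a truth universally acknowledged, that a single man "
                   "in possession of a good fortune, must be in want of a wife.")


def key_to_right(text):
    """Shift each letter one key to the right on its QWERTY row, wrapping
    around at the end of the row; non-letters pass through unchanged."""
    shifted = []
    for ch in text.lower():
        for row in QWERTY_ROWS:
            if ch in row:
                shifted.append(row[(row.index(ch) + 1) % len(row)])
                break
        else:
            shifted.append(ch)
    return "".join(shifted)


def registrable_label(hostname):
    """'google.com' -> 'google'. Assumption: the post feeds f only the
    label left of the first dot, so the TLD never enters the password.
    (Hypothetical helper; only two-label hostnames as in the post.)"""
    return hostname.lower().split(".")[0]


def f(domain, secret_word, secret_sentence, rules=None):
    """The post's f: UPPER(KEY_TO_RIGHT(domain[0:3])) + secret_word
    + secret_sentence[LENGTH(domain)] + LENGTH(domain) + PAD_TO_20("X"),
    followed by the per-site adjustments the post keeps in "rules"."""
    rules = rules or {}
    words = secret_sentence.split()
    n = len(domain)
    # 1-indexed word, wrapping for labels longer than the sentence (assumption)
    word = words[(n - 1) % len(words)]
    password = key_to_right(domain[:3]).upper() + secret_word + word + str(n)
    # Assumed encoding of "rules": how many times this site's password has
    # been changed (appended as a digit) and site-imposed symbol/length limits.
    if rules.get("changes"):
        password += str(rules["changes"])
    for sym in rules.get("forbidden_symbols", ""):
        password = password.replace(sym, "")
    password = password.ljust(20, "X")          # PAD_TO_20("X")
    if rules.get("max_length"):
        password = password[:rules["max_length"]]
    return password


def password_for(hostname, secret_word=SECRET_WORD,
                 secret_sentence=SECRET_SENTENCE, rules=None):
    """Hypothetical convenience wrapper: hostname -> password."""
    return f(registrable_label(hostname), secret_word, secret_sentence, rules)


def same_password(host_a, host_b, **kw):
    """True when two hostnames map to the same password. Only domain[0:3]
    and LENGTH(domain) feed into f, so sites sharing a label (ycombinator.com
    and ycombinator.xyz) or just its first three letters and length
    (google and goober) receive identical passwords."""
    return password_for(host_a, **kw) == password_for(host_b, **kw)


if __name__ == "__main__":
    for host in ("google.com", "microsoft.com",
                 "ycombinator.com", "ycombinator.xyz", "goober.com"):
        print(host.ljust(18), password_for(host))
```

Running it reproduces the two passwords from the post; same_password makes visible what the formula already implies, namely that nothing but the first three letters and the length of the site label distinguishes one service from another, so ycombinator.com and ycombinator.xyz, or google.com and any other six-letter label beginning with "goo", share a password unless the "rules" entry for one of them differs.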

2 comments

I'm not a big fan of the algorithmic password systems. In practice you need to remember some bits of state for each separate website, because of different password rules or because you had to reset the password. This results in either needing to memorize a lot of information or writing it all down somewhere. The former has the same problems as memorizing passwords without assistance. And if we need to write it down, then we might as well write down a long and totally random password for each website.

If the worry is losing your phone, some of the popular services such as Bitwarden can also be accessed via a web interface, without installing the app.

Writing down website rules (i.e., which websites have length requirements, etc.) is not the same as writing down passwords. The former is already public information. I keep track of website rules in a Google doc for reference, and if compromised it does not give an attacker any information that isn't already public.

If BitWarden can be accessed from a browser, it means all my passwords are on their servers, whereas with an algorithmic password generator the passwords are in my brain alone.

Better not sign up for services at ycombinator.xyz.