Hacker News new | ask | show | jobs
by simontabor 4635 days ago
Sounds like you've misunderstood the purpose of this.

I usually just use a single password across most services, so they all know your password, even if you trust them not to store it in plain text. It's infinitely more secure to use something like PW, never entering your main/master password into any other services and then have a generated hash that really means nothing to anyone (can't be decoded or anything stupid). The length factor here makes very little difference, and only you need to know that you use 40 character password (yes, 40, which I bet is longer and more secure than your current password(s))
2 comments
simontabor 4635 days ago
Yes, but it's by far the lesser of two evils. You can easily take a substring of the generated password.

How would you randomise the length of the password in a repeatable + secure manner?

link
ugexe 4635 days ago
There is nothing inherently secure with you hashing the password to be used as a password. It uses a non dictionary string and has a long (but static) length, ok, but a random number of anything (characters, words, whatever) has variable length.

There is a reason passwords like 'the old lemon man jumped high as a pokemon' are getting more popular.

link
simontabor 4635 days ago
I still don't think you get the idea. Using 'the old lemon man jumped high as a pokemon' across multiple services may be secure from someone trying to hack just you, but it's much more likely that one of those services will leak your password (security flaw of some kind) and will therefore compromise your password across every service.

You could easily just use 'servicename||this is my secure password' as your password, but it's still obvious what the pattern is to anyone who obtains that password, rather than getting 404fC7C426Cb6cD694E6C2Ee828c133fA771AcC8. You should be able to leave your password and email address in public places without anyone being able to have any significant effect on your security (they might gain access to one service).

link
ugexe 4635 days ago
I understand how password managers work. Do you understand why a constant length password is bad?
link