by JTxt 4391 days ago
I agree! I've been using passphrases for about 12 years, but in this form:

Ia! Ibupfa1y,bitf:

(It's the first letter of every word in that sentence.)

A sentence relevant to me that also refers to the site is easier for me to remember than random words. But perhaps I could make it longer... Use the xkcd idea too.

The entropy is huge unless/until everyone starts making 3 word passphrases the same way with very common words.

There can also be dictionary attacks on common passphrases, especially after a large site is compromised.

Lately I've been changing it up by offsetting my fingers on the keyboard.

Unfortunately each password/phrase input has different requirements and limits, and there are many different confusing help texts for explaining it. And it's frustrating to find out the limits after committing to memory and submitting.

What's a good, plainly written UX standard that we can advocate?
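The scheme in the comment above (first letter of every word, punctuation kept), the keyboard-offset trick, and the entropy and dictionary-attack points it raises, as an added worked example. This is not code from the thread or from the commenter; the tokenisation rule (first character plus trailing punctuation, with a space surviving only after sentence-ending punctuation), the alphabet sizes used for the entropy comparison, and the phrase list are my own assumptions, chosen so the function reproduces the example string on the page.

```python
"""Added example, not from the HN thread: derive a first-letter password
from a sentence, size the search space under a few attacker models, and
show why a well-known sentence is a dictionary hit.

Assumptions (mine): each token contributes its first character plus any
trailing punctuation; a space survives only after . ! ? ; the alphabet
sizes below are illustrative round numbers, not measurements."""

import math
import re

# The commenter's own sentence (quoted from the page).
SENTENCE = "I agree! I've been using passphrases for about 12 years, but in this form:"

# Constructed stand-in for an attacker's list of famous sentences.
COMMON_PHRASES = [
    "To be or not to be, that is the question.",
    "The quick brown fox jumps over the lazy dog.",
    "May the force be with you.",
]

# QWERTY rows, used for the "offset fingers on the keyboard" transform.
QWERTY_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]


def first_letters(sentence: str) -> str:
    """First character of every whitespace-separated token, keeping trailing
    punctuation, with a space kept after sentence-ending punctuation."""
    out = []
    for token in sentence.split():
        m = re.search(r"(\w).*?(\W*)$", token)
        if not m:  # token with no word character at all, e.g. "--"
            continue
        head, tail = m.groups()
        out.append(head + tail)
        if tail and tail[-1] in ".!?":
            out.append(" ")
    return "".join(out).rstrip()


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform choices from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def search_space_comparison(password: str) -> dict:
    """Bits of work for several attacker models (assumed alphabet sizes):
    - brute force over 95 printable ASCII characters,
    - an attacker who knows the scheme and guesses one of 26 letters per
      position (case and punctuation treated as free, a lower bound),
    - three words from a 2000-word common-word list,
    - four Diceware-style words from a 7776-word list."""
    n = len(password)
    return {
        "brute_force_printable": round(entropy_bits(95, n), 1),
        "first_letter_model": round(entropy_bits(26, n), 1),
        "three_common_words": round(entropy_bits(2000, 3), 1),
        "four_diceware_words": round(entropy_bits(7776, 4), 1),
    }


def phrase_dictionary(phrases) -> set:
    """What an attacker who knows the scheme precomputes from a phrase list."""
    return {first_letters(p) for p in phrases}


def is_dictionary_hit(password: str, phrases) -> bool:
    return password in phrase_dictionary(phrases)


def keyboard_shift(text: str, offset: int = 1) -> str:
    """Replace each key by the one `offset` positions along its QWERTY row
    (wrapping, case preserved). Fixed and invertible, so to an attacker it
    is one mangling rule, not extra entropy."""
    out = []
    for ch in text:
        low = ch.lower()
        for row in QWERTY_ROWS:
            i = row.find(low)
            if i >= 0:
                new = row[(i + offset) % len(row)]
                out.append(new.upper() if ch.isupper() else new)
                break
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    pw = first_letters(SENTENCE)
    print(pw)
    print(search_space_comparison(pw))
    print(is_dictionary_hit(first_letters(COMMON_PHRASES[0]), COMMON_PHRASES))
    print(keyboard_shift(pw))
```

Running it reproduces the string from the comment and shows the gap the commenter is describing: an 18-character first-letter password sits far above a three-common-word phrase even under the pessimistic letters-only model, while anything built from a famous sentence falls straight out of a precomputed phrase dictionary, and the keyboard offset only changes which rule the attacker applies.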


Using a password manager
Yes, even better.

Can you recommend a password manager that works on all browsers/devices that you trust?

I have not found that yet, so I use passphrases customized to the site.

Edit: Also fundamentally it means that to access a single site from a compromised device, I'm potentially giving a nice list of all of my credentials.

> Can you recommend a password manager that works on all browsers/devices that you trust?

1Password works on iOS, Android, and Mac (as confirmed by me) and they claim Windows, too. Browser-wise, I can confirm Chrome and Safari. That works for me, as it covers all of my use cases. YMMV, and it most certainly will if you're running Linux.

Downside: good $DEITY is it pricey by the time you cover all of your mobile devices and desktops. The amount of hassle it saves me probably pays for it, but covering all platforms at my house is bumping up against $100 (not including a couple of paid upgrades along the way).

I can recommend KeePassX.

It's in the Debian & Ubuntu repositories. It is also in the F-Droid repository for Android mobiles, so you can install and update easily from an AOSP ROM. All of the above are free and open-source which helps quite a bit with establishing trust. If you are among the majority using Windows or Mac it works there, too.

Sync it between devices by storing its (by default encrypted) database in a service like ownCloud or Dropbox.

Google Sheets