My password strategy

1. Create a strong yet unforgettable main seed (“Master Key”) from a personal pass phrase:

Frag­ment­ed Suite for Piano and Bass Duke Elling­ton and Ray Brown 1972 → FSfPaBDEaRB1972 (this is just an ex­am­ple of course, not my own pass phrase; an ex­cel­lent choice any­way. According to howse­cureis­my­pass­word.net, It would take a com­put­er about 609 mil­lion years to crack it. However, a pass­word like “goofy2014” would take on­ly 42 min­utes.)

The per­son­al pass phrase and the derived seed will nev­er be stored any­where ex­cept in your brain.

2. Generate a unique password for each protected resource:

• Download and install (for example) the Firefox extension “Password hasher” available at https://dev.csync.org/passhash.html [1] (you may of course use any other hash utility instead, but this one is very simple and convenient. A similar solution is “Password Maker”).

• Save the “portable page” locally as passhash.html, open it with any web browser [2]:

  

• Assuming your ID is “thepianoplayer” for the domain “orches.tra”, enter Site Tag = orches.tra+thepianoplayer, Master Key = FSfPaBDEaRB1972,
• → Strong generated password = sqG&Xaj0 (digit, punctuation and mixed case ticked, size 8)
• → Stronger generated password = sqGGcaj-FjR2 (digit, punctuation and mixed case ticked, size 12)

The very in­ter­est­ing fea­ture of this tool is this: no pass­word is saved any­where, even in an en­crypt­ed form. They are re-cal­cu­lat­ed ev­ery time you need them, then van­ish after use. Unstoppable: no­body can steal some­thing that sim­ply doesn’t ex­ist.

At the same time, re­place your old “qw­er­ty” or “123456” so-called pass­words with re­al ones.

(You may now shoot the pi­anist, he is ar­moured)

You may copy/paste the gen­er­at­ed pass­words; the pass­word man­ager of your browser/mail client will gen­er­al­ly re­mem­ber them on­ce you have used them for the 1^st time. However, this is not safe if you didn’t set up a Master pass­word to pro­tect saved pass­words (you may use your main seed “FSfPaBDEaRB1972” for this) plus a per­son­al pro­file [3]. Even if you did, it is still not safe if you are us­ing an old-fash­ioned browser/mail client, as those ob­so­lete prod­ucts (some are still avail­able from their pub­lish­ers, un­for­tu­nate­ly) store pass­word in an un­safe way. Anybody us­ing a sim­ple, free util­i­ty like SIW might dis­cov­er them in sec­onds. So, do not al­low an old browser/mail client to re­mem­ber your pass­words, or even bet­ter: do not use old browsers or mail clients. Never.

You may use this strat­e­gy not on­ly for com­put­er-re­lat­ed mat­ters, but for many other things, for in­stance:

• Your bicycle: Site Tag = bicycle+thepianoplayer, Master key = FSfPaBDEaRB1972 → lock code = 267470 (digits only, size 6)
• Your suitcase: Site Tag = suitcase+thepianoplayer, Master key = FSfPaBDEaRB1972 → lock code = 579736 (digits only, size 6)
• Your garage: Site Tag = garagedoor+thepianoplayer, Master key = FSfPaBDEaRB1972 → lock code = 510303 (digits only, size 6)
• Your credit card: Site Tag = creditcard+thepianoplayer, Master key = FSfPaBDEaRB1972 → PIN code = 297672 (digits only, size 6)
• Your phone: Site Tag = telephone+thepianoplayer, Master key = FSfPaBDEaRB1972 → PIN code = 470939 (digits only, size 6)

(use on­ly the first 4 dig­its here, as passhash ig­nores the size set­ting if less than 6, which makes sense to avoid weak pass­words.)

So, my pass­words are com­pli­ant with the fol­low­ing 5 re­quire­ments:

1. They are unique (one distinct password for each protected resource, so if one password is compromised, only one access would be struck) [4]
2. They are strong (i.e. reasonably resistant to brute force or dictionary attacks) [5]
3. Almost impossible to steal, as they aren’t stored anywhere.
4. I can’t forget them, as I don’t need to remember them — I am able to restore them in case of need.
5. I do not need a sophisticated, possibly expensive and protected piece of software to keep my secrets, as I have no multiple and sophisticated secrets to keep, just my pass phrase.