How best to manage strong passwords?

superFoolish
Lemon Slice
Posts: 253
Joined: November 7th, 2016, 12:28 am
Been thanked: 57 times

Re: How best to manage strong passwords?

#181320

Postby superFoolish » November 19th, 2018, 4:03 am

Here's a tip for creating passwords that you must remember (as opposed to random passwords that are stored):

Use a quote from a book: “If everybody minded their own business, the world would go around a great deal faster than it does”
or a line from a poem: “I have the measles and the mumps, A gash, a rash and purple bumps”
Or lyrics from a song: "Burn like a slave, Churn like a cog, We are caged in simulations"

Take the initial letters and punctuation if you wish (I'll use the book quote): Iemtob,twwgaagdft1d
You could then replace some of the letters with digits / symbols: 1emt0b,twwg@@gdft1d
Maybe add a couple of symbols: %1emt0b,twwg@@gdft1d*

That's as secure and as memorable as is practical.

Do not pick a favourite book / poem / song. I picked the above examples by typing (e.g.) "quote from book" into Google. I picked the first one for this example, but I'd pick a 'random' result in practice.

Whilst the above example may look ludicrously difficult to remember, I have a couple of passwords along those lines and, after a week of use, they take no longer to type than a memorable word / combination.

The key issue here is longer passwords are more secure. I understand that in theory, using several 'real' words joined together would be as secure in terms of brute-force hacking, but this method makes it virtually impossible for someone looking over your shoulder to remember what you typed, because there is no discernible pattern.

UncleEbenezer
The full Lemon
Posts: 10789
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1470 times
Been thanked: 2996 times

Re: How best to manage strong passwords?

#181338

Postby UncleEbenezer » November 19th, 2018, 9:39 am

superFoolish wrote:That's as secure and as memorable as is practical.

And does absolutely nothing for the real problem of remembering a great multitude of passwords.

It's the same principle and flaw as Correct Horse Battery Staple (which was thought-provoking in its time).

gbjbaanb
Lemon Slice
Posts: 582
Joined: November 4th, 2016, 1:17 pm
Has thanked: 192 times
Been thanked: 126 times

Re: How best to manage strong passwords?

#181579

Postby gbjbaanb » November 20th, 2018, 10:05 am

UncleEbenezer wrote:A local database has a similar risk to an online one. A burglar gets it; an online attack while you're online might get it; a person getting an opportunistic moment at your laptop might copy it. An online database is likely to be inherently more secure on account of being professionally managed


Tell that to users of Experian, or TalkTalk or ebay or ... even OneLogin online password manager
https://www.bbc.co.uk/news/technology-40118699

UncleEbenezer
The full Lemon
Posts: 10789
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1470 times
Been thanked: 2996 times

Re: How best to manage strong passwords?

#181595

Postby UncleEbenezer » November 20th, 2018, 10:47 am

gbjbaanb wrote:
UncleEbenezer wrote:A local database has a similar risk to an online one. A burglar gets it; an online attack while you're online might get it; a person getting an opportunistic moment at your laptop might copy it. An online database is likely to be inherently more secure on account of being professionally managed


Tell that to users of Experian, or TalkTalk or ebay or ... even OneLogin online password manager
https://www.bbc.co.uk/news/technology-40118699

I wouldn't try to tell anyone that.

It's very easy, but also dishonest, to give a false impression by quoting half a sentence out of context. Why do you do it?

superFoolish
Lemon Slice
Posts: 253
Joined: November 7th, 2016, 12:28 am
Been thanked: 57 times

Re: How best to manage strong passwords?

#181910

Postby superFoolish » November 21st, 2018, 12:39 pm

UncleEbenezer wrote:
superFoolish wrote:That's as secure and as memorable as is practical.

And does absolutely nothing for the real problem of remembering a great multitude of passwords.

It's the same principle and flaw as Correct Horse Battery Staple (which was thought-provoking in its time).


I didn’t suggest that it was a useful method for remembering a multitude of passwords, and that was not the problem for which I was suggesting a solution. I explicitly stated it was a method useful for when passwords must be remembered rather than stored.

Of course it has flaws; every mnemonic method has flaws.

For storing a multitude of passwords, I suggested Keepass, for which a single password is required, hence my suggested method for remembering a strong password.

Better suggestions are, of course, welcome.

Infrasonic
Lemon Quarter
Posts: 4485
Joined: November 4th, 2016, 2:25 pm
Has thanked: 647 times
Been thanked: 1264 times

Re: How best to manage strong passwords?

#181977

Postby Infrasonic » November 21st, 2018, 4:47 pm

More grist for the mill here... https://www.grc.com/haystack.htm

vrdiver
Lemon Quarter
Posts: 2574
Joined: November 5th, 2016, 2:22 am
Has thanked: 552 times
Been thanked: 1212 times

Re: How best to manage strong passwords?

#183215

Postby vrdiver » November 27th, 2018, 11:41 am

Infrasonic wrote:More grist for the mill here... https://www.grc.com/haystack.htm


I just put a Keepass generated password into the above url and got the following analysis (20 char password):

Count of all possible passwords with this alphabet size and up to this password's length) 715,971,350,555,965,203,672,729,121,413,359,850
Search Space Size (as a power of 10): 7.16 x 10^35

Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario: (Assuming one thousand guesses per second) 2.28 hundred billion trillion centuries
Offline Fast Attack Scenario: (Assuming one hundred billion guesses per second) 2.28 thousand trillion centuries
Massive Cracking Array Scenario: (Assuming one hundred trillion guesses per second) 2.28 trillion centuries

I guess that will be OK for my needs!

VRD

Infrasonic
Lemon Quarter
Posts: 4485
Joined: November 4th, 2016, 2:25 pm
Has thanked: 647 times
Been thanked: 1264 times

Re: How best to manage strong passwords?

#183219

Postby Infrasonic » November 27th, 2018, 11:52 am

I guess that will be OK for my needs!


Until quantum computing becomes viable anyway... :twisted:

vrdiver
Lemon Quarter
Posts: 2574
Joined: November 5th, 2016, 2:22 am
Has thanked: 552 times
Been thanked: 1212 times

Re: How best to manage strong passwords?

#183221

Postby vrdiver » November 27th, 2018, 12:02 pm

Infrasonic wrote:
I guess that will be OK for my needs!


Until quantum computing becomes viable anyway... :twisted:

Fair enough. Mind you, just stretching to 256 characters (any symbol allowed) gave:
Massive Cracking Array Scenario: (Assuming one hundred trillion guesses per second):

11.33 million trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries

Which might be a problem to the would-be hacker until quantum computing becomes affordable, by which time quantum passwords should be on offer in Keepass v692.1 ;)

RececaDron
2 Lemon pips
Posts: 190
Joined: January 17th, 2018, 1:10 pm
Has thanked: 10 times
Been thanked: 50 times

Re: How best to manage strong passwords?

#183224

Postby RececaDron » November 27th, 2018, 12:06 pm

vrdiver wrote:I just put a Keepass generated password into the above url and got the following analysis (20 char password)

Time Required to Exhaustively Search this Password's Space:
Massive Cracking Array Scenario: (Assuming one hundred trillion guesses per second) 2.28 trillion centuries



Vulnerable! Additionally allowing symbols within your 20 character password gives:


Massive Cracking Array Scenario: (Assuming one hundred trillion guesses per second) 11.52 thousand trillion centuries
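
The arithmetic behind the figures quoted in the posts above, as an added example that is not part of any post in this thread and not the calculator's own code: the search space is the count of every password up to the given length, divided by the guess rate. The alphabet sizes (62 and 95), the character-class table and the 52-week year are assumptions, chosen because they reproduce the quoted numbers.

```python
import string

# Assumed character classes: 26 lower + 26 upper + 10 digits + 33 symbols = 95.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")

# Assumption: a century of 100 x 52 x 7 days. The page does not state this;
# it is the value that reproduces the quoted 2.28 and 11.52 figures.
SECONDS_PER_CENTURY = 100 * 52 * 7 * 24 * 60 * 60

# Guess rates taken from the three scenarios quoted in the thread.
SCENARIOS = {"online": 10**3, "offline fast": 10**11, "massive array": 10**14}


def alphabet_size(password):
    """Sum the sizes of the character classes the password draws from."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def search_space(alphabet, length):
    """Count of all passwords of length 1..length over the alphabet."""
    return sum(alphabet ** k for k in range(1, length + 1))


def centuries_to_exhaust(alphabet, length, guesses_per_second):
    """Worst-case time to try every candidate, in centuries."""
    total = search_space(alphabet, length)
    return total / (guesses_per_second * SECONDS_PER_CENTURY)


def report(label, alphabet, length):
    space = search_space(alphabet, length)
    print(f"{label}: alphabet {alphabet}, length {length}, space {space:,}")
    for name, rate in SCENARIOS.items():
        years = centuries_to_exhaust(alphabet, length, rate)
        print(f"  {name:13s} {years:.3g} centuries")


if __name__ == "__main__":
    report("letters and digits", 62, 20)   # the 20-character generated password
    report("symbols allowed", 95, 20)      # same length, symbols added
    # The mnemonic password from earlier in the thread. This figure is only an
    # upper bound: it treats every character as chosen uniformly at random,
    # which a password derived from a published quote is not.
    mnemonic = "%1emt0b,twwg@@gdft1d*"
    report("mnemonic", alphabet_size(mnemonic), len(mnemonic))
```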

Infrasonic
Lemon Quarter
Posts: 4485
Joined: November 4th, 2016, 2:25 pm
Has thanked: 647 times
Been thanked: 1264 times

Re: How best to manage strong passwords?

#183225

Postby Infrasonic » November 27th, 2018, 12:10 pm

More seriously the ramifications of quantum computing negating current cryptography and rendering brute force attacks trivial does make me suspicious about what the various intelligence agencies around the world are up to.
You can bet they are all over the research.
I wonder how much behind the scenes pressure is being brought to bear on various Govts. to give their agencies first bite of the cherry at all of it...

RececaDron
2 Lemon pips
Posts: 190
Joined: January 17th, 2018, 1:10 pm
Has thanked: 10 times
Been thanked: 50 times

Re: How best to manage strong passwords?

#183227

Postby RececaDron » November 27th, 2018, 12:13 pm

Infrasonic wrote:More seriously the ramifications of quantum computing negating current cryptography and rendering brute force attacks trivial does make me suspicious about what the various intelligence agencies around the world are up to.
You can bet they are all over the research.
I wonder how much behind the scenes pressure is being brought to bear on various Govts. to give their agencies first bite of the cherry at all of it...


Yup.

