Topic: Password strategy: pattern-based or dedicated software? (Read 384 times)

member
Activity: 112
Merit: 10
You can find password generators which are considered quite safe, just have a look online and you'll find a ton of providers
newbie
Activity: 2
Merit: 0
Hello everyone.

I'm considering using one of these "password reminders" like LastPass. I historically preferred to avoid software for this, because you constantly run into situations like "no access to your machine", "no battery on the phone", "what if no internet", "inconvenient", "place your data in the hands of a party that can go bust", etc. But I'm starting to consider it.

My present password strategy is: use a high entropy password (estimated 98 bits on http://rumkin.com/tools/password/passchk.php) with a part that is always the same (the high entropy part) and a part that can be hinted by contextual information (and has low entropy). For instance, "!?.op." plus the three last letters of the domain name (excluding the tld).

I see three problems here:

1. Password reuse. There is still a pattern. If I happen to enter my password on a site that gets hacked or is just malicious, the pattern can be identified. Of course, chances are low that the hacker bothers when he has so many other simpler passwords at his disposal.

2. No change of password. It is nigh impossible to periodically cycle through all the websites to change the password (a database would make it less difficult because I would not have to remember all the websites but it would still be very tedious, to the point it would simply not be done). And if I don't spend days changing the password on all the websites in a row, I would then have to remember three or four different patterns.

3. Exception handling. You will always find a website that doesn't allow one of your characters (same issue with the space in passphrases) or places an upper limit on characters (particularly annoying for passphrases). Those exceptions must be handled by hand. On the other hand, with dedicated software, there is basically no exception, since there is no rule.

As you can see, both approaches (pattern-based and dedicated software) have their limits. All in all, which strategy would you suggest: pattern-based passwords or dedicated software?

Thank you

I use LastPass with different pw for each site, 40+ char. Works perfectly.
full member
Activity: 462
Merit: 105
Already tried http://masterpasswordapp.com/ ?
It's a really good concept, easy to use and safe.
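As an added illustration (not code from this thread, and not the Master Password app's own algorithm), here is a minimal deterministic per-site derivation in the spirit of the concept recommended above, set beside the OP's fixed-part-plus-domain-letters scheme so the difference in what one leaked password reveals is visible. The master secret, site names, PBKDF2 salt and policy values are constructed for the example.

```python
import hashlib
import hmac
import string
from typing import Optional

# Constructed sample values for illustration only, not real credentials.
MASTER_SECRET = b"!?.op.correct horse battery staple"

# A per-site policy absorbs the OP's problem 3: a site that rejects a character
# or caps the length gets its own alphabet/length instead of a hand-made exception.
DEFAULT_POLICY = {"length": 20, "alphabet": string.ascii_letters + string.digits + "!?.@#"}


def pattern_password(site: str, fixed_part: str = "!?.op.") -> str:
    """The OP's scheme: a fixed high-entropy part plus the last three letters of the
    domain name without its TLD. The fixed part is visible in every password."""
    name = site.rsplit(".", 1)[0]
    return fixed_part + name[-3:]


def derive_site_key(master_secret: bytes, site: str, counter: int) -> bytes:
    """Stretch the master secret once with PBKDF2, then bind it to the site name and a
    rotation counter with HMAC. Bumping the counter is the 'change password' step
    (the OP's problem 2) for one site without touching any other."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_secret, b"site-password-demo", 100_000)
    return hmac.new(stretched, f"{site}\x00{counter}".encode(), hashlib.sha256).digest()


def site_password(master_secret: bytes, site: str, counter: int = 1,
                  policy: Optional[dict] = None) -> str:
    """Map the site key onto the policy alphabet with rejection sampling (no modulo bias)."""
    policy = policy or DEFAULT_POLICY
    alphabet, n = policy["alphabet"], len(policy["alphabet"])
    key = derive_site_key(master_secret, site, counter)
    limit = 256 - (256 % n)  # byte values >= limit are discarded to keep the draw uniform
    out, block = [], 0
    while len(out) < policy["length"]:
        stream = hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(alphabet[b % n] for b in stream if b < limit)
        block += 1
    return "".join(out[: policy["length"]])


def common_prefix_len(a: str, b: str) -> int:
    """Length of the shared leading run, i.e. how much of a pattern one leak reveals."""
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    return i


if __name__ == "__main__":
    for site in ("example.com", "bitcointalk.org"):
        print(site, pattern_password(site), site_password(MASTER_SECRET, site))
```

With the pattern scheme the two sample sites share the whole six-character fixed part; with the derived scheme they share nothing recognisable, and a site that only accepts alphanumerics is handled by passing a different policy rather than a memorised exception.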
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
And we don't know if the software sends the password somewhere

There are open source and offline password managers.

   -MZ
newbie
Activity: 8
Merit: 0
It's better to use pattern-based than dedicated software
Since you don't have to keep that software open & remembering a pattern is easier

And we don't know if the software sends the password somewhere
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
I would suggest pattern-based passwords. I use it more than the software. I use software like 1Passe to create a strong password and use it. It's not that hard to store some passwords in the brain. I do save some passwords in password manager(s) but I create my own passwords because it is just harder to break than what password managers usually create. You can even create your own words and styles. For example, G@rA# for garage.

   -MZ
hero member
Activity: 658
Merit: 503
Monero Core Team