
Dropbox is about the only service I use a memorable password for, as it has my 1Password file in it, which has my Google one-time-auth codes in it. If I lose my phone while on the road, only remembering my Dropbox password is going to get me out of the mess. Any sensible other solutions here? It's still ~14 characters, but other than making it more random, what are my options?


Switch to SpiderOak: https://spideroak.com/


Check out diceware. Easy technique to memorise a lot of entropy


All of my passwords are based on the website name that I'm logging in to. I have a small algorithm in my head about how to generate a password from the site name that looks at stuff like first and last letter, number of letters, some kind of prefix/suffix, etc. And I end up with a unique password around 20 characters that I don't need to remember for every website.

This way I don't ever remember a password, I just remember the system.


Although that feels secure, it's a poor way; security by obscurity is weak. As soon as someone realizes, all your passwords will be revealed...


In order to determine the algo have_faith is using, an attacker would probably need a sample size of at least 4 passwords from different sites (at least, my algo definitely would).

If an attacker has access to 4 of your passwords in plaintext, you have bigger fish to fry.


This is true. I don't think the system is obvious unless you had multiple passwords, on top of that it's not immediately obvious that there is a system in the first place from looking at the plaintext password.


What can be a better alternative? IMO using something like 1Password/LastPass is less secure because it then only takes someone to get my master password to get all my other passwords.


Your master password shouldn't really be something that's going to be in either a dictionary, or brute forcible. Nobody is going to "get" it unless you make it insecure. If you're using their sync services, however (especially LastPass), you're more vulnerable to phishing attacks, and the vault can potentially be stolen and crack attempts run offline. However, both services use a heavy level of encryption that requires the passphrase to unlock, so as long as that's not dictionary based or brute forcible, you're totally fine.
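The diceware suggestion earlier in the thread and the offline-cracking reasoning in the comment above both come down to counting bits. This added example (not from any commenter, and not the Diceware project's own code) shows the arithmetic: how much entropy a passphrase of N words drawn from a list of a given size carries, how that compares with a random character string like the ~14-character password in the question, and how long an offline attacker with a given guess rate would expect to need. The word list embedded here is a constructed 36-word toy (two dice rather than five) so the block runs offline; `DICEWARE_LIST_SIZE` is the size of the real list, 6**5 = 7776 words.

```python
import math
import secrets

# Real Diceware: five dice per word, 6**5 = 7776 words. This constant is used
# for the entropy arithmetic; the toy list below only stands in for the file.
DICEWARE_LIST_SIZE = 6 ** 5

# Constructed toy word list indexed by two dice (6**2 = 36 words). Not the real
# Diceware list; it exists only so the block is self-contained.
TOY_WORDLIST = [
    "apple", "brick", "cloud", "delta", "eagle", "flint",
    "grape", "honey", "igloo", "jelly", "kayak", "lemon",
    "mango", "noble", "olive", "pearl", "quilt", "river",
    "stone", "tiger", "ultra", "vivid", "wheat", "xenon",
    "yacht", "zebra", "amber", "blaze", "coral", "dune",
    "ember", "frost", "glide", "harbor", "ivory", "jade",
]


def entropy_bits(num_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of a passphrase of num_words words chosen uniformly at random
    from a list of list_size words: each word contributes log2(list_size)."""
    return num_words * math.log2(list_size)


def random_string_bits(length, alphabet_size):
    """Entropy of a uniformly random string, e.g. 14 chars over [A-Za-z0-9]
    (alphabet 62). Only valid when every character is chosen at random;
    a 'memorable' password of the same length carries far less."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest number of words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(num_words, wordlist=TOY_WORDLIST):
    """Draw words with a CSPRNG. secrets.choice is the software equivalent of
    rolling physical dice: each word is uniform and independent of the rest."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time for an offline attacker who tries guesses in a uniform
    order: on average half the keyspace, 2**(bits-1) guesses, at the given
    rate. The rate is what a slow KDF (PBKDF2/scrypt/Argon2) drives down."""
    return (2.0 ** (bits - 1)) / guesses_per_second


def seconds_to_years(seconds):
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    six = entropy_bits(6)
    print(f"6 diceware words: {six:.1f} bits")
    print(f"14 random alphanumerics: {random_string_bits(14, 62):.1f} bits")
    print(f"words for 80 bits: {words_needed(80)}")
    print("sample (toy list):", generate_passphrase(6))
    # Assumed guess rate for illustration only: 1e6 KDF evaluations/second
    yrs = seconds_to_years(expected_crack_seconds(six, 1e6))
    print(f"expected offline crack at 1e6 guesses/s: {yrs:.0f} years")
```

The entropy figures assume the attacker knows the word list and the scheme; diceware's strength is in the uniform random draw, not in keeping the list secret, which is exactly the property the "algorithm in my head" approach lacks. The guess rate passed to `expected_crack_seconds` is an assumption the reader must supply for their own vault's KDF settings and hardware.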


They would also need access to the machine which you have your vault stored on which would be your laptop and your phone and nothing else.


How do you deal with websites that won't let you use >8 chars or certain characters?

I use this same method, but my method will often generate special characters, and AWS as an example, and several others (apparently following AWS' lead), won't let you use those. (Any punctuation not on the shift-numbers row of USA keyboards is not considered legit for password use.)

I still mostly use this system, and given my lucky memory I can memorise the exceptions, but I doubt a vast majority of the population could follow my example.


I basically just have a system for altering the generated passwords based on the specific site requirements. For instance if it requires a max num of chars then I will just chop off the password at that amount. And similar systems for other requirements.


When one of the sites you use gets breached, you'll want/need to change your password and won't be able to use the same single algorithm. This will throw things off, as you won't be able to use a single algorithm. Sure, you could use two. But you'll need to remember which sites use which one.


It's a pretty shitty algo if someone can reverse engineer it with a sample of 1...


Not to mention forced password recycling.


Are 1Password's files not encrypted? Store it publicly on your web site, email it to your friends, print it out in base64 in a machine-readable font and keep copies pinned on the wall of your cube. You still have to remember one password but at least you're depending on crypto instead of Dropbox's security.


Exactly this. Or just store a copy on another device of yours, on a USB flash drive, etc.


Xkcd's correct-horse-battery-staple technique?


Use 2 factor authentication and rotate both passwords. I have the opposite setup - Dropbox password is random and the password manager (stored inside) is memorized. It would be harsh to lose access, but not unrecoverable.


You can keep 1pass on an iOS device, and auth using fingerprint. Ultimately you're still going to need/want to know the actual underlying passwords to both iOS and 1pass, however.


Keep your password written on a piece of paper in your wallet, with a few extra characters you need to remember to ignore.


Here's the advanced version, which lets you use different, mostly uncorrelated passwords for different services: http://blog.jgc.org/2010/12/write-your-passwords-down.html

I have implemented a little program to generate such a square: http://loup-vaillant.fr/projects/password-generator

Though by now, I find this a little tedious. I'm thinking of using an encrypted password database, protected with a diceware generated password. That way I will be able to copy&paste my passwords instead of typing them by hand.


Or a few extra characters you need to add. As much as people say this is a bad idea, most of the people you would be trying to keep out don't have access to your wallet.

I did this for a few months for a master password and set everything to forget the password, so I used it several times a day. After a little while I could get rid of the paper and have a LONG random password that is committed to memory.


And the average mugger most likely wouldn't know what to do with a long random string (or multiple). The bank notes next to them are much more interesting.


As long as your Dropbox password is unique, you're all set.

