I would say that the search space is not as small as you are suggesting, even though I agree that the transformation of the example is quite simple, allowing a dictionary attack.
There is a famous example of a technique that takes only the first letter from each word of the phrase. edit: "Schneier scheme" https://www.schneier.com/essay-246.html
"My advice is to take a sentence and turn it into a password. Something like "This little piggy went to market" might become "tlpWENT2m". That nine-character password won't be in anyone's dictionary. Of course, don't use this one, because I've written about it. Choose your own sentence -- something personal."
That is the problem - people trying to break passwords use the exact same techniques. Compiling a list of ten million famous phrases is not hard. Generating a hundred commonly used variants of them is also easy. And checking one billion hashed passwords - MD5, SHA1 or SHA256 for example - takes less than one second on a current GPU.
1. http://www.reddit.com/r/Bitcoin/comments/1ndsxi/a_test_of_br...
(I didn't just leak my Netflix password, btw ;)
(Personally, I use a homegrown script that runs outside the browser, but does something similar)
Yet another reason I love using a password manager[1]. Besides letting you have unique passwords for everything (which is a must), it solves the "What the heck was the password for XYZ?" issue when you haven't logged into XYZ in 6 months.
People really should just use a password manager. Yes it's a pain sometimes (mainly using mobile) but that's just something you live with. The rest of the time though it's way better than trying to remember silly things like "Capitalize the second letter of each word" or "Replace the last letter with a digit that denotes the number of words in the phrase"[2].
Long passwords are a solved problem and the solution is not reinventing the Caesar cipher, it's to have a single long diceware password and use a password manager for the rest.
Oh and enable two-factor auth everywhere that allows it and vote with your wallet to choose businesses that do. For example, if your bank doesn't support it, find a new bank.
[1]: I suggest KeePassX: https://www.keepassx.org/
[2]: The article suggests things like this to make sure your password is unique/dictionary proof. Forget that and just use the password manager directly.
It works as follows, let's assume this is the domain we try to generate the password for:
www.example.com
The hash process:
1 - take first letter, move 2 in alphabet, capitalize - 2 places after e in alphabet is g ("abcdefg"), capitalize - G
2 - calculate number of words in domain, x2 = 7x2=14
3 - use standard salt - eg. tlpWENT2m
4 - take last letter - e
That leads to a password: G14tlpWENT2me
Which is both easy to remember and allows you to have a unique hashed password for every website around.
Have fun with discovering your own hashing method.
What I have been doing for years is remember one single password which would meet the password requirements of most websites.
For example: &<asterisk>I87yuU
This is 8 characters long, has upper-case and lower-case letters, numbers and symbols (Also if you try typing on the keyboard, it is actually a pattern).
I can remember one such password. Now, I have a formula for any website or app which requires me to create credentials. This formula will help me add website specific information to the password.
Say the website is news.ycombinator.com, I will use second and third letters of ycombinator which is 'co' and increment both by 1 to make them 'dp' and add this somewhere in the password, which makes it
&<asterisk>dpI87yuU
Now, obviously unless someone knows my encryption technique, even if they get to know password of one of my accounts, they can never know the others.
P.S. I feel I have gone too far to explain this. Please don't hack my Paypal.
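Both schemes above (the G14tlpWENT2me recipe and the "insert two shifted letters of the domain" recipe) rely on the method staying secret, and both carry a fixed component verbatim into every password they produce. The script below is an added example, not code posted by either commenter: it implements the first recipe exactly as described, shows that two derived passwords expose the shared constant to anyone holding both, and places a keyed derivation beside it in which the domain is fed through HMAC-SHA256 under a master secret, so nothing about the method needs hiding and no output reveals any other. The master secret is a constructed placeholder, and the choice of the second-to-last dotted label as "the domain" is an assumption made to match the comment's www.example.com example.

```python
import base64
import hashlib
import hmac

SALT = "tlpWENT2m"  # the 'standard salt' from the recipe above


def main_label(domain):
    """'www.example.com' -> 'example'.

    Assumption: the registrable name is the second-to-last dotted part.
    That is wrong for names like example.co.uk, but it matches the comment.
    """
    parts = domain.lower().strip().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shift_letter(ch, n):
    """Move a lowercase letter n places forward, wrapping z -> a."""
    return chr((ord(ch) - ord("a") + n) % 26 + ord("a"))


def commenter_scheme(domain, salt=SALT):
    """The recipe as posted: shifted first letter, 2*length, salt, last letter."""
    label = main_label(domain)
    first = shift_letter(label[0], 2).upper()
    count = len(label) * 2
    return f"{first}{count}{salt}{label[-1]}"


def shared_constant(pw_a, pw_b, min_len=6):
    """Longest substring common to two passwords, if it is long enough to matter.

    Two leaked outputs of the recipe hand this constant to whoever holds them;
    the remaining per-site part is a few characters that follow an obvious rule.
    """
    best = ""
    for i in range(len(pw_a)):
        for j in range(i + min_len, len(pw_a) + 1):
            chunk = pw_a[i:j]
            if chunk in pw_b and len(chunk) > len(best):
                best = chunk
    return best


def keyed_scheme(domain, master_secret, length=16):
    """Site password = base64(HMAC-SHA256(master_secret, label))[:length].

    The method is public; only master_secret is secret. Outputs for different
    sites share nothing, so one leak says nothing about the others. Losing or
    rotating the master secret still changes every password at once, which is
    the reason the thread prefers a manager holding random per-site passwords.
    """
    tag = hmac.new(master_secret, main_label(domain).encode(), hashlib.sha256).digest()
    return base64.b64encode(tag).decode("ascii")[:length]


if __name__ == "__main__":
    secret = b"constructed-master-secret-for-demo"  # placeholder, not a real key
    for site in ("www.example.com", "news.ycombinator.com"):
        print(f"{site:22} recipe: {commenter_scheme(site):16} "
              f"keyed: {keyed_scheme(site, secret)}")
    a, b = commenter_scheme("www.example.com"), commenter_scheme("news.ycombinator.com")
    print("constant visible in both recipe outputs:", shared_constant(a, b))
    ka, kb = keyed_scheme("www.example.com", secret), keyed_scheme("news.ycombinator.com", secret)
    print("shared substring in keyed outputs:", repr(shared_constant(ka, kb)))
```

Running it reproduces G14tlpWENT2me for www.example.com and prints the nine-character salt as the substring shared with the ycombinator password, while the two keyed outputs share nothing of that length. The keyed version is shown to make the Kerckhoffs point, not as a recommendation: it still cannot rotate one site's password after a breach without changing the input, which is exactly the job a password manager does for you.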
There are no shortcuts to creating genuinely high entropy passwords http://ss64.com/docs/security.html
For example: tree_eating_5surlap_on_bear (with "surlap" as the fictive word)
Somewhere you just (try to) draw a tree with a mouth, which is eating 5 question marks (representing the fictive word), standing on a bear.
However, I personally prefer mixed incoherent characters and numbers.
Based on the site and their password requirements I pick one of the three base passwords. I then algorithmically modify the password based on the site's url. For example, the first and last letter of the main portion of the url. Thus, using the medium password for hackernews and gmail I end up with "yEg4mRk4r" and "gEg4mRk4l", respectively.
use stanzas of it !without spaces! as a password.
Relevant XKCD: https://xkcd.com/936/
[1] https://www.schneier.com/blog/archives/2013/06/a_really_good...
I use passwordchart.com (I am planning to create my own improved version at some point). It requires a generator phrase to create a "password chart", which is simply a mapping from each alphanumeric character to a different 1-3 character alphanumeric string. You then type in an easy to remember password, and it maps that to a far more secure password using the generated chart. I use the same chart (with a backup printed in my wallet), and apply the same methodology for every service I use to create my easy-to-remember password. I read the "how it works" page and it seems pretty secure to me. For all my password needs I only have to remember two things: the generator phrase and the method for making the easy to remember password. There is also little counterparty risk (passwordchart.com doesn't know where the passwords are used, it would be hard to change the chart without me noticing, and I have a backup). I love not having to think hard when signing up for something new. In 5 seconds, I have an easy to fetch, secure, unique password for any service. The only real concern is over the shoulder snooping, but I just ask people not to look.
[1] http://arstechnica.com/security/2013/08/thereisnofatebutwhat...
Are you serious?