Comments on: How to Remember Secure Passwords Without Writing Them Down

By: Computer Video Tutorials

Computer Video Tutorials — Mon, 21 Dec 2009 16:40:34 +0000

You can use PasswordHash insteal MD5 Hash for more security.

By: bad kitty

bad kitty — Sun, 20 Dec 2009 03:51:05 +0000

;/ just remember a phrase that you can remember (avoiding friend, pet, family member names) and leetspeak it; it’ll take a week or so to remember it but it incorporates letters, numbers and characters.

By: Satya

Satya — Sat, 19 Dec 2009 15:06:04 +0000

Method 1 is scary.. I think it make password insecure rather.

By: Sridhar Katakam

Sridhar Katakam — Thu, 03 Dec 2009 16:22:15 +0000

All that or just use LastPass Firefox add-on.

By: Heyudude

Heyudude — Thu, 03 Dec 2009 12:51:06 +0000

This is already available as Stanford PwdHash. See [pwdhash.com]

And is also available as Firefox plugin

By: Pieter

Pieter — Thu, 03 Dec 2009 12:31:18 +0000

You’re right, it reduces the amount of possible combinations to 16^(password length). However… there’s the security through obscurity argument. md5 hashes hold up better against dictionary-based brute force attacks with either words or common passwords because most people (including crackers) don’t go the extra mile with md5. Of course I wouldn’t recommend it for businesses, but it’ll keep crackers busy for a while and it’s safe enough for the average person.

By: Pieter

Pieter — Thu, 03 Dec 2009 12:08:16 +0000

Aww man, I was gonna write a Firefox extension that does just that…

Thanks for the tip though. That bookmarklet saves me a lot of work.

By: jarmod

jarmod — Wed, 02 Dec 2009 15:53:33 +0000

I think I’d want a site-unique phrase so that I’d have a different password hash for each site that I use. And something easy to remember. For example if ‘zulu’ is may favorite memorable word then make a hash of citibank.zulu for my Citibank a/c, a hash of amazon.zulu for Amazon, and so on.

By: robokev

robokev — Wed, 02 Dec 2009 15:20:27 +0000

Method 1 can be automated with a bookmark JavaScript utility like [supergenpass.com] which creates an MD5 hash based on both the domain name and a master password. Very easy to use since you only have to remember one master password but get unique generated passwords for each site.

By: M1ke

M1ke — Wed, 02 Dec 2009 08:59:56 +0000

For the first hash remember that an attacker could just as easily stick the name of the site into an MD5 algorithm. Also you don’t explain why using the full URI is bad, it will still hash the same, though obviously is harder to type.

With MP3s certain libraries may alter your files without telling you (replacing metadata, adding tags for the library, copying it pointlessly) so be careful with that.

Finally do remember that by using a string from an MD5 hash you’re actually reducing the number of possible combinations of letters and numbers, as there are only 16 different characters that can appear in a hash. Obviously an attacker wouldn’t know this, but from a security standpoint its relevant.