Password Chart Generates Secure Passwords
Posted by Lifehacker US Edition at 7:00 AM on July 13, 2008
Create secure passwords from a master phrase with the web-based app Password Chart. Enter a phrase and Password Chart generates a table of values for the alphabet based on that phrase. For example, starting with the phrase "Lifehacker helps me get things done.", I converted my existing password "mysecretpassword" into the much less crackable "bs3rK@y4wB@yP8s68iueKK!3vB4MF". For the analogue-minded among us, you can even print off the password chart to store or keep with you. For a more digital password management system, check out our guide to securely tracking your passwords.

Comments
rlee
Posted 8:48 AM 13/7/08
And, for even better security, you could use the chart to convert the site name into a password. That way you have a different password for each site.
cbiggins
Posted 10:01 AM 13/7/08
On linux you can use mkpasswd.
sperotium
Posted 11:14 AM 13/7/08
@sperotium: Never mind, I didn't bother reading the options right under the input fields; lazy me.
sperotium
Posted 11:11 AM 13/7/08
Great idea. However, unless I'm missing something, the charts only produce passwords with letters, no numbers or symbols.
random_texan
Posted 11:33 AM 13/7/08
I like using the diceware word list to make passwords that aren't as complicated, still secure, and a little more memorable. Plus rolling dice to figure out passwords is fun and stress relieving.
[world.std.com]
You can add more entropy with symbols and caps for the passphrases too. Very handy.
greatslack
Posted 2:39 PM 13/7/08
Now why didn't someone think of this earlier? Passwords that are easy to remember, but tough as nails to crack (without the key, of course).
KJones
Posted 2:57 PM 13/7/08
No.
I still use Clifford Stoll's (author of "The Cuckoo's Egg") method and have never had a problem. Pick two or three short words that are unrelated and string them together. Longer words increase the security.
Examples: dogletfor , whispermetaphor
It makes a password that is hard to crack yet easy to remember.
lordargent
Posted 3:18 PM 13/7/08
I've thought about using shapes on the keyboard as passwords.
i.e.
R pyramid => meaning, start at the letter R and type a pyramid shape (RFVCXD)
5 hex => start at 5, type a hexagram (56YGFR)
Meekrobe
Posted 3:50 PM 13/7/08
@greatslack: Because it's a false sense of security; any brute-force password cracker can just implement the logic behind this thing and churn out the "complex" version of a simple password.
ICEBreaker
Posted 5:42 PM 13/7/08
@Meekrobe: Password Chart uses a two-step password generation technique which requires the user to seed the "encryption" algorithm. This increases the number of permutations exponentially. Thus it is not vulnerable to a conventional brute-force approach. Of course, this assumes the user uses a complex string for the seed and the password, and not his name and girlfriend's name respectively.
ICEBreaker
Posted 5:49 PM 13/7/08
I advise EVERYONE to print out the card! If this site goes down, say adios to your accounts. By the way, is there a way to get an offline version of this, i.e. have access to the JavaScript offline?
Al Iguana
Posted 8:31 PM 13/7/08
I just use the Password Hasher plugin for Firefox. (Passwords generated by PH are then copied and stored in my USB Keepass, just in case).
lemur
Posted 11:52 PM 13/7/08
@ICEBreaker: You're touching upon why this table thing does not in actuality improve security. What you need to log in is the output of a transformation function (which I will call 't'):
apw = t(seed, epw)
where apw is the actual password you present to the application you want to log into. seed is the ("easy to remember") phrase used to generate the table which is used to convert epw to apw and epw is the "easy to remember" password. Function t can be broken down two functions so that we have:
apw = map(gen(seed), epw)
where gen is a function which creates the table used to convert epw to apw and map is a simple mapping function. So to be able to login you need to know one of:
1. map, gen, seed and epw
2. map, gen(seed) and epw
3. apw
(By "gen(seed)" in 2 I mean the output of applying the function gen to seed. Once gen is applied to seed, then both gen and seed can be forgotten as long as the output of the application of gen to seed is remembered. In effect, this means "remember the conversion table" because the output of "gen(seed)" is the table.)
I think it is reasonable to argue that the mapping function "map" is not hard to know: just take every character of epw in order, look them up in the table produced by gen(seed) and concatenate the strings you get. So knowing map is a non-issue and it boils down to these choices; i.e. you need to know:
1. gen, seed and epw
2. gen(seed) and epw
3. apw
You basically suggested 2 by saying "print out the card". But I'm concerned about practical management issues in 1 and 2. You get additional pieces of information which you need to record somewhere. You need to keep them secure just like any password and you need to use them whenever you want to log in. As of now, I don't know of any software that makes producing apw from gen, seed and epw a trivial matter. AFAIK, a user using this table system would have to manually generate apw.
If the solution is to say "ah, but I will save apw in a password management system", then how is this any different than simply having this password management system generate random passwords in the first place? In both cases you are dependent on the password management system to remember your passwords for you. Any advantage provided by only having to remember easy passphrases or passwords is, in effect, nullified because if you use a password management system, you are responsible only for knowing one master key.
(BTW, I use revelation as my password management system. I've briefly tried a few others available for Linux. Most of them had facilities to generate random passwords of arbitrary length, etc. So generating random passwords seems well supported. I know it is also supported in Windows.)
One could say "but I will generate my master key with this table-based password generator". Again, I ask how practical is this? The master key which unlocks the password management system needs to be entered on a frequent basis: how practical is it to have to recreate the master key from gen, seed and epw each time the master key is needed?
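The following is an added example, not Password Chart's own code nor code from any commenter. It implements lemur's decomposition apw = map(gen(seed), epw) as a toy chart generator, and puts numbers on the entropy comparison the thread keeps returning to: the chart output, random_texan's Diceware passphrase, and a uniformly random password of the same length. The table-derivation rule inside gen() (SHA-256 over the seed and each character) is an assumption, since the page does not describe how the real site builds its table; the word list and the epw guesses are constructed sample inputs.

```python
# Added example (not Password Chart's code, not any commenter's): a toy
# implementation of lemur's apw = map(gen(seed), epw), plus entropy estimates
# for the three schemes the thread compares. The derivation rule in gen() is
# an assumption; the real site's rule is not described on the page.
import hashlib
import math
import secrets
import string

INPUT_ALPHABET = string.ascii_lowercase + string.digits            # characters of epw
CHART_ALPHABET = string.ascii_letters + string.digits + "!@#$%&*"  # chart entry characters


def gen(seed: str, entry_len: int = 3) -> dict:
    """gen(seed): derive a fixed substitution table from the seed phrase.
    Assumption: each entry comes from SHA-256(seed || char). Any deterministic
    rule has the same security property: same seed, same table, every time."""
    table = {}
    for ch in INPUT_ALPHABET:
        digest = hashlib.sha256(f"{seed}\x00{ch}".encode()).digest()
        table[ch] = "".join(CHART_ALPHABET[b % len(CHART_ALPHABET)]
                            for b in digest[:entry_len])
    return table


def map_chart(table: dict, epw: str) -> str:
    """map(gen(seed), epw): look up each character of epw in order and
    concatenate the entries. Characters not in the table pass through."""
    return "".join(table.get(ch, ch) for ch in epw.lower())


def t(seed: str, epw: str) -> str:
    """t(seed, epw) = map(gen(seed), epw): the password actually presented."""
    return map_chart(gen(seed), epw)


def reachable_outputs(table: dict, epw_candidates) -> set:
    """Lemur's case 2: once the table is known, the possible apw values are
    exactly the image of the epw candidates. The chart relabels each guess;
    it never enlarges the guess space."""
    return {map_chart(table, w) for w in epw_candidates}


def chart_bits(table: dict, epw_candidates) -> float:
    """Entropy of the chart output when the table is known: bounded by the
    number of distinct epw values the user might actually have chosen."""
    return math.log2(len(reachable_outputs(table, epw_candidates)))


def diceware_passphrase(wordlist, n_words: int) -> str:
    """Diceware-style selection with a CSPRNG (secrets) standing in for the
    physical dice; the entropy per word is the same either way."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def diceware_bits(wordlist_size: int, n_words: int) -> float:
    """Each uniformly chosen word contributes log2(list size) bits."""
    return n_words * math.log2(wordlist_size)


def random_password_bits(length: int, alphabet_size: int) -> float:
    """A uniformly random password: log2(alphabet size) bits per character."""
    return length * math.log2(alphabet_size)


# Constructed sample inputs (not from the page): a tiny stand-in for the
# 7776-word Diceware list, and a few dictionary-style guesses for epw.
SAMPLE_WORDLIST = ["cloud", "whisper", "metaphor", "lamb", "snow", "dog", "let", "for"]
SAMPLE_EPW_GUESSES = ["password", "letmein", "qwerty", "mysecretpassword"]

if __name__ == "__main__":
    seed = "Lifehacker helps me get things done."
    table = gen(seed)
    apw = t(seed, "mysecretpassword")
    print("chart output:", apw, f"({len(apw)} chars)")
    print("bits if the table is known and epw is one of the sample guesses:",
          round(chart_bits(table, SAMPLE_EPW_GUESSES), 2))
    print("bits of a 5-word Diceware passphrase:", round(diceware_bits(7776, 5), 2))
    print("bits of a random password of the same length and alphabet:",
          round(random_password_bits(len(apw), len(CHART_ALPHABET)), 2))
    print("sample passphrase:", diceware_passphrase(SAMPLE_WORDLIST, 4))
```

The point the numbers make is lemur's and Meekrobe's: however long and symbol-rich the chart output looks, its entropy is at most log2 of the number of epw values the user plausibly chose, whereas a Diceware passphrase or a random password of the same length gets its entropy from the uniform choice itself, with nothing to print and carry around except, in the passphrase case, the words you remember.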
pcull
Posted 11:50 PM 13/7/08
I use CoffeeCup lock box now, but I used to think of a song, then make the password from the first letter of every word in the first line of the song:
ex. Mary had a little lamb, its fleece was white as snow -> mhallifwwas
Easy to remember but difficult to dictionary hack or look over my shoulder and remember!
Paul
mrmuskrat
Posted 11:48 PM 13/7/08
@KJones: two words for you: dictionary attack
CWW
Posted 12:19 AM 14/7/08
@lordargent: I do the same thing! Actually, almost all my passwords are like that.
I also do things like shift my fingers off the home keys by one (up or right) and then type the name of the site or something else related.
So lifehacker could be ;ogrjsvlrt or o8r3yqdi34
ThatTallGuy
Posted 2:33 AM 14/7/08
So let me get this straight:
I'm going to a website (which by default logs my IP address) and use a password they give me.
Does anybody else care that this is placing a lot of trust in the maintainers of the site?
Generate locally.
Kyle Wegner
Posted 3:42 AM 14/7/08
This sounds like a lot to remember and would be very slow to reference. I am partial to the Firefox extension Pwdhash, which creates a unique password for every site you visit using a master password and the URL. An offline version was also created recently so you can use the power of Pwdhash even when you aren't on Firefox.
You can find the offline version here: Pwdhash Sharp
For more info on the Pwdhash Firefox extension: [ automaticable ]
rlee
Posted 4:58 AM 14/7/08
@ThatTallGuy: Well, they don't know where you're using it. And if you just save the table, you can use it to gen a password for any site yourself using whatever string you want, and they won't know what or where. And, if you're really paranoid, you could do something like create a new table from the old via RotN for some value of N you select.
yoo
Posted 5:23 AM 14/7/08
@Kyle Wegner: there is a similar app (JavaScript version, Firefox extension, online version) called PasswordMaker.
I just perform a secret algorithm in my mind on website domain names and take the result as passwords. No need to depend on password managers and password hashing applications.
Petah
Posted 10:17 AM 14/7/08
PC Tools provides a random password generator which I use for everything (or you could easily code one yourself). Produce a randomly generated alphanumeric password of any length, store it locally in an encrypted table with a master password, and voila. Aside from the master, each password is independent of the others and has no relation to what it is unlocking.
OX4
Posted 12:17 PM 14/7/08
@lordargent: that's a great idea!
Blaine Moore
Posted 11:13 PM 14/7/08
I like using Password Hasher, which lets you hash a master password against the domain name for unique passwords to every website. Very handy! The firefox extension makes it extremely simple to use: [wijjo.com]
john85710
Posted 12:23 PM 17/7/08
You can also get long, complicated alphanumeric strings at: www.random.org for free. You can get a long string that doesn't change by using a pre-generated persistent keyword. Enter 'cat' and get: iycVcTVD40zpDvO5WmbD every time
ff1959
Posted 9:12 AM 14/7/08
Or, just use 1password.
srouquette
Posted 7:40 AM 13/7/08
I use pwdhash; you can generate a password on their website, or use the Firefox addon.