What do you guys do to remember all your passwords?

I'm in the midst of a password refresh cycle. It's occurring to me how frustrating it is to keep track of independent passwords for all my dozens of accounts in a manner that is secure and reasonably convenient. I know a lot of people use KeePass or similar apps (why I put this thread in this category, but not necessarily the right solution), but can those really be secure? Do you guys have a way you can keep track of them mentally? Do you have them physically written somewhere? Seems insecure to me, but who knows. Or do you just use a standard password for everything and then rely on 2-factor or something similar?

Piece of Paper placed in a safe.

Instead of a word, make the password a long phrase that relates to said site plus some memorable stuff.

2 Likes

You need a password manager.

3 Likes

I use Keepass. It's got addons for Chrome and Firefox, plus apps to store your database on either Android or iOS. I don't trust the cloud myself, but a solution involving that is Lastpass.

2 Likes

Use a piece of paper: when one computer creates a cloud of smoke, you can still use a mobile device to get to your banking, work and hobby websites etc.
And like @CrossCarbon said, place it in a safe, or a safe place.

This is a pretty common problem. @Baz has a good method; mine is quite similar. Basically I think of memorable things, not people or places, usually just random words or phrases, and then rework that to include numbers and characters in a common method, i.e. two 5-character words, first or last characters as caps, some letters replaced with numbers, characters placed inside, but alternating. So sometimes the password will start with a number, then the second letter is a capital, or the last letter in that word is a capital.

Essentially the goal is to keep a standard method that produces somewhat random results.

Examples:
C0a1MiN3r$

70p4At$!

f1Gur3$

etc.

Use passphrases over passwords, they're easier to remember and can be more secure when you factor in the use of punctuation, Uppercase letters, lowercase, etc.

4 Likes

I feel like a shill for Keepass, but you can factor in all the methods here to make your own "master password" for the database. The client itself has a method to auto-generate passwords with any combination of letters and symbols you need.

I have a few key passwords I don't trust with anyone/thing. Such as bank, lastpass etc. These are generally passphrases of a sort and exist inside my head. The xkcd comic is a good starting point.
The rest I leave to lastpass. Having different strong passwords generated for all the websites that demand them is pretty important. So I have to balance the risk of lastpass being compromised against any of the sites I use being compromised. I put my trust in the former.

The important thing is to ensure you don't use short passwords, passwords you thought up and think are clever, or re-use the same passwords over multiple sites.
Password phrases can be cracked fairly easily as well using dictionary-based attacks, just replace characters with words.
Passwords you thought up might not be unique to you. Some large gaming sites that stored passwords in plaintext have been compromised in the past, and these lists are freely available.
Re-using a password over multiple sites can be an issue. If one is compromised, other sites can also be compromised. This has happened a fair bit lately.

Good video on password cracking:
[YouTube video: Computerphile on password cracking, 20:20]

1 Like
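To put numbers on the dictionary-attack point above and on the "two 5-character words with caps, digits and a symbol" scheme described earlier in the thread, here is an added Python example (not from any poster) that models the entropy an attacker who knows the rules has to search, compares it with an xkcd-style passphrase and a manager-generated random password, and generates both with the `secrets` CSPRNG. The wordlist sizes, the number of substitution patterns and the guessing rate are assumptions, labelled in the code.

```python
import math
import secrets
import string

# Modelling assumptions, constructed for this example (not figures from the thread):
FIVE_LETTER_WORDS = 5000    # common five-letter words a cracking dictionary would hold
DICEWARE_WORDS = 7776       # entries in a standard diceware-style wordlist
GUESSES_PER_SECOND = 1e10   # assumed offline guessing rate against a fast, unsalted hash

def bits(choices: float) -> float:
    """Entropy (bits) of one uniformly random choice among `choices` options."""
    return math.log2(choices)

def mangled_scheme_bits() -> float:
    """Entropy of the two-word scheme when the attacker knows the rules and only
    guesses the choices: two dictionary words, cap on first-or-last letter per word,
    one of four digit-substitution patterns per word, one of ten symbols at one of ten positions."""
    return (2 * bits(FIVE_LETTER_WORDS)   # which two words
            + 2 * bits(2)                 # capital first or last, per word
            + 2 * bits(4)                 # substitution pattern, per word
            + bits(10) + bits(10))        # which symbol, and where it goes

def passphrase_bits(n_words: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """xkcd-style passphrase: n words drawn uniformly from a public wordlist."""
    return n_words * bits(wordlist_size)

def random_password_bits(length: int, alphabet_size: int) -> float:
    """Fully random password, as a manager's generator would produce."""
    return length * bits(alphabet_size)

def seconds_to_exhaust(entropy: float) -> float:
    """Worst-case time to try every candidate at GUESSES_PER_SECOND."""
    return 2 ** entropy / GUESSES_PER_SECOND

def generate_passphrase(wordlist, n_words: int = 4, sep: str = "-") -> str:
    """Draw words with the CSPRNG in `secrets`, never with `random`."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))

def generate_password(length: int = 15,
                      alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for name, e in [("mangled two-word scheme", mangled_scheme_bits()),
                    ("4-word passphrase", passphrase_bits(4)),
                    ("15-char random password", random_password_bits(15, 94))]:
        print(f"{name:24s} {e:6.1f} bits  exhaust in {seconds_to_exhaust(e):.3g} s")
```

Under these assumptions the mangled scheme is searched in seconds, while the passphrase and the random password are out of reach; the exact figures move with the wordlist sizes, so treat them as a model, not a measurement.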

I agree that written on paper in a safe is the most secure. It's also very inconvenient, and often leads to bad passwords as it is a hassle to get them out of the safe. I'm happy with managers like Keepass or Lastpass. Make a phrase as master password. If you're forgetful, put that on a paper in a safe. Use the password manager to keep long and unique passwords. Never ever use the same password on multiple online sites.

Local password manager, like Keepass. The few most important things like PayPal, banks, PINs and so on I just remember by using big phrases with some small twist. There are only 4-5, so these I can remember easily. The rest go in the manager.

I don't remember more than 4-6 of my passwords. I am more about being mindful on where and when to create an account (on so few sites as possible), and about having a good password recovery option for each one. I am quite happy to just have a randomly created string of characters as a password on most sites I use seldom and to reset/recover the password each time with a new random string so that I can log in.

Of the 4-6 passwords I do remember, three are highly secure pass-phrases (something along the classic xkcd @MonstrousMicrobe mentions), and three are weak. I change them regularly. Since two-factor authentication is (warning for a strong and quite possibly irrational opinion) created for crap passwords, I only use crap passwords on sites that enforce two-factor authentication. Each two-factor authentication will require me to log in using my strong passwords, since I never stay logged in, and I never click the "remember me" or "keep me logged in" box.

I do not use any password manager.

(I also remember a few more pass-phrases which I use for my personal hardware, which is different to the online services.)

I use keepass both at home and at work because I can audit the code and sync with devices via cloud etc. Plus I have multiple security measures in place.

I wouldn't be tempted to write down 5k of personal passwords, or the 20+k or so I have at work.

My password policy rules are simple. All passwords have to be 15 characters, case sensitive, alpha-numeric and include special characters. Although with hardware I tend to only use exceptionally long alpha-numeric pass-phrases for obvious reasons.

Lastpass mainly; also a few I write down and have locked up.

Please, for the love of god: uploading passwords to a company's server isn't the best way to go about it.

Who said anything about uploading passwords to a company server?

1 Like

I will not reveal anything related to my passwords.

1 Like

Like others have stated, Keepass is nice. I have my database on my Nextcloud so I can use it on my Windows, Linux and Android. I also installed the Keeweb app in Nextcloud, which lets me access it from just the website.

Keepass is only useful when a database gets hacked.
If someone is targeting you, then it does not protect to a great enough factor for me to consider it.

The thing I don't like about comparing password e-peen is that people often compare the strongest part of the password scheme, never the weakest. The LTT hack was because they had a single point of failure even when they boasted 4-pass auth.

As for me, I have about 10 passwords that I remember, plus 1 throwaway password for the shit accounts I don't care about.