Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It's easy. Just come up with a secret rule and derive the passwords from that rule such that the password is different for each website/service.


I used to do this. It fell apart fast. Some websites require special characters and numbers and upper and lower case letters. Others actually prohibit certain special characters (weak SQL injection "prevention"). Some limit the length to 8 or 16 characters, others don't.

Then a random breach happens, and the website will force you to choose a new password.

I couldn't remember which variant of my rule I used at a particular website. This is aside from how easy my rule was to reverse engineer (which was made really clear to me once when I saw a couple of my PWs on haveibeenpwned


You can have different variants so you try one and if that's not it then you try the backup/alternative. In my case, this was only a problem with a couple of websites which I rarely used. I just did a password reset every time I wanted to log into these websites.


Then the passwords are not secret, the rule is. And figuring out a rule with a couple of examples is much easier than breaking into an encrypted, properly secured password vault.

In case I'm losing you, here's a parallel: if I ask you to pick and remember a random number between 1 and 1 billion, the odds of me figuring it out are low. But if I ask you to pick and remember 200 numbers between 1 and 1 billion, you will likely come up with "a rule", and then if I get a couple of example numbers (in a "password leak"), i can probably figure it out. The numbers are no longer secret, it's the rule that is.


That depends on the type of threat being protected against. If the threat is a mass exfiltration of passwords, this method will probably work fine since nobody will bother trying to figure out that one weird trick to get this one person's passwords when there are a few million others to work on. If the threat is someone targeting you specifically, then you might need a better system.


For somebody to guess your rule they would have to have an access to a number of your passwords.

Also, what the rules is is completely up to you. Be inventive.

If it comes to reverse engineering your rule it means you are facing a targeted attack. Believe me, you can't prevent a targeted attack by a good password.

It is better to have one rule to generate a lot of passwords that are good on their own and independent enough than have small number of passwords shared between many services.


Generally the rule would be hash(master password ++ key).


Then you're just reimplementing a password manager... Badly.


Well it could be your own secret hashing or concatenation algorithm which you can do in your head. For example, you could use parts of the domain name to map to a specific word from a list that you've memorized. But there is an infinite number of rules you can choose from so you don't lose any security.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: