How to Remember Complex Passwords
Sources
TLDR
Summary
Chat with GigaBrain
What Redditors are SayingHow to Remember Complex Passwords
TL;DR Use memorable passphrases for crucial passwords, and employ a password manager for everything else.
Passphrase Method
One effective way to create complex passwords that are easy to remember is by using passphrases. This involves creating a random long sentence and using the first letter of each word as your password 
[2:1]. For example, "I work for this company as an IT employee since 2018 to earn $" can be shortened to "IwftcaaITes2018te$" [5:8]. This method is particularly useful for master passwords or other important accounts where you cannot use a password manager.
Password Managers
The overwhelming consensus in the discussions is to use a password manager for most accounts. Password managers like Bitwarden, Dashlane, and KeePassXC can generate secure passwords and store them safely [1:5], [2:4], [3:2]. You only need to remember the master password for the manager itself, which can be a complex passphrase [1:1], [2:5].
Length Over Complexity
Several commenters emphasized that password length is often more important than complexity [4:1], [4:6]. A longer password, even if it consists of simple words, can be more secure than a shorter one with special characters. This approach aligns with advice from security experts who suggest using phrases that meet character limits without relying heavily on symbols and numbers [4:2].
Avoid Common Substitutions
While using substitutions like leetspeak (e.g., replacing 'A' with '4' or '@') might seem like a good idea, modern password-cracking tools can easily handle these common patterns [4:7]. Instead, focus on creating unique combinations or use spaces in your passphrases, which can add complexity without making the password harder to remember [5:10].
Considerations Beyond the Discussions
For those who cannot use a password manager due to restrictions (e.g., workplace policies), it's essential to develop a system that allows for both security and memorability. This could involve using mnemonic devices or associating passwords with personal stories or imagery. Additionally, always ensure that your master password is strong and backed up securely, possibly using two-factor authentication for added security.
Listen in on a custom audience.
Unlock the full power of Gigabrain to stay updated on topics that matter to you, or gauge community sentiment around your brand and competitors.Source Threads
POST SUMMARY • [1]Summarize
how to create a complex password which can be remembered?
Posted by rxtech24 · in r/Passwords · 2 years ago
ORIGINAL POSTi see websites password generators with complex passwords. but how is someone supposed to remember the password? i use a prefix-root-suffix format or the first letter of each word in a sentence? (ex: happy birthday to you- hbty or hb2y). but i use at least 11 characters. i NEVER choose a SINGLE word found in a dictionary. i you want to use a word choose one of different foreign language. (spanish, french or whichever)
any suggestions on improving my setup or coming up with something else better?
Without using a password manager (can’t use password manager to log in when not on your personal computer or phone)
forgot to mention i do use dashlane, but still need strong master password
thanks!!
Don’t try to remember any passwords except 2: your mobile phone passcode, your (long) password manager master password.
For all other passwords use the password generator within your password manager, plenty of customisation options. Set length at 20 characters, uppercase, lowercase, a number, a symbol. Set passphrase generators at 6 words. Should be safe for this decade.
Use Apple Keychain (71 bits of entropy, easy to type). Maybe add a hyphen and a fourth set of six characters.
Cease making up your own passwords. First letter selections of familiar phrases, foreign words, leetspeak are now likely out of date techniques.
>(can’t use password manager to log in when not on your personal computer or phone)
You should consider any password you enter on a device you don't own or control to be compromised. If you insist on typing your credentials on untrusted devices, you can easily run a password manager on your phone and use diceware style pasphrases that are easy to look at on the phone and type on the (presumed compromised) third party device.
This isn't entirely fair. What if you are trying to set up a strong password on your work laptop/phone or for some work-related account? It's a password you'll probably have to type a lot (once per workday at least), you can't necessarily rely on a password manager, and depending on your workplace you may not even be allowed to look at your phone. Even if we assume your employer could see everything you do on their devices (a reasonable assumption) you still need a strong, unique password to protect against the company getting hacked.
EDIT: I do agree that a diceware passphrase is a good choice in this case!
I don't think we disagree. If you're on a work machine typing credentials for a work account, that's totally appropriate. If you're typing credentials for a personal account, just be aware that your employer may have access to every keystroke you type, unless you're the one administering that PC.
Ffs. This has been answered a million times. Memorable passphrase for master password. Everything else randomized. People need to stop thinking they have some new secret sauce.
Use a password manager program. Most of them have the ability to generate new passwords for you and remember them.
I'm using Bitwarden now. Free, easy to use, works well across multiple platforms.
First, you should be using a password manager. Every one of your passwords should be unique and random. You cannot remember that many passwords. Start using a password manager.
>how to create a complex password
Just about every password manager has a password generator. Since you (almost) never need to remember any password except the password for the password manager itself (your "master password") you can make it very complex and completely random.
>which can be remembered?
Your master password does need to be memorized. I recommend using a passphrase. Assuming you used Diceware, a passphrase with four or five words is quite sufficient.
>any suggestions on improving my setup
Going down this rabbit hole, write your master password down before you create your password vault. Save that paper with your birth certificate and other important documents. (There are more complex ways to protect your master password, but do at least this much as a beginner.)
Make a copy of your master password on a second piece of paper and carry it with you. For the first two weeks, avoid biometrics, a PIN, a long timeout, or other cheats that eliminate the need to type in your master password. You will learn it by repetition.
Longer term, you want to make backups of your password manager as well as that master password. That is an entire new subject. You don't need to worry about this right away, but don't forget to come back and do that.
Is there a particular reason for making backup of the passwords stored in a password manager? I was actually thinking of that in an unlikely situation where the PM vendor business might fold?
This is particularly important for people who use a local password manager like KeePass. If your file gets deleted or corrupted and you don't have a backup... congratulations, you are locked out of ALL your accounts!
djasonpenney speaks wise words.
>the PM vendor business might fold?
That's one example. Or perhaps you made a update and need an older version of the entry.
Or it's possible the vault software itself could screw up and cause a loss. I saw a story last year where LastPass lost a customer's file attachments.
With Bitwarden and 1Password, you can delete the vault by just having momentary access to the backing email. A special kind of attacker, like a vindictive ex-to-be, could delete your vault while you are in the shower. They won't see the contents of your vault, but they can deny you access, ar least temporarily.
And then there are things that need to be backed up outside the vault. The master password is just one example—your memory is not good enough.
Some people choose to store their 2FA recovery codes outside their vault (and the one for your password manager MUST be saved outside your vault).
And what about your TOTP datastore? Some use a second app outside the password manager for this, especially if they use TOTP as the 2FA for the password manager itself. This too needs to be in your backup.
And you know what? There are probably a couple more things I haven't thought of. Backing up your credential datastore is a simple and prudent mitigation for losing your vault contents.
Bottom line is, there are TWO threats to your vault. The one everyone always thinks of is unauthorized access. But the other one, loss of the vault entirely, is also important. If you take all those precautions like a strong unique master password and effective 2FA (FIDO or TOTP), the chance of this second threat is much greater than the other. Make backups!
r/privacy • [2]Summarize
How do you remember new complex passwords?
Posted by Karmadilla · in r/privacy · 5 years agoBitwarden is my memory.
Bitwarden for sure.
/u/Karmadilla , if you decide pay for Premium Bitwarden, the app (Android, iOS, desktop, browser, etc) can also act as a fully synced 2FA client. If a website says to use Google Authenticator or a similar app, you can simply scan the QR with the Bitwarden app on your phone or copy/paste the Secret into the profile on Bitwarden. Super handy as it will also copy the 2FA key to your clipboard when you use the autofill.
For creating and remembering a secure Bitwarden password, this XKCD comic inspired this website for creating secure, memorable passwords. Once you have a Bitwarden account, it also has a password generator built in!
Note that this weakens the whole multi factor authentication concept when you store the TOTP secrets and your passwords together. But it still protects in cases where only the password is leaked through some other method which is much more common than a full password database compromise of a single user.
I don’t. Use a password manager. Check out BitWarden, DashLane, or 1Password.
IIRC you aren't allowed to promote/recommend proprietary/non FOSS tools on this sub. I agree with Bitwarden, and KeePassXC is the best for maximum security.
You don't.
Just remember the one that goes to your password manager.
KeePassXC
Create random long sentences and remember the first letter of each word. Write that sentence down somewhere safe for the first few months. You'll remember it after that if you use it regularly.
EDIT: This is of course only for the master password of your password manager so you can use secure and unique passwords everywhere.
r/Twitch • [3]Summarize
How complex do u want me to make ??? Its hard to find complex password that can easly remember man
Posted by Leprachaus · in r/Twitch · 3 years ago
Get a password manager. Most of them can generate a secure password for you and save it. And you will only have to remember one master password.
Edit: thanks for the gold!
2nd this. I picked one up years ago. I couldn't tell you what 90% of my passwords are anymore. I;ve gotten into such the habit of "New account? Into the password manager..." that I've had several websites that I've tried to make an account only to realize I already did. Open the password manager and there it is and still works!
I've heard good things about Password Managers, and I'm sure they're perfectly fine in the vast majority of cases...
But I still can't help but feel that it's insanely risky to use one. It's quite literally putting all your eggs in one basket. Any malicious party would just need to crack one account to have cracked all of your accounts.
Now the odds of anyone actually spending the time to target you in such away are near zero, and they probably woulda broken into any of your accounts anyway in such a situation, but still. I feel uneasy about them.
Understandable, and there are arguments for both sides. I'm by no means an expert. But if you're using a reliable password manager with proper security, you create a super strong master password, use 2FA, the odds of anyone getting into your account are so slim it's almost 0. There are even desktop-based managers that you can install on a device that's not connected to the internet and all info is stored locally, so there's really no way for anyone to hack into them.
If it's between reusing passwords on multiple sites, using less than strong passwords that are easy to remember, or using a password manager, the PM is still the more secure option. Especially since almost everything these days wants you to have an account, you could literally have hundreds of account logins/passwords, and most normal people aren't going to remember them all.
>I find that combo-ing words works best. Something like
>
>Ihavegentialwarts
>
>Or
>
>HorseBoxMushroomTape
You can make that more complicated by using leetspeak I think.
For example:
Ih4v3g3nt14lw4rt$
So the numbers and the $ meets the requirements of a special character on your password and the use of numbers. Not sure if that's effective though.
Yes, indeed and its over 14 characters so its harder to crack... Many of my passwords look like that or similar in a sense.
If it's a human doing it, sure. But most good password-cracking programs have auto-replace mechanics to factor these sorts of switches in. A better way would be to create your own system of replication for letters, like if L is 7 or something similar.
dashlane also works. im using the free version
Don’t actually use CorrectHorseBatteryStaple as your password though. It’s widespread enough that brute-force password crackers will try that one first.
It is much more secure than using the same/similar password across multiple sites.
Then if one website gets hacked they don’t have your password for all the others.
I would recommend KeepassXC, it's free, Open source and local on your machine.
That xkcd the reason why I stopped using difficult to remember randomised strings for passwords.
r/lifehacks • [4]Summarize
Create long complex passwords that are easy to remember!
Posted by GreenDad420 · in r/lifehacks · 2 years agoUPDATE: (also added in comments)
I've been using LastPass for almost 10 years now, so I 100% agree that password managers are the way to go to manage the hundreds of different logins that we all have now.
I should have probably clarified this originally, but this suggestion is really for those passwords you can't (or at least shouldn't) store in a password app, like the master password for the password app itself, your network login for work, or the password for your own personal computer. These should also be the passwords that you should probably be changing more frequently as well!
​
Take a line or two from one of your favorite songs and then use the first letter (or corresponding symbol and/or number) of each syllable.
So for example
"Always Look On The Bright Side Of Life" could be represented as
Awlotbsol @W1otbs0l aW10+b$01
etc etc
You may need to write it down at first, especially when you first create or change it and need to enter it twice. But after entering it a few times, all you need to do is remember the line of the song and you'll remember your password!
And for passwords you need to change frequently, just use the next line in the song as your next password!
InfoSec dudes always told me length is just as secure as the special characters, etc. So their advice for people was pick a phrase that uses the whole of the 14-28 character limit.
My VP told me he tends to uses expletives. So for instance for Gmail his password may be:
FuckingGmailBullshit2023.
His favorite was for a program at work he hated with a passion so his former password was:
IFuckingHateYouMuthafucker1
His goal was for something to so screw-up the desktop guys needed to ask for his password lol
I only know this because I've gotten a question incorrect on my yearly security training related to this multiple years in a row. They ask which PW is most secure, and the answer is some boomer looking nonsense like "idontneedapassword" and its the correct answer just because its way longer than everything else.
The issue with that is that it makes it way harder to remember, without actually making it that much harder to crack (because any dictionary attack is also going to include common substitutions). Now you need to know which o you replaced with an @, or was it a 0? Did you swap an i or an l with a 1, or maybe it was an e with a 3.
The is the real life hack! It saves your passwords and you can use a long password with all the variations of password requirements! There’s even mobile version. I’m a huge Keepass fan.
Yeah but you also have to satisfy the requirements of the password which almost always wants a special character. I just use ch@racter5 !nstead of l33ters if necessary to use my easier to remember phrase.
Simple math:
Password 1: mynameisjohnsmith is 17 characters long using plain lowercase letters - has 26^17 combinations.
Password 2: xq7$L9p& is 8 letters long using captials, numbers, and special characters too and has 64^8 combinations.
Password 1 format has about 4 Billion times more combinations than password 2. If a supercomputer could crack password 2 in 1 second, it would take over 120 years to crack the first password.
I think that was the point of the xkcd comic referenced earlier.
Modern password crackers know most people subdtitute A with 4 or @, I with 1, S with 5 etc. Those passwords crack almost as quickly as ones without special characters.
I use 1Password and it's amazing.
Every login I have has a 15-20 unique password!
Especially if crackers start using AI, which knows which words generally follow others. Crap, now I have to change my master password, too!
Haven't multiple password managers been compromised? Kinda defeats the purpose to keep all your eggs in one basket. Memory or physical keys are the only internet proof solutions I'm aware of.
https://www.wired.com/story/lastpass-breach-vaults-password-managers/
> "Security practitioners universally emphasize that the situation with LastPass shouldn't deter people from using password managers in general."
Human memory is incredibly fallible. I'm not going to remember the logins to my nearly 400 accounts. Keeping them all on a piece of paper also leads to creating terrible passwords
Just because some password managers have been hacked doesn't mean they shouldn't be used. Educating yourself on how they function and finding a trustworthy organization is worth everyones time.
I'd recommend checking out /r/Bitwarden. I knew very little about internet security 2 years ago when I switched from LastPass to Bitwarden and had terrible passwords that were repeated. Being involved in that subreddit has greatly helped me learn more about this area of my life and help others.
We had a discussion at work about using a password manager AND adding something unique to the end of the password that you entry manually. Eg password manager stores z0?!aP5 but the password is actually z0?!aP5FukU Makes auto changing passwords etc a bit more tedious but could be a good idea?
r/sysadmin • [5]Summarize
Is there an app that generates a complex, yet easy to remember password?
Posted by This_guy_works · in r/sysadmin · 3 years agoI had quite a time today trying to help a user come up with a good password that she would remember. There are complexity requirements we have in place (minimum 14 characters, one upper and lower case letter, one number, one symbol) and we can't reuse the previous 10 passwords and we can't use common names. I was starting to get fed up when we tried using "2015FordFusion!" as the password and even that failed the check due to Ford being a common name, I suppose.
Anyway I am wondering if there is a tool out there that can help us come up with complex, yet easy to remember passwords so when we need to think up something on the spot for our users, they might benefit from us helping them pick a password.
We also discovered that our password policy allows for setting a password, but Microsoft apps deny a password that isn't complex enough, so staff can change their password but only for the PC login and are denied login to their other apps, so that's been fun.
You could do far worse than the "strong" generator on dinopass.com
Its rare that a strong dinopass.com password does not pass requirements, when that does happen, usually adding 2 symbols that are on the number keys make it both long and complex enough for almost anything. So for example, if the 2 numbers at the end were 38, the symbols would be #*, making the end of the password 38#* (and you dont actually have to remember the symbols, just the numbers, and remember to shift type the numbers again)
+1 you can API call it for injections into scripts as well
Passphrases are more secure. https://www.okta.com/identity-101/password-vs-passphrase/
I agree, but we have a lot of little old ladies and nurses and doctors that can't remember much in the way of passwords. It seems the more complex the password requirements, the more we start seeing them write their passwords down in a notebook or forget and call us to reset them. A long pass phrase would be such a foreign concept to them.
This is exactly why 14 character passwords with complexity is a bad policy. It’s not making anything more secure, and it’s hard for humans to remember.
Read this first. https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/your-pa-word-doesn-t-matter/ba-p/731984
A sensible policy is 8-10 characters, no complexity, no expiry, MFA for external access and block known bad passwords with something like https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-operations
Fot any system I connect to or pretty much any application or webserv8ce, I nowadays use Keepass. I don't have to remember anything. Simplynuse auto-type and have Keepass enter the credentials. Wirks great for RDP sessions also, as they don't alllow copy/paste, but as Keepass pretents to be be a keyboard, it is able enter them (also able to customize the sequence like <username><tab><password><enter>)
The only exception is my work laptop login. That is the only passwors I need to remember or use a pki card.
If setting up 2FA is possible, then it would be even easier for them "old ladies", for example using a Yubikey, that needs to be insertee, then having and also keeping a rather simple password, wouldn't even matter that much anymore.
Bitwarden has a passphrase generator, yes.
Changing password regularly isn't best practice anymore. I setup my end users with mfa and teach them to use long passwords that are easy to remmember.
"IworkforthiscompanyasanITemplyeesince2018toearn$" is a perflecty safe password, easy to remmember... he'll to type in when needed to be done to often.. but hey, that's why we have windows hello with pincodes.
It's easier when people realize you can use spaces.
Yay xkcd 🏆
That's not an ideal scenario, but it's not unheard of.
When I was last under that kind of policy, I used root and extension passphrases. Which, by the way, can be used for the current long+no/low-expiry practices.
For example, you've got your XKCD standard passphrases:
$ genphrase -n 9 | column
RueOutboundStar IstanbulAvengedAngry InchRapHermes
RoyaltyWestWaited ClassicMoonbeamSwifter ProvesIdiocyRig
ClanAutismEnclose ThudsGrubbySeeks EyesOverdressFightsThose are popular, but they're also susceptible to word stacking attacks. If an attacker figures out that you're using this practice, then the cracking effort potentially goes from theoretical millennia to theoretical weeks. ThisIsReallySecure is presented like it's 52^18, when really it could be more like 16842^4. Running those numbers through some rough calculations and you're looking at 25 million centuries vs 9 weeks. Indicative, of course, and different formulas with different assumptions have different results.
So, to improve that a bit, you take the otherwise rational standard and tweak it slightly. One idea is to mix languages e.g. BuenoThisCavaquinhoRocks or GoodDayToDieQapla!. Congratulations, you just mitigated a word stack attack with Klingon.
But this post is about root and extension. It isn't a new idea, but one way that we can apply it to XKCD passphrases looks like this:
$ genphrase -n 9 -s extension | column
[extension]BuddingRebel Money[extension]Meant Bunt[extension]Balmy
Backwash[extension]Director ScholarArrange[extension] Head[extension]Unselect
ForcingHexagram[extension] PlannerDeserves[extension] Facebook[extension]FrisbeeWe can see here that this particular passphrase generator randomises the extension location. So what I used to do is generate a bunch at once and pick one that sounded to me to be more memorable than its peers. So let's say that from this list you choose Backwash[extension]Director. It works like this:
Backwash[extension]Director
^^^^^^^^^ ^^^^^^^^^----root
Backwash[extension]Director
^^^^^^^^^-------------extensionFor each usage, you keep the root and change the extension to something that's relelvant to the passphrase's target i.e.
Backwash[facebook.com]Director
Backwash[reddit.com]Director
Backwash[ThatCustomerIHate]Director
Backwash[prod-ad-01]Director
Backwash[qa-sql-02]DirectorAnd so on. Then you simply apply whatever adjustments you need to meet your password requirements, sometimes this is just a sprinkling of 13375p34k e.g.
Backwash[f4cebook.com]DirectorSo now you just need to remember your root: Backwash Director and the convention for your extension. In the previous example, that convention is: "It's the middle word in the sequence, wrapped with square brackets, is the url of the website and has one 133t5p34k change", which is actually a lot easier and more intuitive to remember than it is to type out verbosely like that.
So let's compare Backwash[f4cebook.com]Director to your standard:
- minimum 14 characters --> we're at 30 chars
- one upper and --> Our passphrase words are capitalised, so that's a bingo
- lower case letter --> Check
- one number --> The 1337 change in the extension matches
- one symbol --> The square brackets in the root matches
- and we can't reuse the previous 10 passwords --> Let's cover that below
- and we can't use common names. --> This needs more detail, but I think we're ok here
For the matter of not re-using passwords, you flip the method upside down: Once you've figured out and memorised an extension convention ^(my rhymes are illin') then you simply swap the root around. Generate a fresh set of phrases:
$ genphrase -n 9 -s extension | column
Slippers[extension]Tugboat GrimyTwiddle[extension] PyramidSauna[extension]
PatienceOdds[extension] [extension]TipPremier PearlsThroat[extension]
Financial[extension]Sedation [extension]BodiedProbiotic [extension]PegPicturesChoose one that grabs you, like Slippers[extension]Tugboat and now instead of remembering Backwash Director, you now remember Slippers Tugboat
Additionally: While it's probably not a great idea, one thing you can do with this is to store your roots somewhere as you cycle them. That way if you come across somewhere where you forgot to update, you can reference your old roots. Ideally these would be in an encrypted vault or password manager. And if someone happens across said store of roots, all they'll see is something that looks like
Darwin Generator
Shortly Alpine
Upfront Stuffing
Fellows Insight
Lives Catty
Ritual Unadvised
Clink Brunt
Beige Entry
Backwash DirectorBecause your extension convention is in your head, them having access to that file/post-it/whatever isn't great, but it's not the end of the world either.
r/Bitwarden • [6]Summarize
How do you guys remember your master password?
Posted by JoshLovesTV · in r/Bitwarden · 3 months agoI have a terrible memory, and my password isn’t very strong. I want to come up with a stronger password, but I have no idea how to do it or how to memorize it. Are there any clever tricks I can use to hide my password in plain sight where people would never think it’s for Bitwarden? I don’t know. I would love your advice!
That's a good memory trick. Create a bizarre image out of your passphrase. The strangeness makes it easier to remember.
Mouse fan car trick
Picture a mouse fanning itself while sitting in a convertible car then doing a magic trick with the fan.
That's what the emergency sheet is for. If for any reason you forget your password, you can look it up from your emergency sheet. Here's the link
Personally I would randomly and automatically say all my passphrases out loud in my mind every few weeks. I guess it's like survival instinct because I know it's something really important
Random, unrelated 3-5 words. Not super hard to remember. Write it down on a paper and put it somewhere not too obvious. Don't write the account name or what it's for.
I don’t even write it down. It’s pretty easy to remember five words split by numbers and/or special characters. Now if something happened to me nobody would ever get into it.
If you have a close relative or someone you trust, I would add them as an emergency access contact in case, as you said, something happens to you. You can set a wait period so the contact only gains access after a period of time where you can deny it, if you were just MIA for a few weeks.
This. Some take this comic too literally, but the idea is that length is orders of magnitude more crack resistant than complexity.
The best functional application of this is a few word sentence that only has meaning to you. Add a single number, symbol or capital letter and suddenly it takes longer than the age of the universe to crack with all the computing power in the world... and you never have to write it down.
Common advice of ultracomplex passwords along with frequent changing of passwords is a security nightmare. Users simply write passwords down, usually on a post it under their keyboard or somewhere else easy to find. It's where something that sounds good fails in practice.
At least NIST is now recommending long passwords and advising against frequent password changes.
You're almost there, but you're still a few moves behind me. I suggest you have it tattooed as you said, but inside the buttholes of your friends. GI doctors are going to charge an enormous amount. By time they look up five buttholes with a scope. And it gets even more expensive the more times you change your master password. But that's the price of modern security.
I don’t know my master password. It’s on an emergency sheet, but I don’t actually know what it is. How do I log in then? Part of it is in my head, the first 6 digits, then the rest is filled with a long press on a yubikey where a long random string is saved. Combine that with biometrics and 2FA and it’s secure AND convenient. Make sure you have backup Yubikey(s).
Okay, I’ll jump into the fray, though there has already been some good advice.
> how to do it
First, as others have said, use the password generator in Bitwarden to create a passphrase. Four words, like UnplantedSurrenderTwiceCaptivate, will be enough for most people.
> how to memorize it
Temporarily TURN OFF biometric or PIN authentication. For the next week, force yourself to use your master password every time you need to use your vault.
Keep the master password (for now) on a piece of paper in your pocket. Refer to it when necessary as you are memorizing it. I expect within a day or four you will have a grasp on it. As others say, there’s no reason to indicate on that piece of paper that it’s for Bitwarden.
> hide my password
As an aside, you MUST NOT rely on your memory alone for your master password (or anything else). An emergency sheet is not optional. Your only choice is HOW to protect that sheet. It could be as simple as storing a copy with your birth certificate and vehicle title, or it can be crazy complex, like encryption and using external resources like a Dead Man’s Switch to help you regain access.
> never think it’s for Bitwarden
Just to be clear, not everyone needs to get crazy complicated about this. I know, for instance, that I don’t have a drug addled ex brother-in-law who is going to break into my house and rummage through things for half an hour looking for my emergency sheet. Someone breaking into my home in inner NE Portland is going to be looking for cash, booze, small electronics, and other items to support their drug habit.
In spite of that, I do actually take precautions. My emergency sheet is enclosed as part of an encrypted full backup. The thumb drives with the backup are in our own fireproof box, along with birth certificates etc. Copies of that thumb drive are at our son’s house, and the encryption key is in his Bitwarden vault. My wife also has a copy in her own vault. And since I need to update that backup periodically, I have a copy of that encryption key in my own vault.
You see? There is no single answer. Like a lot of things in security, you have to decide how much protection you really need. You could simply have a copy of the emergency sheet at your parents’ house, for instance. Only you can decide what’s going to work for you.
I put my master password in my safe. Some of my friends know the safe's password.
Your recommendation for an emergency sheet is something I've been recommending to my friends and family for years!
Bitwarden did somewhat recently create their own version that is called a "security readiness kit" if anyone would like to take a look or use it themselves: https://bitwarden.com/resources/bitwarden-security-readiness-kit/
r/innervoice • [7]Summarize
affirmations, a helpful tip
Posted by MoreRopePlease · in r/innervoice · 8 months agoI work at a computer all day. My company policy is that I need a complex password and it has to change fairly often (every quarter I think). I have found a way to create a easy to remember, complex password, and give myself a little boost every time I type it in: Pick a word or phrase, swap out some of the letters, and boom, there you are.
I write my password down in a google keep note on my phone. Important: If you write this down by hand, have a way to easily distinguish between zero and the letter O, and one and the letter L, and capital and lowercase letters that look similar.
Examples:
cr3at1v1tY!
wr1t3-M0r3
34rly@B1rDz
I love this idea! It never occurred to me to use affirmations as passwords!
Such a fun idea, I love write more!!!
Help, what’s the last one say? I won’t be cracking passwords anytime soon. 😂
Do they egg you on and keep you creative?
That last one is "early birds". A reminder for me to actually get out of bed instead of picking up my phone and getting stuck in depressing news. :D
In the past I've used my password to reinforce my intentions. To get up, to write in my journal, to look for the creative in everyday life, to be bold, to find my muse, get up and walk, and so on.
This past year has been a mountain of changes, so a recent password was simply a reminder that life is change (if nothing is changing that means you're dead!).
Small nudges that keep me from dissociating from things that are meaningful. I think creativity flows from that connection. Keep living, keep engaged, and you allow that internal energy a chance to express itself.
O should be O. Zero should be Ø. Capitals get underlined.
The correction to capitalize when a teacher has the three little lines directly under any one letter
It's quicker when you're just writing down passwords for yourself to only do one line.
I used to do that when I wrote them down in a notebook. :)
Fun story: when my daughter was in high school everyone got Chromebooks. She had a friend who somehow cracked the password that restricted what they could do on their laptops, so he changed it so he could install whatever software he wanted on it. The end of the year approached and he tried to change it back. Except he had written it down and there was some ambiguity in a couple of the characters, so he was unable to put it back.
She came to me on his behalf, to see if I had any suggestions. He was worried he would get in trouble (he was otherwise a very upstanding kid). After a bit of googling, I basically said no he's out of luck. Take it as a lesson and next time write stuff down carefully. I said chances are he would be fine, but I think he decided to report it lost and lose the deposit.
This is genius!!!
I used to love doing that
r/cybersecurity • [8]Summarize
I analyzed 50,000 leaked passwords from recent breaches. The 'strong' passwords were weaker than the 'weak' ones. Here's why.
Posted by Saotao · in r/cybersecurity · 1 month agoI've been deep in password breach databases for the past month (yes, the legally available ones for research), and I need to share something that's been bothering me.
We've all been taught to create passwords like "P@ssw0rd123!" - uppercase, lowercase, numbers, symbols. Checks all the boxes, right?
Here's the problem: hackers know this too.
I analyzed 50,000 real passwords from recent breaches and found:
THE "STRONG" PASSWORD MYTH
Everyone follows the same patterns:
- First letter capitalized: 68% of passwords
- Numbers at the end: 42%
- Year of birth or "123": 38%
- Exclamation point as the special character: 31%
When everyone follows the same "random" pattern, it's not random anymore.
THE PASSWORD THAT BROKE MY BRAIN
I found two passwords in the breach:
"Dragon!2023" - Marked as "very strong" by most checkers
"purplechairfridgecoffee" - Often marked as "weak"
Guess which one appeared 47 times in the database? And which one was unique?
The four random words would take centuries to crack. The "strong" password? 3 days with modern GPUs.
WHAT I LEARNED BUILDING MY OWN GENERATOR
Most password generators suck because they use Math.random() - that's not actually random, it's pseudorandom. If someone knows the seed, they can predict every password.
I built one using window.crypto.getRandomValues() - actual cryptographic randomness. But here's the thing: even with perfect randomness, if you're only generating 8-character passwords, you're still screwed.
THE UNCOMFORTABLE TRUTH
The best password is one that:
You'll never remember (so it's truly random)
Is at least 16 characters
Is unique for every site
Lives in a password manager
Yeah, I know. We built all these password rules to avoid using password managers, and now we need password managers because of all the rules.
MY QUESTIONS FOR YOU:
What's the dumbest password requirement you've encountered? I'll start: a bank that required EXACTLY 8 characters. Not "at least 8" - exactly 8.
And how do you explain password managers to someone who writes passwords on sticky notes? (asking for my mom)
A password manager is a place where all of your sticky notes are encrypted, salted, and hashed preventing most hackers from accessing them, even in event of a breach.
All you need to remember is ONE strong password such as tigglebittys1886Fr33edumb$32$.
Remember that password. You can do it. Everyone can. You have one job. You never need to remember any other passwords again thereafter. If you can’t remember 1 fucking password, you are no longer my mom
Even better than that... make a passphrase! "That dude from my ECON 303 class smells like tacos."
Now that's a strong password AND simple to remember.
When I need to memorize a password, I do full sentences now. Like "My dog is the ruler of the house." Not random, but when you consider that you can't partially crack a hash and the infinite combination of words to make sentences, it's going to be nontrivial to crack.
It really depends. If I can make a bunch of assumptions the problem space might get significantly smaller.
Let's take your example string, you have 8 words. There's a little under 200k normally used English words, your choices fall in that list. 200k^8 is around 2.5^42 possible combinations. Let's assume an 8 bit character with a password length of 10. That's 2^80, an insanely larger number.
But you might point out, 2^8 is 256, and who uses 256 different characters? And you are right!
But 200k words contain a lot no one uses or even knows.
The average English speaker knows between 20k and 30k words. So lets assume 30k. That reduces the complexity of your word string to 6.5^35, and you picked very common words. I bet your words are in a set of say the 5k most commonly used words. If so your complexity just became pretty poor, on the order of 4^29. So let's look at characters. Let's say a 6 bit characters, that's 64, the common letters and symbols (base64). You now have 60 bits, or 2^60, still better than if your words were truly random from the 200k pool.
So, assuming I didn't make any mistakes in my math, you find that properly complex passwords of length are the way to go. Words might be a helpful trick to remember them, but they reduce your problem space by far more than most folks realize or are willing to calculate out.
As to hash cracking, it doesn't really matter. A string of words is a string of characters. It's just a question of how you order your inputs. A savvy attacker would start with what is most common, passwords lists, and words lists, but will then turn to brute force. Folks know about passphrases and dice words. They get checked just like character strings. They might know the complexity and size requirements from the originating site. Their game is about anticipating what you might pick in order to reduce problem spaces.
Dice words are meant to be memorable but randomly generated. I think 1Password calls them memorable(?), but they used a fixed dictionary. They are supposed to be random and remove the human element. Passphrases are good too, but hard to come up with. Different password for each case,right?
I created a python password generator to do just that - while including user-chosen punctuation (dashes, exclamation, comma, period, underscore, asterisk, what have you) and random user-chosen digits number. It needs some work, but it makes some pretty amusing "sentences" that are easy to remember but pretty high entropy. One of the things I want to do is add in an entropy checker, but that part stalled and I got busy. I should maybe get back working on it now that things have slowed down.
Edit: Clarity
It also depends who the threat actor is and what kind of password it is.
Is it something that an attacker can easily try millions of different attempts against (such as a crypto wallet that was stolen by malware), then you want something reasonably complex.
If it's a service such as NetFlix or Gmail, an attacker is only going to get a handful of guesses before their IP is blocked or they start getting served CAPTCHAs or similar. Combine that with less technical users (such as my elderly parents) who might rarely type in their password, and you want something that is easy to remember, such as a group of common words or a sentence.
(Disclosure: I'm the author of a Diceware implementation.)
Yeah!
(Before I reply, you have saved me hours and hours and hours on the phone with people. Upper case L, lower case z, tilde.. what’s a tilde? Sideways squiggle? Didn’t work, let me repeat… so Thank you.)
There’s a reason password managers are wonderful, especially if you use them… lol.
But I think I was focusing more on the definition of what password strength is and what might be a good/bad pass. Even if you do the math on a keyboard when you add the special characters, you don’t get the kick you would think you were getting but adding an extra words worth of regular letters does.
most cracks come from a fault in the implementation (oracle attack comes to mind, struts, bad password storage), no? But like a file you can brute force reasonably inexpensively is kinda screwed anyway nowadays (nation state level fer sure)
Dicewords are rocking, but per word randomness was lowish iirc. Longer passwords get you there faster. Fer sure.
Yeah no one is gonna guess that! What sites do you use that for? 🤣 Remember any comment you make online like this gives a threat actor information to try and crack your passwords. General concepts are ok but anything specific gives them advice on an approach to cracking it.
You nailed it. To remember the password, it’s an easy way to avoid forgetting it.
+1
it’s been known for a while and is so dumb most sites still require the “complex” characters and sometimes even limit which special characters you can use. I’m glad most orgs have gotten rid of having to change your password every 60 days as it’s been shown people will pick really simple passwords to remember or start writing it down.
Way to miss the point
4 words from a dict of 2000 is 2000^4, or about 2^44
A single word from a much larger dict (Randall uses a 64k dict) with common patters is only 24 bits of entropy
Now you could argue that 2^44 isn't enough nowadays. With bcrypt or scrypt you're likely to be limited to aout 2^8 hashes per second, so about 2^36 seconds or 2000 years to run through it.
A truely random 12 character password from a set of say 96 characters would be 2^79, or around the same as a 7 words from a 2000 word dictionary
Good luck getting people to actually choose and remember that type of password
r/Bitwarden • [9]Summarize
How do you make and remember a good master password?
Posted by SpookySquid19 · in r/Bitwarden · 7 months agoMy anxiety crept up regarding security with Bitwarden, particularly with things like identities and cards, and it made me wonder if my master password was good enough or if it was bad.
So I'm wondering, in your experience, how do you choose your master password, and then how do you remember it afterwards?
It doesn't mean numbers and special characters are not important. But it does mean a very long password with only letters is much better than a shorter one (let's say less than 10 characters) with numbers and symbols. Of course, a long password plus numbers and symbols is stronger.
The point is that you don't make it overly complex so it becomes difficult to remember. For example, passphrase (4 to 6 words) + symbol + 4 digits is fine. If you add words separators like dots or hypens that increases strenght in a simple way.
For example, KineticParticleEquallyMotion$23 is preferred than Tr0ub4dor&3 if you want to remember it easily.
As for personal strategy, I want the master password to be simple to type and simple to remember. The fact that Bitwarden supports 2FA makes me worry less about complexity as an attacker would need to obtain both.
For the rest of most of the online accounts I do create overly complex random generated passwords (over 32 characters, including numbers and symbols). With the password generator integrated into Bitwarden. Specially for those services without 2FA.
My router's WiFi password is very long. And I use QR codes if I need to add new devices (IoT devices are a special case). Something like:
673AEHKT#BgpRch*$!kkuGE86chAlqG!^Xl378Y!%d#z3^#WNO3C#dYjeY85gd7q
In summary, longer and simple beats shorter and complex. But long and complex beats long and simple. If ease of recall is the priority, choose long and simple.
I use the "Correct Horse Battery Staple" framework (if I may call it that way 😁). It's based on an XKCD comic. https://xkcd.com/936/
The idea is to that you make a passphrase instead of an overly complex password that you might easily forget. Focus is on length instead of complexity.
Since 2FA is enabled on my account I don't worry too much about the password looking "simple" (dictionary words, no numbers or symbols). Usually I get 20 to 30 characters which is fine for me.
For inspiration:
I use the Correct Horse Battery Staple framework, but instead of using a generator or a random story that's hard to remember, I started with four words from my childhood street address. Then I transform those words by looking at synonyms, and memorable (but also perhaps a bit odd) word associations and homophones.
Imagine part of the address was 13 Mockingbird Lane. So my thought process might be:
13 is unlucky to some. Other unlucky things are opening an umbrella indoors and walking under a ladder.
In National Lampoon's Vacation, the parents sing "Mockingbird" in the car, and it was also sung by James Taylor and Carly Simon.
Lois Lane was played by Teri Hatcher, who was also Desperate Housewives. A hatcher can also be an egg incubator.
So 13 Mockingbird Lane could become "umbrella lampoon housewife", or "brolly tailor desperate", or "ladder vacation incubator", etc.
Easy for me to remember, but difficult for someone to figure out even if I told them my password is derived from where I grew up as a kid.
the use of special characters and symbols are seen as more important than they are.
when a password is cracked their are different ways to approach how to guess or crack the password. many use the a dictionary attack the easiest attack
but password strength can not be measured just on it's strength but in how it is used. for instance if I required every user to have a long complex password some users will write it down close by or any of the other poor password management.
NIST used to recommend companies force their users to have complex passwords that change often. it turns out to be horrible advice, people having to change passwords often causes issues and if you force very specific rules those rules work against you.
take for instance you have guess a password you have no idea length or composition (upper/lower/number/symbol) there is no guaranteed "best approach"
BUT if you have to guess a password and you know they have to have 8-12 characters no "words" and you must have one upper, one lower, one number, one symbol. That is something we could have someone write a script to come up with every combo.
So while symbols and numbers to add complexity their complexity makes it harder to use.
my old master password was 10 characters and LEEET speak inspired numbers/letters/symbols bitwarden says it is 12 days to crack
my new master password is a rare phrase and is 18 characters all letters and would take 3 years to crack
TLDR: phrase or random word passwords are a minor trade off of strength for usability
Pick a random obscure quote you've never shared with anyone that you like and keep the first (or last if you're paranoid) letter of each word and keep the punctuation.
Example:
"He who hates does not know God, but he who loves has the key that unlocks the door to the meaning of ultimate reality." -MLK
password: HwhdnkG,bhwlhtktutdttmour.
This is not random. Only password that is secure, is true random generated. Human is bad at randomness.
Use 4-5 word random passphrase, generated with Bitwarden or throw a dice. You will remember it in no time and this time you can depend on it's entropy.
I don't like this strategy because most people will not pick an obscure quote. There are way too many people with the password, tbontbtitq, for example. If the quote appears online as your example does, it is too guessable in my opinion. If it were obscure enough to not appear online, or it was something said by a non-celebrity (e.g. a parent), it would be better. There is also an argument to be made about the over-abundance of Ts and other common letters - certainly if the quote isn't particularly long.
I'm all for security best practices in theory, but thinking this is not good enough for a personal bitwarden account with a 20+ words citation is bordering on paranoia. Even if you're picking from Shakespeare's best of. Of course, this assumes you're not telling people that this is your strategy in a traceable way.
It also has the benefit of being somewhat 'recoverable' unlike the random words or gibberish randomized passwords people use. Forgetting your Bitwarden password SUCKS.
Compare this to bitwarden policy of telling you to write down your recovery key. That is going to be WAY more likely to lead to a compromised account than using a slightly flawed password generation strategy.
This is less secure and much more difficult to remember.
(This is coming from me, someone who used this method for my master password back when I was on LastPass)
Please just use a passphrase that is randomly generated
I'd recommend picking a quote with numbers in it so something like "one fish, two fish. Red fish, blue fish" would be "1f2f.Rf,bf". Personally my master password is something like this with an additional keyword and symbol, I found it pretty easy to memorize.
The paranoia here is hilarious. What do we have that picks random passwords for you all the time and you trust it to keep it all safe. Maybe just open that (bitwarden obviously) 🫣 and make it pick whatever amount random words you need, write it down and remember.
This Wikipedia article does a good job at explaining the length-vs-complexity tradeoff, but basically these are about equally strong:
- 8 uppper/lower/symbol/digits (7Sm##ndP4)
- 11 lowercase (trvtuovmynt)
- 4 diceware words (correct horse battery staple)
So, the best choice really comes down to if you will be auto-filling, typing, or remembering the password.
r/Productivitycafe • [10]Summarize
To avoid scammers getting your password, but also to remember your password
Posted by Miserable-Ad8764 · in r/Productivitycafe · 3 months agoThere are some passwords you should never ever share with anyone. But scammers are good at talking you around, making it feel urgent to give them what they ask.
Use a dirty sexy secret you would die of embarrasment if somebody knew.
Like "ITakeItUpTheA$$" or "IFu@kedMyBrother" "SpankMy@$$Daddy" "IPi$$edTheBussSeat" etc
It doesn’t have to be true, but it should be something you really don't want to say out loud under any circumstance. If you get an urgent phonecall this will make you pause and think through it one more time before revealing any pw.
This way you will also automatically turn the screen away and make sure not even your partner can see your banking password.
And, we automatically remember something shocking or scandalous more easily.
So, dig up your deepest darkest secret, add some #€@$£¥ signs, and make good passwords you never want to say out loud.
If a password makes you cringe just thinking about saying it out loud, congratulations you’ve probably just created the ultimate scam-proof security.
My password is Donald Trump sucks
Only Remember a few important ones then use a password manager to generate all others. Never have any password overlap between any service.
Also scammers, just remember no one ever needs your PW but you, if it's really your bank or the tax man they have access to see what they need already.
>no one ever needs your PW but you
That's the thing I don't understand how people still fall for it, if a company lets you create an account, YOUR account is on THEIR platform with (usually) THEIR OWN systems running behind it, they provide everything the account does to you, they can reset your password or just force a new password onto any account whenever they feel like it and take the time to dive into the database. How do people not get that the actual genuine support place of any company never needs your password?
Honestly, this might be the most unhinged but genius cybersecurity advice I’ve ever read fear of social shame might just save our bank accounts!
Wtf? Who falls for this?
Top People to Talk to
AI Answer
How to remember complex passwords
Here are some effective strategies to remember complex passwords:
Use a Password Manager: This is the most secure and convenient option. Password managers can generate, store, and autofill complex passwords for you, so you only need to remember one master password.
Create a Passphrase: Instead of a complex password, use a long passphrase made up of random words or a sentence. For example, "BlueSky!Dances@EveryMorning" is easier to remember and still secure.
Mnemonic Devices: Create a memorable phrase or acronym from your password. For example, if your password is "T3aC@tS!n2023", you could remember it as "Three Angry Cats at Sunset in 2023".
Chunking: Break the password into smaller, manageable parts. For example, "G7h@R2p!Q9" can be remembered as "G7h @ R2 p! Q9".
Visual Association: Create a mental image or story that connects the elements of your password. This can help reinforce your memory.
Regular Practice: Regularly typing your password can help reinforce it in your memory.
Recommendation: If you frequently struggle with remembering passwords, I highly recommend using a password manager. It not only enhances security but also simplifies your online experience by managing all your passwords in one place. Popular options include LastPass, 1Password, and Bitwarden.
Still looking for a better answer?
Get more comprehensive results summarized by our most cutting edge AI model. Plus deep Youtube search.