
I think the point is that increased password length can make easy-to-remember passwords that are more secure than shorter, hard-to-remember passwords.

Even though "this is fun" isn't secure in your scenario, it's still more secure than the "j63<2a" password in the same scenario.




That's true, but the construction of the argument gives a false sense of security. "j63<2a" is more secure than "password" as well, but since they are both effectively useless (as is "this is fun"), we probably shouldn't waste time comparing their relative terribleness.

The proper solution to passwords isn't to come up with a slightly longer phrase that can still be cracked in a reasonable amount of time, it's to use a 30-character randomly generated password for each login, and keep them in a privately encrypted password safe of some sort.


Except that's a usability nightmare, and the majority of password fields (annoyingly) won't accept a 30-char password.

I aim to use a short phrase that includes punctuation and a number if required, and to have the sentence be thematically linked slightly to the system I'm logging in to. This produces a long string that meets the criteria and is memorable by following the original train of thought that led me to form the sentence. This I believe is "good enough" in all scenarios, since I should be able to type it quickly, and never write it down or share it.

The only remaining issues are max-length password fields and keyloggers (apparently a parabolic microphone can be used as a keylogger!)


You run the risk of making it a lot easier to figure out your password for other sites once one of them is known though, right?

Say you create an account at fakecompany.com where they happily and naively save their passwords in plain text in their database. Wouldn't it be easy for that site admin to then figure out your facebook.com password, for example?


I do this too. You just have to make sure your passwords have sufficient complexity, yet have an algorithm that is easy for you to remember. Just start off with a base, let's say oUb$r8!A. Now let's use a simple algorithm of taking the first letter and last letter and injecting them somewhere into the base. So your new password for amazon.com is oUAb$r8!nA. For facebook.com it's oUFb$r8!kA. To the casual observer it looks just like any other password, and it beats using the same password over and over again. You can of course make it even more obscure by changing the algorithm, just as long as it's easy to hash out in your head.
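The derivation rule described in this comment, carried through in code, together with the recovery step the earlier reply asked about (one plaintext leak from fakecompany.com leading to the facebook.com password) and the per-login random alternative from further up the thread. This is an added example and not any commenter's code. The exact injection offsets (first letter after the second base character, last letter before the final one) are an assumption that reproduces the two passwords the comment gives; fakecompany.com is the earlier reply's hypothetical site.

```python
"""Per-site password derivation as described in the comment, plus the recovery
an attacker can perform once one derived password leaks in the clear.
Added example, not any commenter's code; base, sites and offsets are constructed."""
import secrets
import string
from typing import List, Optional, Tuple

# Base secret from the comment. The offsets used below are an assumption: the
# comment only says the letters go "somewhere into the base"; these reproduce
# its amazon.com and facebook.com examples.
BASE = "oUb$r8!A"


def site_letters(site: str) -> Tuple[str, str]:
    """First (upper-cased) and last letter of the domain label before the TLD."""
    name = site.lower().split(".")[0]
    return name[0].upper(), name[-1]


def derive(base: str, site: str) -> str:
    """amazon.com -> oU|A|b$r8!|n|A: first letter after two chars, last letter
    just before the final base character."""
    first, last = site_letters(site)
    return base[:2] + first + base[2:-1] + last + base[-1]


def recover_base(leaked: str, site: str) -> Optional[str]:
    """Undo derive() once the rule is known (the attacker's step).
    Returns None when the leaked string does not fit the rule for that site."""
    first, last = site_letters(site)
    if len(leaked) < 4 or leaked[2] != first or leaked[-2] != last:
        return None
    return leaked[:2] + leaked[3:-2] + leaked[-1]


def differing_positions(a: str, b: str) -> List[int]:
    """Indices where two same-length derived passwords differ. With this scheme
    only the two injected slots change between sites, so two plaintext leaks
    pinpoint the slots even when the rule was not known in advance."""
    if len(a) != len(b):
        return []
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def random_password(length: int = 30) -> str:
    """The alternative proposed earlier in the thread: an independent random
    secret per login, so one leak says nothing about any other account."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed scenario: fakecompany.com stored the password in plain text.
    leaked = derive(BASE, "fakecompany.com")
    base = recover_base(leaked, "fakecompany.com")
    print("leaked from fakecompany.com:", leaked)
    print("recovered base:", base, "-> facebook.com:", derive(base, "facebook.com"))
    print("injected slots visible from two leaks:",
          differing_positions(derive(BASE, "amazon.com"), derive(BASE, "facebook.com")))
    print("independent random secret:", random_password())
```

`recover_base` assumes the attacker already knows the rule; `differing_positions` shows why that is not much of an assumption: two leaked passwords from the same scheme differ only in the injected slots, and the characters in those slots are the first and last letters of the respective site names. `random_password` uses `secrets`, not `random`, because the latter is not a cryptographic generator.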


Yep, that makes sense. Thanks for clarifying.



