
Slightly off-topic: am I naive to believe that my personal system of password management is just about as good as something like 1Password or LastPass? Hear me out. My passwords are generated as follows:

[Low|Med|Hi] + [Key] + [Initials] + [Number]

Low|Med|High = One of three keys based on how sensitive the site is. High: banking / work / email, Low: I don't trust the site, Med: other.

Key = Random string that only I know, with the most important accounts having a unique string

Initials = Initials of site name based on domain name + TLD, with the initials moved up x letters (for example, capitalone.com -> COC -> DPD)

Number = One of three random sets of numbers I use. Sometimes I forget which number I use for each site, but I can figure it out after a few incorrect attempts.

This means a unique password for every site generated by a system that only I know with no central storage except my brain.

What is wrong with this? What would be the advantage to using 1Password / LastPass over this?
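An added illustration, not the poster's code: the scheme above implemented as a generator, alongside what an attacker who has read this post and obtained one leaked password can do with it. Every concrete value (tier keys, the "Key" strings, the three number sets, a shift of 1 to match COC -> DPD) is a placeholder chosen here, not the poster's real secrets, and the split of "capitalone" into words is given by hand because the post does it by hand.

```python
from string import ascii_uppercase

# Placeholder secrets for the example; the post gives only the structure.
TIER_KEYS = {"low": "Lo!", "med": "Me!", "hi": "Hi!"}      # hypothetical
KEYS = {"default": "k3yS", "capitalone.com": "bAnk7"}      # hypothetical per-site keys
NUMBERS = ["4812", "9037", "2261"]                         # hypothetical number sets


def caesar(text, shift):
    """Shift upper-case letters forward by `shift` places (COC -> DPD for shift 1)."""
    out = []
    for ch in text:
        if ch in ascii_uppercase:
            out.append(ascii_uppercase[(ascii_uppercase.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def initials(words):
    """Initials of the site name words plus TLD, e.g. capital one com -> COC."""
    return "".join(w[0].upper() for w in words)


def make_password(tier, words, domain, number_index, shift=1):
    """The poster's scheme: tier key + site key + shifted initials + number set."""
    key = KEYS.get(domain, KEYS["default"])
    return TIER_KEYS[tier] + key + caesar(initials(words), shift) + NUMBERS[number_index]


def recover_from_leak(leaked_password, leaked_words, target_words, max_shift=25):
    """Attacker's view: one leaked password plus knowledge of the scheme.

    The attacker computes the leaked site's initials, tries every shift to
    locate them inside the password, and treats what precedes them as
    tier+key and what follows as the number.  For the target site they emit
    one candidate per matching shift; the real password is among them
    whenever the target shares tier, key and number set with the leaked site.
    """
    src = initials(leaked_words)
    dst = initials(target_words)
    candidates = []
    for shift in range(max_shift + 1):
        marker = caesar(src, shift)
        pos = leaked_password.find(marker)
        if pos == -1:
            continue
        prefix = leaked_password[:pos]
        number = leaked_password[pos + len(marker):]
        candidates.append(prefix + caesar(dst, shift) + number)
    return candidates


if __name__ == "__main__":
    # Constructed scenario: a "med" tier site leaks, another "med" site is the target.
    leak = make_password("med", ["reddit", "com"], "reddit.com", 1)
    print("leaked:", leak)
    print("guesses for twitter.com:",
          recover_from_leak(leak, ["reddit", "com"], ["twitter", "com"]))
```

Sites that get a unique "Key" survive this, which is why the post reserves them for the most important accounts; everything sharing the default key and tier falls to a handful of guesses once a single password leaks.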




> What is wrong with this? What would be the advantage to using 1Password / LastPass over this?

My Keepass database currently has 221 entries in it. Some of these I only use once per year. There's no possible way for me to manage that without a program to help me record them.


1) Your scheme is open for all sites where you use it. So they can analyze it and get all of your passwords to other sites by this scheme.

2) You can forget "Key", especially unique keys for important sites. I have a few hundred records in KeePass; I can't imagine how to remember all of them or the "keys" to them.

3) TLDs can change, and some secrets don't have a TLD (databases, for example).

4) You can't remember all the digits of all your credit cards. If you can, either you don't have credit cards or you're kidding.

5) Sometimes you need to store very long license keys. No, license.txt is not the most safe way :)


Another issue is that you cannot track changes in password for a specific site. Many sites do not allow the previous X number of passwords.


Honestly the only problem with your scheme has been sharing it. If your Hacker News account can be used to find other accounts of yours online, you've just made writing a custom brute force script for your accounts much easier.

I imagine you've done more than most people who customize passwords based on the site/domain name, but you should never share the specifics of your algorithm. It reduces brute force effort against you from nearly infinite to possibly hackable.


I tried a system like this for a while, but it became too complicated to keep track of. How to classify a website? What happens when one site gets hacked? Etc...


The passwords themselves are rather secure.

But if somebody got their hands on one or two of your passwords, they could probably figure out the rest.



