Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: Noam on June 21, 2011, 05:49:34 AM



Title: Is anyone still not using a Password Manager?
Post by: Noam on June 21, 2011, 05:49:34 AM
Hi All,


Considering all the recent cases where people's usage of passwords turned out to be less than optimal (and sometimes just negligent), allow me to recommend a free, user friendly, secure password manager: passpack.com.

It can create random passwords for you at many lengths, so you can have very secure passwords, and most important - a different one for each service you use, for each encrypted wallet file you create, for exchanges and whatever...

I am not related to passpack in any way, I just wanted to take this opportunity and help in case a few of you feel overwhelmed by the need to manage many secure passwords at once.

If anyone else has a different tool they prefer please share it as well.


Let's take security up a notch, for everyone's sake...




Title: Re: Is anyone still not using a Password Manager
Post by: imperi on June 21, 2011, 05:57:41 AM
My "Password Manager" is in my brain, where nobody else can see them.


Title: Re: Is anyone still not using a Password Manager
Post by: Noam on June 21, 2011, 06:00:36 AM
My "Password Manager" is in my brain, where nobody else can see them.


I keep about 50 passwords, each one with 12-16 random chars... my brain is just not up to that...


Title: Re: Is anyone still not using a Password Manager
Post by: Gareth Nelson on June 21, 2011, 06:00:58 AM
Hi All,


Considering all the recent cases where people's usage of passwords turned out to be less than optimal (and sometimes just negligent), allow me to recommend a free, user friendly, secure password manager: passpack.com.

It can create random passwords for you at many lengths, so you can have very secure passwords, and most important - a different one for each service you use, for each encrypted wallet file you create, for exchanges and whatever...

I am not related to passpack in any way, I just wanted to take this opportunity and help in case a few of you feel overwhelmed by the need to manage many secure passwords at once.

If anyone else has a different tool they prefer please share it as well.


Let's take security up a notch, for everyone's sake...




Or, you can generate them yourself on your own trusted hardware.
Take a linux netbook with no internet connection and run uuidgen a few times, memorise some of the results and store them in your brain.
If you MUST store passwords outside your brain, make sure that whatever you use to store the passwords remains on your person 24/7 even while sleeping.

DO NOT use a third-party website to generate passwords - it'd be trivial for that site to log all passwords it generates, and considering how easy it is to generate passwords yourself that stinks of a scam.


Title: Re: Is anyone still not using a Password Manager
Post by: Gareth Nelson on June 21, 2011, 06:03:21 AM
My "Password Manager" is in my brain, where nobody else can see them.


I keep about 50 passwords, each one with 12-16 random chars... my brain is just not up to that...

Go to relentlessimprovement.com, order ortho-mind, alpha-GPC and piracetam. Next, get some pregnenolone from healthmonthly.co.uk.
Take the above daily and avoid alcohol and bumps to the head while practicing neurofeedback and meditation.

Long term memory is EASY to enhance.


Title: Re: Is anyone still not using a Password Manager
Post by: imperi on June 21, 2011, 06:05:23 AM
My "Password Manager" is in my brain, where nobody else can see them.


I keep about 50 passwords, each one with 12-16 random chars... my brain is just not up to that...

You can re-arrange the letters of a website to make passwords. For example, bitcoin.org could turn into n41iR32Rr22141R32Rr221.

The n is from the last letter of the domain.
The i is from the 2nd letter of the domain.
41R32Rr221 is what you memorize, and repeat it twice (with the i inserted into it). This is similarly done for every password. You could also have a number at the end for whether it's an even or odd number of characters in the domain.


Title: Re: Is anyone still not using a Password Manager?
Post by: bitdragon on June 21, 2011, 06:08:29 AM
keepassx.org has simplified my life immensely :)

Personally, I prefer to have my codes with me on my stick in an encrypted database rather than through an online interface-


Title: Re: Is anyone still not using a Password Manager?
Post by: Hook^ on June 21, 2011, 06:11:09 AM
Hi All,


Considering all the recent cases where people's usage of passwords turned out to be less than optimal (and sometimes just negligent), allow me to recommend a free, user friendly, secure password manager: passpack.com.

It can create random passwords for you at many lengths, so you can have very secure passwords, and most important - a different one for each service you use, for each encrypted wallet file you create, for exchanges and whatever...

I am not related to passpack in any way, I just wanted to take this opportunity and help in case a few of you feel overwhelmed by the need to manage many secure passwords at once.

If anyone else has a different tool they prefer please share it as well.


Let's take security up a notch, for everyone's sake...



Open Source Password Safe has the same features and more.


Title: Re: Is anyone still not using a Password Manager?
Post by: Noam on June 21, 2011, 06:12:33 AM
keepassx.org has simplified my life immensely :)

Personally, I prefer to have my codes with me on my stick in an encrypted database rather than through an online interface-

PassPack encrypts your passwords using a key set by you; it has an online interface and an offline one (desktop application), and you can save a dump of the encrypted passwords. KeePassX looks great as well; I checked it out before making my decision, but in my case I preferred an online interface...


Title: Re: Is anyone still not using a Password Manager
Post by: Gareth Nelson on June 21, 2011, 06:14:22 AM
My "Password Manager" is in my brain, where nobody else can see them.


I keep about 50 passwords, each one with 12-16 random chars... my brain is just not up to that...

You can re-arrange the letters of a website to make passwords. For example, bitcoin.org could turn into n41iR32Rr22141R32Rr221.

The n is from the last letter of the domain.
The i is from the 2nd letter of the domain.
41R32Rr221 is what you memorize, and repeat it twice (with the i inserted into it). This is similarly done for every password. You could also have a number at the end for whether it's an even or odd number of characters in the domain.

A password I no longer use was once made up of the following (and this was years ago, so it's of no use to any potential attackers now):
6 random digits generated by a 386 (see, years ago)
another 6 letters+digits from the combination to the door lock for a hotel room somewhere in London

I mixed the 2 together to get a 12-digit password

But a website? That's silly

Another thing people commonly do is to take a dictionary word and add 2-3 digits, such as Flower29 - that's downright dumb, it only multiplies the number of words to try by 100 and that's not a lot.
You should try to avoid reducing the search space for a potential attacker - anything which has a yes/no answer you should consider as 1 bit of the key, if you answer yes or no, you've given away 1 bit of the key to the attacker on average.

People also do silly things like make their password a swearword when they're known for not swearing on the theory people won't try it - the common 4 letter swears are amongst the first tried (fuck, shit, cunt etc).

Generate random numbers, do whatever you must to memorise them, and if you really can't then store them on a completely disconnected device OR in paper form with something that stays on your person even while sleeping.
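As an added illustration of the two points Gareth makes above (generate passwords on your own hardware rather than on a website, and think of the search space in bits, where a dictionary word plus two digits only multiplies the attacker's work by 100 and every yes/no fact an attacker learns costs about one bit), here is example code that is not from the thread or from any of the tools it mentions. It uses Python's secrets module for the local CSPRNG and uuid4 for what uuidgen produces in random mode; the dictionary size of 100,000 words and the attacker's guess rate of 1e9/s are assumed figures.

```python
import math
import secrets
import string
import uuid

# Alphabets for the schemes discussed in the thread.
HEX_ALPHABET = "0123456789abcdef"                                      # 16 symbols (e.g. 77adc009ea6d)
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
ASSUMED_DICTIONARY_SIZE = 100_000   # assumption: a generous English wordlist


def entropy_bits_random(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a password drawn uniformly from alphabet_size**length."""
    return length * math.log2(alphabet_size)


def entropy_bits_word_plus_digits(dictionary_size: int, digit_count: int) -> float:
    """'Flower29' style: one dictionary word followed by a few digits.
    Each appended digit multiplies the search space by 10, so two digits add
    log2(100) ~= 6.6 bits, not the ~13 bits two random printable characters give."""
    return math.log2(dictionary_size) + digit_count * math.log2(10)


def bits_after_disclosure(bits: float, yes_no_answers_known: int) -> float:
    """Every yes/no fact an attacker learns about the password (e.g. 'contains a
    swear word?') halves the remaining space, i.e. costs about one bit."""
    return bits - yes_no_answers_known


def generate_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Generate locally with the OS CSPRNG; nothing leaves the machine."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_uuid_password() -> str:
    """Equivalent of running uuidgen in random mode: a version-4 UUID carries
    122 random bits (6 of its 128 bits are fixed by the format)."""
    return str(uuid.uuid4())


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for an attacker to search half the space at the given rate."""
    return 2.0 ** (bits - 1) / guesses_per_second


def compare_schemes(guesses_per_second: float = 1e9) -> dict:
    """Side-by-side entropy and expected offline crack time for each scheme."""
    schemes = {
        "dictionary word + 2 digits": entropy_bits_word_plus_digits(ASSUMED_DICTIONARY_SIZE, 2),
        "12 random hex chars": entropy_bits_random(len(HEX_ALPHABET), 12),
        "12 random printable chars": entropy_bits_random(len(PRINTABLE), 12),
        "16 random printable chars": entropy_bits_random(len(PRINTABLE), 16),
        "uuidgen (version-4 UUID)": 122.0,
    }
    return {name: (round(bits, 1), expected_crack_seconds(bits, guesses_per_second))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    print("fresh 16-char password:", generate_password(16))
    print("fresh UUID password:   ", generate_uuid_password())
    for name, (bits, seconds) in compare_schemes().items():
        print(f"{name:28s} {bits:6.1f} bits  ~{seconds / 86400:,.1f} days at 1e9 guesses/s")
```

Running the script shows the gap the thread is arguing about: a word plus two digits sits around 23 bits and falls in under a second to an offline guesser, while 12 random hex characters (48 bits) or a UUID (122 bits) are only reachable by an attacker who can afford that many guesses. The 1e9 guesses per second figure is an assumption; for a fast unsalted hash it is conservative, and a slow KDF lowers it by orders of magnitude.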


Title: Re: Is anyone still not using a Password Manager?
Post by: imperi on June 21, 2011, 06:14:51 AM
Passwords are very important to remember. I disagree with handing them off to another authority.


Title: Re: Is anyone still not using a Password Manager
Post by: imperi on June 21, 2011, 06:16:02 AM
My "Password Manager" is in my brain, where nobody else can see them.


I keep about 50 passwords, each one with 12-16 random chars... my brain is just not up to that...

You can re-arrange the letters of a website to make passwords. For example, bitcoin.org could turn into n41iR32Rr22141R32Rr221.

The n is from the last letter of the domain.
The i is from the 2nd letter of the domain.
41R32Rr221 is what you memorize, and repeat it twice (with the i inserted into it). This is similarly done for every password. You could also have a number at the end for whether it's an even or odd number of characters in the domain.

A password I no longer use was once made up of the following (and this was years ago, so it's of no use to any potential attackers now):
6 random digits generated by a 386 (see, years ago)
another 6 letters+digits from the combination to the door lock for a hotel room somewhere in London

I mixed the 2 together to get a 12-digit password

But a website? That's silly

Another thing people commonly do is to take a dictionary word and add 2-3 digits, such as Flower29 - that's downright dumb, it only multiplies the number of words to try by 100 and that's not a lot.
You should try to avoid reducing the search space for a potential attacker - anything which has a yes/no answer you should consider as 1 bit of the key, if you answer yes or no, you've given away 1 bit of the key to the attacker on average.

People also do silly things like make their password a swearword when they're known for not swearing on the theory people won't try it - the common 4 letter swears are amongst the first tried (fuck, shit, cunt etc).

Generate random numbers, do whatever you must to memorise them, and if you really can't then store them on a completely disconnected device OR in paper form with something that stays on your person even while sleeping.

The purpose of my suggestion was to have a unique and effective password for every site that you can remember.

If you are using the same password for multiple websites, then you've already lost.


Title: Re: Is anyone still not using a Password Manager?
Post by: da2ce7 on June 21, 2011, 06:19:16 AM
https://www.grc.com/haystack.htm

useful! From this I should be secure!


Title: Re: Is anyone still not using a Password Manager
Post by: Gareth Nelson on June 21, 2011, 06:19:44 AM
My "Password Manager" is in my brain, where nobody else can see them.


I keep about 50 passwords, each one with 12-16 random chars... my brain is just not up to that...

You can re-arrange the letters of a website to make passwords. For example, bitcoin.org could turn into n41iR32Rr22141R32Rr221.

The n is from the last letter of the domain.
The i is from the 2nd letter of the domain.
41R32Rr221 is what you memorize, and repeat it twice (with the i inserted into it). This is similarly done for every password. You could also have a number at the end for whether it's an even or odd number of characters in the domain.

A password I no longer use was once made up of the following (and this was years ago, so it's of no use to any potential attackers now):
6 random digits generated by a 386 (see, years ago)
another 6 letters+digits from the combination to the door lock for a hotel room somewhere in London

I mixed the 2 together to get a 12-digit password

But a website? That's silly

Another thing people commonly do is to take a dictionary word and add 2-3 digits, such as Flower29 - that's downright dumb, it only multiplies the number of words to try by 100 and that's not a lot.
You should try to avoid reducing the search space for a potential attacker - anything which has a yes/no answer you should consider as 1 bit of the key, if you answer yes or no, you've given away 1 bit of the key to the attacker on average.

People also do silly things like make their password a swearword when they're known for not swearing on the theory people won't try it - the common 4 letter swears are amongst the first tried (fuck, shit, cunt etc).

Generate random numbers, do whatever you must to memorise them, and if you really can't then store them on a completely disconnected device OR in paper form with something that stays on your person even while sleeping.

The purpose of my suggestion was to have a unique and effective password for every site that you can remember.

And that's good advice, but you should use true entropy and THEN add associations to help remember it, doing the reverse makes an attacker's job easier.
Here's a random password I've just generated (not used on any accounts of course):
77adc009ea6d
Totally random entropy, but I can find patterns to help me remember it.

adc? the band AC/DC with a bit missing
77 - 2 digits, easy to remember as it's duplicated
009 - 900 backwards, or 9/11 backwards -11

and so on


Basically, you use the same techniques schizophrenics use to find messages in the bible, but to find messages in your random password - it then sticks in your head better.


Title: Re: Is anyone still not using a Password Manager?
Post by: Oldminer on June 21, 2011, 06:24:38 AM
Yup, never really liked the idea of 1 central location for all my passwords, having only 1 password to 'crack' to access them all, and keeping them all up to date etc, but tried a free one last night and it works superbly. Picked up a stack of passwords on install and saved them to a central website. The 'auto-fill' is quite nice too (even better than chrome auto-fill). Quite like the software. :)


Title: Re: Is anyone still not using a Password Manager?
Post by: mieomeo on June 21, 2011, 06:43:34 AM
My password for mtgox is something like this:
Yh&*(&$#hihJE83#*91@()$#G
and still when mtgox got hacked, just some hours before it got shut down, I couldn't log in anymore; someone changed it and deleted my email from my account  ???


Title: Re: Is anyone still not using a Password Manager?
Post by: triforcelink on June 21, 2011, 07:49:37 AM
My password for mtgox is something like this:
Yh&*(&$#hihJE83#*91@()$#G
and still when mtgox got hacked, just some hours before it got shut down, I couldn't log in anymore; someone changed it and deleted my email from my account  ???
That's scary, I changed my password a couple of hours before mtgox went down.


Title: Re: Is anyone still not using a Password Manager?
Post by: bitdragon on June 21, 2011, 08:43:49 AM
My password for mtgox is something like this:
Yh&*(&$#hihJE83#*91@()$#G
and still when mtgox got hacked, just some hours before it got shut down, I couldn't log in anymore; someone changed it and deleted my email from my account  ???
How do you know your email got deleted? It is possible logging in was disabled/difficult at that time, no?
My password was very similar to the one displayed above and I hope it will be fine in a few days too; if trades are rolled back, at worst it is a bitcoin withdrawal worth 1K USD, which cannot be more than 200 BTC (and I expect these to be compensated for...). However, if someone has my password, I am counting on using the same IP to authenticate myself, and will not be travelling to Latvia soon; I was wanting to withdraw my coins last week but was slow on that.


Title: Re: Is anyone still not using a Password Manager?
Post by: rebuilder on June 21, 2011, 08:56:30 AM
For passwords I need to remember on a daily basis, I will usually generate passes I can remember phonetically. One way I tend to do this is to look around wherever I am when I'm making the password, see what words come up in my mind at the moment, apply some free association until I come up with something you won't find in any dictionary, nor could even associate with the words I used. Then add capitalizations and special characters, typing out the password to see what kind of combination seems haptically natural to me.

So for example I'm looking at a plastic model of a space invader now. Invader > Vader >walsdorf>wassroed>W8SsR?3D

After a while of using this pass, I wouldn't need to remember the sequence I used to "derive" it, but before I get that accustomed to it, it can be useful to have a kind of memory trace I can refer to if I forget what it was.

For more important things I'll use longer passwords stored in a text file in an encrypted container secured with a long passphrase.


Title: Re: Is anyone still not using a Password Manager?
Post by: mieomeo on June 21, 2011, 09:02:25 AM
My password for mtgox is something like this:
Yh&*(&$#hihJE83#*91@()$#G
and still when mtgox got hacked, just some hours before it got shut down, I couldn't log in anymore; someone changed it and deleted my email from my account  ???
How do you know your email got deleted? It is possible logging in was disabled/difficult at that time, no?
My password was very similar to the one displayed above and I hope it will be fine in a few days too; if trades are rolled back, at worst it is a bitcoin withdrawal worth 1K USD, which cannot be more than 200 BTC (and I expect these to be compensated for...). However, if someone has my password, I am counting on using the same IP to authenticate myself, and will not be travelling to Latvia soon; I was wanting to withdraw my coins last week but was slow on that.


I know because every time I try to recover my password, it says that there's no email for my account :(. Hope it's just a temporary disabling of my account  ???.


Title: Re: Is anyone still not using a Password Manager?
Post by: bitcola on June 21, 2011, 09:15:36 AM
There seems to be no easy solution.

Strong passwords are forgotten easily if you don't often use them.

Password managers have a single source of failure. Crack the database password and you're in. Your life is fucked.


I sometimes use obscurity. For example, leave a complex password somewhere but without a username or the site concerned. Someone who might find it knows it's a password but has no use for it; it could be the password to absolutely anything.
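As an added example of what "crack the database password and you're in" means for a password manager such as the ones recommended earlier in the thread (KeePassX, Password Safe, PassPack encrypting under a key set by you), here is a small vault whose entries are encrypted under keys derived from the master password. This code is mine, not the thread's and not any of those products' actual implementation: the scrypt cost parameters, the HMAC-SHA256 counter-mode keystream, the vault layout and the sample entries are all assumptions for the demonstration, and a real product would use a standard AEAD such as AES-GCM. What it shows are the two defences that decide how bad the single point of failure is: a slow KDF that taxes every master-password guess, and an authentication tag so that a wrong master password fails closed rather than yielding garbage the attacker could sift.

```python
import hashlib
import hmac
import json
import math
import secrets
from typing import Optional

# scrypt cost parameters (assumption for the demo; raise N as far as your
# hardware tolerates so each master-password guess costs the attacker more).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_keys(master: str, salt: bytes):
    """Stretch the master password with scrypt and split the output into an
    encryption key and an independent MAC key."""
    km = hashlib.scrypt(master.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode (demo stream cipher; a real
    vault would use a standard AEAD instead)."""
    blocks, counter = bytearray(), 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def lock_vault(master: str, entries: dict) -> dict:
    """Encrypt-then-MAC the JSON-serialised entries under the master password."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def unlock_vault(master: str, vault: dict) -> Optional[dict]:
    """Return the entries, or None if the master password is wrong or the file
    was tampered with. The tag is checked in constant time before decrypting."""
    salt, nonce = bytes.fromhex(vault["salt"]), bytes.fromhex(vault["nonce"])
    ciphertext, tag = bytes.fromhex(vault["ct"]), bytes.fromhex(vault["tag"])
    enc_key, mac_key = derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


def kdf_equivalent_bits(kdf_seconds_per_guess: float, fast_hash_seconds_per_guess: float) -> float:
    """How many bits of master-password entropy the KDF effectively adds:
    log2 of how much slower one guess is than a plain hash."""
    return math.log2(kdf_seconds_per_guess / fast_hash_seconds_per_guess)


if __name__ == "__main__":
    # Constructed sample entries; not real credentials.
    entries = {"exchange": "example-password-1", "forum": "example-password-2"}
    vault = lock_vault("correct master passphrase", entries)
    print("wrong master ->", unlock_vault("Flower29", vault))
    print("right master ->", unlock_vault("correct master passphrase", vault))
    print("scrypt at ~50 ms/guess vs SHA-256 at ~1 us/guess adds about",
          round(kdf_equivalent_bits(0.05, 1e-6), 1), "bits")
```

The KDF does not remove the single point of failure; it only prices it. With the assumed 50 ms per scrypt guess against a microsecond per plain hash, an attacker who steals the vault file needs about 2^15.6 times more work per guess, which is worth roughly 15 extra bits of master passphrase. A master passphrase with the entropy of a dictionary word plus two digits is still gone in minutes, so the master secret has to be the one genuinely random, memorised password that the thread's "store it in your brain" camp is arguing for.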