Using Password Hints

[Bunghole]

I don't see much discussion about using password hints, to ensure that you never forget your password.

With every encrypted wallet file, I include an unencrypted plaintext password hint.  I use hints that I would never forget, like the nickname of a childhood friend.  Yes, there will be a few people who would know the answer to one hint, but if you use hints from many areas and times of you life, then no one person would be able to answer all of them.  And probably none of those people are hackers anyway.

Here's an example:
- Password: Raiders5355RedburgEunice
- Hint: HSMascot+My First Bank PIN+Tommy's Hometown+Lana's Mom's First Name

If Tommy and Lana are from different walks of life (e.g. one is a childhood friend and one is a college girlfriend), that helps increase the security.

Yes, there is a tiny risk involved, but it seems that that risk is lower than the risk of forgetting your passwords or creating simple passwords that are easy to remember and thus also easy to hack.

Any comments?

[Auspician]

That's somewhat effective, but I prefer this method:

Pick a phrase that you are very familiar with (either the line from a joke, movie, or book).  Make the password the first letters of every word in that phrase, and include punctuation and capitalization when appropriate.  For added security, change certain letters into numbers, for example e's into 3's.  This makes a neigh-unhackable password (assuming the phrase is long enough) that is relatively easy to remember.

[Bunghole]

Can anyone find any holes in my technique of using password hints?

[dontListen2me]

I use randomly generated keys.

KeePass seems pretty solid.

[Auspician]

@Bunghole: Yes.  A bruteforce attacker could with some difficulty break your password because it contains dictionary words, proper names and numbers.  You're much better of scattering your numbers, special characters and capitals throughout the password, and finding a convenient trick to remember it.

[Bunghole]

Does a brute-force dictionary attack have any realistic chance of breaking a 24-character password like Raiders5355RedburgEunice, when the payoff is relatively small (e.g. my modest bank account or one of my modest bitcoin wallets)?

I do agree that adding in some special characters would help - maybe from now on I put a dash between each word, e.g. Raiders-5355-Redburg-Eunice.  A dash seems to be allowable by most password systems.

[maykelmoya]

Some hints and metrics in http://www.baekdal.com/tips/password-security-usability.

[willphase]

I use passwordchart.com for all my passwords to make them all unique and I can access the site from anywhere even when offline if needed. Really glad I found it.

Will

[BitCoinBarter]

Does a brute-force dictionary attack have any realistic chance of breaking a 24-character password like Raiders5355RedburgEunice, when the payoff is relatively small (e.g. my modest bank account or one of my modest bitcoin wallets)?

I do agree that adding in some special characters would help - maybe from now on I put a dash between each word, e.g. Raiders-5355-Redburg-Eunice.  A dash seems to be allowable by most password systems.

BH,

I agree with you, your password seems very strong. Adding a dash (or other things) should be done to make it even stronger.

(1) I suggest you devise a strong password such as that. Then get LastPass (www.lastpass.com) or Keepass (http://www.keepass.info). Keepass is FLOSS (i.e., free) and LastPass has a free version that will do do what you need (plus more).
I use LastPass myself, however KeePass is equally good (as in protection).

LastPass is easier to use it you want to use it to login to sites.  If you don't want to do that, then KeePass would be good.

You will need to keep a backup of KeePass somewhere (in case your computers crashes).
You will not have to do that with LastPass (An encrypted copy will be stored on a LastPass server).
LassPass does not have a copy of your LastPass key.

In both cases, if you forget your password then you are done.

!!Warning!! You could reset your password with LastPass, however I suggest you to turn that option off.
If you decided LastPass, then post again and I will instruct you how to turn that option off.

(2) Then use your password (the one you devised earlier) as your main password for Lastpass or KeePass. Then within LastPass or KeePass, you could store your other passwords.

Here is an example of what one of those stored passwords could look like: 2v&u&@wutxazC3%s&C@vhq^tykqa%WN8YAc!nh69JT6pTc2bSyqzgd$4GnKaaFK2cG4T3@vaHFWT3J*6QP4s*pTVcu*CaKtaf8uj

I used LastPass's Password Generator to come up with that. KeePass also has a Password Generator.

I also advise you to check out: https://www.grc.com/haystack.htm to get an ideal how long it could take to bruteforce your password.
Assuming you use Raiders5355RedburgEunice : 33.64 million trillion centuries

Please read the whole page, it will open up your eyes. From that site:
"...The #1 most commonly used password is “123456”, and the 4th most common is “Password.” So any password attacker and cracker would try those two passwords immediately. Yet the Search Space Calculator above shows the time to search for those two passwords online (assuming a very fast online rate of 1,000 guesses per second) as 18.52 minutes and 17.33 centuries respectively! If “123456” is the first password that's guessed, that wouldn't take 18.52 minutes. And no password cracker would wait 17.33 centuries before checking to see whether “Password” is the magic phrase..."

The generated password I provided could take: 1.90 million trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries

[iBTC]

Can anyone find any holes in my technique of using password hints?

HSMascot+My First Bank PIN+Tommy's Hometown+Lana's Mom's First Name
^^ if a person knows you enough then yes that's a risk.

So yeah in some sense d@a2$sF2W9 can be more secure than Raiders5355RedburgEunice with that hint.

[theymos]

Hint: HSMascot+My First Bank PIN+Tommy's Hometown+Lana's Mom's First Name

It would probably take less than a day to gather all of that information. The only "hard" part is the PIN, but four numbers can be brute-forced in no time.

Good passwords aren't hard to remember if you type them often enough.

[Bunghole]

It would probably take less than a day to gather all of that information.

Possibly, but remember that I use a different group of passwords and hints for each different site and/or wallet; although, there is some overlap.  It just doesn't seem realistic that someone would do all of that meatspace investigation just to get at one or two 50-bitcoin wallets.

If you're just an average person, aren't 99% of the threats in cyberspace where the hacker's effort is cheap, as opposed to meatspace, which involves social engineering and is relatively expensive, considering the low payoff?

[AntiVigilante]

I have an awful memory.

I walk the keyboard in a particular shape and that's the password.