Hello everyone.
I'm considering using one of these "password reminders" like LastPass. I historically preferred to avoid software for this, because you constantly run into situations like "no access to your machine", "no battery on the phone", "what if no internet", "inconvenient", "place your data in the hands of a party that can go bust", etc. But I'm starting to consider it.
My present password strategy is: use a high entropy password (estimated 98 bits on http://rumkin.com/tools/password/passchk.php) with a part that is always the same (the high entropy part) and a part that can be hinted by contextual information (and has low entropy). For instance, "!?.op." plus the last three letters of the domain name (excluding the tld).
I see three problems here:
1. Password reuse. There is still a pattern. If I happen to enter my password on a site that gets hacked or is just malicious, the pattern can be identified. Of course, chances are low that the hacker bothers when he has so many other, simpler passwords at his disposal.
2. No change of password. It is nigh impossible to periodically cycle through all the websites to change the password (a database would make it less difficult because I would not have to remember all the websites, but it would still be very tedious, to the point that it would simply not be done). And if I don't spend days changing the password on all the websites in a row, I would then have to remember three or four different patterns.
3. Exception handling. You will always find a website that doesn't allow one of your characters (same issue with the space in passphrases) or places an upper limit on characters (particularly annoying for passphrases). Those exceptions must be handled by hand. On the other hand, with dedicated software, there is basically no exception, since there is no rule.
As you can see, both approaches (pattern-based and dedicated software) have their limits. All in all, which strategy would you suggest:
pattern-based passwords or
dedicated software?
Thank you
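To make problems 1 and 3 of the scheme above concrete, here is an added example (not code from the original post) that models the "fixed part + last three letters of the domain label" rule, shows what a breach of two sites exposes about the fixed part, and checks a derived password against a constructed site policy. The domain list, the policy and the single-label TLD handling are assumptions of this example.

```python
import math

FIXED_PART = "!?.op."  # the always-the-same, high-entropy part from the post


def site_label(domain: str) -> str:
    """Registrable label of a domain, ignoring the TLD (assumes a single-label TLD)."""
    labels = domain.lower().strip().split(".")
    if len(labels) < 2:
        raise ValueError(f"not a qualified domain: {domain!r}")
    return labels[-2]


def derive_password(domain: str, fixed: str = FIXED_PART) -> str:
    """Pattern-based password as described: fixed part plus the label's last three letters."""
    label = site_label(domain)
    if len(label) < 3:
        raise ValueError(f"label {label!r} is shorter than three letters")
    return fixed + label[-3:]


def shared_fixed_part(pw_a: str, pw_b: str) -> str:
    """Longest common prefix of two site passwords: the part two unrelated breaches expose.
    It can overshoot by a letter when both site suffixes happen to start the same way."""
    n = 0
    for x, y in zip(pw_a, pw_b):
        if x != y:
            break
        n += 1
    return pw_a[:n]


def variable_part_bits(pattern_known: bool) -> float:
    """Entropy of the site-specific suffix: about 14 bits if an attacker must guess one of
    26^3 three-letter suffixes, 0 bits once the pattern and the target domain are known."""
    return 0.0 if pattern_known else 3 * math.log2(26)


def policy_exceptions(password: str, allowed: str, max_len: int) -> list[str]:
    """Problem 3: reasons a site would reject the derived password (constructed policy)."""
    problems = []
    if len(password) > max_len:
        problems.append(f"too long ({len(password)} > {max_len})")
    bad = sorted({c for c in password if c not in allowed})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    return problems


# Constructed sample domains; two breached sites are enough to recover the fixed part.
LEAK_A, LEAK_B = derive_password("mail.example.com"), derive_password("wikipedia.org")
```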