Any password system complex enough to be secure for the 100 logins people have these days will require some way to keep track of them all, and then you’re right back to a password manager minus the convenience.
Comments
You don’t need to keep track of any passwords when you use a mnemonic. You just derive a part of the password from the name of the service according to rules only you know. You only need to remember the rules you use for constructing your passwords.
I moved away from this approach 15 or so years ago. No sharing with family members, hard to accommodate password rules (e.g. length, characters), broke with changes (M&A, service renames), no autofill, too guessable vs. too hard tradeoff. And now, doesn't support passkeys. I have 600+ passwords.
Right, so if the system is complex enough that it isn’t immediately obvious, you’ve still got a problem of keeping track of it. If it’s not, a data leak at one site potentially compromises every other site because someone could reverse engineer your system. Salt needs tracking, no salt is crackable.
How would they reverse engineer my system when the end result is a string of unrelated characters? It only takes a couple of simple mental steps. And who is going to take the time to do that? Whereas if I outsource it to a third party I might end up like our mutual friend Ed! I’d rather rely on me!
Who is going to take the time to work out the password to your bank? A whole lot of people! Again, if your system is complex enough that it’s unlikely to be reverse engineered even with several samples, it’s also probably extremely cumbersome to actually use without a tracker, else it’s insecure.
Look, obviously I’m not going to discuss any specifics of my system in public, but trust me, there are loads of simple methods you can use to do this. It’s easy to remember and create complex passwords based on personal rules that only you understand.
If it’s simple it’s easy to reverse engineer with a couple of examples; if it’s not, it will be cumbersome to execute every time you enter a password instead of just having a manager do it automatically in a millisecond. If you’re okay with that, great, but it’s not a good broad standard for security.
You’re missing my point here, man. Obviously phone numbers don’t have to be secure. I’m just using them as an example that society used to think it normal for people to remember several long unrelated strings of numbers.
There was never a time where people were expected to remember 100 different 12 character alphanumeric sequences, actually. Most people remembered maybe a dozen or so 7 digit numbers, which is quite different.