Ask HN: Alternatives to a password manager?
13 points by jkeesh on Aug 5, 2012 | 7 comments
With the recent post about getting hacked, I was wondering about how everyone on HN manages their passwords. I searched HN history and there have been a few threads on this topic, but with very few comments.

It seems that one of these types of post surfaces every month or so, reminding us of the dangers and security issues surrounding passwords/backups/dependence on cloud sites and what happens when things go wrong.

The classic tradeoff with passwords is one between security and convenience. I used to use a password manager briefly, but it was too inconvenient (mobile access + access on other computers).

Who uses a password manager? If you don't use a password manager how many passwords do you keep? Does anyone use a scheme for keeping passwords? For example, given the website you can figure out what your password is based on some rule.

I'm thinking of switching to that last one--are there any strong reasons not to, or better ways to keep passwords if I don't want to use a password manager?



I've recently moved to using 1password (prior to that, Lastpass). I was skeptical at first, but have grown to embrace 1password more and more and find myself annoyed when sites will not allow my standard, 1pass generated passwords (50 characters).

That said, two factor for anything of critical importance (in my case, gmail and work email).


Use two factor where possible, but for the password, here's an easy format that I use to generate a strong and (somewhat) unique password per site:

1. Choose your passphrase - something like "I like long walks on the beach after seven"

2. Take the first letters to give you something like this: iLLwotBa7

3. Throw a symbol on the end: iLLwotBa7?

4. Append a 3 letter site name acronym in a similar way to the phrase (I use 3 for consistency): iLLwotBa7?hkn

5. Throw on another symbol: iLLwotBa7?hkn!

That's what I do, so I only have to remember the 3 letters for each site. Here's some more: Reddit - rdt, Gmail - gml, etc.
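As an added illustration (not part of the comment above or of the thread), this Python sketch builds passwords in the format the comment describes and measures how much of each one is identical across sites, next to a PBKDF2-based per-site derivation that is an assumption added here for contrast. The function names, the salt and the choice of PBKDF2 are constructed for the example; the initials and site tags are the ones quoted in the comment.

```python
import base64
import hashlib

def scheme_password(initials: str, site_tag: str, sym1: str = "?", sym2: str = "!") -> str:
    """Format from the comment: phrase initials + symbol + 3-letter site tag + symbol."""
    if len(site_tag) != 3:
        raise ValueError("the comment uses a 3-letter site tag")
    return f"{initials}{sym1}{site_tag}{sym2}"

def derived_password(master: str, site: str, salt: bytes, length: int = 20) -> str:
    """Contrast case (assumption, not from the thread): PBKDF2-HMAC-SHA256 over
    the master passphrase, salted with a stored random salt plus the site name."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt + site.encode(), 200_000)
    return base64.urlsafe_b64encode(key).decode()[:length]

def shared_fraction(a: str, b: str) -> float:
    """Fraction of positions at which two equal-length passwords are identical."""
    if len(a) != len(b):
        raise ValueError("passwords must have equal length")
    return sum(x == y for x, y in zip(a, b)) / len(a)

# Sample values: initials and tags as quoted in the comment, the rest constructed.
INITIALS = "iLLwotBa7"
MASTER = "I like long walks on the beach after seven"
# Constructed salt; in practice generate 16 random bytes once and store them.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    a, b = scheme_password(INITIALS, "hkn"), scheme_password(INITIALS, "rdt")
    print(a, b, f"shared={shared_fraction(a, b):.2f}")
    c, d = derived_password(MASTER, "hkn", SALT), derived_password(MASTER, "rdt", SALT)
    print(c, d, f"shared={shared_fraction(c, d):.2f}")
```

In the comment's format 11 of the 14 characters are the same on every site, so only the 3-letter tag distinguishes one site's password from another's.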


I like the approach but why not use the full site name instead of a 3 letter acronym? It would be easier to remember. Is it just in case of a leak the link between the acronym and the site is not easily spotted?


I suppose because it's a dead giveaway to that part of the string of the password and if the point is to make it look random and secure, you don't want to be using the real site name for obvious reasons.


Thanks for sharing. I think I am going to switch to a scheme like this.


Apologies for the formatting, I am on my iPhone.


I use hard copy and do not carry them with me. For most non-critical sites I use a simple algorithm to get the password on the fly. For sites that support OpenID, I use 2 factor auth enabled two factor I have created.



