
So in the past I've advocated password algorithms (sometimes called password formulas):

https://penguindreams.org/blog/password-algorithms/

I felt like they could bridge the gap between a regular person who is weary of having to look up every password using a password manager (although a lot of them make it easier with browser plugins and phone apps, but it's still an extra step).

However, in light of the recent Gentoo vandalism, it seems like a user had their password formula figured out. Algorithms do guard against credential stuffing; that particular person was most likely specifically attacked. If you have a strong formula, it should take at least 7 or 8 passwords to begin to figure it out.

At a minimum, if you have non-tech friends who use a single password for everything, start them off easy: You should use a manager. It's the only way to guard everything. But if they don't want to go that route, at a bare minimum, recommend that they need three passwords. One that's highly secure for banks, employment and government. One insecure for everything else. And finally one for your e-mail which should be shared with nothing!

Password algorithms are a step up. It's a trade-off of course: you are protected against credential stuffing and you don't need a manager; you can have a different password for every site without having to memorize a hundred passwords, only the exceptions to stupid password rules. The trade-off: your algorithm probably sucks, and if you're targeted specifically, someone can get to everything.

Every aspect of security involves trade-offs. The various password management choices, along with their advantages and disadvantages, should be taught in high school.



A variation on the password algorithm: Generate half of your password by using the algorithm. Create the other half, one per site, using a random algorithm, and write it on a piece of paper (if the site has stupid "security" requirements for the password, you can usually fit these into your random string).

To regenerate your passwords, an adversary would need both to figure out your algorithm and obtain your piece of paper.


If you're already writing half the password on a piece of paper, wouldn't it be safer to generate the whole password randomly and write that down?


If only half the password is written down, anyone who obtains that paper without knowing the algorithm only knows half the password!


Oh, that's right, thanks!


Or, you know, use a password manager.


Which password manager is the most secure / robust / potentially long lasting company out of: LastPass, 1Password, Dashlane, Keeper (or others?)?


I use LP. I also used 1Password professionally and I found it cumbersome, but your mileage might vary. I disliked Dashlane and never used Keeper. They all do roughly the same thing; the difference is mostly in UI, so just test them out and see what you like best.


Password algorithms, aka deterministic password managers, are usually pretty strong, specifically as strong as the master password(s) you use. Meaning that it’s usually easier to guess the mp than to reverse the algorithm.

Personally, I have different mp for different “security domains” (google/fb, banks, other socials, ...), and I’m using just a sha256 plus encoding — a trade off between requiring a stronger mp, and being able to easily remember everything, including the algorithm.

I wrote more about it here: https://hackernoon.com/mempa-a-modern-deterministic-password...
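An added illustration (not the mempa project's code, and not from any commenter) of the "sha256 plus encoding" style of deterministic password manager the comment above describes, with one master password per security domain. The master passwords, the site names and the encoding step that forces upper/lower/digit/symbol characters are all constructed for this example.

```python
import base64
import hashlib
import string

# Constructed master passwords, one per "security domain" as in the comment.
# Placeholders only; a real one would be a long, memorable passphrase.
MASTERS = {
    "banks": "placeholder master passphrase for banks",
    "social": "placeholder master passphrase for socials",
}

SYMBOLS = "!@#$%^&*"


def derive_password(master: str, site: str, length: int = 20) -> str:
    """Deterministically derive one site password from a master password.

    SHA-256 over master and site (separated by a NUL so "ab"+"c" and
    "a"+"bc" cannot collide), then an encoding step: the first four
    characters are forced to satisfy typical upper/lower/digit/symbol
    rules, the rest come from the base64 alphabet.  An attacker who knows
    this algorithm still has to guess the master, so the derived password
    is exactly as strong as the master and no stronger.
    """
    digest = hashlib.sha256(f"{master}\x00{site}".encode("utf-8")).digest()
    forced = (
        string.ascii_uppercase[digest[0] % 26]
        + string.ascii_lowercase[digest[1] % 26]
        + string.digits[digest[2] % 10]
        + SYMBOLS[digest[3] % len(SYMBOLS)]
    )
    rest = base64.b64encode(digest[4:]).decode("ascii").rstrip("=")
    return (forced + rest)[:length]


def password_for(domain: str, site: str) -> str:
    """Pick the master for a security domain and derive the site password."""
    return derive_password(MASTERS[domain], site)


def meets_common_rules(pw: str) -> bool:
    """Check the usual 'must contain upper, lower, digit, symbol' rule set."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw))


if __name__ == "__main__":
    for site in ("bank.example", "social.example"):
        print(site, password_for("banks", site), password_for("social", site))
```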


Ew. Friends don't let friends use low-entropy passwords.

"Password Strength" https://www.xkcd.com/936/

Diceware: http://world.std.com/%7Ereinhold/diceware.html "This page offers a better way to create a strong, yet easy to remember passphrase for use with encryption and security programs. Weak passwords and passphrases are one of the most common flaws in computer security. Take a few minutes and learn how to do it right."


As someone who is technically literate but doesn't use a password manager: I sign up for a lot of services on one device (home laptop) and then need to use them on another device (work laptop, phone). How does a password manager work for this?

I currently have about 15 different passwords I use. I know which to use based on how long I've been using the service. Why is this strategy ineffective? At most a hacker could get 3-4 of the services I use, and even then they'd need to find each of those services out of the hundreds I use. I also have 4 different emails I use for logins.


Most password managers provide apps and syncing, and are often integrated into your browser, so everything is a click away. Having to juggle 4 emails, remember which of 5 passwords a site uses, and figure out your exposure in case of a breach seems a lot harder than the above.


I happen to use the open source password manager from Keepass.info. It works on a local password file protected by strong crypto. Then, I use Dropbox to sync that file from device to device.

The problem with using the same password on multiple sites is this: if any one site gets pwnd, it gets a lot easier for the cybercreeps to pwn your account on other sites (says Obvious Man).

It doesn't take much technical skill to credential-stuff: to hammer a lot of sites with a list of credentials. So, keeping the list of sites you actually use a secret is not effective.

This whole deal sucks. But it's real.


Personally, I use LastPass across browsers in multiple desktop accounts and my mobile browser, with no issue. You create a LastPass account, presumably with a very secure password, that you can log into elsewhere.

As for the password strategy, I imagine you could be vulnerable if any two important accounts - say, email and bank - both used the same password. Are you confident this is not the case?

I assume certain emails associate with certain types of accounts, which could flaw your strategy. If you're able to remember ~15 different passwords with random emails, congrats on your stellar memory!


I use Google Smartlock, and it functions across all my (android) devices quite well. It does sort of rely on your being all-in on the Google ecosystem. At work we use LastPass, but since I only use it on the desktop in a browser I can't speak to how it works across devices.


LastPass works for multiple devices, including mobile - you can sync to 1 LastPass account, too.


Does Smartlock work with native mobile apps (which may or may not use a magic webview for auth), or is there a way to manually transfer a password to log into an app?


Password managers across devices:

Either use a service that syncs up to a server, or use a standalone app and save its encrypted database to a shared filesystem such as Dropbox or pCloud.


As long as you don't care if at most 4 of your accounts get hacked, then you have an effective strategy, I guess.


>The trade off: your algorithm probably sucks

I suspect most people will end up having weak algorithms the same way they have weak passwords.



