Passwords
DVoropaev, 2017-09-17 22:34:02

How to develop a password policy for yourself?

I, like each of you, have many accounts.
Each requires a separate password, and some passwords need to be changed periodically.
I don't want to use password managers (not convenient\difficult\paranoia). I prefer to keep passwords in my head, but I want to organize it somehow.
Example:
I have several accounts in games, but I'm not a gamer, and losing an account is not critical for me, so those passwords need not be updated. Sometimes I register on various unpopular sites in order to download something and then forget about them. I register some mailbox that I do not use and which has no personal / important data. Here a simple password can be set everywhere.
But with cloud storage passwords everything is different: passwords should not be simple, and should be changed every two months.
Roughly speaking, passwords can be divided into levels of criticality:
1) Work accounts: complex, changed every month
2) ...
...
n) Games and one-time registrations: simple, need not be changed.
Are there any generally accepted recommendations in this case?

7 answer(s)
longclaps, 2017-09-17
@longclaps

The common practice is to use password managers.
"Not convenient\difficult\paranoia" - now everyone will rush to dissuade you. Yeah, right.

Michael, 2017-09-18
@Sing303

Use password managers, of course, what else.
What is your paranoia about? For some reason I can't believe it can be harder or less convenient than keeping them in my head.

Maxim Moseychuk, 2017-09-17
@fshp

"should be changed every two months"

It is necessary to give preference to services with two-factor authorization.

Andrey Fedoseev, 2017-09-18
@itlen

Once I decided for myself:
login = domain + salt (or your own)
password = domain + login + salt2
salt and salt2 are something you will not forget: postal code, date, cat's name.

xmoonlight, 2017-09-17
@xmoonlight

Good and advanced services have many account protections.
1. Check that the password is sent ONLY in encrypted form or via SSL!
2. Password (any, and it need not be changed) + e-mail + SMS + Google Authenticator + filter by IP address / subnet + OAuth / SSH tokens are also available, etc.
In general, the question is a good one: someone should write the article "Accounting in the safe"))
Let's create a function (formula):
Function: login, hash: sha1(domain+"salt"), current date of creation/change of the password, alphabet of all possible characters in the password, the requirements for forming the password, and its own "salt".
Input: only the domain.
Then we calculate the hash, find the login by that hash, and after that calculate the password.
Output: a login and a ready-made password. That is, without knowing the domain and the formula, you cannot find out the exact login and password.
The password is not stored anywhere.
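The derivation scheme sketched in the two answers above (Andrey's login = domain + salt / password = domain + login + salt2, and xmoonlight's hash-based function with a date, an alphabet and formation requirements) as one runnable example, added here and not code from either poster. The two secret salts, the alphabet and the formation rule (at least one lowercase, uppercase, digit and symbol) are assumptions of this example; the date is passed as an ISO string so that changing it rotates the password.

```python
import hashlib
import hmac
import string

# Constructed secrets for this example only; in the scheme these are the
# two things you memorise ("salt" for the login, "salt2" for the password).
SECRET_SALT = "example-salt"
SECRET_SALT2 = "example-salt2"

# Assumed alphabet of all characters the password may contain (70 symbols).
SYMBOLS = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def derive_login(domain: str) -> str:
    """login = sha1(domain + salt), truncated; the domain is not visible in it."""
    digest = hashlib.sha1((domain + SECRET_SALT).encode()).hexdigest()
    return "u" + digest[:12]


def meets_requirements(pw: str) -> bool:
    """Assumed formation rule: at least one lowercase, uppercase, digit and symbol."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw))


def derive_password(domain: str, login: str, changed_on: str, length: int = 16) -> str:
    """password = f(domain, login, salt2, date of last change).

    HMAC-SHA256 keyed with salt2 yields a deterministic byte stream that is
    mapped onto ALPHABET. A counter is folded into the message and bumped
    until the candidate satisfies the formation rule, so the output is still
    fully determined by the inputs and nothing has to be stored.
    """
    counter = 0
    while True:
        msg = f"{domain}|{login}|{changed_on}|{counter}".encode()
        raw = hmac.new(SECRET_SALT2.encode(), msg, hashlib.sha256).digest()
        candidate = "".join(ALPHABET[b % len(ALPHABET)] for b in raw[:length])
        if meets_requirements(candidate):
            return candidate
        counter += 1


def credentials_for(domain: str, changed_on: str):
    """Input: only the domain (plus the memorised change date); output: login and password."""
    login = derive_login(domain)
    return login, derive_password(domain, login, changed_on)


if __name__ == "__main__":
    print(credentials_for("example.com", "2017-09-17"))
```

Because the output is deterministic, the two salts and the formula are the only secrets: anyone who learns them can recompute every login and password, which is the trade-off against a password manager.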

Trotilla, 2017-09-18
@Trotilla

Take your favorite book...
https://en.wikipedia.org/wiki/%D0%9A%D0%BD%D0%B8%D...

fdroid, 2017-09-18
@fdroid

If the service is equipped with 2-factor authentication, the complexity of the password does not play any role at all; you could even use vasya123. And all serious and important services are already equipped with 2-factor, including cloud storage. Somewhere the authorization confirmation comes via SMS, somewhere OTP applications are used. OTP apps all work on the same principle, so you can use any of them. For example, I use Yandex Key for Android, which works great with Yandex, Mail, Dropbox, Google, OneDrive, and even my own Nextcloud accounts. Before the widespread use of 2-factor, my accounts were still stolen from time to time, and the complexity of the password did not play any role. I restored access, of course, but it was all nerve-wracking. After the introduction of 2-factor - never. For all kinds of junk sites and one-time registrations you can use a one-time e-mail; there are many such services. The purpose of creating such a mailbox is to get the link to confirm registration, click on it and forget. If the account on such a site gets hijacked - so be it.
PS When I ran into difficult passwords, I used the most difficult combination I knew from memory, namely J3QQ4-H7H2V-2HCH4-M3HK8-6M8VW =) Naturally, not in this form, but there was a certain algorithm. For example, for sites of one group I used this principle: a special character before each block, the first letter after the first digit in the block is capital, the rest are lowercase, dashes are skipped. It turned out something like this: ?j3Qq4?h7H2v?2Hch4?m3Hk8?6M8vW. For sites of another group, a different special character and all capital letters were used, with only the first letter after the first digit in the block lowercase. For junk sites I used only the first two blocks and a simplified formation principle. Etc. That is, only a supercomputer could crack such passwords in a couple of centuries, and still accounts got stolen. Who knows where I slipped up, because I follow the system carefully; I don't have malware, trojans or anything else.
