How to choose the "best" passwords and not forget them

[irneb]

The question is where to store all those passwords in a safe place?

Ouch! That's a problem! Write it down and lock it in a safe I guess.

The point I'm trying to make about this entire thread: You don't want to "store" your passwords somewhere, that's just making for one more weakpoint. And if your passwords are so complex that you have to write them down, it means chances are that you are going to request password resets quite often - which on their own is already not too secure.

Rather choose a long(ish) phrase / set of ideas which you can more easily remember (especially relevant to each site where you log in). Then you might want to mutate that using some of the methods described here to try and obfuscate it so it's not as easily guessable as simply running a program trying out various word combinations. That way you should be able to remember the phrase / ideas for that site, and be able to work-out the actual password from the methods you chose. No more need to write anything down.

[irneb]

An update on this: http://boingboing.net/2014/02/25/cho...-password.html

Exactly as I thought originally. Simple letter substitutions and/or keyboard patterns (even like those in the cartoon) are simply too easy to crack into. Even he suggests using a sentence and some random method of your choosing to extract portions from that and modify some to come up with a more garble-like password.

Something I didn't think about which is mentioned there: needing to change passwords periodically might actually be a weak point. If it's known that a particular site requires its users to change their passwords on a particular date, then crackers can target the site's connection to try and "read" the data sent through that day. Or even much easier, use phising emails to impersonate the site so users send the cracker their new passwords in addition to the old.

As for storing passwords ... he mentions Password Safe, though I am a bit sceptical about this.