If anyone gets even one of my important passwords, they can do so much damage it really won’t matter if they get more than one. If you are on fire and you can’t put it out, does it matter if you have an extra ounce of parafin in your pocket?

I’m really fond of the passfaces  idea (realuser.com) – the human brain is hardwired to recognize faces.

This prevents keyloggers stealing my full login credentials (the most likely way of losing them) but it means the bank’s backend system must be able to read my password in plain text.

Of course if I were designing a system I would have an initial password and encrypt a 2nd password with the first to use for random character logins.

… so, use something like the Daily-Mail-o-matic to generate passphrases?

http://www.qwghlm.co.uk/toys/dailymail/

In the latter case, you just need an appropriate generator to circumvent the problem.  Just because people don’t naturally come up with “young table” when asked to think up a passphrase, that doesn’t mean they won’t be able to use it if it’s assigned to them.

The xkcd version falls down because it’s ungrammatical and so the user can’t easily remember the order the four words go in.  It’ll take up to 24 tries to get right, which is more than anyone will put up with.

However, if you use randomly-generated phrases of the form “noun verbs adjective noun”, that should have the desired combination of high entropy and high memorability, since the order of the words is specified by the natural grammar of the phrase.

Cheesecake paints blue hairnet

Downside: Passphrases suck.
Upside: Researchers discover awesome new compression algorithm for ebooks.

More importantly, your password scheme is NOT easy for humans to remember. Given the multitudes of passwords each of us has, how do you remember what phrase corresponds to each? Does Ziggy Stardust get me into my bank? Or is it Aladdin Sane? Or Lady Stardust? Hunky Dory?

Finally, even if you do correctly associate your bank with Ziggy Stardust, and remember the appropriate line, L33T speak is hardly a one-to-one transformation. Is your password:

zpg,jgww&g&t5fm

 -or-

zpgjgwwagatsfm

 -or-

zpg,jgww4g4t$fm

 -or-

zpgjgww&g&75fm

…or any of the other countless variations?

Somebody had to.

Surely though using a password manager (strictly offline) with a diceware generated random passphrase of 6 or so words with spaces is the way to go. Until i read something else which throws all that right in the shitter.

If the one you can remember is for a password manager and the ones stored in the password manager are long, random, and unique, then you’re doing well.

If you’re using the same ultra-memorable password on every site, one breach exposes everything.

The intersection of security and human factors is a series of trade-offs.

Passphrases certainly have apparent advantages in memorability and resistance to brute force attacks, but they’re hamstrung by many of the same problems that all password systems share:

- good security practice means you’ll need to remember a completely different string for each system or site that you have an account on

- if your string is compromised, you’ll have to get a new one and associate it with the same account, meaning competing and conflicting recall (old password, new password, 24th password, etc.)

- strings must be generated randomly to be truly useful from a security standpoint, which usually means their memorability is impaired

- there is no natural association between the string and the account, so nothing about the actual password/phrase will tell you anything about the account, nor will the account or site give you any help recalling the password/phrase (was “monkey light pants aloe potato” for Facebook or Gmail?)

- etc etc

All of that notwithstanding, just about anything will be better than using the same password at every site.