Advice Request: Master password idea


Pixelman (Level 4, Thread author, Well-known, Jun 7, 2022):
Hey, everyone.

I spent some time thinking about what the best way is to remember a master password without writing it down.

The thing that works best for me is to find a painting that I like or am familiar with, and remember the name of the painting, the painter and the year (you can add medium, period and place if you wish, to make your password longer/stronger).

If I think that I might forget my password, I can print the painting on paper and put it where I want, on a wall, in a book, etc., as a reminder.

Now, for demonstration purposes I made an example of what that password would look like, this is done in KeePassXC password manager:

Password: beheading of saint john the baptist caravaggio
Password quality: Excellent
Entropy: 105.58bit


I find it really convenient to use a passphrase instead of typing random characters, which would take much longer for me.
Now, you don't have to use a painting; you could use a movie/TV show dialogue that is reasonably long and memorable and print that scene as a reminder (without everyone knowing the context of it).

What do you think, is it a good idea, would you try it? Or is it not convenient, not secure, too much hassle?
What would you add or change?

rain2reign (Level 8, Verified, Well-known, Jun 21, 2020):
One of the better password practices is to use passphrases. You can generate one from a list; then only bots or people who have that same list, or whose list(s) contain those words, can guess it. Or you can do it the way you do it, which is even better. The key point of passphrases is that they are more memorable than random generation, and spaces, where accepted (not all services do), just make it that much harder to guess where the space is. Add some odd numbers and either 1 or 2 signs in it and you're golden. Just don't do common tricks like replacing an E with a 3, an A with a 4, etc. And avoid adding them at the end (and beginning) of your passphrase.

You can replace one space with such a character or randomly add them to one of the words in the middle, etc. What you described is one of the better practices for any password. However, random generation (example between quotes: "AH*Jjs5623!@)4") just makes it more convenient for people, as those generators have been around for nearly two decades with no real change in the meantime.

That makes it more usable with password managers that either generate them automatically or spare the user from having to think about it. One other tip: if or when you turn a moment, a hobby or anything else close to you into a passphrase, try to avoid everyday things (everyday for you, not everyday objects in general), for both your sanity and your predictability, in the rare off-chance that someone (or a bot algorithm) is targeting you specifically. In that event, try to keep it to things that can be easily dismissed as "too abstract to be it".

However, in general, you already had the right idea from the start. (y)

Edit: these images in the following links are not obsolete to this very day. [1] Password Reuse || [2] Password Strength
Another one from Schneier well-known in this field as well: Choosing Secure Passwords - Schneier on Security
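The two practices rain2reign describes, drawing words from a list and dropping a digit or sign into the middle rather than at either end, are shown below as an added example; it is not code from the thread or from any password manager. The 32-word list is constructed so the script runs offline and stands in for a real list such as Diceware's 7776 words; the entropy figures are computed from list size and word count, which is the honest measure for a generated passphrase, and the script also shows how little a single mid-phrase token adds.

```python
import math
import secrets
import string

# Constructed stand-in for a real word list such as Diceware (7776 words); it is
# only here so the example runs offline. Entropy is a function of list SIZE and
# word COUNT, so the figures below are computed from those, not from these words.
WORDLIST = [
    "acorn", "basil", "cobalt", "delta", "ember", "fjord", "gecko", "harbor",
    "ivory", "juniper", "kettle", "lumen", "marble", "nectar", "orbit", "pylon",
    "quartz", "raven", "sable", "tundra", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "anvil", "bramble", "cinder", "dune", "ferrule", "glacier",
]

SIGNS = "!@#$%^&*-_=+?"


def passphrase_entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly and independently from list_size words.

    This is the honest figure for a generated passphrase: it depends only on how
    the words were chosen, not on how long or "complex" the result looks.
    """
    return n_words * math.log2(list_size)


def extra_bits_from_middle_token(n_words: int, charset_size: int) -> float:
    """Entropy added by replacing one of the n_words-1 separators with a random
    character from a charset_size alphabet (position and character both random)."""
    return math.log2((n_words - 1) * charset_size)


def generate_passphrase(n_words: int, wordlist=WORDLIST, separator: str = " ", rng=secrets) -> str:
    """Draw each word with a CSPRNG (rng must provide randbelow, like secrets)."""
    return separator.join(wordlist[rng.randbelow(len(wordlist))] for _ in range(n_words))


def salt_in_the_middle(phrase: str, separator: str = " ",
                       charset: str = string.digits + SIGNS, rng=secrets) -> str:
    """Replace one interior separator with a random digit or sign.

    The token never lands at the beginning or end of the phrase, which is the
    placement rain2reign advises against.
    """
    words = phrase.split(separator)
    if len(words) < 2:
        raise ValueError("need at least two words to have an interior separator")
    gap = rng.randbelow(len(words) - 1)          # which separator to replace
    token = charset[rng.randbelow(len(charset))]
    return separator.join(words[:gap + 1]) + token + separator.join(words[gap + 1:])


if __name__ == "__main__":
    n = 6
    phrase = salt_in_the_middle(generate_passphrase(n))
    print(phrase)
    print(f"this 32-word toy list: {passphrase_entropy_bits(len(WORDLIST), n):.1f} bits")
    print(f"a 7776-word Diceware list: {passphrase_entropy_bits(7776, n):.1f} bits")
    print(f"middle token adds: {extra_bits_from_middle_token(n, len(string.digits + SIGNS)):.1f} bits")
```

Six words from a 7776-word list give about 77.5 bits; the random mid-phrase token adds under 7 bits (five possible positions times 23 characters), so it is a small bonus, not a substitute for another word or two.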
Pixelman (Level 4, Thread author, Well-known, Jun 7, 2022):
I agree with your statements, and thanks for the links. :)

MacDefender (Level 16, Verified, Top Poster, Oct 13, 2019):
Passphrases are definitely a good idea. I'd still recommend having a password manager generate secure passphrases for you, though. Unfortunately, humans are bad at generating random entropy.

My only concern with this approach is that "themes" can lead to guessable passwords if someone has cracked one or knows your algorithm. The number of famous paintings that a non-art geek remembers is probably up in the 1000 range, which makes it vulnerable to a dictionary attack. This is especially deadly if, for example, you use one of these passwords at a website that doesn't hash their passwords and your password leaks online. If I saw a password like this, the first thing I'd do is build a dictionary attack out of Wikipedia lists of paintings :D

Finally, I find that words are more "glanceable" than random passwords. You can try this yourself -- give yourself a half second glimpse of a phrase password versus a half second glimpse of a random alphanumeric password. The human brain seems to read words quicker and remember them better, and that can work against you if you accidentally reveal a password to someone by pressing the wrong button on a web form, for example (Amazon's app is infamous for having a checkbox under the password field that says "Show password", when most people expect "Remember my password")

But yeah, it could be a great password scheme, just keep it to yourself and don't let anyone else know.
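What MacDefender's "build a dictionary attack out of Wikipedia lists of paintings" looks like in code, as an added example that is not from the thread: it enumerates the formatting variants of the "title + painter (+ year)" scheme for a constructed four-painting list, measures the real keyspace as log2 of the candidate count, and recovers the first post's example phrase from a stored key. The painting list, the 48-variant set per painting, the fixed salt and PBKDF2 as a stand-in for a vault's key derivation are all assumptions of the example. The point it makes: the 105.58-bit reading in the first post comes from a meter scoring the string without knowing the scheme; once the scheme is known, the entropy is the size of the candidate list, about 15.6 bits for 1000 paintings, regardless of how long the phrase is.

```python
import hashlib
import hmac
import itertools
import math

# Constructed list standing in for a scraped "list of famous paintings". A real
# attacker would pull a Wikipedia list; ~1000 entries is the size MacDefender
# estimates for paintings a non-art geek remembers.
PAINTINGS = [
    ("The Beheading of Saint John the Baptist", "Caravaggio", 1608),
    ("Girl with a Pearl Earring", "Johannes Vermeer", 1665),
    ("The Starry Night", "Vincent van Gogh", 1889),
    ("The Persistence of Memory", "Salvador Dalí", 1931),
]

# Formatting choices an attacker who knows the scheme would enumerate.
SEPARATORS = (" ", "", "-")


def candidates(paintings):
    """Yield every passphrase the "title + painter (+ year)" scheme could produce
    for the given paintings, in a fixed order, without duplicates."""
    seen = set()
    for title, painter, year in paintings:
        titles = {title, title[4:] if title.startswith("The ") else title}
        painters = {painter, painter.split()[-1]}           # full name or surname
        for t, p, sep in itertools.product(sorted(titles), sorted(painters), SEPARATORS):
            base = sep.join(f"{t} {p}".split())
            for s in (base, f"{base}{sep}{year}"):
                for variant in (s, s.lower()):
                    if variant not in seen:
                        seen.add(variant)
                        yield variant


def effective_entropy_bits(keyspace: int) -> float:
    """Entropy the scheme really offers once the attacker knows the scheme:
    log2 of the number of candidates, regardless of string length."""
    return math.log2(keyspace)


def kdf(password: bytes, salt: bytes) -> bytes:
    # Stand-in for the database key derivation (assumption: a real vault uses a
    # slow, memory-hard KDF with far higher cost). PBKDF2 keeps this example
    # dependency-free; KDF cost only scales attack time, it does not grow the keyspace.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 2_000)


def crack(target: bytes, salt: bytes, paintings):
    """Try each candidate against the stored key; return (match, guesses made)."""
    guesses = 0
    for cand in candidates(paintings):
        guesses += 1
        if hmac.compare_digest(kdf(cand.encode(), salt), target):
            return cand, guesses
    return None, guesses


if __name__ == "__main__":
    salt = b"\x00" * 16                                           # constructed, fixed for the demo
    master = "beheading of saint john the baptist caravaggio"     # the phrase from the first post
    stored = kdf(master.encode(), salt)
    space = len(list(candidates(PAINTINGS)))
    found, guesses = crack(stored, salt, PAINTINGS)
    print(f"{space} candidates from {len(PAINTINGS)} paintings "
          f"-> {effective_entropy_bits(space):.1f} bits of real keyspace")
    print(f"recovered {found!r} after {guesses} guesses")
    print(f"1000 paintings x 48 variants -> {effective_entropy_bits(1000 * 48):.1f} bits, "
          f"versus the 105.58-bit meter reading in the first post")
```

A slow KDF multiplies the attacker's cost per guess but does nothing about the number of guesses; with a few tens of thousands of candidates even a memory-hard KDF falls in minutes, which is why the scheme has to stay secret, as MacDefender says, or the painting has to be drawn from a much larger and less predictable pool.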

Pixelman (Level 4, Thread author, Well-known, Jun 7, 2022):
Yeah, I think I understood everything you said. The thing with this kind of password is that I only use it as my master password for my KeePassXC database, which is an offline manager. I don't use a sync option or store my master password online, like for example Bitwarden does. So the only way to crack my database is to break into my house, given that someone targeted me for whatever specific reason at all. And I doubt there is any. :D

As for the many sites that I have an account for, I use the integrated generator and don't use less than 25 characters (depends on the site), including all kinds of character types, using the copy-paste method, so I don't have to remember random 30-character passwords for 30+ sites.