Umbra

Level 15
Verified
I observed that people worry a lot about storing their passwords, so they opt for password managers, which is a logical step, but even those managers can be compromised.
the only thing that can't be hacked (yet lol) is your brain, unless your name is "stupid" (and i can't help you with that).

so here is my tip for a memory-saving single password for all your sites, whether you have 10 or 1 000 000 passwords.

1- decide on a simple-to-remember passphrase, example: "umbra is the best".

2- encrypt it yourself with whatever method you like: for example you can use "hacker" style, which makes my passphrase look like "umbr4 15 th3 b35t" (i put spaces so you can see the changes clearly; of course you don't use spaces in yours), and/or add symbols between the words. example: $umbra$is$the$best$

3- Now that you have the basis, how to remember one for each site? simple: add at the end of the password the first 2+ letters of the site name in capitals (will explain why at the end). i will use Malwaretips.com as an example (don't use the full name ever)
umbr415th3b35$MALW

As you see, for every site, use its name at the end:
Netflix? umbr415th3b35$NETF
Google? umbr415th3b35$GOOG
Microsoft? umbr415th3b35$MICR

there you go, a strong password with all the usual requirements from websites (one capital letter, one number, one special character and 8+ characters). even if one of your sites has been compromised and the password database leaked, the hacker can't use it to access your other accounts since they all have different passwords; your personal "encryption master key" is only in your brain.

i have used this method for a decade, i'm so used to it that i can type it easily and quickly.

note: don't be stupid, don't type it in front of observers LOL

Easy, no?
 

CMLew

Level 23
Verified
I agreed. In fact I'm using one of these methods. My only concern is the MO of the PW we create. Cuz if the hacker kinda knew our MO, then they can just brute force it. :(
 

sirius777

Level 1
I use KeePass portable stored on my PC, USB flash drive, external hard drive, and phone. And it's protected with a very strong master password.
Another + is that the European Commission sponsors bounties for finding security vulnerabilities in KeePass (same as 7-zip, VLC, Notepad++, and others).
 

Umbra

Level 15
Verified
I agreed. In fact I'm using one of these methods. My only concern is the MO of the PW we create. Cuz if the hacker kinda knew our MO, then they can just brute force it. :(
the only way for him to know the MO is by being very close to you, and i gave the simplest way to do it.
Personally i have 3 passphrases: one for critical sites (banking or containing my IRL data), average (shopping or having my real name) and non-important sites (forums and other leisure sites where i use my nickname). obviously the useless one is simple and fast; the critical one is so long and complicated that hackers would have a hard time guessing it.
 

Bill K

Level 3
While I appreciate this idea and sharing it, I have to question the security it actually provides. If somehow any one of your secure passwords is discovered it would seem pretty obvious to recognize that the last several characters represent the site being accessed, and then all of your other passwords can be very easily derived. Doesn't seem very secure at all... think I'll stick with a password manager encrypted via a master password with the database only stored locally.
 

Slyguy

Level 43
This looks like it was ripped from my post on Wilders about 12 years ago, and more recently a repost of it on VoodooForums. Using numbers or letters works. It's called the 'Decoration' method. Also you can use this in combination with a password manager for vastly greater security by decorating the stored PW manager passwords with pins (or letters) at the end after the auto-fill.

Another method for high password security is to use a stateless password manager. You create a master password, which is ethereal, in that it doesn't exist anywhere. That MP generates a hashed password based on the site you are on. There is nothing that can be compromised as nothing exists anywhere but in your mind. So each time you visit the site it is input and hashed from your unique MP to generate the password for the site. A single change in the MP changes the hash on every site, hence, requires a password change at the site.


Hashpass is another example. However there are downsides to doing it this way that should be factored in. Not security related, convenience related.
 
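As an added illustration, not code from any post in this thread: the two derivation schemes discussed, Umbra's passphrase-plus-site-tag recipe from the opening post and the stateless hash-based derivation Slyguy describes, written out side by side, plus the policy check from the opening post and a prefix comparison that shows how much of one site's password is visible in another's. The function names, the leet mapping and the PBKDF2 parameters are my assumptions; this is not Hashpass's actual algorithm.

```python
import hashlib
import string

# Added example, not code from the thread. Function names and the PBKDF2
# parameters are assumptions; Hashpass's real derivation is not reproduced.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SYMBOLS = "!$%&*+-=?@#"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def leet(text: str) -> str:
    """Step 2 of the opening post: 'umbra is the best' -> 'umbr4 15 th3 b35t'."""
    return text.translate(LEET)


def umbra_scheme(passphrase: str, site: str, tag_len: int = 4) -> str:
    """Steps 1-3 of the opening post: leet the passphrase, drop the spaces,
    append '$' and the first tag_len letters of the site name in capitals.
    (The post's own sample drops the trailing 't'; this follows the stated rule.)"""
    base = leet(passphrase).replace(" ", "")
    return f"{base}${site[:tag_len].upper()}"


def stateless_scheme(master: str, site: str, length: int = 16) -> str:
    """Stateless derivation as Slyguy describes it: nothing is stored, the
    per-site password is a slow hash of the master password salted by the
    site name. The last three characters are forced to upper/digit/symbol so
    the result meets the site-policy requirements quoted in the opening post."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), site.lower().encode(), 100_000)
    body = "".join(ALPHABET[b % len(ALPHABET)] for b in raw[: length - 3])
    forced = (string.ascii_uppercase[raw[-1] % 26],
              string.digits[raw[-2] % 10],
              SYMBOLS[raw[-3] % len(SYMBOLS)])
    return body + "".join(forced)


def meets_policy(pwd: str) -> bool:
    """The 'usual requirements' from the opening post: 8+ characters, one
    capital, one number, one special character."""
    return (len(pwd) >= 8 and any(c.isupper() for c in pwd)
            and any(c.isdigit() for c in pwd) and any(c in SYMBOLS for c in pwd))


def shared_prefix_len(a: str, b: str) -> int:
    """How many leading characters of one site's password appear verbatim in
    another's: the exposure Bill K and Robbie raise against the tag scheme."""
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return n
```

With the opening post's passphrase, `shared_prefix_len` reports 15 of 19 characters in common between the Netflix and Google tag-scheme passwords, while the two PBKDF2-derived passwords share nothing beyond chance.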

Umbra

Level 15
Verified
This looks like it was ripped from my post on Wilders about 12 years ago, and more recently a repost of it on VoodooForums.
But it wasn't; however, i would be interested to see yours, to see the difference from mine. a link would be appreciated.
Anyway, anyone who has studied a bit about the basics of encryption could find a similar way; the only difference is i used my own "sauce" to make it easy to remember.

Using numbers or letters works. It's called the 'Decoration' method. Also you can use this in combination with a password manager for vastly greater security by decorating the stored PW manager passwords with pins (or letters) at the end after the auto-fill.
Sure but my point was to make it independent of any password managers.

Another method for high password security is to use a stateless password manager. You create a master password, which is ethereal, in that it doesn't exist anywhere. That MP generates a hashed password based on the site you are on. There is nothing that can be compromised as nothing exists anywhere but in your mind. So each time you visit the site it is input and hashed from your unique MP to generate the password for the site. A single change in the MP changes the hash on every site, hence, requires a password change at the site.


Hashpass is another example. However there are downsides to doing it this way that should be factored in. Not security related, convenience related.
But from what i read, you still need a tool for that; my method doesn't.
And honestly, even if someone is really dedicated to breaking your password, it won't be easy, because unless he knows which sites you registered on, and with which user account and password for each, he won't have any means to compare and deduce a pattern.
Not saying my method can be improved by adding more "easy-to-remember" variables in the passphrase.
 

Umbra

Level 15
Verified
While I appreciate this idea and sharing it, I have to question the security it actually provides. If somehow any one of your secure passwords is discovered it would seem pretty obvious to recognize that the last several characters represent the site being accessed, and then all of your other passwords can be very easily derived. Doesn't seem very secure at all... think I'll stick with a password manager encrypted via a master password with the database only stored locally.
indeed, that's the reason why i mention not doing it in front of observers LOL.
The example i gave is the basics of my method; you can add more complexity by adding variables that are still easy to remember, like putting the site's letters also at the beginning of the passphrase, etc. You are limited only by your imagination and your own laziness to type: the more you add, the more you will type.
I created my method because sometimes i have to access some sites on machines i don't own and i will never install my password manager on them.
 

Cortex

Level 13
What I use & really can't change now are text passwords, zipped together with a strong password only I can know, a combination of words we used some time ago in coal mining. The ones I may need for others are on a stick, so the critical ones aren't in it. It works really well for me &, though it may not be invulnerable, the zipped file is also called a very unexciting name. Some critical passwords do require the use of another password added to the original, much like Umbra's idea.
 

notabot

Level 15
I used an almost identical system till 2012 or so; the downside is some breaches have revealed that companies sometimes store passwords in plaintext (hi Sony) or with extremely weak encryption. After a breach of a site like this, your password for that site will be leaked and someone could infer the password for the other sites?

Ofc the chance of someone manually doing this effort for a non-high-risk individual is tiny, but the above attack vector imo is far more significant to cover than 0-day malware, and the effort to do so is tiny.
 

Umbra

Level 15
Verified
I used an almost identical system till 2012 or so; the downside is some breaches have revealed that companies sometimes store passwords in plaintext (hi Sony) or with extremely weak encryption. After a breach of a site like this, your password for that site will be leaked and someone could infer the password for the other sites?
with my method or similar you won't have the same password, so the risk of being guessed is insignificant. not to mention, you obviously use 2FA via phone as much as you can.
 

Robbie

Level 29
Verified
Content Creator
Malware Tester
But, what if - a server is compromised and your password for Facebook umbr415th3b35$FACE is leaked? The very first thing I would try to do as a cybercriminal is try this password at your e-mail, and if it fails, try umbr415th3b35$GMAI to access Gmail.

I strongly believe passwords should not have identifiable patterns. I've tried it hundreds of times with my friends. My best friend shared his Facebook password with me in order to help him with something. Let's suppose his password was catnip01 (don't wanna throw out his real password); the first thing I tried was catnip01 on his Gmail and failed. I tried catnip02 and immediately gained access. Identifiable patterns always become trouble.
 

Umbra

Level 15
Verified
But, what if - a server is compromised and your password for Facebook umbr415th3b35$FACE is leaked? The very first thing I would try to do as a cybercriminal is try this password at your e-mail, and if it fails, try umbr415th3b35$GMAI to access Gmail.
personally i have several passphrases, each for a different sensitivity level of site:
My facebook one uses the simplest, my gmail the 2nd one, my MS account another, etc...
In my article, i gave the simplest way to do it; then people can adapt it to their needs and paranoia level.
the GMAI part can be changed by using the letter before each letter of GMAI ---> FLZH.
the umbr4 can be replaced by the username of the account; i guess you use "robbie" at malwaretips but not on other sites? right?
let's say i use Shadow as another gmail username: 5h4d0w15th3b35tFLZH

I strongly believe passwords should not have identifiable patterns. I've tried it hundreds of times with my friends. My best friend shared his Facebook password with me in order to help him with something. Let's suppose his password was catnip01 (don't wanna throw out his real password); the first thing I tried was catnip01 on his Gmail and failed. I tried catnip02 and immediately gained access. Identifiable patterns always become trouble.
that is not the fault of the pattern, but the stupidity of the user selecting such a simple method.
Would you find it if it was "catnip£01$" and "catnip££002$$" (the second because, being a second account named catnip02, i added 2 zeros, and 2 times the special characters)?
3rd catnip account? "catnip£££0003$$$". good luck finding the 2nd and 3rd account just by possessing the 1st, and i didn't even put anything between cat and nip... i win, you failed lamentably and wasted time while i laugh at you, watching you try to guess it :p

:)
 