On Sun, 3 Apr 2022 22:45:27 -0700 David Christensen <dpchr...@holgerdanske.com> wrote:
> On 4/3/22 21:07, ghe2001 wrote:
> > I kinda thought it probably was. It's pretty obvious. The idea is
> > to generate a bunch of gibberish that could be easily remembered.
>
> It's not gibberish; it has meaning. The meaning is what makes the
> password both memorable and weak.

I concur with David. The fundamental problem with using clever formulas to come up with memorable passwords is that clever formulas are reproducible.

The "dictionary" from which a modern password cracker draws its guesses has nothing to do with what is and isn't "a dictionary word". Rather, it's a purpose-built word list, informed by years of statistical analysis of millions of real-world passwords leaked from previous breaches. Actual randomness is the only reasonably effective way to make a password hard to guess.

Trying to come up with unique, sufficiently random passwords for every website, service, and so forth — and *remember* all those passwords — is a real problem at any age. I would strongly suggest using a password manager. Make sure the master password to unlock the password manager is really strong. But then you only have one password to remember, and you can have an effectively unlimited number of unique, random, strong passwords.

Personally, I use KeePassXC with a self-hosted Syncthing instance to sync the password file to all my devices. If you're not up for self-hosting, there are some cloud-based password managers with decent security too, e.g. Bitwarden.

For the specific challenge of *generating* passwords that are both genuinely random and reasonably memorable, you might want to take a look at the "diceware" approach, which is to start with a list of several tens of thousands of actual English words and use a high-quality random number generator to pick a few words from the list.

As a helpful little bonus, most password managers nowadays come with a password generator built-in, which in many cases can be configured to generate a diceware passphrase instead of a gibberish string of characters.

Cheers!
-Chris
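The diceware approach described in Chris's reply, as an added illustration that is not part of the original thread: words are picked from a list with the OS-backed CSPRNG (`secrets`), and the strength of the result is computed purely from list size and word count, independent of the words' meaning. The tiny word list is constructed for the example; a real diceware list has thousands of entries.

```python
import math
import secrets

# Constructed stand-in for a real diceware list (real lists have
# 7776 words for five dice, or tens of thousands as the post says).
SAMPLE_WORDS = [
    "acorn", "basalt", "candle", "dagger", "ember", "fossil", "glacier",
    "harbor", "ingot", "jigsaw", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pepper",
]


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of a passphrase of `word_count` uniformly chosen words.

    This is the only thing that matters for guessability: the attacker
    is assumed to know the word list, so each word contributes
    log2(list_size) bits regardless of how 'clever' the phrase reads.
    """
    return word_count * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words from a list of `list_size` reaching `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def dice_key(dice: int = 5) -> str:
    """Simulate rolling `dice` dice with the CSPRNG, e.g. '31415' for a
    classic five-dice diceware list. secrets.randbelow is OS randomness;
    random.randint (a seeded Mersenne Twister) would not be suitable."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice))


def generate_passphrase(word_list: list[str], word_count: int, sep: str = "-") -> str:
    """Pick `word_count` words uniformly at random (with replacement).

    Duplicate entries would skew the distribution, so they are rejected.
    """
    if len(set(word_list)) != len(word_list):
        raise ValueError("word list must not contain duplicates")
    return sep.join(secrets.choice(word_list) for _ in range(word_count))


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, 6))
    print(f"six words from a 7776-word list: "
          f"{passphrase_entropy_bits(6, 7776):.1f} bits")
```
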