DEV Community

Discussion on: Do password rules impact security?

SharpDog • Edited

I think Anton Frattaroli and Michiel Hendriks have it covered well. But I'll add my two cents anyway. I don't use a PW manager because I don't trust them ... eggs in one basket and maybe the basket, etc.

My technique is modelled after the security ring system. I have several levels of password from easy / non-secure to hard (hopefully very secure). The one or two easy rings never change and they are used for things like newsletter / website subscriptions and blog posts. From there I use a system. I change the system every 3-6 mos. The most secure ring is email and the next most secure is banking and credit cards.

For example, a system could be based on flowers:

Step 1: choose a number of flowers or flower phrases from easy to hard, use camel case for phrases:

Rose
Daisy
Orchid
Marigolds
Dandelions
Chrysanthemums
StopToSmellTheRoses

Step 2: leet the vowels and special-character some letters:

R0$e
D41$y
0r(h1d
M4r1g0ld$
D4nd3l10n$
Chry$4nth3mum$
$t0pT0$m3llTh3R0$3$

Step 3: append or prepend the name or abbreviation of each website:

So, for Amazon which would be a banking / credit card site:

Chry$4nth3mum$-Amazon becomes Chry$4nth3mum$-4m4z0n

Then every so often change the formula ... cars, animals, mineral names, state capitals, cities in Europe, etc.
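Steps 1 to 3 of the scheme above, written out as a small Python program. This is an added example, not code from the comment or from DEV Community. The substitution table is assumed from the listed words (a→4, e→3, i→1, o→0, s→$ in either case, and lowercase c→( as in Orchid, since the capital C of Chrysanthemums is left alone); the comment's own list does not apply it uniformly (Rose keeps its final e), so the function follows the pattern of the other words. The ring names and the site-to-ring mapping are also assumptions for illustration. Writing the procedure down this way makes one property of the scheme visible: the output is a fixed function of the base word, the site name and the separator, so its strength is that of the inputs, not of the leet step.

```python
"""Added example: the three-step password scheme from the comment as code.

Assumed substitution table (inferred from the listed words, not stated
by the author):  a/A->4  e/E->3  i/I->1  o/O->0  s/S->$  c->(
"""

LEET = {
    "a": "4", "A": "4",
    "e": "3", "E": "3",
    "i": "1", "I": "1",
    "o": "0", "O": "0",
    "s": "$", "S": "$",
    "c": "(",            # only lowercase c, per Orchid vs Chrysanthemums
}

# Assumed rings, easiest first (the comment lists the flowers in this order).
RINGS = {
    "newsletter": "Rose",            # never changes, low value
    "blog": "Daisy",
    "shopping": "Marigolds",
    "banking": "Chrysanthemums",      # second most secure ring
    "email": "StopToSmellTheRoses",   # most secure ring
}


def leet(word: str) -> str:
    """Step 2: substitute characters according to the assumed table."""
    return "".join(LEET.get(ch, ch) for ch in word)


def derive_password(base: str, site: str, sep: str = "-", prepend: bool = False) -> str:
    """Step 3: join the leeted base word and the leeted site name.

    The comment shows 'Chry$4nth3mum$-Amazon' becoming 'Chry$4nth3mum$-4m4z0n',
    i.e. the site name is leeted as well.
    """
    parts = (leet(site), leet(base)) if prepend else (leet(base), leet(site))
    return sep.join(parts)


def password_for(ring: str, site: str) -> str:
    """Pick the base word for a ring (Step 1) and derive the site password."""
    return derive_password(RINGS[ring], site)


def step2_table(words):
    """Return {plain word: leeted word} for a whole Step 1 list."""
    return {w: leet(w) for w in words}


if __name__ == "__main__":
    flowers = ["Rose", "Daisy", "Orchid", "Marigolds",
               "Dandelions", "Chrysanthemums", "StopToSmellTheRoses"]
    for plain, leeted in step2_table(flowers).items():
        print(f"{plain:>20} -> {leeted}")
    print(password_for("banking", "Amazon"))   # Chry$4nth3mum$-4m4z0n
```

Running the module prints the Step 2 table and the Amazon example. Note that the mapping is many-to-one in neither direction: every output character is recoverable from the input, so `leet` adds no new information to the password.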