I just started merging 3 common passwords I use through my life in chronological order. It’s a 32 letter behemoth with lowercase, uppercase, numbers, and symbols. All in random patterns.
The middle password is one that I started using 2 years ago when I wanted a new password for my new OS installation called FreeBSD at the time. It had numbers and symbols but also “Frbsd” to stand for that name.
Now when I am signing up to a new service I change that portion in the middle of the 32 letter password so “…Frbsd…” becomes “…Gthb…” or “…Dscrd…” etc.
This way even if someone finds my password for gml it won’t work for others either.
Finally can’t take it anymore
Downloads a Password Manager
Password Manager: “Please create a unique master password to begin”
That’s one password, and then use 2FA or a passkey or a YubiKey or anything to secure it so the security of the password isn’t a big deal
Then go to every single thing you have a password for, and have the password manager set it to something random. I personally like pass phrases: get it up into the teens of characters, multiple words, multiple numbers, multiple special characters. 99.9% of the time you shouldn’t be typing any of this in. It should be injected for you. If perchance you should need to type one of them in, typing in four or five words, some numbers and some special characters is not really a horrible grievance.
!!! PASSWORD TOO WEAK !!! - your password must contain upper and lowercase characters, digits and symbols except not a hyphen for some fucking reason, and no characters you’ve ever used in past passwords and no digits that are in your postal code, date of birth, or shoe size. Zalgo text is acceptable.
What is the best move?
Like WOPR said:

i just use hunter2 for everything
I use 12345
God, the tears rolling down my face laughing the first time I read that.
I miss bash.org
Why would your password be *******? That seems terribly insecure.
nobody else can see it when I type it.

I’ll always upvote Brent Rambo 👍
Just use KeepAssXC.
AssKeep
I just checked my password manager vault and I currently have 311 passwords stored there.
I have 401 entries, but only 384 unique passwords.
Hmm. Most of these are junk from job applications that I really should put in a trash category. I’m so glad all those places don’t share a password with something important. I think.
594 for me
I have nearly 800. I think I need to do some cleaning.
If you don’t want to use a password manager it’s not that hard to create long passwords. Just create a nonsense sentence with a misspelling with a character between each word and add some obscure personal info that isn’t directly linked to you, like a phone number of an old childhood friend or pizza place you used to call often when you were young so it’s easy to remember but not info another person can find about you. Then add a special character.
Like:
Wideo1Pasta1Is1The1Grawy1555-22334!!!
I like pass phrases… if you can’t think of anything, grab a random book, open to a random page, and find a memorable phrase that catches your eye. Change some letters to numbers and/or add symbols if you think you need to.
Just add one to the number each time.
I’m on “[passwordiveusedforyears]22!” at work.
For other websites I’m on things like “[passwordIveusedforyears][websitename]!”
Proper 2FA is secure enough for most people to keep using the same password so long as it hasn’t been compromised. And a few things, like work passwords, email passwords, and bank passwords should be unique to that specific account.
Really, the biggest security hole is requiring logins for fucking everything. That’s why there’s a million password leaks. Why does a news website need me to sign in? Why do I need an account and password to order a pizza that I’m gonna pay for in-person?
I do like using a good passphrase that includes the website name
Eventually, I’d like to switch to all generated through bitwarden or keypass, but I’d prefer to self-host when going that route
It’s not so bad once you develop a system.
And as a bonus, when a few of them leak, hackers will have a little puzzle to solve. Hackers love puzzles.
That’s why I let Firefox make the passwords for me. It’s nice because they sync with my phone, so I don’t have to run to my PC to look up a password.
Who TF isn’t using a password manager in 2025? Like how would you even function?
EDIT: Y’all need to stop replying with your password generation strategies. JFC it’s like you’re asking someone to pwn your shit.
I use modified “HorseBatteryStaple” style passwords. I have a couple base phrases that I always remember, with special characters and numbers inserted. I modify them bit by bit for different sites, and keep a list of the changes - only the changes. Anyone who looks at the list would see random words, numbers, or symbols without context; only I know how it all fits together.
For example, let’s pretend HorseBatteryStaple1! is my default password. I may have “cell phone, machine 5” on the list. That would mean the password for my cell phone’s payment website modifies the default password by changing one of the words in HorseBatteryStaple to “machine” and the number 1 to 5.
I know password managers exist, but I like to try to remember my own passwords. Especially since I may need them across different devices, including my work laptop that I can’t download new programs onto.
Caution, reusing parts of your passwords like that significantly reduces the effective entropy.
If someone finds HorseBatteryStaple1! in a plaintext leak, then they only need to guess one word and one number to get your phone password (assuming they know your format or use a matching heuristic).
So using a combination of this comment and an existing leaked DB (trust me, your credentials have leaked somewhere at some point), all your accounts could be trivially cracked.
deleted by creator
A password manager would be the same amount of effort, but way more secure.
My employer, a Fortune 500, blocks password managers and all other add-ons.
My employer, a 12-person company, nowhere near any Fortune list, mandates the use of 1Password for all company related accounts.
Ah but you see there’s the problem, you don’t have a committee to launch a working group that puts together investigative teams to research and write reports on the benefit of the solution, the ROI of the solution, the training costs of the solution, stakeholder buy in of the solution, and potential alternatives to the solution. You need at least a 10 month process before one jackass says they don’t want the solution so the committee can recommend to management that the solution be abandoned.
God damn, you sure you’re not a politician?
Insinuating that I may be a politician is the most insulting thing someone has said to me in a while, well done. And no I’m not, I’m just a guy who spent over a decade self-employed then went into the corporate world and tried to bring my innovate-quickly mindset with me and very quickly found out that even a simple change that only affects my department required 5 different people from outside our department to sign off on the change and each one of them assigned 1 or more people to research and report on the change. Long story short, after a while I found out what was going on and why nothing ever got adopted and I, being a snarky asshole, learned their corporate buzzwords and started stringing them into the proposals.
Wasn’t intended as an insult, just a joke at your sarcasm reminding me of how politicians talk
I was also joking, I assumed you were joking.
When will he be hacked… Let’s place bets everyone!
- On a Thursday. It may or may not be raining. I want to say… May? And the day is a prime number.
Can I register your bet for 27 dollars or euros?
Sure, I’ll bet in Dollars and take the number equivalent payout in Euros
I basically use a childhood limerick in leetspeak. Easy to remember, tough to crack. Like for example, Peter Piper picked a peck of pickled peppers becomes “P3t3rP1p3rP1ck3d4P3ck0fP1ckl3dP3pp3rz!” Of course I never used that particular one, but you get the idea.
Brah
So you have the same password for everything? Which would mean a single password leak would compromise all of your accounts?
Federal and State jobs you can’t use password managers.
My federal job came with one pre-installed.
Depends on your clearance level/what you have access to.
Not gonna get specific, but, I have access to a shitload of sensitive personal data. It’s more likely you ran into an agency policy rather than a federal policy.
No it is literally determined by clearance level. It is mandated.
Yeah. My agency doesn’t use clearance level to determine security requirements. It’s likely your password manager policy is agency-specific.
This is how you get in my block list.
are you trolling or do you not realize this is massive liability?
Okay so remember the one or two ones you need there (try a passphrase!)
For everything else - password manager.
Federal I had about 15 passwords. The State job I had about half that.
Yep.
I use pass phrases filtered through a mess of CyberChef.
I literally work for a state government and I use password managers for both work and personal.
EDIT: For clarity, the data is hosted on-prem. I don’t send govt credentials to the cloud like a moron.
Yeah idk about that. I’ve worked in state govt for a very long time and our cybersecurity controls essentially mandate we use one. I’m also in our security audit team and have to talk to state offices about our NIST controls regularly. And the NIST DOD controls are even more stringent than ours. Something sounds off.
Because they seem to fall into two categories. Those that have been compromised
And those who haven’t… Yet
Those are hackable too though
I have passwords I don’t care about, passwords I keep on the manager, and then important ones I enter manually every time
Don’t ever use lastpass and the likes, when good open source ones exist.
Like Bitwarden.
Here’s what you do: Generate long random string, for example: P5edM5Ce0SGE0rOr9k&#T*wG@d$ogqyBTk2@%dmO@2akbm!b5p!bH8w7Ei7gPSIR1Er&hab3ae@0odk3h76Ka48kYtXrsburM$7rf^vPRwXz1s5guO&$PZz3@w
Memorize it.
For each site just choose a number and select 16 characters starting at this number.
Remember which page uses what number. E.g. google = 32 -> &#T*wG@d$og^qyBTk2
Done. You don’t have to remember any more passwords for the rest of your life.
i’m sorry memorise that? i’d rather get hacked
Security is not easy.
It is. Use a password manager.
Me too but I’m halfway through memorizing 128 random chars and then bye bye Bitwarden.
Folks will rather memorize 100 random ASCII chars than use a password manager
Hmm… if a bunch of matchsticks fall on the floor, do you immediately know how many there are? If you do, I may have some news for you 🤣
Only if it’s less than 5.
Here’s what you do
USE A FUCKING PASSWORD MANAGER
can you say that a bit quieter please, we’re at a wedding
And in six weeks… It’s time to change your password! No repeats.
Get a password manager. It’s a lot more secure and easier to only have to remember one strong main password and have the rest randomly generated
FWIW, LastPass is bullshit. DYOR, and stay safe, citizens!
Also, it could be taken as a positive that BitWarden is the example Wikipedia uses to define password strength. 🤌🏼
KeePassXC, donor, and I sync it with my (self-hosted) SyncThing server.
^ I love Bitwarden
I enjoy self hosting it
(Rather vaultwarden)
If it’s something of vital importance, my mantra is to pay for someone else to host it.
They can have the responsibility of security / updates / etc. because a company full of people can do that better than I ever can.
That’s my reasoning as well. The only drawback I currently see for bitwarden is that it’s US based and I have zero trust in their current government not going to cut off the rest of the world at some point. I’m still using it, but I make sure to make regular encrypted backups of my vaults.
In case you didn’t know, you can opt to have your passwords stored in the EU by making an account on bitwarden.eu
deleted by creator
Once you forget it, you lose everything
deleted by creator
There’s a xkcd for that of course! Linking directly to the explain as it has more info but the important thing is: password guidelines tricked humans into thinking in a machine way about safe passwords but long pass phrases are more secure from an entropy point of view and way easier to remember!
https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength
deleted by creator
Take a sentence with 200 characters then.
And your opinion is exactly that and doesn’t match security research:
For the following you’re not the target group but others reading this who might want to make their lives easier. Just from your way of writing I at least don’t expect that minor sources like Okta or the NCSC will change your mind.
( article links with high level descriptions and links to their primary sources)
https://www.okta.com/identity-101/password-vs-passphrase/
https://www.4bis.com/passphrase-vs-complicated-passwords-passphrases-are-best/
https://specopssoft.com/blog/passphrase-best-practice-guide/
deleted by creator
Both Bitwarden and 1Password can also generate passphrases with high entropy that are much easier to memorize and enter. I use that for my master password.
Quick question friends:
If I’m already using bitwarden and decide to switch to self-hosting it; can I import my usernames and such?
I would most likely change all the passwords, but being able to migrate the websites (with corresponding username) would be kinda nice
You should be able to export and import all your logins as a file. I did this when I moved from LastPass to Bitwarden a while back