Password Strength

I just make sure my password would take a million years to hack, although I know it’s not guaranteed, it’s better than ‘pooboo’ :slight_smile: Although there is a downfall to my passwords, I can’t remember them :frowning: !

I use a password manager (KeePass) and I keep it in my dropbox account, which makes me feel pretty safe about not losing my passwords due to a hard disk failure, etc. I have a copy on at least 2 computers plus one on the remote dropbox servers. I like it better than pieces of paper which can be stolen, lost, torn, burned, soaked, etc.

My master password is 18 characters long, it’s an easy to remember sentence about my personal preferences plus a memorable number. However, I don’t set up random passwords - I prefer passwords which are somewhat difficult but which I can at least remember for a short period of time so that I don’t have to launch KeePass every time I want to login somewhere.

The idea shown in the cartoon is pretty good! I think I have used too short and too difficult passwords most of the time.

Interesting, I should follow the same thing. Create a DropBox account.

Skip Dropbox and use LastPass, it automatically saves to a “cloud” service.

Password strength is so important these days. My PayPal account got hacked because it consisted of simple words. All of my passwords now are so complicated, even I can’t remember them lol I write them down in a little book :slight_smile:

I wouldn’t trust ANY third-party service to keep my passwords safe! If they got hacked, or had malicious intent, you are screwed. Dropbox has had its fair share of security problems as well… I have mine on an FTP, which KeePass supports natively. Also, I have it start up with Windows, so it’s easy to use random passwords and KeePass is always there (I have to unlock it when I log in, but that’s it). Ctrl-Alt-A autocompletes details!

Also, as a link earlier in this thread pointed out, the XKCD advice isn’t so good! Best way is using characters from all spaces (symbols, lowercase, uppercase, numbers), long and random.

I don’t think trusting a third-party service is that important here as long as you trust the software you use to encrypt your data properly. Both KeePass and LastPass store all data encrypted on your hard drive and in this way they get sent to the servers. So even if someone gets access to your data on LastPass or Dropbox servers they won’t access your passwords as long as you use a strong enough password for encryption.

The question is whether you trust open source KeePass more or proprietary LastPass to properly encrypt your passwords. Personally, I would lean more towards open source plus I like all my data to be in simple files and folders that are fully portable.

But if I have a good master password why would I need to care if someone breaks into my Dropbox data? If they want to spend a few hundred centuries trying to break my password then I’m perfectly fine with this!

Not an issue with LastPass. The only data they receive is a series of encrypted files. They don’t even have your master password on file. Thus if you forget your password, your data is unrecoverable.

I am shocked you didn’t share Jakob’s article

Oh OK, I thought LastPass was a web based service. Does it have a client that does the encoding before it gets passed on?

Ah, but you said your password only contains a sentence and numbers, so it isn’t as strong as it could be :stuck_out_tongue: I wouldn’t use anything but a completely randomly generated string now. You learn to type them pretty easily after a few goes, even a long (20 character or so) one, and it’s only 1 that you need to remember anyway.

Yes, its all client side. Even on their website, JavaScript does the encryption and decryption locally. They have clients for almost all systems and browsers, as well for mobile devices.

If you are really concerned about the security of your passwords, LastPass supports dual-factor authentication, with a Yubikey-like device for example.

My passwords have evolved over the years. From “pet’s name” to “pet’s name with a number” to “pet’s name with substitutions”.

Now I usually do “one off”. Something that makes sense to me and is easy to remember but instead of the actual key I use one next to it.

And I have a notebook full of them since I try to always use a different one for the many sites I’m registered at. If I ever lose that I sure hope the sites have the “did you forget” feature !

Well, the sentence also contains some special characters so it’s not that bad :). Anyway, I believe for a person like me a completely random password is too extreme, who would want to spend a huge amount of computational power to crack a password of some unknown John Smith? If the attacker is not able to use a fast dictionary attack he’ll move on to someone else. He would need to have a very compelling reason to try to break a long password of a person. So I prefer to have a password that is long but easy to remember.

What about this article: GRC’s *Password Haystacks: How Well Hidden is Your Needle?*

The author argues that a password like D0g… is more secure than PrXyc.N(n4k77#L!eVdAfp9 because it has more characters while dictionary attacks are equally ineffective. I don’t know if I’m convinced but he may have a good point.

But KeePass does all this as well, and is free. The only difference is you have to sort out the online sharing bit yourself - nothing an FTP account can’t solve (or indeed Dropbox).

That’s not the point - there are ALWAYS people willing to crack anyone’s password just as a challenge. And you never know how valuable your passwords can be - banking? Your whole online identity? Email?

Indeed, length is the most important factor, but after that it says using all different types of characters is (in fact, both passwords use symbols, lowercase, uppercase and numbers). Imagine if everyone started using that though - suddenly they become easy to crack because you try dictionary words plus a bit of padding.
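A worked comparison of the two views argued in the posts above: the GRC “haystack” view, where the attacker knows only length and character classes, versus the reply’s point that once everyone pads a dictionary word the same way, the attacker searches word-plus-padding instead. This is an added example, not code from the thread or from GRC; the padded sample is constructed here to match the D0g + dots shape (the page truncates it), and the dictionary size, variant count, padding bound and guess rate are assumed attacker-model parameters.

```python
import math

# Alphabet sizes for the four character classes the thread talks about
# (symbols, lowercase, uppercase, numbers); 33 printable ASCII symbols.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

def charset_size(password: str) -> int:
    """Alphabet the attacker must cover if they know only which classes appear."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in password):
        size += CLASS_SIZES["symbol"]
    return size

def brute_force_bits(password: str) -> float:
    """Haystack view: attacker knows only length and character classes."""
    return len(password) * math.log2(charset_size(password))

def patterned_bits(dict_words: int, word_variants: int,
                   pad_alphabet: int, max_pad_len: int) -> float:
    """Known-pattern view: one dictionary word (with casing / leet variants)
    followed by a run of a single repeated padding character."""
    return math.log2(dict_words * word_variants * pad_alphabet * max_pad_len)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole search space at a given guess rate."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)

# Constructed samples: the random string quoted in the thread, and a padded
# password of the D0g + dots shape (21 dots chosen here, not taken from the page).
RANDOM_PW = "PrXyc.N(n4k77#L!eVdAfp9"
PADDED_PW = "D0g" + "." * 21

# Assumed attacker model for the 'everyone uses padding' case: 100k-word
# dictionary, 64 casing/leet variants per word, 33 pad symbols, pad up to 30.
PATTERN_MODEL = dict(dict_words=100_000, word_variants=64,
                     pad_alphabet=33, max_pad_len=30)
GUESS_RATE = 1e11  # assumed offline cracking rate, guesses per second

if __name__ == "__main__":
    for name, pw in (("random", RANDOM_PW), ("padded", PADDED_PW)):
        b = brute_force_bits(pw)
        print(f"{name:7s} len={len(pw)} charset={charset_size(pw)} bits={b:.1f} "
              f"years={years_to_exhaust(b, GUESS_RATE):.3g}")
    pb = patterned_bits(**PATTERN_MODEL)
    print(f"padded, pattern known: bits={pb:.1f} "
          f"years={years_to_exhaust(pb, GUESS_RATE):.3g}")
```

The padded string wins under the haystack view (one extra character), but under the known-pattern model its search space drops to roughly 32 bits, which the assumed guess rate exhausts in well under a second.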

Anything with a ‘system’ can be cracked. It might be impractical now but tools develop, things like that get better. You never know. Enigma may have stayed unbroken if it wasn’t for the way people used it - many used girlfriends’ initials etc to encode messages, and then when they repeated the first 3 characters of a message twice at the beginning of each message, it led to each message being cracked a lot easier.

I’m of the opinion that the only decent password is a totally randomly generated one. Anything with a system, or a meaning, is vulnerable to attack, and whatever the inconvenience of spending 5 or 10 minutes learning 20 or so characters in a row is, my online identity, banking info etc is worth a lot more than that inconvenience. Why make assumptions and take chances to save a few minutes of your life? It makes no sense to me at all!

I used to use incredibly weak passwords - digits only, 5 characters long, I thought no one would guess it because the numbers didn’t mean anything and were totally random. I now realise how idiotic this mindframe was, then moved on to an 8 character random password, yet still used the same password for everything. Now, I have gone on to 20 character, random, and even I don’t know what my passwords are - and being introduced to KeePass did all that! I won’t go back now :smiley:

I assume this comic was inspired by the password haystacks episode of Security Now (The TWiT Netcast Network with Leo Laporte) which aired only a few weeks before the comic was made. They also mention the comic in one of their latest episodes.

I also use a password manager and also a password generator. The best way I think.
Still the cartoon … quite simple algorithms to improve security.

Not really relevant, but I had to share this. :slight_smile:

Nick Helm has won an award for the funniest joke at the Edinburgh Fringe with “I needed a password eight characters long, so I picked Snow White and the Seven Dwarfs”.

Well, you just need to memorize one master password for your password manager.