I have a memorized "satisfy stupid password rules"-string made up of lowercase, uppercase, digit, special character. Eg. pA5$word
Then I use "service name" [space] above string [space] "4-5 word sentence that first pops into my mind when I think about the service name"
So for netflix I would get:
netflix pA5$word the net is flickering
Serves me well and I have never entered the secret string in any password manager, only the ending sentence. I can't autotype it though but since it's a sentence it's remarkably easy to type correctly. It also surprises me how often I remember the "first sentence that pops into my mind".
The only problem I have with this scheme right now is services that don't allow something in this pattern (mostly no spaces) and forces me to deviate which makes my blood boil.
For a brute-force dictionary attack: the "netflix" part is worth as much as a single random character; the length added by the sentence will do you much good. The special chars are good.
When a hack like this happens and becomes public and someone tries to attack you specifically: the "netflix pA5$word" becomes worthless, but the sentence saves you.
If you forget stuff: the sentence will break your neck.
I guess a good master password and a password safe with random passwords is better, but you are doing pretty good! Also you can use a single password on an untrusted computer without fearing to compromise all other passwords too (again, thanks to that sentence).
> His password: netflix pA5$word the net is flickering
I don't get it that you say that "netflix" in this password has no more worth than a single character. How can the cracker know that this is "netflix" and not "netfli " or "neTflix"?
Furthermore, it's not like the password reveals itself during the process. Until all characters are found, there should be no logic in the result, or am I wrong?
I thought he uses the unchanged service name as a prefix. If I had the chance to brute-force netflix accounts with a dictionary I'd definitely have "netflix" as one of my dictionary words for it (and Netflix and netflix.com and Netflix.com etc).
I assume netflix is in the dictionary for all word-based brute-force attacks. It's just a prefix word in the scheme that is super easy to remember; it's in the URL. And an attacker can't know whether it's www.netflix.com, www.netflix.se, Netflix, NETFLIX, in the beginning, in the end or any number of variants that could be used consistently in the scheme. The main part is that I can remember it as "service name lower case" "breaker string" "words".
> the "netflix" part is worth as much as a single random character
Unless you mean that they'll look for "netflix" specifically because of the service they're cracking, surely a word adds much more entropy than a single character?
~50 commonly usable characters, vs tens of thousands of words.
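The disagreement above ("worth as much as a single character" vs "tens of thousands of words") comes down to the attacker model, so here is an added worked example (not from any commenter) that estimates the guess-space bits of each part of the `<service> <secret string> <sentence>` layout. The alphabet size (50) and word-list size (tens of thousands) are the thread's own figures; the number of service-name variants (8) and the secret-string length (8) are assumptions.

```python
import math

# Sizes taken from the thread: ~50 usable characters, tens of thousands of words.
ALPHABET_SIZE = 50
WORDLIST_SIZE = 20_000
# Assumed: how many spellings/placements of the service name an attacker who
# knows the scheme would try (netflix, Netflix, NETFLIX, netflix.com, ...).
SERVICE_VARIANTS = 8


def bits(guesses: int) -> float:
    """Guess-space size expressed in bits (log2 of the number of candidates)."""
    return math.log2(guesses)


def component_bits(secret_len: int = 8, sentence_words: int = 4,
                   attacker_knows_scheme: bool = True) -> dict:
    """Estimate bits contributed by each part of the password.

    If the attacker knows the scheme, the service name is just a handful of
    variants (about as much as one random character, as the reply argues).
    If not, it is one more dictionary word (as the later reply argues).
    Both views are right under their own assumption.
    """
    if attacker_knows_scheme:
        service = bits(SERVICE_VARIANTS)
    else:
        service = bits(WORDLIST_SIZE)
    secret = secret_len * bits(ALPHABET_SIZE)        # memorized "rules" string
    sentence = sentence_words * bits(WORDLIST_SIZE)  # 4-5 dictionary words
    return {"service": service, "secret": secret, "sentence": sentence}


def remaining_bits(components: dict, leaked: tuple = ()) -> float:
    """Bits still unknown after the named parts leak, e.g. from a breach dump
    that exposes 'netflix pA5$word' while the per-service sentence differs."""
    return sum(v for name, v in components.items() if name not in leaked)


if __name__ == "__main__":
    for known in (True, False):
        c = component_bits(attacker_knows_scheme=known)
        print(f"scheme known={known}: " +
              ", ".join(f"{k}={v:.1f} bits" for k, v in c.items()))
    c = component_bits()
    print(f"after service+secret leak: {remaining_bits(c, ('service', 'secret')):.1f} bits")
```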