Plenty of articles have been written about passwords, both on Habr and elsewhere on the Internet. Surprisingly, nobody has yet described another method, the one I use, even though it seems obvious.
I would like to note right away that I do not use a smartphone, so password managers of any kind are not available to me on a push-button phone.
Initially, like most users, I had one or two passwords that I used on every site. There is no point in writing about the shortcomings of this approach; there are plenty of them. Over time it became clear that it had to change. Using complex-password generators on third-party sites is inconvenient, because the generated password is forgotten and has to be changed again once the session expires. On the one hand this is good, because it forces us to change passwords constantly, making them harder to guess. But there are sites where the session ends after just one day, and changing the password that often starts to get annoying.
What qualities should a password have in order to suit our needs and also satisfy the requirements of the sites?
Be unique for each site
Contain letters of both cases, digits and special characters
Be able to comply with the policy of sites where a change is required once every N months
The first thing that came to my mind was to use a hash of the site name together with a custom rule. I took md5 as the basis, because an md5 generator is available both online and as a mobile application.
Next, a basic password-generation rule is drawn up, which is then used for all sites.
The essence of the rule is as follows. To generate a password, we take the string login@site.com and compute its md5 hash. Then we take the first or last N characters of the hash, depending on the required password complexity; for most sites a 10-character password is sufficient. The result is a string that already contains a mixed set of digits and letters. This password is already much stronger than the usual one, but it is still possible to guess it. In addition, most sites require the password to contain special characters and letters of both cases. To handle this, we come up with a rule of our own that will be common to all passwords.
The rule modifies two fixed positions in the hash fragment: 2 is added to one character and 1 to another (in the example below, the second and fourth characters), with digit arithmetic wrapping past 9 (9 + 2 gives 1, 9 + 1 gives 0). Then the first letter is capitalized and a special character is appended.
For example:
noroots@habr.com = c05184b3af6965b29f15571556a4cccd
The first 10 characters: c05184b3af
Add 2 to the second character and 1 to the fourth: c25284b3af
Capitalize the first letter and append a special character: C25284b3af#
The resulting password is C25284b3af#.
Now about the exceptions. Sometimes the hash fragment contains only digits, or just one letter, so the requirement for letters of both cases cannot be met. In that case you can simply increase the length of the fragment from 10 to 15, or use a more flexible rule: take not exactly N characters, but a fragment longer than N characters that includes at least 2 letters. Also, some sites require periodic password changes (for example, banking sites or Google). The solution is simple: to the string login@site.com we append the year and quarter (or the month or half-year, depending on how often the change is required), which again lets us always have an up-to-date password that can be reconstructed from memory.