Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    PUBLIC_KEYS    |    Public-Key Discussion Echo    |    845 messages    |
|    Message 838 of 845    |
|    Wilfred van Velzen to August Abolins    |
|    Re: self-managed passwords with gpg    |
|    06 Feb 26 14:05:21    |
MSGID: 2:280/464 6985e986
REPLY: 2:221/1.58@fidonet 291e37d8

Hi August,

On 2026-02-04 22:26:00, you wrote to me:

 AA>>> Nothing about the formula is predictable. Only I know it. It's
 AA>>> only in my head. And.. depending on the circumstances for pw
 AA>>> changes by some sites, even the tweaking follows a pseudo "rule".

 WvV>> How long are your passwords? Do they have pronounceable words/parts?

 AA> Length can vary, depending on the formula output for each "part".
 AA> Pronounceable words are a choice. Pronounceable or not doesn't really matter if
 AA> the whole sum of parts makes no "sense".

Well, it makes your password easier to guess. Password guessers use dictionaries.

 AA>>> add some other uniqueness in some other way that only you know, and
 AA>>> you have a pw that no one could guess,

 WvV>> "No one" isn't the problem. It's the automated password guessers that
 WvV>> are your adversaries. And they can try thousands or probably millions of
 WvV>> passwords in a second, and do that in a smart way.

 AA> The automation doesn't matter. The front-ends for password entry would slow
 AA> down rapid attempts anyway. No site would allow any of those millions of
 AA> passwords in one second. Login attempts are limited per minute or max out
 AA> after a handful of tries.

It will probably do for those types of attacks. But sometimes databases get
stolen. Or hackers get direct access to the systems that store the (encoded)
passwords.

 WvV>> Can you give an example for a fictitious website (without revealing
 WvV>> your formula of course)?

 AA> Sure.

 AA> Think of it in 4 or 5 parts: [A] [B] [C] [D] [E]

 AA> Part [A] would be something meaningful to you for the particular site/
 AA> service: eg. for FictitiousWebsite.com, think of a "formula" for it,
 AA> say.. FW, or ficweb, or just use the first 3 or 6 consonants, or the vowels,
 AA> or the consonants for the first word, and vowels for the second word. The
 AA> possibilities to encode that are limited to the imagination, but just stick
 AA> to an encoding scheme that you like - and that will make it easy to remember
 AA> when you need it.

 AA> Part [B] could be a string of 4 to 8 numbers that are only meaningful to you,
 AA> and you can even append an encoded number to that based on the string of chars
 AA> you used for part [A]. How you encode it is up to you. eg. a simple ROT
 AA> function, some part of pi, or a combo of 4 numbers from one credit card and
 AA> the 4 numbers of another credit card [the latter credit card example is
 AA> something you can always look up if you can't remember that].

 AA> Part [C] could be reserved for one or more special characters that most
 AA> systems often require. So, pick some special char or sequence of chars that
 AA> you like and that would make sense to you. You could even pick the special
 AA> char based on the string of chars you ended up with for part [A], so that [C] is
 AA> always different from site to site.

 AA> Part [D] could be reserved for a couple of short silly words that can also be
 AA> processed to make them look less like obvious words. How you process them or
 AA> not is up to you.

 AA> Parts [A] [B] [C] [D] could be in any order you like.

As long as you always use the same order. Otherwise you can forget which order
you used for a particular website. ;-)

 AA> Figure out something else for part [E] which could be another function
 AA> of any of the other parts.

 AA> As a whole, the result will be a pretty fine pw string that only you
 AA> knew how to construct, and can reconstruct when you need it.

The devil is in the details I suppose. Depending on a few variables in your
scheme, it might be sufficiently random for password guessers (which have
become quite advanced, and will only become better in the future) to not break
it.

But I think it's much easier and safer to use long, truly randomly generated
passwords and store them in a password manager.

Bye, Wilfred.

--- FMail-lnx64 2.3.2.6-B20251227
 * Origin: FMail development HQ (2:280/464)
(c) 1994, bbs@darkrealms.ca