Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    PUBLIC_KEYS    |    Public-Key Discussion Echo    |    845 messages    |
|    Message 839 of 845    |
|    August Abolins to Wilfred van Velzen    |
|    self-managed passwords with gpg    |
|    06 Feb 26 20:13:00    |
MSGID: 2:221/1.58@fidonet 292e4e6a
REPLY: 2:280/464 6985e986
PID: OpenXP/5.0.64 (Win32)
CHRS: ASCII 1
TZUTC: -0500

Hello Wilfred!

AA>> Length can vary, depending on the formula output for each "part".
AA>> Pronounceable words are a choice. Pronounceable or not doesn't really
AA>> matter if the whole sum of parts makes no "sense".

WvV> Well it makes your password easier to guess. Password guessers use
WvV> dictionaries.

First of all, a password guesser only comes into play when the hacking system
relies on known email addresses that are assumed to be the username part.

There is no risk of hack if even the username part follows some obfuscation
process too.

I don't know about you, but many of my site/system logins are NOT email
addresses. So, to guess the right username + password pair would be nearly
impossible to "guess", and force-feeding millions of combinations of those at
the user interface would be impossible.

WvV> [...] But sometimes databases
WvV> get stolen. Or hackers get direct access to the systems that store the
WvV> (encoded) passwords.

I think unencrypted databases are the true target.

AA>> Parts [A] [B] [C] [D] could be in any order you like.

WvV> As long as you always use the same order. Otherwise you can forget which
WvV> order you used for a particular website. ;-)

That's right. Find the "formula" that works for you, and stick with it, and
then you can recreate a pw for any site you need. The whole point is to
avoid having to remember a particular pw string - just rebuild it.

WvV> The devil is in the details I suppose. Depending on a few variables in
WvV> your scheme, it might be sufficiently random for password guessers
WvV> (which have become quite advanced, and will only become better in the
WvV> future) to not break it.

Still, the guessers are useless if they can't throw all their guesses at an
account in a few seconds.

WvV> But I think it's much easier and safer, to use long truly randomly
WvV> generated passwords and store them in a password manager.

I dunno.. I find it quite easy (and fun) to rebuild my passwords when I have
to. I might need to use an intermediary computer to access something
temporarily, and I won't need to rely on any other devices to provide the pw.

And length is not as critical as to avoid outright guessable. I have a
friend who simply uses her first name and 1234 for her hotmail account, and
her name is in the email address itself!

Another fellow uses the layout of the keyboard to guide him to "remember" his
passwords. Eg. the leftmost keys on the kb = qweasdzxc, or qazwsxed, and
then some numbers. Personally, I would not use that scheme as the sole pw.
Instead, maybe the qweasdzxc or qazwsxedc strings could be one of the parts
in [A] [B] [C] as a minimum.

I do admit, that some of my sites don't follow exactly the same scheme
between them. I do something different for financial/banking accounts too.
And a few older sites have pws before I came up with the formula method.

I have stored a few more pws using my gpg method. I luv it.

I wish I had thought of using my formula method and gpg store idea for my
facebook account that I started using over about 15yrs ago. Last night, I
accidentally logged out of facebook and the recovery system is not allowing
me to finish authentication unless I "use another device"! That is
impossible, since I've only ever used facebook on only one recent device
which is the one I logged out of!

I did once access facebook on one of my iPods, but the wifi on it stopped
working a long time ago.

For recovery, facebook can send a 6-digit code to an email address that I had
associated with facebook. That works. But when I enter the 6-digits at the
facebook prompt for those digits, it comes up with "you have to use another
device that you used before". That requirement is stupid! I think this
might be the perfect time to drop Facebook.

--
../|ug

--- OpenXP 5.0.64
 * Origin: What do you call an excavated pyramid? Unencrypted. (2:221/1.58)
SEEN-BY: 50/22 103/705 105/81 106/201 124/5016 128/187 153/757 7715
SEEN-BY: 154/10 30 110 203/0 218/700 221/1 6 226/30 227/114 229/110
SEEN-BY: 229/112 134 206 317 400 426 428 470 664 700 705 240/1120
SEEN-BY: 240/5832 266/512 280/464 5003 5006 291/111 292/854 8125 301/1
SEEN-BY: 310/31 320/219 322/757 341/66 234 342/200 396/45 423/81 120
SEEN-BY: 460/58 256 1124 633/280 712/848 770/1 902/26 5020/400 8912
SEEN-BY: 5054/30 5075/35
PATH: 221/1 280/464 460/58 229/426
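The message above argues about two weak habits that a site's own password policy check can catch before a stolen database ever matters: keyboard walks such as qweasdzxc / qazwsxedc used as a "part", and a first name plus 1234 where the name is already in the email address. The following is an added example written for this archive page, not code from either participant, OpenXP or the echo. It assumes a US QWERTY layout (the row strings below are constructed) and a tiny constructed stop-list standing in for the dictionaries that password guessers use; a real deployment would load a full list such as the Have I Been Pwned corpus.

```python
import re

# Constructed: the four key rows of a US QWERTY keyboard, left to right.
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Constructed stand-in for a real cracking dictionary.
DICTIONARY = {"password", "welcome", "letmein", "monkey", "dragon"}


def keyboard_sequences(min_len: int = 3) -> set[str]:
    """Every run of >= min_len physically adjacent keys, walking a row
    left/right or a column top/bottom (qaz, wsx, edc, ...), both directions."""
    lines = list(QWERTY_ROWS)
    letter_rows = QWERTY_ROWS[:3]
    for i in range(max(len(r) for r in letter_rows)):
        lines.append("".join(r[i] for r in letter_rows if i < len(r)))
    seqs: set[str] = set()
    for line in lines:
        for start in range(len(line)):
            for end in range(start + min_len, len(line) + 1):
                run = line[start:end]
                seqs.add(run)
                seqs.add(run[::-1])
    return seqs


KEYBOARD_RUNS = keyboard_sequences()


def keyboard_walk_coverage(password: str) -> float:
    """Fraction of the password covered by adjacent-key runs of >= 3 keys.
    Greedy longest-match, so qweasdzxc is seen as qwe + asd + zxc."""
    pw = password.lower()
    covered, i = 0, 0
    while i < len(pw):
        best = 0
        for end in range(len(pw), i + 2, -1):  # longest candidate first
            if pw[i:end] in KEYBOARD_RUNS:
                best = end - i
                break
        if best:
            covered += best
            i += best
        else:
            i += 1
    return covered / len(pw) if pw else 0.0


def contains_identity(password: str, username: str) -> bool:
    """True if any word of >= 3 letters from the username / email local part
    (e.g. 'susan' from susan.smith@example) appears inside the password."""
    local = username.split("@")[0].lower()
    tokens = [t for t in re.split(r"[^a-z]+", local) if len(t) >= 3]
    return any(t in password.lower() for t in tokens)


def audit_password(password: str, username: str = "") -> list[str]:
    """Return a list of policy findings; an empty list means no pattern hit."""
    findings: list[str] = []
    if len(password) < 12:
        findings.append("short: fewer than 12 characters")
    cov = keyboard_walk_coverage(password)
    if cov >= 0.5:
        findings.append(f"keyboard walk: {cov:.0%} of characters are adjacent-key runs")
    if username and contains_identity(password, username):
        findings.append("contains username/email local part")
    if re.search(r"(\d)\1{2,}|0123|1234|2345|3456|4567|5678|6789", password):
        findings.append("digit sequence: repeated or consecutive digits")
    for word in re.findall(r"[a-z]+", password.lower()):
        if word in DICTIONARY:
            findings.append(f"dictionary word: {word}")
    return findings


if __name__ == "__main__":
    # Constructed samples mirroring the habits discussed in the thread.
    for pw, user in [("Susan1234", "susan.smith@hotmail.com"),
                     ("qweasdzxc2024", ""),
                     ("Tz7!kQ9#mW2^vB", "")]:
        print(pw, "->", audit_password(pw, user) or ["no findings"])
```

The coverage metric is what makes the keyboard-walk check useful as a policy rule rather than a blocklist: a walk fragment buried in an otherwise long, random string scores low, while a password that is mostly walks (the "sole pw" case the author warns against) scores high even if it is long. This only addresses the online-guessing side of the thread; it says nothing about how the stored verifier is protected once a database is stolen.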
(c) 1994, bbs@darkrealms.ca