First and foremost, the biggest hard drive on the planet is your mind. Reliance on technology - while almost second-nature at this point - isn't always the best option. Hopefully this will assist you in being able to 1) create a strong password, 2) remember multiple passwords (dozens, even hundreds of them) and 3) secure those passwords (after all, no one can pick your brain).
For those searching for "password storage systems", there is no shortage of helpful, even free, programs [1,2,3,4]. There is also no shortage of documents explaining why or how to create strong passwords. What I noticed in most documents and even programs is their lack of creativity. Let's be realistic, no one wants to remember $#.()p@%//\\- as a password. This would be an interesting form of mental punishment. Not only would it be mental punishment, but imagine for a moment the following scenario: You need a key safe to store your keys. You go out and buy the strongest one and lose the key... Now what?
Let's take a look at a small shop, say 20 servers. All have a distinct role and we want to keep a different password on each machine. We want this so that if someone compromises one machine, they're confined to that specific machine. Or, maybe we just want to torture ourselves and have different passwords. Let's lay out the framework for this company, which we'll now name Forgetful Inc.
Forgetful Inc. has ten servers running database instances for 5 credit card companies, each server having a redundant backup (BU). Let's name them:
Company1.forgetfulinc.com, Company1BU.forgetfulinc.com, Company2.forgetfulinc.com, Company2BU.forgetfulinc.com, Company3.forgetfulinc.com, Company3BU.forgetfulinc.com, Company4.forgetfulinc.com, Company4BU.forgetfulinc.com, Company5.forgetfulinc.com, Company5BU.forgetfulinc.com
They also have 5 other servers (WWW, Mail, Active Directory, ClientServer, Knowledgebase), again each with a backup:
WWW.forgetfulinc.com, WWWBU.forgetfulinc.com, Mail.forgetfulinc.com, MailBU.forgetfulinc.com, AD.forgetfulinc.com, ADBU.forgetfulinc.com, ClientServer.forgetfulinc.com, ClientServerBU.forgetfulinc.com, KB.forgetfulinc.com, KBBU.forgetfulinc.com
Twenty servers, each with a unique password. Each with a strong password we'd never have to keep stored anywhere other than our brains. Where should we start?
For starters we will need (drum roll): a strong password. The rest is simple. It really boils down to creativity from here.
We'll use password as our framework. (Seriously, password will be our guide here.) Using character substitution we'll replace the a with an @ sign, the s with a dollar $ign and the o with a zer0: typical "leet speak", leaving us with the password of:
p@$$w0rd, and this will be our starting point. Because many experienced security engineers, hackers and crackers will likely have a good list of variants on common words, we now move on to making this password more secure.
Using the fictitious domain name, we will do the same. The letter o becomes a zer0, any a becomes an @ sign, the letter i becomes !, and so on. We now create f0rgetful!nc from forgetfulinc and we have the second piece. Third piece? You got it, the hostname. Mail becomes m@!l and we're ready for a strong password that can't be forgotten:
m@!l.f0rgetful!nc.p@$$w0rd aka mail.forgetfulinc.password
We now have something that is extremely difficult, almost impossible, to guess, let alone to run ANY kind of wordlist against. We also have something extremely difficult to forget; after all, if you forget your hostname and domain name, you need more than a password keeper.
For each server we will go through the same motions: 20 different servers, each with a unique password that is almost impossible to crack. The key is to find a suitable password combination. You could use MAC addresses, other passwords, etc.; whatever you need to remember it. It gets easier after a while.
So how does this apply elsewhere? On the personal side of things, let's look at what I perceive to be the average number of passwords a typical person would have. I'd say 1 for work, 1 for personal e-mail, 1 for say a social networking site, maybe another for Twitter or some other site. Let's say 4 passwords. One issue with people is "ease of use", where the person thinks "no one would ever guess my password is...". Since many here are in the security field, I will tell you some of the things I've done to my wordlists, which are GBs in size:
Reversed entire words
Massive amounts of regular expressions 's:a:A:g;s:a:@:g;s:a:4:g;s:e:E:g;s:e:3:g;s:e:/=:g' and the list goes on.
Massive amounts of compound words using paste
Massive rehashing of the above with numbers before and after. E.g.: for i in `cat MASSIVE_WORDLIST` ; do for j in `seq 1 2010` ; do echo $i$j ; done ; done
Let's see how the last line works for those curious:
strategos ~ # cat MASSIVE_WORDLIST
strategos ~ # for i in `cat MASSIVE_WORDLIST` ; do for j in `seq 1 5` ; do echo $i$j ; done ; done
strategos ~ # for i in `cat MASSIVE_WORDLIST` ; do for j in `seq 100 105` ; do echo $i$j ; done ; done
So imagine a 500 million word list with numbers prepended or appended to most of its entries. For those thinking they can get away with appending numbers: it's not quite safe. Anyway, back to the password game here. On the personal side of the spectrum, I stated that I needed to remember 4 distinct passwords. Using the same context, here is a fictitious list of sites I have passwords for: Hotmail, Twitter, Worksite, MyBank. Using the same principles:
Hotmail becomes h0tm@!l
Twitter becomes tw!tt3r
Worksite becomes w0rks!t3
MyBank becomes myb@nk
My password? Thisissecret, which becomes th!$!$$ecret. Combined?
An eyesore? We could further add a period for a little more complexity:
Definitely an eyesore, and it will take some getting used to, but we can create memorable, secure passwords for individual accounts, never store them and always recall them. It's that simple. The hardest part is sticking with a regex you will always recall. Too much complexity will leave you banging your head; I'd even go as far as making a post-it (purposely, because I'm a glutton for punishment) with the regexes and keeping THAT stored somewhere, e.g.: a@, s$, i!, e3. The one thing you can never forget is the password itself, so don't be afraid to pick your favorite sports team; just do it wisely, e.g.: @$tr0$.p@$$w0rd.h0tm@!l
Remembering passwords? Piece of cake. On my laptop, I have a 38 character password combination. Pain to type, easy to remember. Secure as heck. EVERY SINGLE account I have access to, all have a different password. All are well over the 20 character mark and I can recall them at will. Takes some getting used to, sure, but remember... Your brain is the safest storage system you have.
Encryption... Different story altogether.
 http://operationstech.about.com/od/info ... swords.htm