At last - a strong yet memorable password method

SplashID (which I also use) is only for encrypted, secure information storage, though it does have a built-in WebKit browser for you to do simple browsing within, which includes the ability to call up said username/password on-screen while browsing so you can enter it when required. However, it’s typically not used in actual surfing; it’s just there to remember stuff for you in case you forget.

However, SplashID can sync to one’s desktop via a desktop companion that can call up the same information whenever it’s needed, and sync back and forth if you lose the data on the iPhone.

Wait a minute, those are all 7 characters. What’s up with that?

For me, I usually combine the site with a related word and a PIN. For example, my Amazon password will be something like AmazonBooks9677. I have a notebook that I keep these written in, but hopefully they are written in a way that is not easy to decode, as I always convert the PIN to hex and swap the order:

Books: Amazon, 25CD

At work, I have to switch every 90 days, minimum 8 characters, with 3 of the following: capital letters, lower case letters, numbers, or a non-standard symbol (*, _, -, etc…). They also will not allow any kind of repeat, so Hampshire’s method would not work as they would disallow Dec2008 because the previous password had 2008 in it also. So, with these requirements, I typically just make something up and hope I remember it. I am always forgetting my password and having to reset it…
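A checker for the corporate policy described in the comment above, as an added example that is not code from the commenter or their employer. The length and character-class numbers come straight from the comment; the "no repeat" rule is implemented here as "no run of four or more characters shared with the previous password", which is an assumption about how that rule is enforced (it is enough to reject Dec2008 after a password containing 2008). The 90-day rotation is a calendar rule, not a string rule, so it is left out.

```python
import string

# Values taken from the comment above. REUSE_RUN is an assumption: the comment
# only says "any kind of repeat" is refused, so a shared run of 4+ characters
# is used as the definition of a repeat.
MIN_LENGTH = 8
MIN_CLASSES = 3
REUSE_RUN = 4

CHARACTER_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),   # covers *, _, - and the rest
}


def classes_present(password):
    """Return the set of character classes that appear in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def longest_common_run(a, b):
    """Length of the longest substring shared by a and b (case-insensitive)."""
    a, b = a.lower(), b.lower()
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def violations(new_password, previous_password=None):
    """Return the names of the rules the candidate breaks; an empty list means accepted."""
    broken = []
    if len(new_password) < MIN_LENGTH:
        broken.append("length")
    if len(classes_present(new_password)) < MIN_CLASSES:
        broken.append("classes")
    if previous_password is not None and \
            longest_common_run(new_password, previous_password) >= REUSE_RUN:
        broken.append("reuse")
    return broken


if __name__ == "__main__":
    # Constructed candidates: Hampshire-style month+year, an all-lowercase word,
    # and one that satisfies every rule.
    for candidate, previous in [("Dec2008", "Nov2008"),
                                ("hampshire", None),
                                ("Winter-Lamb7", "Nov2008")]:
        print(candidate, "->", violations(candidate, previous) or "accepted")
```

Dec2008 fails twice: it is seven characters, and it shares the run 2008 with the previous password, which is exactly why the month+year scheme cannot survive this policy.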

What Mindfield said. It syncs with a desktop version of the same software.

I used this product on my Palm Treo for years and now use it on my iPhone. SplashID has served me well for many years.

It is time to admit that the method of using passwords for identification purposes is broken. Every site you log on to requires you to have a password, every site has different length requirements, every site has a different set of allowable characters, most sites asking you to create a password do not list the minimum/maximum lengths and the allowable character set for passwords.

(I can count on the fingers of one hand the sites I have seen that list all three things you need to know to create a password: minimum length allowed, maximum length allowed, list of characters allowed.

People implementing password schemes seem to have no idea of ways to make it at least a little easier for the user.)

The different requirements for passwords in effect at each site prevent you from reusing the same password in several places unless you stick to small passwords with no special characters, which defeats the purpose.

I use randomly generated passwords, a different one for each site, that are stored using KeePassX (a password database program) on my desktop machine. I have very few of them memorized.

If you’re a touch typist, an additional layer of fucking with dictionary-based attacks can be had by moving your hands one key to the left and typing your password normally.

I also have jumped on the passphrase bandwagon–no matter whether it has dictionary words in it or not, a 130-character password is going to be nigh-impossible to break if it’s not a ridiculously common phrase. Add a few number-for-letter substitutions or weird turns of phrase and you’re all set.

For the longest time, the root password on my work machines (three jobs ago) was “Mares eat oats and does eat oats and little lambs drink c0ff33!? Yeah, brute force THIS.” (with the insult built right into the password. =P)

I forgot to say: I hear a lot of talk about dictionary-based attacks, but in which situations are those really effective? It seems that most places will disable your login after a certain number of invalid login attempts. Does anyone know of a recent real-life case of a password stolen through a dictionary attack?

The most typical dictionary-attack scenarios are those where the attacker gets the ciphertext of your password in some way first–by way of example, say, by intercepting an NTLM packet from your corporate wireless when you log into the Windows domain, or by abusing poor/default Apache configuration to grab your /etc/shadow file from your Unix box.

Then a dictionary attack is done against the stolen ciphertext, so the target system’s lockout-after-x-attempts is never touched.
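To make the offline-versus-online distinction in the last two comments concrete, here is an added example that is not code from anyone in this thread. It runs the same small dictionary with a few mangling rules against two targets: a stolen hash record, where nothing ever touches the target system, and a simulated login endpoint that locks after five failures. The hash scheme (salted SHA-256 in a made-up record layout), the salt, the user name, the wordlist and the lockout threshold are all constructed for the example; a real dump would be NTLM or crypt(3) output as the comment says, and the rule engine of a real cracker is far larger. The one-key-left trick from earlier in the thread is included as one of the rules, because to a cracker it is just another deterministic transform of a dictionary word.

```python
import hashlib
import itertools

# --- Constructed "stolen" material (not from any real dump) ---
SALT = "x9Qk"   # made-up salt; the record layout below is illustrative, not crypt(3)


def hash_password(password, salt=SALT):
    return hashlib.sha256((salt + password).encode()).hexdigest()


# The attacker only ever sees the salt and the hash. The plaintext used to build
# the record is a leet-speak form of a dictionary word, as in the thread.
STOLEN_RECORD = {"user": "alice", "salt": SALT, "hash": hash_password("c0ff33")}

# Tiny constructed wordlist standing in for a real dictionary file.
WORDLIST = ["password", "letmein", "amazon", "books", "mares", "coffee", "lambs"]

# --- Mangling rules applied to every dictionary word ---
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})

QWERTY_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
LEFT_OF = {}
for row in QWERTY_ROWS:
    for i in range(1, len(row)):
        LEFT_OF[row[i]] = row[i - 1]
        LEFT_OF[row[i].upper()] = row[i - 1].upper()


def shift_left(word):
    """Type the word with both hands one key to the left; leftmost keys stay as-is."""
    return "".join(LEFT_OF.get(ch, ch) for ch in word)


RULES = {
    "as-is": lambda w: w,
    "capitalize": str.capitalize,
    "leet": lambda w: w.translate(LEET),
    "shift-left": shift_left,
}
SUFFIXES = ["", "1", "123", "!", "2008"]


def candidates(wordlist):
    """Every (word, rule, mangled candidate) combination, in a fixed order."""
    for word, (rule, fn), suffix in itertools.product(wordlist, RULES.items(), SUFFIXES):
        yield word, rule, fn(word) + suffix


def crack_offline(record, wordlist):
    """Hash every candidate locally and compare; no server is involved, so no lockout."""
    attempts = 0
    for word, rule, candidate in candidates(wordlist):
        attempts += 1
        if hash_password(candidate, record["salt"]) == record["hash"]:
            return {"word": word, "rule": rule, "password": candidate, "attempts": attempts}
    return {"password": None, "attempts": attempts}


# --- Contrast: the same guesses against a live login that locks the account ---
class LockedOut(Exception):
    pass


class OnlineLogin:
    def __init__(self, record, max_failures=5):   # threshold is a constructed value
        self.record, self.max_failures, self.failures = record, max_failures, 0

    def attempt(self, password):
        if self.failures >= self.max_failures:
            raise LockedOut("account locked after %d failures" % self.max_failures)
        if hash_password(password, self.record["salt"]) == self.record["hash"]:
            return True
        self.failures += 1
        return False


def crack_online(record, wordlist):
    """Same dictionary and rules, but the lockout ends the attack after a few guesses."""
    login = OnlineLogin(record)
    attempts = 0
    for _, _, candidate in candidates(wordlist):
        try:
            ok = login.attempt(candidate)
        except LockedOut:
            break
        attempts += 1
        if ok:
            return {"password": candidate, "attempts": attempts}
    return {"password": None, "attempts": attempts}


if __name__ == "__main__":
    print("offline:", crack_offline(STOLEN_RECORD, WORDLIST))
    print("online: ", crack_online(STOLEN_RECORD, WORDLIST))
    print("shift_left('password') =", shift_left("password"))
```

The offline run recovers c0ff33 on its 111th hash with no one the wiser; the online run is locked out after five. That is the whole reason attackers want the hash file or the captured authentication exchange first, and it is why a per-site random password from a manager (as suggested above) limits the damage when one site's hashes do leak.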