I just wanted to share this information in case anyone finds it useful. It touches more on the concepts I talked about above (Length>Complexity), but talks about how you can take advantage of that fact to create passwords that are really easy to remember but are also extremely strong.
https://www.grc.com/haystack.htm

If anyone is still trying to decide on the best solution for a password manager and is finding it difficult, an option could be to take advantage of the password haystacking concept.
When an attacker has exhausted all their easier options for cracking a password (dictionary, rainbow tables, common passwords, etc.), then their only other option is to do an exhaustive brute-force search. Once that's begun, the only thing that matters is length.
So how can you take advantage of this fact? Well, as the article talks about, all you need to do is come up with a simple and easy to remember password (for example, "Tig3r"), and then simply pad its length. Since all that matters is length, the padding will take care of that for you. All you need to do is worry about making sure that each site has a different password. Since an attacker isn't going to know what part of the password is different from site to site, each site's "key" only needs to be a few characters long.
What you could then do is simply create a key list for all your sites. For example, Amazon.com = ke2, ebay.com = pq5, etc...
You can then combine your password with the key for that site and then simply pad the rest with a character. So my passwords could look like this (using my example memorable password from above):
Amazon.com =
Tig3rke2!!!!!!!!!!!!
ebay.com =
Tig3rpq5!!!!!!!!!!!!
You could then simply store that key anywhere you'd like and have it with you anywhere you'd need it. It doesn't even need to be secure, since it isn't useful information to a hacker until other data breaches have also taken place. Let me explain...
Let's look at some scenarios:
Scenario 1) Compromising your actual website passwords is extremely difficult because of their length. That's already true, and you're secure from a password cracking/brute-force perspective. Nobody knows the concept behind your passwords since it is only in your head. Therefore, your 20-character passwords are just as strong as even the most randomized 20-character passwords.
Scenario 2) Let's say your Amazon.com password was exposed because you fell victim to a phishing website. So they didn't need to crack your password because you gave it away. All they know is that "Tig3rke2!!!!!!!!!!!!" is your Amazon.com password. They'd have no idea that the passwords for your other websites have patterns similar to it. They also have no idea of the existence of your key list. So your other websites are safe.
Scenario 3) The final scenario is that your key list is compromised. Since your website passwords haven't been compromised, they'll have no idea what those three characters for each website are for and would have no idea how to apply them. They're as good as nothing.
Long story short, password haystacking is a great way to create memorable passwords that are extremely difficult to crack. Your only chore is to design a method that takes advantage of the fact that length matters above all else, creating different passwords for each website so that if one password is compromised, they aren't all compromised.
If you're uneasy about using a password manager (and there is enough reason to be, IMO), then hopefully this advice is useful for coming up with another alternative that might be useful for some.
Final note: even if you do decide to use a password manager, you will still need to memorize at least one password. I highly recommend using the haystacking (length) technique as described.
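As an added illustration of the post's "length matters" argument (this is editor-written example code, not the poster's or GRC's), the script below builds a password the way the post describes (memorable base + per-site key + padding) and estimates the exhaustive-search space an attacker would have to cover for it. The search-space model is an assumption stated in the code: the alphabet is the sum of the sizes of the character classes present (26 lower, 26 upper, 10 digits, 33 symbols), and the count covers every candidate of every length up to the password's length, which is the convention the linked haystack page describes. The figure only applies under the post's own premise, namely that the attacker knows nothing about how the password was constructed; the site names and keys are the constructed examples from the post.

```python
import string

# Character classes an exhaustive search has to cover. The class sizes follow the
# convention the linked GRC haystack page uses (26 + 26 + 10 + 33 = 95); treating
# the alphabet this way is an assumption of this example, not a cracking model.
CLASSES = (
    ("lower", frozenset(string.ascii_lowercase), 26),
    ("upper", frozenset(string.ascii_uppercase), 26),
    ("digit", frozenset(string.digits), 10),
    ("symbol", frozenset(string.punctuation) | {" "}, 33),
)

# Constructed key list, taken from the post's own examples.
SITE_KEYS = {"Amazon.com": "ke2", "ebay.com": "pq5"}


def alphabet_size(password: str) -> int:
    """Size of the alphabet a brute-force search must enumerate: the sum of the
    sizes of every character class that appears at least once in the password."""
    return sum(size for _name, chars, size in CLASSES
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Number of candidates an exhaustive search tries before it is guaranteed to
    have covered every string of length 1..len(password) over that alphabet."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, guesses_per_second: int) -> float:
    """Worst-case time to exhaust the search space at a given guessing rate.
    The rate is a parameter because it depends entirely on the attacker's
    hardware and on how the site hashed the password (an assumption here)."""
    return search_space(password) / guesses_per_second


def haystack_password(base: str, site_key: str, pad_char: str, total_length: int) -> str:
    """Build a password the way the post describes: memorable base, then the
    per-site key, then one repeated padding character up to total_length."""
    if len(pad_char) != 1:
        raise ValueError("pad_char must be exactly one character")
    core = base + site_key
    if len(core) > total_length:
        raise ValueError("base plus site key already exceeds total_length")
    return core + pad_char * (total_length - len(core))


def site_passwords(base: str, keys: dict, pad_char: str = "!", total_length: int = 20) -> dict:
    """Apply the scheme to every site in a key list; returns {site: password}."""
    return {site: haystack_password(base, key, pad_char, total_length)
            for site, key in keys.items()}


if __name__ == "__main__":
    short = "Tig3r"
    for site, pw in site_passwords(short, SITE_KEYS).items():
        print(f"{site:12} {pw}")
    for pw in (short, haystack_password(short, SITE_KEYS["Amazon.com"], "!", 20)):
        print(f"{pw!r}: alphabet={alphabet_size(pw)}, "
              f"search space={search_space(pw):.3e}, "
              f"years at 1e11 guesses/s={seconds_to_exhaust(pw, 10**11) / 31_557_600:.3e}")
```

Running it side by side for "Tig3r" and the padded 20-character form shows the point the post is making: the padded password's search space is larger by many orders of magnitude even though the padding is a single repeated character, because the count is driven by alphabet size raised to the length. The assumption that makes this hold is the one the post states in scenario 1: the attacker has no knowledge of the construction and so cannot shrink the space to "base + key + padding".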