> So a minimally functioning brain can be assumed.
I doesn't matter how functional your brain is, it sucks at remembering arbitrary strings. Unless you are some sort of idiot savant.
> Now what is required to the brain is not much more elaborated than that.
No what is required for the brain is to do something it's not designed for.
> From the list of partial passwords, say written on paper, but not necessarily, you modify the partial passwords with a simple rule, like:
> - adding your pet name to the written down partial passwords (not very good actually), better
> - replacing the last 3 characters with the next ones in the alphabet, or
> - swapping the odd and even positioned characters,
> - etc.
None of that is very good, actually.
I have 5 sets of passwords I need to memorize for work.
I need a unique password for each website I need account for. That is probably about 10 or 15 different websites.
My mortgage company
My house insurance company
My car insurance company
My credit card
The power company for my rental
The water and sewage company for my house
The water and sewage company for my rental.
some other websites.
and a few other dozens websites I use for various reasons. A lot of them I very rarely use, but when I need to use them it's somewhat important.
You tell me you can memorize all these and keep them straight by just swapping out pet names or doing random 3 letter word combinations. I have probably about 30 different passwords that need to be kept track of. A average person who uses the internet for bills and social media stuff probably has at least 15 accounts they need to keep track of.
What you are suggesting is all incredibly bad advice that will lead to a forgotten passwords, lots of password recoveries, lots of phone calls to the help desk at work. People will invariably choose to use shorter and simpler passwords and using the same passwords over and over again. Even if they are smart and try to use a good policy it will just end up punishing them and pushing them towards bad password management habits.
This sort of really bad advice that is repeated over and over again is exactly why people get their crap broken into. This contributed to why Debian got hacked. Fedora got hacked. Kernel.org got hacked. This is why people were able to gain access to source code repositories and key signing servers and all sorts of sensitive places like that. 90 times out of a 100 it is not a software vulnerability; it's because some goofball used a password to access a system that was hacked or should not of been trusted and they used the same password, or variation of it, on something that was actually important or their own workstation (and allowed ssh access from the internet).
- Use unique passwords, _always_.
- Use very long passwords. Minimal 8 letters. Better of with 16, better off with 32, etc.
- Use random passwords.
- Passwords not based on favorite names or important dates or favorite teams, etc
- Passwords NOT based on words or misspelling of words. Swapping around letters is NOT useful. Substituting special characters for letters is NOT useful. Tacking on numbers to the end of words is NOT useful. These increase the difficulty of accurately remembering passwords massively while at the same time only trivially more difficult for a attacker to brute force or guess.
Trying to keep that straight in your head is very counter productive. It's better to not even try. Once you give up the need to try to memorize passwords then using proper passwords is massively easier.
> """able to remember that you wrote down the passwords on the pad of paper"""
Now compare all that to something that humans are actually very good at like:
"Were did I leave my wallet?"
"Were are my car keys?"
"Which drawer in my desk did I leave my password book in?"
If you don't know these then it's very easy to find out answers relatively quickly with usually minimal work.
Now if you don't use your online bank account but once every 3 or 4 months to check your balance... what are the chances you'll be able to recall a password that is _actually_secure_?
I understand a paper pad is not suitable for all purposes and is vulnerable to theft. Password managers are almost as good.
For Linux users something that is simple would be a LUKS encrypted USB key or something like that to store a text file of passwords or something like that. Real password managers are probably better, as long as you know how they function and keep their 'vaults' backed up to multiple systems. Encrypted files generally can be trusted so even if you back your password vaults up to insecure systems, you will be OK as long as you don't actually try to access their contents on those systems.
Some websites I use crap passwords because I am lazy. This is very hard to avoid.
But when I am doing good I always use passwords like this:
That is randomly generated stuff by using the 'pwgen' command, because creating new passwords is irritating and time consuming. In this case it was "pwgen -c1y 20 10" When I feel like being paranoid I won't even trust pwgen output.
For passwords that I need to recall on a continious basis, which is about 2-3 that I absolutely use on a daily basis I can memorize something strings like above. After using a password like that for a few weeks in situations were I must use it over and over and over again I can actually recall it much better using muscle memory then I can with just thinking about it. It's a bit silly feeling to have to sit down and close my eyes and type a password out to gedit to be able to recover it, but it is not atypical.
But lately I've been basing passwords on random strings of english words that end up about 20-30 characters long, for passwords I must use very often. No intentional mispellings or '7331' speak or any of that nonsense. They take a long time to type out, but accuracy increased massively and now I have to make less phone calls to unlock my accounts. For commonly used passwords changing them every month or two is critical.
(by-the-way: password lock-out policies are asinine. It amazes me that they don't understand that a person with simple shell script and a list of usernames can trivially perform a DOS attack on any major corporation that uses a password lock-out policy.. So irritating.)