
>Use a mnemonic that includes the name of the service or website in an algorithm.

I'm not sure what the point of this is when there are password managers available. Sure, it prevents simple credential stuffing attacks, but you're still open to sophisticated attackers deducing your passwords based on a leak. For instance, if your bank password is "correct horse battery staple chase", a sophisticated attacker might try "correct horse battery staple paypal" for your paypal account. Attackers already bruteforce common variations of passwords (eg. password -> Password, password1, etc.), so this isn't too far fetched. Password managers with randomly generated passwords have none of these issues, and you still only need to remember one password.



I'm not advocating for or against, but one big difference is that with a mnemonic you don't need access to your password manager to be able to log in somewhere.


Of course, that's a major weakness; if the password trick is simple to remember it is likely simple to figure out for a motivated attacker! But when there are millions of passwords leaked and your mnemonic-password doesn't contain "chase" or "paypal" but "chicken5" and "pony6" and has otherwise enough entropy, will the attackers stand around a whiteboard and crack your code or just run their scripts and take what they can get automatically?

A password manager is probably very good, but it's a single point of failure and a huge target for the black hats; it's a program on a computer or on a smartphone that (potentially) sends data back and forth as it pleases.

So maybe the idea is to use a password manager for single-use entropy and then add some mnemonic manually before submitting the password. Then it's down to keyloggers and other sophisticated attack vectors?


Couldn’t someone find all the leaks from your email and deduce a trend?

Wouldn’t work for driveby hackers, but anyone specifically interested in targeting you could get a long way with this technique.


>A password manager is probably very good, but it's a single point of failure and a huge target for the black hats; it's a program on a computer or on a smartphone that (potentially) sends data back and forth as it pleases.

What's the threat model here? If it's downloading a malicious password manager, that can be mitigated by using an open source/audited one (eg. keepass or bitwarden). If it's your browser/computer being compromised, that really isn't fixed with manually entered passwords either. If there's malware on your machine, you can assume that all your keystrokes and form submissions are logged. The only advantage is that rather than getting all your passwords, the attacker only has whatever passwords you've entered prior to detection.


You'll want better mnemonics than this, but for a start:

correct horse apple stable eat (c.h.a.s.e) is, I suspect, closer to the spirit of the original suggestion. Just tacking the name of the company onto the end instead of weaving it in is, as you say, pretty weak.


>correct horse apple stable eat (c.h.a.s.e) is, I suspect, closer to the spirit of the original suggestion.

The nice thing about password breaches is that they're all from the same source, so you can come up with a few variations and they'll be valid for all the passwords in the breach.



