My `pwhash` and `pwcheck` approach, combined with using passwords generated by `pwqgen` from Openwall's `passwdqc`, empowers a holy grail of password memorization assistance for me: recovering a password that I almost remember, but have forgotten just a little bit of.
Usually, when I "forget" a password, I remember almost all of it. Back when I did password phrases, I might forget the exact word order or choice or punctuation, but I would remember most of it. With `pwqgen` passwords, I might at worst forget one of the three words.
So let's say I have a password like... (runs `pwqgen`): `spear9rome_Clap`.
That's 12 bits of entropy for each word out of a word list of 4096 words, 1 bit for whether each word starts with a capital letter or not, and I think 4 bits for each special character out of a list of 16.
Now let's say I forget one word. I only need to try 4096 combinations, and I can try them locally, against my securely generated and stored "hash" of my password. Any reasonably secure remote system would make that impossible due to lockouts or rate limiting. But even on phone hardware from ten years ago, I can have a script check all 4096 possibilities within a few minutes.
Of course, I only have it this easy because I remember most of my password. Someone else trying to crack my password would have to try all 47 bits of entropy instead of my 12 bits. So it would take them... years? decades? I don't know exactly, but long enough that I'm not too worried. That's assuming they get access to my password "hash" files that I use for this purpose. If I wanted to be pretty safe, I could keep them all inside one big encrypted file or otherwise secure them all with an additional longer master passphrase - in other words, I could have security strictly greater than a regular password manager, by doing every security measure that password managers do on top of my current setup.
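The one-forgotten-word recovery described above, as an added sketch that is not the `pwhash`/`pwcheck` code from this post: the scrypt parameters, the `(salt, digest)` record format, the function names and the eight-word stand-in list are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed record format: (salt, scrypt digest). Not the author's pwhash format.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def make_record(password, salt=None):
    """Create the locally stored verifier for a password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)

def check(password, record):
    """Constant-time comparison of a guess against the stored record."""
    salt, digest = record
    guess = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(guess, digest)

def recover(prefix, suffix, wordlist, record, both_cases=False):
    """Try every word in the forgotten slot; return (password, tries)."""
    tries = 0
    for word in wordlist:
        forms = (word.lower(), word.capitalize()) if both_cases else (word,)
        for form in forms:
            tries += 1
            guess = prefix + form + suffix
            if check(guess, record):
                return guess, tries
    return None, tries

# Constructed stand-in for the 4096-word list; the real one is passwdqc's.
WORDS = ["apple", "rome", "clap", "spear", "ocean", "tiger", "mint", "brick"]

if __name__ == "__main__":
    record = make_record("spear9rome_Clap")   # example password from the post
    # Middle word forgotten: everything else is remembered.
    print(recover("spear9", "_Clap", WORDS, record))
    # Last word forgotten, including whether it was capitalized.
    print(recover("spear9rome_", "", WORDS, record, both_cases=True))
```

With the full 4096-word list the loop makes at most 4096 scrypt calls, or 8192 with `both_cases=True`; the per-guess cost that keeps this to minutes for the owner is the same cost an attacker pays across the whole 47-bit space.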











