Creating strong passwords is a never-ending rabbit hole I have been down for a few weeks now. A password's strength is measured in entropy: roughly, how many equally likely candidates an attacker has to try before hitting yours. Sun Knudsen's blog post on the subject is worth the read, and I don't intend to summarize it here.
Originally I wanted a method for generating a strong password, not necessarily as strong as a five-word passphrase rolled with dice, but one I could actually memorize. Ever since I started using a password manager I have realized I have dozens of passwords, if not well over 100, so I still wanted a way to keep some of them in my head. At first I was using mutated URLs, for example
https://www.yOutube.com/@kura_bOt/videOs
URLs have special characters, are easy to remember, and are distinctly long; all you have to remember is to change the case of every instance of one specific letter, in this example the o's. Although clunky, this worked okay. The obvious problem is that I could never use this password for YouTube: a URL password can only be used on a site unrelated to it, because otherwise, if one were compromised, the pattern would make my other passwords easy to guess. Even then, a fixed case-swap rule on top of a public string adds very little entropy of its own.
Eventually someone on 4chan mentioned his method of creating passwords: he would set variables in his shell, concatenate and echo them, and pipe the result into a hash function.
$ user=kurabot
$ site=youtube
$ password=password
$ echo $user$site$password | sha256sum
b1642156bcf40ce9525a824597f0b213f5063ad2b07efca10795b0197b9dd8d5 -
I found this clever and elegant. The only real issue I had was that a hex digest is all lowercase letters and digits; it would be nice to have both lower and upper case. This is where a different anonymous user chimed in, suggesting converting the hash output to base64.
$ echo $user$site$password | sha256sum | base64
YjE2NDIxNTZiY2Y0MGNlOTUyNWE4MjQ1OTdmMGIyMTNmNTA2M2FkMmIwN2VmY2ExMDc5NWIwMTk3YjlkZDhkNSAgLQo=
This password is insane. However, when converting a hex digest to base64 the only special character you ever see is a trailing equals sign: hex characters and the "  -" trailer sha256sum prints all sit in a narrow byte range, so the base64 alphabet's + and / never come out, and = only appears as padding. Additionally this password is very long (92 characters), which may be an issue for some sites. This leads to the final two changes: shortening it by piping the output into a shorter hash function
$ echo $user$site$password | sha256sum | md5sum | base64
ZjQzMDcyZDBmMWU5M2JjNTc4MzM2ZjA2OTM4NDEzY2MgIC0K
and then appending a second, weaker password to satisfy special-character requirements:
ZjQzMDcyZDBmMWU5M2JjNTc4MzM2ZjA2OTM4NDEzY2MgIC0K p4$$w0rd
This is the method I currently use. It is very much overkill, but also easy to remember.
It has high entropy, and I doubt it will be susceptible to any dictionary attack. If a website were compromised and had stored your password in plaintext for some reason, the attacker would not know how you came up with it, since the output changes if you reorder the inputs or chain more than two functions, such as:
echo $variables | sha256sum | sha256sum | sha512sum | md5sum | base64
Furthermore, since the hash changes per website, the second, weaker password you append to the end does not have to change. That means if you do store the derived part somewhere, such as in a password manager, you can leave the appended second password out of the entry; in that scenario, even if your password manager were somehow compromised, the attacker still would not have the full password. One caveat worth keeping in mind: the hash pipeline itself adds no entropy. Everything after the variables is deterministic, so the real secret is $password (plus whichever pipeline you picked), and an attacker who has one leaked output and guesses the construction can run sha256sum and md5sum just as fast as you can.
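The whole construction as shell functions, as an added example rather than the post's or the anonymous posters' own script. It assumes GNU coreutils (sha256sum, md5sum, base64) and uses the same inputs as above. It also shows two byte-level details the scheme depends on: the bytes hashed include the newline echo appends and the "  -" trailer sha256sum prints, so a variant that hashes only the bare digest gives a different password, and because every byte that reaches base64 is a hex digit, space, dash or newline, the output never contains + or /.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils
# (sha256sum, md5sum, base64). Inputs are the post's own: user, site,
# master password, plus the weaker suffix that supplies special characters.

# The pipeline exactly as typed in the post. Two details matter:
#   - echo appends "\n", so sha256sum hashes "kurabotyoutubepassword\n"
#   - sha256sum prints "<hex>  -\n" and md5sum hashes all of it, trailer included
# Result: 36 bytes ("<32 hex>  -\n") base64-encoded -> 48 characters, no padding.
derive_password() {
    user=$1; site=$2; master=$3
    echo "$user$site$master" | sha256sum | md5sum | base64
}

# Same inputs, but hashing only the bare digest each time (no newline, no
# "  -" trailer). Shows the scheme is tool-specific: reproduce the pipeline
# byte for byte or you get a different password (here 44 chars, with padding).
derive_password_bare() {
    user=$1; site=$2; master=$3
    printf '%s' "$user$site$master" | sha256sum | cut -d' ' -f1 | tr -d '\n' \
        | md5sum | cut -d' ' -f1 | tr -d '\n' | base64
}

# Final password as used on a site: derived part, a space, then the memorized
# weaker suffix that satisfies "must contain a special character" rules.
final_password() {
    printf '%s %s' "$(derive_password "$1" "$2" "$3")" "$4"
}

# Counts '+' and '/' in a string. Every byte fed to base64 is a hex digit,
# space, dash or newline, whose bit patterns never form the sextets 62 or 63,
# so this is always 0 for derive_password output.
count_base64_specials() {
    printf '%s' "$1" | tr -cd '+/' | wc -c | tr -d ' '
}

# Demo when run directly (values depend on the coreutils digests).
echo "derived: $(derive_password kurabot youtube password)"
echo "bare:    $(derive_password_bare kurabot youtube password)"
echo "final:   $(final_password kurabot youtube password 'p4$$w0rd')"
```

Note that the functions quote their variables; the post's unquoted `$user$site$password` gives the same bytes for these values but would mangle inputs containing spaces or glob characters.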
The main caveat is that even with md5sum these passwords get long fast (48 characters before the suffix), so you will often run into websites that cap length lower than you need, which makes a password manager necessary anyway. Another thing to remember is that your shell history will save the variable assignments and the echo commands you ran, so either run history -c at the end to clear the history or set +o history at the start to prevent commands in the current session from being saved. In bash you can also set HISTCONTROL=ignorespace and prefix each sensitive command with a space. Also note that the exact bytes hashed include the newline echo appends and the "  -" trailer sha256sum prints, so the same inputs fed through a different tool will not reproduce the password.
Additionally, Windows does not ship these utilities by default, so you must install them. The native Windows tool for hashes, certutil -hashfile, hashes a file rather than stdin, which means you must account for the quirks of how Windows saves files compared to other environments: CRLF line endings, a possible byte-order mark, and in Windows PowerShell a default text encoding that is not UTF-8, any of which changes the digest.