dannyman.toldme.com

December 4, 2007
Featured, Technical, Technology

TIP: Manage Infinite Passwords

Problem: You have logins to a bajillion things and that is too many unique passwords to remember. Maybe you remember a half dozen passwords, if you’re lucky, but you would prefer to have a unique password for each account so the hackers can’t get you.

One approach is to always generate a new password when you get access to a new account, and store that somewhere safe. Sticky notes on your monitor? A GPG-encrypted file with a regularly-changing hash? Either way, you have to account for what happens if someone else gets access to your password list, or you yourself can not access this password list. I am not fond of this approach.

My Tip: Instead of storing passwords, come up with a couple of ways to “hash” a unique password from something like the web site’s name.

For example, if you were really lame and used the password “apple” for everything, you’d make things better if, instead, you replaced the ‘pp’ part with the first three letters of the web site’s name.

For example:
Yahoo: “apple” becomes “ayahle”
Google: “apple” becomes “agoole”
Amazon: “apple” becomes “aamale”
MSN: “apple” becomes “amsnle”
Apple: “apple” becomes “aapple”

Now, you can get a lot more creative than that, like using a non-dictionary word, mixing up letter cases and punctuation, etc.

Try a more advanced hash:
- Start with a pass-phrase “apples are delicious, I eat one every day”
- Take the last letter from each word: “sesiteyy”
- Capitalize the last half of the passphrase: “sesiTEYY”
- Stick the first three letters of the web site’s name in the middle: “sesi___TEYY”
- If the third letter you insert is a vowel, follow it with a “!”; otherwise, add an “@”
- Within the inserted letters, apply the first substitution you can, reading left to right: a becomes a 4, e becomes a 3, i becomes a 1, and o becomes a zero

Now you get:
Yahoo: sesiy4h@TEYY
Google: sesig0o!TEYY
Amazon: sesi4ma!TEYY
MSN: sesimsn@TEYY
Apple: sesi4pp@TEYY
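The six-step scheme above, written out as a script so you can check the five results (this is an added example, not code from the original post; the passphrase and site names are the ones in the post):

```python
import string

VOWELS = set("aeiou")
# step 6: only the first matching letter in the inserted site tag is swapped
SUBSTITUTIONS = {"a": "4", "e": "3", "i": "1", "o": "0"}

# passphrase from the post
PASSPHRASE = "apples are delicious, I eat one every day"


def base_from_passphrase(passphrase: str) -> str:
    """Steps 1-3: last letter of each word, then capitalize the last half."""
    words = passphrase.split()
    # strip trailing punctuation ("delicious," -> "delicious") before taking the last letter
    letters = "".join(w.rstrip(string.punctuation)[-1].lower() for w in words)
    half = len(letters) // 2
    return letters[:half] + letters[half:].upper()


def site_token(site: str) -> str:
    """Steps 4-6: first three letters of the site, a vowel marker, one digit swap."""
    tag = site.lower()[:3]
    if len(tag) < 3:
        # the post only covers names with at least three letters
        raise ValueError("site name needs at least three letters")
    # step 5 uses the original third letter, before any substitution
    marker = "!" if tag[2] in VOWELS else "@"
    for i, ch in enumerate(tag):
        if ch in SUBSTITUTIONS:
            tag = tag[:i] + SUBSTITUTIONS[ch] + tag[i + 1:]
            break
    return tag + marker


def derive_password(passphrase: str, site: str) -> str:
    """Insert the site token in the middle of the capitalized base."""
    base = base_from_passphrase(passphrase)
    mid = len(base) // 2
    return base[:mid] + site_token(site) + base[mid:]


if __name__ == "__main__":
    for name in ("Yahoo", "Google", "Amazon", "MSN", "Apple"):
        print(f"{name}: {derive_password(PASSPHRASE, name)}")
```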

It is best if you have a few different schemes you can use: some web sites reject strong passwords, so having a really bad password handy is good, and in some places you’ll want to be extra secure. For example, use a different “hash” for your bank passwords, just in case your “every day” hash is compromised.


Responses

December 4th, 2007

-berto

Way too complicated. A few long words that don’t have origins in English, much less any language recognizable to the average American, a few numbers, and if the website allows it, special characters. Yes, your coworker’s sneaky eyes will strain after typing in 20 characters with no vowels with numbers thrown in. Or a light bulb will come on over their head as they experience a ‘Eureka!’ moment, and start hacking into your accounts before you even logout. Whatever works, I guess.

December 8th, 2007

dbt

Given a sitename S, a secret key K, a secure hash H (I’m still using SHA-1 for this), I wrote a script that does:
base64(H(S + K))[:8]
that’s a pretty damn random key. Enjoy running that through your password guessing algorithm….

January 6th, 2008

hunter

Hey, I really like that idea. I always do something really weird if I’m afraid to use my typical password.
Then I forget my brilliant new password. I might try your idea. It makes a lot of sense to me. But I am not a computer guy.

Danny Howard is 100% responsible for the content on this site, except some of it is stolen.