
TIP: Manage Infinite Passwords

Problem: You have logins to a bajillion things and that is too many unique passwords to remember. Maybe you remember a half dozen passwords, if you’re lucky, but you would prefer to have a unique password for each account so the hackers can’t get you.

One approach is to always generate a new password when you get access to a new account, and store that somewhere safe. Sticky notes on your monitor? A GPG-encrypted file with a regularly-changing hash? Either way, you have to account for what happens if someone else gets access to your password list, or you yourself cannot access this password list. I am not fond of this approach.

My Tip: I suggest that instead of storing passwords, you come up with a couple of ways to “hash” unique passwords depending on, say, a web site’s name.

For example, if you were really lame and you used the password “apple” for everything, you’d make things better if instead you replaced the ‘pp’ part with the first three letters of the web site’s name.

For example:
Yahoo: “apple” becomes “ayahle”
Google: “apple” becomes “agoole”
Amazon: “apple” becomes “aamale”
MSN: “apple” becomes “amsnle”
Apple: “apple” becomes “aapple”

Now, you can get a lot more creative than that, like using a non-dictionary word, mixing up letter cases and punctuation, etc.

Try a more advanced hash:
– Start with a pass-phrase “apples are delicious, I eat one every day”
– Take the last letter from each word: “sesiteyy”
– Capitalize the last half of the passphrase: “sesiTEYY”
– Stick the first three letters of the web site’s name in the middle: “sesi___TEYY”
– If the third letter you insert is a vowel, follow it with a “!” otherwise, add an “@”
– In the three letters you inserted, change the first letter that has a substitution: a becomes a 4, e becomes a 3, i becomes a 1, and o becomes a zero

Now you get:
Yahoo: sesiy4h@TEYY
Google: sesig0o!TEYY
Amazon: sesi4ma!TEYY
MSN: sesimsn@TEYY
Apple: sesi4pp@TEYY
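The six steps above, worked out as an added Python function so the rules can be checked against the five results listed (this is example code, not code from the original post; the function names, the regex word split and the short-name guard are my own choices):

```python
# Added example: the post's "more advanced hash" as a deterministic function.
import re

PASSPHRASE = "apples are delicious, I eat one every day"
SUBSTITUTIONS = {"a": "4", "e": "3", "i": "1", "o": "0"}  # step 6 table
VOWELS = set("aeiou")


def passphrase_core(phrase: str) -> str:
    """Steps 1-3: last letter of each word, last half upper-cased ("sesiTEYY")."""
    words = re.findall(r"[A-Za-z]+", phrase)          # ignore punctuation
    letters = "".join(w[-1] for w in words).lower()
    half = len(letters) // 2
    return letters[:half] + letters[half:].upper()


def site_password(site: str, phrase: str = PASSPHRASE) -> str:
    """Steps 4-6: insert the site tag, apply the vowel rule, substitute one letter."""
    core = passphrase_core(phrase)
    mid = len(core) // 2                             # "sesi" | "TEYY"
    tag = site.lower()[:3]                           # first three letters of the site
    if len(tag) < 3:                                 # assumption: names shorter than 3 letters are rejected
        raise ValueError("site name must have at least three letters")
    # Step 5: "!" if the third inserted letter is a vowel, otherwise "@".
    tag += "!" if tag[-1] in VOWELS else "@"
    # Step 6: substitute only the first substitutable letter of the inserted tag.
    for i, ch in enumerate(tag):
        if ch in SUBSTITUTIONS:
            tag = tag[:i] + SUBSTITUTIONS[ch] + tag[i + 1:]
            break
    return core[:mid] + tag + core[mid:]


if __name__ == "__main__":
    for name in ("Yahoo", "Google", "Amazon", "MSN", "Apple"):
        print(f"{name}: {site_password(name)}")
```

Because the derivation is deterministic, the function also shows how little of the output actually varies between sites (four characters in the middle), which is worth keeping in mind when deciding which accounts get a separate scheme.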

It is best if you have a few different schemes you can use: some web sites reject strong passwords, so having a really bad password handy is good, and some places you’ll want extra security. For example, use a different “hash” for your bank passwords, just in case your “every day” hash is compromised.


Categories: Featured, Technical, Technology

  • -berto

    Way too complicated. A few long words that don’t have origins in English, much less any language recognizable to the average American, a few numbers, and if the website allows it, special characters. Yes, your coworker’s sneaky eyes will strain after typing in 20 characters with no vowels with numbers thrown in. Or a light bulb will come on over their head as they experience a ‘Eureka!’ moment, and start hacking into your accounts before you even log out. Whatever works, I guess.

  • dbt

    Given a sitename S, a secret key K, a secure hash H (I’m still using SHA-1 for this), I wrote a script that does:
    base64(H(S + K))[:8]
    That’s a pretty damn random key. Enjoy running that through your password guessing algorithm….

  • hunter

    Hey, I really like that idea. I always do something really weird if I’m afraid to use my typical password.
    Then I forget my brilliant new password. I might try your idea. It makes a lot of sense to me. But I am not a computer guy.