Archive | April 2014

How to make awesome passwords

We all know that a simple password is stupid and that we all should use secure passwords that is long , contain lower case , upper case numerical  and non alphanumerical characters. The trouble with this is , that unlike computers , we humans don’t have very good long term memory at all and we usually have lots of passwords to remember[xkcd]. Some people decide to use password storage utilities. KeePass is an excellent example of this. Hack a Day even decided to implement a hardware based password storage utility [link].

One day listening to my lecturer rant on how brute force is not plain brute force anymore and that it now uses giant lists and even tries to common substitutions for words. He suggested that a password need not be longer than 5 letters , one upper case , one lower case , a number  and two other symbols. For example  $5pS7- . This is not hard to remember at all . But what happens when you want to remember 10 such passwords. It quickly becomes a mess of random chars. My solution is simple. Use a simple pass phrase and encrypt it for each site. In other words you have a base password , which is always the same, and a static algorithm that makes each password unique. For the algorithm to make a password unique you must use information regarding the place you try to log into.

Heres an example: lets chose a completely random the base word such as “outvoting”. And now we chose a random piece of information. In this case , lets chose the length of the name of the site we log on to. For wordpress it would be 9 and gmail it would be 5. Lastly we need an algorithm. Lets say our algorithm will replace the nth to (nth + 3) letters of our base phrase with 3&0 . So for gmail we would get outv3%0ng and for wordpress it would become &0tvotin3 . I wrapped the replacement once it exceed the length of the base phrase. if we logon onto Hack a Day we would use 0utvoti3&. Thats it!

I find this method very easy to remember and although it may be cumbersome at the start , later you will find yourself entering your passwords just as fast as if you were typing from memory. For the site information there is quite a few data points you could use including length of name , color of logo/background basic shape of logo ,  vowels and etc. Anything you can easily see from the site you log onto forms good data. And the realm of algorithms to apply is nearly infinite. One tip is to make sure your resulting password meets though password requirements or you may not be able to use this technique on all your accounts if you don’t. Worst case if someone guesses your password is that one account will be compromised. Unless they get very very lucky and guess your algorithm and data point (which you should also keep private). Basically you only need to remember three things namely : A base phrase , datapoint and a modification algorithm.