How to make awesome passwords

We all know that a simple password is stupid and that we all should use secure passwords that is long , contain lower case , upper case numerical  and non alphanumerical characters. The trouble with this is , that unlike computers , we humans don’t have very good long term memory at all and we usually have lots of passwords to remember[xkcd]. Some people decide to use password storage utilities. KeePass is an excellent example of this. Hack a Day even decided to implement a hardware based password storage utility [link].

One day listening to my lecturer rant on how brute force is not plain brute force anymore and that it now uses giant lists and even tries to common substitutions for words. He suggested that a password need not be longer than 5 letters , one upper case , one lower case , a number  and two other symbols. For example  $5pS7- . This is not hard to remember at all . But what happens when you want to remember 10 such passwords. It quickly becomes a mess of random chars. My solution is simple. Use a simple pass phrase and encrypt it for each site. In other words you have a base password , which is always the same, and a static algorithm that makes each password unique. For the algorithm to make a password unique you must use information regarding the place you try to log into.

Heres an example: lets chose a completely random the base word such as “outvoting”. And now we chose a random piece of information. In this case , lets chose the length of the name of the site we log on to. For wordpress it would be 9 and gmail it would be 5. Lastly we need an algorithm. Lets say our algorithm will replace the nth to (nth + 3) letters of our base phrase with 3&0 . So for gmail we would get outv3%0ng and for wordpress it would become &0tvotin3 . I wrapped the replacement once it exceed the length of the base phrase. if we logon onto Hack a Day we would use 0utvoti3&. Thats it!

I find this method very easy to remember and although it may be cumbersome at the start , later you will find yourself entering your passwords just as fast as if you were typing from memory. For the site information there is quite a few data points you could use including length of name , color of logo/background basic shape of logo ,  vowels and etc. Anything you can easily see from the site you log onto forms good data. And the realm of algorithms to apply is nearly infinite. One tip is to make sure your resulting password meets though password requirements or you may not be able to use this technique on all your accounts if you don’t. Worst case if someone guesses your password is that one account will be compromised. Unless they get very very lucky and guess your algorithm and data point (which you should also keep private). Basically you only need to remember three things namely : A base phrase , datapoint and a modification algorithm.




One response to “How to make awesome passwords”

  1. toruser says :

    If you are compromised more than once, the attacker could find out what’s the pattern behind your passwords. I still suggest to use a password-manager such as 1Password, Keepassx(and keepassc), Unix Password-Store or something similar. If you need your passwords in the “cloud” you can additionally use a truecrypt-volume(especially since the last security audit was quite positive, the main problem was the poorly written code base – at the moment don’t use encfs, it has some problematic security flaws – which probably won’t be fixed until the next minor version jump). Alternatively for a “cloud-like” functionality, you could also use btsync or “clearskies”.

    But yeah, your algorithm is still better than using the same password on every homepage. If you want something that works the same way, but is more secure you can also use .

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: