39 comments

[ 1.9 ms ] story [ 88.7 ms ] thread
I'm porting over all my passwords to a formula. The basic gist is that I have a set of rules that dictate what my password should be based on something such as the the name of the website or service I'm using.

so let's say we're talking about hotmail. I don't have a hotmail account, but the formula could be something like.

Take the first, third and fourth letters of "hotmail"

"htm"

now the letters 3 spaces to the left of each of those in capitals (wrap to the right of the keyboard if you run out of space)

"htmDWV"

and sandwich in between the upper and lower case letters the numerical value of the last three numbers

"htm42322DWV"

And so on until I have a formula that I like that generates suitably obscure and difficult passwords.

I plan to build an app or a script that processes "hotmail" according to my formula, copies it to the pasteboard ready to be pasted.

100% secure? No. But it'll do for me.

In this case, you really still only have one password (the formula that generates your passwords), and saving a script that runs that formula is the same as someone else putting their single password on a Post-It.
I'm well aware of this, but if my laptop falls into the wrong hands, I'm screwed anyway since (like most people) I'm permanently logged into most things anyway.
I use keepass with something like a 30 character password that I can remember with numbers and special characters, it already has things like autotype and copy paste and generates random secure passwords for sites I use which are then encrypted.

My eggs may be all in one basket but at least that basket is heavily protected while your solution seems less good than the alternatives that already exist.

I use a similar technique (although I didn't make a script for it). I fail to see how it is "less good" [sic]. My password for every website is unique (15+ characters, mix of character cases, special characters, etc), it is not stored anywhere other than my brian, and the pattern is not easily discernable. Furthermore I have two different patterns, one for high value sites and a different one for social networks/forums/other low value sites.

With keeppass, someone with a keylogger on your machine can compromise all your passwords in one fell swoop.

And I simply store the encrypted password database in my Dropbox, which automatically syncs it across all machines I'm using (including my Android phone).
I use a process somewhat like this (but simpler) and thus have a unique password for each site. I do this with my BRAIN, not with a script on my computer. I can prompt my memory with notes I keep in a secure location. I write the notes in a mixture of other languages I know, besides English, so that it is very hard for an onlooker even to recognize that they are notes about how I construct passwords. I change my passwords for my sites with the most potential for spoofing or other mishaps (currently Gmail and Facebook) from time to time.
I do something similar, but my "formula" also takes a few other inputs, like the security level of the website and the number of times I've had to change the password for regular password changes. The hope is that I have a hard-to-brute-force password, and if one password is revealed, it won't be a key for all my other accounts, but I only have one thing to remember for dozens of accounts.

I can't even tell you the number of times I've gone to a website, said to myself, "I know I have an account here...was it before or after I started using the password formula?" and applying the formula gets me into my account.

It's not that hard to have secure passwords.

    $ mkpasswd
    -tJ6yfcO5
Write it down on a postit note. Put that in your wallet. 2-3 weeks later you have a secure password that you remember. Discard the postit at this time. Do this for your bank, gmail, and a couple more high value targets.

Don't use the same password for gawker/plentyoffish/facebook.

1. mkpasswd

2. write on postit note

3. ???

4. Secure, memorized passwords for your high value accounts.

I prefer "a miracle happens"
3. Use it over and over again until it enters muscle memory.

(Just in case, I also have a list of important passwords in a truecrypt folder.)

But where do you keep your truecrypt password :)
Are you using one high entropy password for all of your 'high value' accounts?
That would defeat the purpose, no? I admit, this scheme might not scale if I had more than 3 high value accounts that I access more than once a year. But all I have is gmail + 2 banks.

I also have a few rarely accessed accounts (retirement fund from past job and similar things) with random passwords that are stored in the aforementioned truecrypt folder.

An even bigger problem than password reuse, in my opinion, is secret question formulas to reset your password. My banking site requires a strong password, which of course means that I often forget it, which means that resetting my password has become a regular part of the login process. The site allows me to reset my password directly from the site after answering my secret questions correctly. It does not send an email link to reset.

If a password can be reset by answering a series of secret questions, then the password itself is moot and the account is only as secure as its secret questions. Which in many cases aren't very secure to anyone who might know the person (What is the color of your first car? What is your first pet's name?).

Given the choice between being allowed a "weak" password that I might actually remember, and a "strong" password that I either have to write down or reset every time I log in via answering a series of questions that are even less secure than a weak password, I would take the weak password.

1Password was a godsend for this problem.
What's the difference between using these password managers and a plain old spreadsheet file?
Basically that password managers

(a) store the passwords encrypted and require a master key to see them

(b) generate random, long, secure passwords for you

(c) allow you to group passwords in folders and subfolders

...

(d) can integrate with the browser in a convenient way
Spreadsheet file's open to anyone who gets access to your computer, including forgetting to lock it at lunchtime and while it's sitting at the PC repairshop after the fan's gone.

Also you can carry around an encrypted password manager file on a usb stick without having to really worry about losing the stick.

One big difference is that a password manager like 1Password (and I would presume others that integrate similarly with the browser) won't enter a password unless you are at the correct site. This provides some pretty good protection against most phishing attempts.
Came across this solution last week http://16s.us/sha1_pass/index.php. You come up with a sentence you can remember and you take the base64 version of the SHA1 hash of this sentence as your password.
If you can remember sentences and maybe a few numbers and characters added in that would work just as well for a password as the base64 version of an sha1 hash.

Example:

My c@ sleeps 7 hours every day!

(Sorry I can't think of anything smarter)

https://www.pwdhash.com/ allows me to use the same, simple password with a lot of websites, with no fear of it being compromised by poor website design.

Also, I keep my comprehensive list of passwords in a gpg-encrypted file. You need the file, my password, and the gpg key to decrypt it. When on a long trip, away from my computer, I printed out this password list after permuting the passwords in a memorable way (e.g. move the last character to the beginning, then tack on an extra character). The gpg-encrypted file lives in my Dropbox folder, so it's up-to-date across my machines.

For security questions, which are always B.S. anyway, I use the PC Tools Secure Password Generator to make a three or four character string, then add it to the aforementioned encrypted file.

http://www.pctools.com/guides/password/

I have a pretty simple way to generate a unique password for each site I use. I start with a strong password:

aw3#rTT

That will not change from site to site.

Then I insert site specific data into that password. You can also append, prepend or insert. The point is to have a site-specific password that uses a formula that is hard to guess. There are a number of ways to do this. You could use the company name, login name, domain name, url of the login page or any other site specific rubrik.

Let's say my formula is to use the first and last character, the last character always being capitalized. Let's use the domain name:

gmail.com -> gL -> gaw3#rTTL

Or, you could take the first and last characters and insert them after a specific character in your password. Say, the pound symbol:

facebook.com -> fK -> gaw3#fKTTL

Or take last two characters of the domain (or last two, etc) and prepend them to the password:

twitter.com -> Er -> Eraw#rTT

That would be a little too easy to figure out if the bad guy got to see 2 or 3 of your passwords, which could happen if 2 or 3 sites you use got compromised.

A better scheme in the same spirit as yours but with better security would be to take your master password and append the name of the site, say aw3#rTT:gmail.com, an then hash this, and then use a base 92 encoding to map that to letters, digits, and punctuation, and take as many characters of the resulting string as the site allows.

I started to design and build a simple password manager based upon something like that. It would store in a file a list that looked something like this:

    0:*.amazon.com
    0:*.ycombinator.com
    ...
When you ask for the password for a given site, it would look through the file matching the URL against the patterns on the right, until it found a match. The input to the hash would be the matching line and your master password.

The prefix number is a password revision number. Since the whole line is part of the hash input, changing the revision number changes the generated password.

Then I got 1Password as part of MacHeist, and my simple password manager project pretty much died.

That's certainly a vulnerability, though a pretty small one. Most huge credential compromises that result in other accounts being hijacked are done programmatically: It's not like the script that's checking if your gawker password matches your gmail password will try permutations after first attempt.

I really like your mechanism for secure passwords. Though it's definitely more time intensive.

1Password has been praised highly by a couple coworkers and I've been meaning to try it -- the problem is, you should still have strong passwords for individual services even if you're strong them in a single repository like 1Password. I think my formula is decent, though by no means totally secure.

1Password (and most other password managers, I believe) are happy to generate strong passwords for you. I generally actually have no idea what my password is at most sites, as I let 1Password deal with that.

Here are a few samples. I've asked it for 16 character random passwords with 2 digits and 2 symbols, repetition allowed and ambiguous characters allowed:

    xQO3<hCnp^uKh7mP
    t0ee4uHIsQv'Kk<Z
    zXS;DY3)U3OzAebT
It also lets you ask for pronounceable passwords, although you generally then nead longer passwords for good strength. Here are some examples:

    cac-kon-eg-voil-eng-es-
    rhook-bea-say-rou-hen-h
    ju-cadd-irv-iaf-moif-do
I'll use that kind if I'm using 1Password just for storage, not automatic entry (for example, the login password for a game client). You can also ask for digits instead of dashes in the pronounceable passwords, like this:

    ho9swap4cyat6lold9us6bu
or no separators (requiring you ask for a longer password for the same strength), like this:

    mitalwebshefrufegbiheagdihet
(comment deleted)
So what do you do when the site doesn't allow hashes? Or special characters? Or letters? And yes, there are lots of these http://troy.hn/dJbdTU
I haven't run into that problem yet. If I consistently had to deal with that, I think my approach would be two have two password keys. A strong and a weak one.
I have a different approach, I use visual patterns on the keyboard.

azlm)O!Q(I@W

ZX)(!@MN

(J&G%D$S

GH)!JS93

I have been doing it for years -- it makes it damn near impossible to recall the PW without a QWERTY KB though.

I have particular patterns I use for various things.

I modulate the shift key to get upper and lower case. My passwords are all typically >10 character.

The article ignores an even bigger problem with bad server password encryption (ie, not salted) - rainbow tables.

No expensive compute time required; cracker can easily decrypt most passwords without even blinking an eye (the tradeoff is storage space vs. compute time). http://ophcrack.sourceforge.net/tables.php

HBGary was cracked using rainbow tables... which then led to the rootkit.com social engineering crack.

1Password and it's like can move us closer to eventually just doing PKI since once the passwords become unrecognizable they are quite effective.

btw, I love and promote 1Password and KeepassX (1pwd has better usability and security since it's autofill will stop phished logins by matching the domain exactly not visually... KeepassX's autofill is experimental right now).

Actually, the article explicitly mentions that problem:

"Undoubtedly, much of this problem is related to poor security implementations on websites. It’s very, very easy to build websites with fundamental security flaws."

But obviously this is not within the control of the end user.

Use SHA1_Pass and never store, synchronize or remember a password ever again. Comes with full source code and no proprietary encryption. Full disclosure, I wrote the software and am the number one advocate ;)