Saturday, 29 March 2014

A Different Password For Every Website - No Memory Palace Required

Hopefully my previous posts will have scared you into wanting a different password for every website, and will also have convinced you that simple passwords are weak.  So how do you create a different password for every website without having some kind of Sherlock Holmes- or Derren Brown-esque memory capacity?  There are two main ways of doing this:

  1. Use a password manager such as 1Password or LastPass to generate and store your passwords for you.
  2. Use this blog article to create your own sexy password system.
The first option is definitely easier, but because you're storing everything in one place protected by a master password, there is a small risk from the all-eggs-in-one-basket approach.

The second option does require some mental effort, but keeping your brain active has all kinds of benefits, including helping to prevent memory loss, Alzheimer's and dementia.  And it saves you paying $25 for 1Password.  So let's go...

Here's the idea:
  1. Create a base password which is used as the basis for all of your passwords.
  2. For each different website use characteristics of the website's name to modify the base password.

Pros And Cons

First though, I don't want to give the illusion that this method is foolproof, so for the sake of covering my ass, here are some good and bad things about it.

Pros:
  • All of your passwords are in some way different.
  • You hopefully have enough memory power that you don't need to write anything down.

Cons:
  • Unless you play ridiculous tricks with the website name, it is theoretically possible to work out what your system is from the password(s).  This would probably require someone knowing at least 2 of your passwords and the websites to which they belong though.
  • If anyone finds out or works out what your system is then everything is compromised.
  • The derived passwords may not meet the requirements of some websites; if that is the case then you should probably complain to them.  See here.
With that said, let's take a gander at this cunning method of permuted password production.

Choose A Base Password

For this just take the first letter of each word from an easy-to-remember phrase, such as The Quick Brown Fox Jumps Over The Lazy Dog.  That gives us tqbfjotld, which is suitably obscure.

Modify The Password Using The Website Name

The simplest way to do this would be to add the website's name onto the end, so for Google we would use tqbfjotldgoogle.  But with that system anyone who finds out your password for Google is going to be able to make a pretty good guess at your passwords for other websites.

For it to be worthwhile having a different password for each website, it needs to be almost impossible for anyone to use the knowledge of one of your passwords to work out another.  Even the knowledge of several of your passwords (including knowledge of the sites they are used for) should be insufficient to allow any of your other passwords to be figured out.

There are many many methods which would achieve such obscurity.  I'm going to suggest a couple of them, but I encourage you to make up your own, as using a method which has been published online is not going to do you any favours.

An Example Modification Method

For each letter in the base password we're going to instead use either the letter in the alphabet which comes before it, or the letter which comes after it.  For example, T will become either S or U, and O will become either N or P.  We will decide whether to use the letter before or the letter after by comparing it to the letter in the corresponding position in the website's name.  So the first letter in our password is compared to the first letter in the website's name, the second to the second, and so on.  In each case we will move alphabetically in the direction of the letter from the website name.  Here is an example of using this method to modify our password for use with Facebook (each line shows the base password letter, then the website name letter, then the result):

  • t & f => s
  • q & a => p
  • b & c => a
  • f & e => e
  • j & b => i
  • o & o => o (note, if they're the same then do nothing)
  • t & o => s
  • l & k => k
  • d & f => c (note, we looped around with the website name)

Now that gives us a password of spaeioskc which bears no resemblance to anything meaningful whatsoever.  Perfect.  But it's not good enough yet.  To make it even harder to guess, and to satisfy the requirement which some websites impose that the password must contain capital letters and/or numbers, let's add some more nonsense to it.

The website name 'Facebook' contains 8 letters, 5 of which are in the first half of the alphabet (up to m).  So let's add 8 to 5, which gives us 13, and add that on.  And now let's take the letters from the name which are after the halfway point of the alphabet (o and o), and add those on in capitals.  That gives us a final password of spaeioskc13OO.

Given this password it's pretty difficult to work out how it was derived.  If someone knew several of your passwords along with the names of the websites they were used for then they could probably reverse engineer it eventually, but it would be difficult.  If you want to get properly secure then read the 'Going Enigma' section below.

You may find at first that working out which letter comes before or after each letter of your base password is a bit brain taxing, but your base password doesn't change, so you'll soon just know them.

So there you have it.  Crazy passwords, no memory palace required.

Passwords For Work

You may find that you sometimes have multiple accounts for the same website, for example I have a Google account for my personal use and another one for work.  My advice here is to just create a different base password for each category/area of your life.  So one base password for work and another for your personal things.  The method for your passwords can stay the same.  If you use easy-to-remember phrases for these then it's very easy to create a whole new set of passwords while not really having to remember anything more.

Never Tell Anyone Your Method

This is hopefully obvious, but I'll say it anyway.  Using a method like this means that the method is the foundation of your online security.  I encourage you to make modifications to the method which I have suggested.  And never tell anyone what it is.  Especially don't use the same method which someone has published online in a blog post. :-)

Going Enigma

If, like me, you think that the method described above doesn't provide enough protection against reverse engineering, and you also think that the mental capacity required isn't anywhere near taxing enough, then you can take things to the next level by employing something a bit more badass.  Read on.

Learn each letter's position in the alphabet.  A=1, B=2, C=3, etc.  They're going to be needed for this method.  You only need a few reference points to get started, and you can then work out the rest by counting either side.  Here are some easy to remember reference points:
  • Haters will be haters.  Sorry, H8-ers.  H is 8.
  • Sweet 16.  Or as I like to call it, sweet pea 16.  P is 16.
  • T is for... 20!
Now then, we have our base password, derived from a memorable phrase as before.  And now we do some serious modification.  As before we will go through each letter of the base password, paired with the corresponding letter from the website name.  For each pair, we take one letter and shift it through the alphabet, not by one place, but by the numerical value of the other letter.  So if we have A (1) and D (4) we shift A 4 places, which turns it into E.  If we have F (6) and G (7) we shift F by 7 places, which turns it into M.  Note that for any pair of letters it doesn't matter which you shift by which, the result is the same.  If we reach the end of the alphabet then we just loop around.  Easy.  So we'll make it a bit harder by adding this rule: if the letter from the website name is higher in the alphabet, then we capitalise the result.  Here's our password for Facebook done with this method:

  • t & f (20 + 6 = 26)  => z
  • q & a (17 + 1 = 18)  => r
  • b & c (2 + 3 = 5)    => E (c comes after b, hence capital)
  • f & e (6 + 5 = 11)   => k
  • j & b (10 + 2 = 12)  => l
  • o & o (15 + 15 = 30) => d (30 loops around, so effectively 4)
  • t & o (20 + 15 = 35) => i (35 loops around to become 9)
  • l & k (12 + 11 = 23) => w
  • d & f (4 + 6 = 10)   => J (back to the f of facebook)

So that gives us rEkldiwJ.  And now we'll add some digits and another capital letter, just in case the result didn't produce any.  As with the earlier method we'll take the length of the website name (8) plus the number of its letters which appear in the first half of the alphabet (5) and add them to get 13.  Then, slightly differently from the earlier method, we'll take the letters from the website name which are in the second half of the alphabet, and just use the first one, shifted by the 13.  So that's O shifted by 13 places, which is 28, which loops around to become B.  Still here?  Blimey.  So our password for Facebook is rEkldiwJ13B.
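Both derivation methods (the example modification method and Going Enigma), written up as an added example that is not code from the post; it applies the rules exactly as stated above, and the base password tqbfjotld and the site name facebook are the post's own inputs.

```python
import string

ALPHA = string.ascii_lowercase

def pos(ch):
    """1-based alphabet position as in the post: a=1, h=8, p=16, t=20."""
    return ALPHA.index(ch) + 1

def letter(n):
    """Inverse of pos, looping past z back round to a (so 30 -> d)."""
    return ALPHA[(n - 1) % 26]

def pairs(base, site):
    """Pair each base letter with the site letter at the same index, looping the site name."""
    return [(b, site[i % len(site)]) for i, b in enumerate(base)]

def suffix_number(site):
    """Site-name length plus the count of its letters in the first half of the alphabet (a..m)."""
    return len(site) + sum(1 for c in site if c <= "m")

def second_half(site):
    """Site letters after the halfway point of the alphabet, in order."""
    return [c for c in site if c > "m"]

def nudge(base, site):
    """Example method: step each base letter one place toward the paired site letter,
    then append the suffix number and the second-half site letters in capitals."""
    base, site = base.lower(), site.lower()
    out = [b if s == b else letter(pos(b) + (1 if s > b else -1)) for b, s in pairs(base, site)]
    return "".join(out) + str(suffix_number(site)) + "".join(second_half(site)).upper()

def enigma(base, site):
    """Going Enigma: shift each base letter by the paired site letter's value, capitalising
    when the site letter is later; then the suffix number and the first second-half site
    letter shifted by that number, in capitals."""
    base, site = base.lower(), site.lower()
    out = []
    for b, s in pairs(base, site):
        c = letter(pos(b) + pos(s))
        out.append(c.upper() if s > b else c)
    n = suffix_number(site)
    rest = second_half(site)
    tail = letter(pos(rest[0]) + n).upper() if rest else ""
    return "".join(out) + str(n) + tail
```

Applied mechanically, the stated rules give spceioske14OO and zrEkldiwJ14C for the worked example: b and d step forward towards c and f, six of facebook's letters (f, a, c, e, b, k) fall in a..m, and the Enigma string keeps the z from t & f.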

Ideas For Your Own Variations

I highly encourage you not to use this system.  No, you should create your own.  Here are a few ideas for ways to use the website name to modify the base password.
  • How many of the letters in the website name are alphabetically after its first letter?  That gives you a number to incorporate somehow.
  • For each letter in the website name, is it alphabetically after the next letter?  E.g. in Facebook, F comes after A, A does not come after C, C does not come after E, E comes after B, etc.  You could use this to decide whether or not to capitalise each letter of the derived password.
  • Use different letters from your memorable phrase.  Instead of taking the first letter of each word, take the second or third or fourth.  You could use something from the website name to decide which letter to take.
  • Incorporate a third piece of information.  Using something such as whether or not each letter of the website name appears in either of your parents' names gives you another modifier.  This would be a good way of deciding whether or not to capitalise each letter.
The way you combine your modifiers matters.  Supposing you modify each letter of your base password in some way, and then you see whether the resulting letter is contained in your parents' names or not, and if it is then capitalise it.  This means that across your different passwords it will always be the same letters being capitalised, so if someone looked at several of your passwords they could potentially figure out which letters you capitalise and which you don't.  A much better approach would be to look at the letter from the website name and use that to decide whether or not you will capitalise whatever letter the modified letter in the password ends up being.  This way, the letter which you use to determine the case does not actually appear in the password.  This makes it much harder to reverse engineer.

Have fun.  Enjoy the reduced risk of cognitive degeneration.

For Techies

I'm interested to hear from web developers or computer geeks on this subject.  What do you think are the relative risks of putting all of your passwords into one place using something such as 1Password versus having a password generation system such as one of these which could potentially be reverse engineered?  Which do you think is the greater risk?
