Somewhat safer passwords for all your 95 social networks and web x.0 services
The general advice: We are all supposed to use a separate password, with at least 25 letters, numbers and special characters in it, for everything we use on the net, because if we don’t, one compromised site gives an attacker access to all our other accounts that use the same password. Think of a hacked twitter account resulting in all your emails on gmail being made public.
The reality: We are all lazy bastards, so most of us have one single password we use for all our accounts (am I not right?). Some of us have 2-3 passwords for different levels of trust, so the bank account and credit card sites get one, personal email gets one and all the other sites get another. A bit better already.
My suggestion: One password per site (hey, I’ve heard this before). But here’s the trick (and the catch at the same time, because the passwords are similar and can hence be hacked more easily). I will use the following convention to generate a separate password for each site that is (for me) easy to remember:
Take some random sentence:
This is my personal very secure password for [...].
Say you need a password for twitter, this sentence becomes:
This is my personal very secure password for twitter.
The password will be the first letter of each word in the sentence, so for this example it’s Timpvspftw. I’m actually using the first two letters of the site’s name, so the convention still works for twitter and t*** (uhm, insert the name of another website starting with t). To make things a bit more secure, you should change your scheme, e.g. use the last letters, or alternate between last and first.
Using more or less random letters from a sentence to generate a secure password is nothing new. It has actually been recommended for years (decades?). My only addition is to put the name of the service into that sentence, so you can have separate passwords and still remember them easily. And they should be fairly secure, as long as your scheme for choosing the letters and your sentence are random enough (I’m still using something different for my bank account though).
Of course the whole thing would be much easier with something like OpenID everywhere, but until then, go and make up some funny sentences for your passwords.
March 19th, 2008 at 10:11 pm
Now you take that a step further, and combine the top- and second-level domain of the service you are using, say “twitter.com”, the protocol (“http”) and your really really secret password (“kjs8a%!&”), mix that via md5 and voilà: semistrong passwords for all your sites, and you could even put that into a firefox plugin.
What a dream: Firefox knows all your passwords, you only know the one!
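Both derivations, the post’s sentence scheme (first, last or alternating letters, with two letters for the site) and the md5 variant proposed in the comment above, as an added Python example that is not code from the post or its commenters. The sentence itself, the order in which domain, protocol and secret are mixed, and the 12-character hex prefix are assumptions of this example; `shared_positions` makes the post’s own “catch” visible by counting how much two derived passwords have in common.

```python
import hashlib

# Constructed example sentence; {site} is filled with the service's name.
TEMPLATE = "This is my personal very secure password for {site}."

def sentence_password(site, scheme="first", template=TEMPLATE, site_letters=2):
    """Derive the post's per-site password from a memorised sentence.

    scheme: "first" takes the first letter of each word, "last" the last
    letter, "alternate" switches between first and last. The site's own
    word contributes its first `site_letters` letters, as the post does
    with "tw" for twitter. `site` must be a single word.
    """
    words = template.format(site=site).rstrip(".").split()
    letters = []
    for i, word in enumerate(words):
        if word == site:
            letters.append(site[:site_letters])
        elif scheme == "first" or (scheme == "alternate" and i % 2 == 0):
            letters.append(word[0])
        else:
            letters.append(word[-1])
    return "".join(letters)

def hashed_password(domain, protocol, secret, length=12):
    """The commenter's variant: md5 over domain, protocol and the one secret.

    The comment does not say how the three parts are mixed; the separator
    and the 12-character hex prefix are assumptions of this example.
    """
    material = f"{protocol}://{domain}:{secret}".encode()
    return hashlib.md5(material).hexdigest()[:length]

def shared_positions(a, b):
    """Count positions where two passwords carry the same character.

    Sentence-derived passwords for two sites differ only in the site
    letters, so knowing one reveals most of the other; the hashed ones
    share no structure.
    """
    return sum(x == y for x, y in zip(a, b))

if __name__ == "__main__":
    tw, fb = sentence_password("twitter"), sentence_password("facebook")
    print(tw, fb, shared_positions(tw, fb))  # Timpvspftw Timpvspffa 8
    h_tw = hashed_password("twitter.com", "http", "kjs8a%!&")
    h_fb = hashed_password("facebook.com", "http", "kjs8a%!&")
    print(h_tw, h_fb, shared_positions(h_tw, h_fb))
```

Both derivations are deterministic, so anyone holding one leaked password and guessing the scheme can test candidate sentences or master secrets offline; md5 is a fast hash, which keeps that cheap.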
March 20th, 2008 at 9:02 am
I’m not using firefox
Anyway, I would call your suggestion pretty strong passwords, but the point of this really was to have an *easy* way to avoid using the same password everywhere. Try to generate an md5 hash on a windows box, see? Also, wouldn’t that firefox plugin you are suggesting be pretty much the same as the normal “remember password” function? Give all your passwords to your computer and only keep the one to unlock that safe?
March 22nd, 2008 at 7:49 pm
No: The browser would not know any of your passwords, but calculates it on the fly from the strong one you remember (and have to type in once in your session). It doesn’t store it anywhere. So, even in an internet cafe you are on a somewhat safe side… without a password safe to be unlocked.