Good Passwords

Richard Kim

5 min read · Sep 26, 2016

By the end of this article, I’m going to tell you my password

Well… Sort of. I actually don’t have one password. I have a different password for every website I’ve logged into since high school.

That leads to remembering dozens, maybe even hundreds of passwords, but I don’t actually memorize any of them. I’m going to explain my methodology and also why having only one universal password is almost as bad as using “password” as your password.

This article uses concepts discussed at the Google Employee Security Orientation. It’s not officially endorsed by the company and I’m not directly using any materials from the talk.

The Problem — why one password isn’t enough

For the sake of this article, let’s pretend “password” is the strongest password in the world, so you use it everywhere, including at a bank.

Even if the bank itself is impenetrable, because you used the same password everywhere an attacker only has to break into a service with worse security (let’s say Dropbox) and then use what they found there to log into your bank.

Suddenly, your beautiful and unguessable password is powerless and all of your accounts are vulnerable.

The Solution

Make a new password for every service.

That might sound straightforward, but how do you sanely invent and remember hundreds of different passwords?

What if we add the first letter of the URL to the end of your password? Instead of just using “password” everywhere, here’s what you would have on the following websites:

  • Facebook.com = “passwordf”
  • Gmail.com = “passwordg”
  • BankOfAmerica.com = “passwordb”
  • Dropbox.com = “passwordd”

None of those passwords are the same, and you don’t have to memorize any of them. Now if one gets hacked, the others are totally safe! This is due to something called “hashing”, explained here.

To those of you that are saying, “that’s stupid, anyone can figure out the pattern”, let’s come up with something a little harder. Maybe instead of using the first letter you could try something like:

(Using Facebook and Bank of America as the examples)

  • First four letters: passwordface, passwordbank
  • First and last letter split: fpasswordk, bpassworda
  • 4 letters, every other letter: passwordfcbo, passwordbnoa
  • Next letter in alphabet of first 4 letters: passwordgbdf, passwordcbol
  • First 4 letters, mixed in the password: pfaascseword, pbaasnskword

You can see the potential to get really creative and complicated. With a good enough schema, even if someone had 100 of your passwords, they still might not be able to guess the next one. Also, you don’t actually have to remember any of them! All you have to remember is the base chunk and the schema.

For the experienced, think of the URL as salt to your hashing algorithm. It’s not a perfect analogy, but close enough.
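The schemas listed above, plus the “URL as salt” idea from the last paragraph, written out as an added Python example (this is not the author’s code, nor any tool the article names). The `site_name` normalisation, the schema names, and the PBKDF2 parameters in `derive_hashed` are my own assumptions; the five string rules reproduce the article’s examples exactly.

```python
import base64
import hashlib
import string

ALPHABET = string.ascii_lowercase


def site_name(url: str) -> str:
    """Reduce 'Facebook.com' or 'https://www.bankofamerica.com/login' to the
    bare site name ('facebook', 'bankofamerica'), so the schema always sees
    the same string however the address was typed. (Assumed normalisation.)"""
    host = url.strip().lower()
    for scheme in ("https://", "http://"):
        if host.startswith(scheme):
            host = host[len(scheme):]
    host = host.split("/", 1)[0]
    if host.startswith("www."):
        host = host[len("www."):]
    name = host.split(".", 1)[0]
    if not name:
        raise ValueError(f"no site name in {url!r}")
    return name


def next_letters(fragment: str) -> str:
    """Shift each letter one step along the alphabet (z wraps to a);
    non-letters are left alone."""
    return "".join(
        ALPHABET[(ALPHABET.index(c) + 1) % 26] if c in ALPHABET else c
        for c in fragment
    )


def interleave(base: str, fragment: str) -> str:
    """Mix the fragment into the base chunk one letter at a time:
    'password' + 'face' -> 'pfaascseword'."""
    out = []
    for i, ch in enumerate(base):
        out.append(ch)
        if i < len(fragment):
            out.append(fragment[i])
    return "".join(out)


# The five schemas from the article, keyed by an assumed short name.
SCHEMAS = {
    "first_letter":     lambda base, s: base + s[0],
    "first_four":       lambda base, s: base + s[:4],
    "first_last_split": lambda base, s: s[0] + base + s[-1],
    "every_other":      lambda base, s: base + s[0:8:2],
    "next_letter":      lambda base, s: base + next_letters(s[:4]),
    "interleave":       lambda base, s: interleave(base, s[:4]),
}


def derive(base: str, url: str, schema: str) -> str:
    """Apply one named schema to the base chunk and the site name."""
    return SCHEMAS[schema](base, site_name(url))


def derive_hashed(base: str, url: str, length: int = 16) -> str:
    """The 'URL as salt' version: PBKDF2-HMAC-SHA256 over the base chunk with
    the site name as the salt. Unlike the string schemas, the per-site result
    reveals neither the base chunk nor the rule even if several of them leak.
    Iteration count and output length are assumed values for the example."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", base.encode(), site_name(url).encode(), 100_000
    )
    return base64.b64encode(digest).decode()[:length]


if __name__ == "__main__":
    for schema in SCHEMAS:
        print(f"{schema:16s}",
              derive("password", "Facebook.com", schema),
              derive("password", "BankOfAmerica.com", schema))
    print("hashed          ",
          derive_hashed("password", "Facebook.com"),
          derive_hashed("password", "BankOfAmerica.com"))
```

The string schemas make the article’s point about reuse (no two sites share a password), but anyone holding a few of them can read the rule off by eye; `derive_hashed` is what the salt analogy looks like when taken literally, and is the same idea the bookmarklet tools mentioned later in the article implement.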

Stupid Robots

I used human attackers in my animations and descriptions, but in reality, it’s not a person that’s going to try your password on another website. The Dropbox hack leaked 68 million accounts, so it would be absurd for someone to try each of those manually. Instead, people create programs to do it for them.

The simplest program would check every cracked password in the Dropbox leak and try it on bankofamerica.com. Among the tens of millions of leaked passwords, there’s bound to be a few that work.

Since the program doesn’t give your password much thought, using the simplest one-letter pattern (facebook = passwordf) would have thwarted this basic threat. Furthermore, the aforementioned “hashing” process would make it even harder for the bot to find your password in the first place!
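The automated replay described in this section is what defenders call credential stuffing, and from the receiving site’s side it has a recognisable shape: one source trying many different usernames with a high failure rate. The following is an added Python example (not from the article or any product) that flags that pattern in a login log; the log line format, the thresholds, and the sample lines are all constructed for the example.

```python
import re
from collections import defaultdict

# One line per login attempt. The format is constructed for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.5 replays a leaked list against many accounts
# (and gets one hit), 198.51.100.7 is one person mistyping once, and 192.0.2.9
# fails twice against two accounts, which is too little to conclude anything.
SAMPLE_LOG = """\
2016-09-26T10:00:01Z ip=203.0.113.5 user=alice@example.com result=fail
2016-09-26T10:00:01Z ip=203.0.113.5 user=bob@example.com result=fail
2016-09-26T10:00:02Z ip=203.0.113.5 user=carol@example.com result=fail
2016-09-26T10:00:02Z ip=203.0.113.5 user=dave@example.com result=ok
2016-09-26T10:00:03Z ip=203.0.113.5 user=erin@example.com result=fail
2016-09-26T10:00:03Z ip=203.0.113.5 user=frank@example.com result=fail
2016-09-26T10:00:05Z ip=198.51.100.7 user=grace@example.com result=fail
2016-09-26T10:00:09Z ip=198.51.100.7 user=grace@example.com result=ok
2016-09-26T10:00:11Z ip=192.0.2.9 user=heidi@example.com result=fail
2016-09-26T10:00:12Z ip=192.0.2.9 user=ivan@example.com result=fail
this line is not a login event and is skipped
"""


def parse_line(line):
    """Return the fields of one login event, or None for anything else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def stuffing_report(lines, min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that look like credential stuffing: at least
    `min_users` distinct usernames and a failure rate of `min_fail_ratio`
    or more. Any successful login inside such a burst is the reused-password
    case the article describes, so those accounts are listed for follow-up
    (forced reset, session revocation)."""
    per_ip = defaultdict(
        lambda: {"users": set(), "attempts": 0, "failures": 0, "hits": []}
    )
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = per_ip[ev["ip"]]
        s["users"].add(ev["user"])
        s["attempts"] += 1
        if ev["result"] == "fail":
            s["failures"] += 1
        else:
            s["hits"].append(ev["user"])

    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "failures": s["failures"],
                "compromised": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in stuffing_report(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The thresholds are deliberately simple; a production rule would also bound the time window and key on more than the source IP, since replay tools spread attempts across many addresses. The point the example makes is the one from the text: the single `ok` inside the flagged burst is exactly the account whose owner reused a leaked password.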

Does This Matter?

Facebook’s CEO, Mark Zuckerberg, had his Twitter and Pinterest accounts “hacked”. However, there was no evidence of a breach in the Twitter or Pinterest databases. How did this happen?

Zuck used the same password on his LinkedIn, Twitter, and Pinterest accounts (“dadada”). So when LinkedIn got hacked and 117 million passwords were released, it didn’t matter how secure Twitter and Pinterest were.

However, the dark truth is that if someone specifically wanted your password, chances are they’ll get it. In fact, some might argue that no matter how good your password is, relying on any password at all is a serious security vulnerability, and that 2-factor authentication should be the baseline instead.

However, for the general public, most attacks are automated. Their goal is to take advantage of the low-hanging fruit. Consider the purpose of email spam filters. If someone really wanted to scam you, they probably could, but a spam filter protects you from the thousands of Nigerian Prince emails. In a similar way, this won’t protect you from a serious targeted attack, but it will protect you from cheap, automated ones.

Recently, Yahoo released a statement saying 500m passwords were leaked in 2014. Of those 500m, there are bound to be a few million people that used the same username and password as their bank account. Don’t be one of those people.

If you’re serious about protecting yourself and willing to give up a little convenience, enable two-factor authentication everywhere you can. Furthermore, invest in 1password.com, which can generate random passwords and remember them for you. For credit cards, privacy.com similarly generates a randomized credit card for each of your online payments. If you want a Chrome bookmarklet that hashes passwords for you, check out SuperGenPass.

Extra Stuff: Advice for Making the Best Rules

For those who really like this concept, here are a few things to keep in mind before you create your password schema.

  1. Don’t exceed the commonly-used 18-character limit. Example: instead of passwordfacebook, you might limit the added text to 5 characters so it becomes passwordfaceb. This way you won’t have to remember how much of the URL you used for every website.
  2. Have at least 1 capital letter and 1 special character in the base chunk of your password. Lots of websites ask for this anyway, so this way you don’t have to remember which special characters you added for each site. Example: password -> Pas$W0rd (the “0” is a zero).
  3. Some websites don’t allow common English words. So if your password uses English words, consider converting some letters to symbols (eg: “a” to “@”) to break the word. You can also use abbreviations, gibberish, foreign words, or names.

One Last Thing

I promised I’d reveal my password, and while I won’t reveal the main chunk, I will reveal the fun part. First, see if you can figure it out yourself:

  • Facebook.com = password4132
  • Medium.com = password7338
  • LinkedIn.com = password9868
  • Dropbox.com = password3490

What’s my bank password?

(Solution)

Credits

Kudos to @KenChenDesign for the header animation. Icons: shield1 shield2 bank moneybag sword lock thief key claw
