Thursday, November 20, 2008


In this post I mentioned that you should not use the same password for everything due to a number of security reasons. I also mentioned that you shouldn't store your passwords unencrypted anywhere.

Most people aren't going to remember a different password for every website/computer/email address they use. So what should you do?

Well the first option is to store them in an encrypted file (which requires a password to access...). Also, if you ever lose that file (stolen, deleted, hard drive crash, etc) then you are SOL.

The way I solve this problem is to use a predefined pattern to modify a base password. For a simple example say your base password is "VerySecret7" then you could make your password for Gmail "GerySecret7" and your password for Facebook "FerySecret7". Granted this is not a very secure example (yet still much more secure than the same password!), but you can extend this to make more complicated patterns. For example:

1. Use the next letter of the alphabet so the connection isn't as apparent. (thus "HerySecret7" for Gmail and "EerySecret7" for Digg)

2. Convert letters to numbers. ("7erySecret7" Gmail and "25erySecret7" for Yahoo).

3. Take multiple letters from the service name. (IE take the first and third letter and put them at the end -- "VerySecret7Ga" for Gmail or "VerySecret7Fc" for Facebook)

4. Use classes of passwords. (For banks use "SuperSecret39" for your base password, then apply your normal pattern to it.) This is probably overkill if you have a half decent pattern/base password.

5. If the first letter of the service starts with a letter after M spell your base password backwards. (Also probably overkill)

6. You get the idea, basically whatever you can think of. Combinations of patterns will be more secure, and symbols, caps, and numbers always improve password security.

Get creative, but not so creative that you won't remember it... Just be consistent. A relatively simple pattern such as take the letter after the first letter of the service name and add it to the front, then convert the last letter to a number gives you a pretty secure password and fairly unrecognizable pattern ("Hery11ecret7" for gmail).

It would be very hard for someone who has one of your passwords to both know you are using a pattern and discover your pattern (if it is half decent, not VerySecret7Gmail...). On the other hand it *should* remain easy for you to remember all of your passwords without writing them down.

The big drawback of this is that you can't change just one password without breaking the pattern, so to change one password you need to change all of them...

This technique is essentially a simple hash function. If you have a better solution (IE it solves the above problem), please let me know :).

No comments: