Tag Archives: passwords

Why Having Different Passwords Matter.

317657937_4595dfcff6For years, myself and many people I know used a fairly simple password strength hierarchy.  You had a simple password for all those forum sites, and unimportant websites.  You had a more complex password for sites that probably involved transactions, maybe your utility company, or Amazon.  Finally, you had a top-level password reserved for bank or credit card website access, which probably exceeded 12 characters and had punctuation and mixed-case letters.  The rationale was that if someone hacked one of the lower-level passwords, they would only have access to some special interest group forum, and who cared about that, you could always reset the password.

But here’s why we are wrong.  You see, most websites use an email / password combination, and what works on one site, works on another.  You may think that even if they get my password by hacking one site, how are they going to guess which other sites I’m a member of.  You think this because you’re imagining that there’s some bored hacker teenager staying up all night entering your email / password combination into a couple of key sites.  But he doesn’t exist.  Your details are fed into a complex network of computers that are trying your combination into thousands, if not millions of sites.  And, when a match is found, your details are stored in a database and sold to other hackers and organizations.  So that little forum that was run by a part-time enthusiast, who didn’t have time to implement complex security on the storage of passwords to his forum becomes ground zero for a sequence of attempted logins on websites around the world.

This is why you should have a different password for every site you visit or require registration on.

I’ll repeat that.  This is why you should have a different password for every site you visit or require registration on.  It’s important because, just like dominoes, once one site is compromised, every other site will fall.

Arguably, the best solution is to have password manager take care of all your passwords for you.  I’ve been recommended Dashlane by many people who’s opinions I respect. But, there are still aspects to this that cause concern. You are putting all your eggs in one basket with password managers. If someone cracks that nut, they get everything. I know it’s unlikely to happen, but it’s still a risk, especially as password managers now work in the cloud, enabling you to have your password management work across multiple devices, and we all know how secure the cloud is proving to be.

No.  I think the solution for the more paranoid amongst us is to maintain a system for having unique passwords for every site, but create a method for minimizing the amount of information to have to remember.

So how do you go about devising a scheme?  For this we need to understand a little about how passwords are stored in most online databases, which control your access rights to websites.  Typically, your plain-text password is converted into an encrypted hash.  In the past, this might have been MD5, but that’s been proven to be not as secure as previously thought.  It’s successor SHA1 has been replaced with the even more secure SHA2.  Both the SHA algorithms were produced by the NSA, which might give you some cause for concern, but peer review seems to indicate that they are secure.  What a hash algorithm does is convert your password into a long, unique string of ASCII characters.  For every password you use, a different hash is produced.  Now, there is a small problem with this.  If you acquire the plain-text password and its corresponding hash, you can search for that hash in another website’s database and be able to decode the hash.  This is because the hash for a specific password will always be the same.  In fact, there are many websites devoted to storing MD5 hashes, which you can look up a hash and get its plan-text string. You’d be surprised how many MD5 hashes are on these sites.  The recommended method for obscuring these hashes is a technique called “salting”.  Salting adds an additional string to your password before converting it to a hash, and storing it in the database.  This means that the hash produced is doubly obfuscated, and the same hash value stored in two separate databases will be different even though they represent the same plain-text password.

Using the method of salting as inspiration, it is possible to design a personal password system that is easy to remember but very difficult to crack.

Here’s how you start.  Pick a phrase or collection of words (minimum of 3), use title case, that is make the first letter of each word upper-case.  Add a couple of numbers, and a special character (something like an exclamation point, hyphen, or curly bracket.  You should end up with something like this: PurpleFriendlyWombat37!  You can decide how to mix up the words, numbers, and punctuation yourself.  Better yet, add punctuation to the whole phrase.  Whatever you decide on, just make sure you can remember it.  This is actually a lot easier than you think.  Now here’s the twist, the salt so as to speak.  Now you’re going to add the name of the website to your password root.  Let’s say it’s America Online, or “AOL”.  For AOL your password would be “PurpleFriendlyWombat37!AOL“, or to mix it up further perhaps “PurpleAOLFriendlyWombat37!”.  Whatever method you decide for adding to your password, you will apply this method to all passwords for all sites.  Therefore, if you chose the second method indicated above, your password for citibank, would be “PurplecitibankFriendlyWombat37!”.

That’s it.  You now only need to remember one root password, which is most likely already more complex and secure than most of the passwords you’re already using, but with the addition of the website, or organization name you’ve got a different password for every site.

Annoyingly, a few organizations require password changes on a regular basis (30, 60, 90 days, or so).  This is irritating for everyone concerned, from the users, to the support desks that constantly have to deal with forgotten passwords.  This method doesn’t handle situations like this.  You’re on your own there.