23 May, 2011

Passwords, part two of two

We have established why you really do not want to use the same password in more than one place. I have a really old text document in my backups which lists every password I used ten years ago; I believe it has more than one hundred entries. Online games, discussion forums, redundant company sites (amazon.de, amazon.co.uk and amazon.com each require their own login) and generally useful services add up faster than you think. The issue is:

You cannot ever remember a different password for every service.

It is just impossible to remember hundreds of expressions such as "agclue.jf312kd". Most people use a priority system: a crappy password "plork" for services they do not care about much; a medium password "Naftalin23" for their Flickr, Twitter and Gawker accounts; a safe and unique password for e-mail, eBay and Amazon. That leaves you with a dozen passwords or so. It is workable, but not a good solution: the moment one site in the medium tier leaks its password database, every other account in that tier is open. Is there a better one? I present:

The One-Way-Function. ("hashing")

It works like this: you pick a rule that is cheap to apply in one direction and hard to run backwards. A rough everyday analogy: it is easy for you to decide whether the thing in front of you is black, but from the statement "it is black" alone nobody else can work out which thing you mean. Applied to passwords, the rule turns a service name into a password that is easy for you to recompute on the spot and hard for anyone else to guess. I did not invent the principle, but miserably few people seem to create their passwords this way. Let me give you a simple example:

Use the first two letters and the last two letters, then write "qelgf.15" behind it.

Google: "goleqelgf.15"
Twitter: "twerqelgf.15"
eBay: "ebayqelgf.15"
Facebook: "faokqelgf.15"

This is already a good deal stronger than "Naftalin23", and you could easily add capital letters to the static part, turning "qelgf.15" into "qElgF.15", for example. You might be disappointed that eBay is recognisable in its password. That is an artifact of our less-than-ideal function, and it matters less than it looks: the pattern is hard to spot without a human looking at the password, and the recognisable prefix does not reveal the static part, which is where most of the strength lives. A criminal out to steal passwords in bulk will not waste hours guessing such functions when thousands of people use "password" or "12345" instead. Keep in mind, though, that the function is only "one-way" as long as nobody knows it: someone who obtains one of your passwords and does take a look can read off the rule and the static part, and then produce your password for every other site. In conclusion: just pick any function which you can do quickly in your head, which takes a few letters from the service URL, and put something before or after it (or both).

And if you want something far stronger still, you could even start from your full name with birth year (note that on its own this would be one of the least safe passwords imaginable), and interleave the letters of the service name, backwards, into it. Assume your name is Michael Kennedy and you were born in '83. Whenever you type your password, you first type out "Michael83Kennedy", then put the cursor at the beginning, move it right once, type a letter, move right once more, type the next letter, and so on until the service name is used up.

Google: Meilcghoaoegl83Kennedy
Twitter: Mriecthtaiewlt83Kennedy
eBay: Myiacbheael83Kennedy
Facebook: Mkiocohbaeecla8f3Kennedy
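Both mental rules from this post, as an added Python example that is not part of the original post. It reproduces the post's worked passwords for the "first two + last two + static part" scheme and for the interleaving scheme, then shows the flip side the post does not: what someone who obtains one password and recognises the rule can recover and predict. For contrast it also derives a per-site password with HMAC-SHA256 under a master secret, a genuine keyed one-way function, where one output reveals nothing about the others. The constants ("qelgf.15", "Michael83Kennedy"), the master secret and all function names are the post's example values or my own choices, not anything the author provides.

```python
import base64
import hashlib
import hmac

# Constants assumed for the examples (the post's own worked values).
STATIC_SUFFIX = "qelgf.15"
BASE_STRING = "Michael83Kennedy"


def scheme_affix(service: str, suffix: str = STATIC_SUFFIX) -> str:
    """Scheme 1: first two letters + last two letters of the service name,
    followed by a fixed secret string."""
    name = service.lower()
    return name[:2] + name[-2:] + suffix


def scheme_interleave(service: str, base: str = BASE_STRING) -> str:
    """Scheme 2: type the base string, then walk through it inserting one
    letter of the reversed service name after each character."""
    letters = service.lower()[::-1]
    out = []
    for i, ch in enumerate(base):
        out.append(ch)
        if i < len(letters):
            out.append(letters[i])
    # Service names longer than the base do not occur in the post; the
    # remaining letters are simply appended so the rule stays defined.
    out.extend(letters[len(base):])
    return "".join(out)


def scheme_hmac(service: str, master: bytes, length: int = 16) -> str:
    """A genuine keyed one-way function for contrast: HMAC-SHA256 of the
    service name under a master secret, base64-encoded and truncated.
    Deriving another site's password needs the master secret, not a
    previously seen password."""
    mac = hmac.new(master, service.lower().encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:length]


# --- What an attacker who has seen ONE password and guessed the rule can do ---

def affix_suffix_from_leak(leaked_password: str) -> str:
    """Scheme 1 exposes its static part verbatim after the four site letters."""
    return leaked_password[4:]


def predict_affix(leaked_password: str, target_service: str) -> str:
    """Scheme 1: one leaked password yields every other site's password."""
    return scheme_affix(target_service, affix_suffix_from_leak(leaked_password))


def interleave_base_from_leak(service: str, leaked_password: str) -> str:
    """Scheme 2: skip every inserted letter (the odd positions while the
    service name lasts) to recover the base string. Assumes the service
    name is no longer than the base string, as in the post's examples."""
    n = len(service)
    out = []
    i = 0
    while i < len(leaked_password):
        out.append(leaked_password[i])
        i += 2 if len(out) <= n else 1
    return "".join(out)


def predict_interleave(leaked_service: str, leaked_password: str, target_service: str) -> str:
    """Scheme 2: the recovered base string plus the rule gives any site's password."""
    base = interleave_base_from_leak(leaked_service, leaked_password)
    return scheme_interleave(target_service, base)


if __name__ == "__main__":
    for site in ("Google", "Twitter", "eBay", "Facebook"):
        print(f"{site:9} {scheme_affix(site):14} {scheme_interleave(site)}")
    leaked = scheme_interleave("Twitter")
    print("base recovered from one leak:", interleave_base_from_leak("Twitter", leaked))
    print("predicted eBay password:     ", predict_interleave("Twitter", leaked, "eBay"))
    # Assumed master secret; in practice this would be a long random value.
    print("HMAC-derived Google password:", scheme_hmac("Google", b"assumed master secret"))
```

Running it prints the post's tables (with the Twitter entry spelled as the rule actually produces it), then demonstrates that a single leaked interleave-scheme password hands an onlooker "Michael83Kennedy" and, with it, the eBay password. The HMAC variant is what a real one-way function buys you: the same convenience of recomputing per site, but a leaked output cannot be turned into the others.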

It isn't very fast, but it produces long passwords, and it is impossible (not just unlikely) to get the same password twice, because two services are always named differently to begin with, so the interleaved letters differ (provided you include enough of the name to tell amazon.de from amazon.com). And before you point it out: the identical-looking last names do not weaken the passwords against blind guessing; an attacker who does not know the scheme gains nothing from them. What they do mean, as with the simpler scheme above, is that a single leaked password read by a person who recognises the interleaving gives away "Michael83Kennedy" and the rule at once. Such a system protects you against reuse and against bulk cracking, not against someone targeting you after one of your passwords has leaked. Do me a favour and adopt such a system.