
23 July, 2011

Passwords, part three of two

This post and, more specifically, this comment make me want to write a few more sentences on the topic of password selection. First off, the article is a good read, and talks about what kinds of bad passwords people chose.

Now for the frequent objections I get to the method I suggest. They all have some truth to them, but none of them is convincing enough to give up this system.


1. Someone can figure out your password generating rule if they get to look at one of them.

An example: okdufgo3fa. Can you tell that this is a password for Facebook? Could you tell that erdufgo3ga would be the corresponding Gawker password? You probably can, at least if you have both, and if you take a few moments to go through the most obvious ways to do it. There are two issues with this. One: this is a problem where you have to find a pattern. Human brains are ridiculously good at anything pattern-related. Computer chips, on the other hand, are incredibly bad at it, especially if you start to use rules which are obvious to humans but arbitrary to computers, such as "put all vowels in front of the consonants" (facebook becomes aeoofcbk). Computers don't even know about vowels.

This leads directly to the second point: we have CPU power in abundance, but not human eyes. No hacker would bother looking at thousands of leaked passwords personally, trying to figure out the rule for every one of them. And since everyone else has a password like '12345', why should he even bother?

Conclusion: nobody will take the time to break it, and even if someone did, it's not actually as easy as it sounds.


2. What do you do when you have multiple accounts for the same service?

Completely different, yet with the same underlying issue. What does it mean to have two accounts at the same service? Two user names share the same password. But how is a hacker going to know which two user names match? He cannot even do this via brute force, because all the people who chose '12345' will crowd the list of duplicates. Again, it comes down to the fact that a hacker won't even bother.

And secondly, how is someone going to use that knowledge if they do not have your other account name? They cannot infer the rule to generate more passwords (since they only have one example), they cannot break into your e-mail or your bank, and most importantly: when a service gets hacked, you lose both your passwords there to begin with, not just one. In the end, this makes no difference at all.


3. Some services require you to change your password from time to time.

In that case, there is no useful way out of it. Your chosen rule will probably not accommodate anything like this. But compare it to any other system of choosing passwords: you would also have to change your password every few months. No system can cope with this to begin with, so the best way to handle such an egregious exception is to treat it as one: you will have to remember a specialized (frequently changing) password for just that service. I would recommend not using the service, because that's just a huge bother.


4. Restrictions on character range or length.

This only really applies if you choose a bad function that does not include one or two digits and is very short. The easiest way to avoid the issue is to select a function which always results in 9-12 characters and has exactly two letters in it. I know of no web service where such a password would not work. Except for my bank account, where only letters work, so I have to write that password down on paper. It figures that my most important password is the one I have to handle in the riskiest way, by writing it down.


Overall conclusion: there are some small issues with the system, but they are less impractical than what any other system would run into when facing the same problems.

Addendum: nobody has pointed this out yet except for Randall, but the real issue with passwords is mostly length. 20 lowercase letters are way harder to crack than a combination of letters, capitalisation, punctuation and numbers if that only runs to 8 characters. You can just use a very long static string in this system, and you're fine.

23 May, 2011

Passwords, part two of two

We have established why you really do not want to use the same password in more than one place. I have a really old text document in my backups which has a list of all passwords I used ten years ago. I believe it has more than one hundred entries. Online games, discussion forums, redundant companies (amazon.de, amazon.co.uk and amazon.com require their own logins) and generally useful services add up faster than you think. The issue is:

You cannot ever remember a different password for every service.

It is just impossible to remember hundreds of expressions such as "agclue.jf312kd". Most people use a priority system: a crappy password, "plork", for services they do not care about much; a medium password, "Naftalin23", for their Flickr, Twitter and Gawker accounts; a safe and unique password for e-mail, eBay and Amazon. That leaves you with a dozen passwords or so. It is workable, but for obvious reasons not a good solution. Is there a better one? I present:

The One-Way-Function. ("hashing")

It works like this: you think of a function that only works efficiently in one direction. A typical example is "I see something and it is black." It is very easy for you to decide whether something is black. It is very hard for everyone else to figure out what exactly you are talking about. While I didn't invent the principle, there seem to be miserably few people who create their passwords with this technique. Let me give you a simple example:

Use the first two letters and the last two letters of the service name, then write "qelgf.15" behind them.

Google: "goleqelgf.15"
Twitter: "twerqelgf.15"
eBay: "ebayqelgf.15"
Facebook: "faokqelgf.15"

While already very strong, you could easily add capitalized letters to the static expression, that is "qelgf.15", making it "qElgF.15", for example. You might be disappointed that eBay can be recognized. That's an artifact of our slightly less-than-ideal hash function, but it actually does not matter that much, because it is still incredibly hard to detect without human eyes taking a look at the passwords. And when you are a criminal out to steal passwords, you don't want to waste hours guessing such functions when there are thousands of people using "password" or "12345" instead. In conclusion: just pick any function which you can do quickly in your head, which results in a few letters from a service URL, and put something in front of or after them (or both).

And if you want insane security, you could even do something like writing your full name with your birth year (note that this would be one of the least safe things to do otherwise), and interjecting the service name spelled backwards, one letter after each character. Assume your name is Michael Kennedy, and you were born in 83. Whenever you type your password, you first type out "Michael83Kennedy", then put the cursor at the beginning and move it right once, then type a letter, and repeat.

Google: Meilcghoaoegl83Kennedy
Twitter: Mriecthtaweilt83Kennedy
eBay: Myiacbheael83Kennedy
Facebook: Mkiocohbaeecla8f3Kennedy

It isn't very fast, but it leads to passwords that couldn't be safer, and it is impossible (not just unlikely) to have the same password twice, because two services always have different names to begin with. And before you point it out: for mathematical reasons, the last names looking identical is completely irrelevant. Do me a favour and adopt such a system.

28 April, 2011

Passwords, part one of two

In light of the current PSN disaster, and with clear memory of the recent Gawker problems, I want to write about something important, which bothers me a lot.

Do not use the same password in multiple places.

People do not understand why this is such a gigantic problem. They think it is just a matter of convenience (fewer passwords to remember) versus security, much like how you don't use a different key for every lock in your life. The key that opens your car also starts it, and the key to your apartment complex also opens the door to your flat. But that is very far from the truth. The proper analogy would be using a single key for all your locks while at the same time giving a copy of your key, to safeguard, to every single person that ever enters your home, including the plumber and the boyfriend of your daughter of whom you do not approve.

In more technical terms: if you use the same password for Twitter, Facebook, Gmail, eBay, Gawker, PSN and Flickr, then your chance of losing all accounts in one fell swoop rises significantly. It does not matter if Gmail and eBay have tight security. If Twitter screws up, your bank account is gone. If Flickr screws up, your bank account is gone. If PSN or Gawker gets hacked, kiss your eBay account goodbye.

It does not actually end here; it gets worse. We all have our major sites which we use daily. But most of us also have accounts at places where we really do not need them often. I play Bloodline Champions (recommended!), which is a tiny game with only a few thousand players, made by a small developer. But I have a forum account for that, which is all but inactive. Still, there is a password involved. And if they get compromised, or a disgruntled employee leaves them, my password could leak. If it were identical to my others, I would be in trouble.

And it gets worse still. There are quite a few sites out there that want you to register with them for no reason whatsoever. Some warez downloads lead to files that are password protected, with a text file nearby telling you to register at their shady site. If you do, not only are you prone to get spam in your e-mail, but even worse, they get a username/password combination from you. They can just try that on Google and see if it works. This is the extreme, but do you trust Google? Do you trust Twitter? Do you trust the guy that hosts that discussion forum on politics / porn / kittens you frequent? Or would he just sell your password? Identity theft is a serious business.

Next up: How to do better.

Addendum
There is such a thing as "salted hashes", a technique to store passwords on a server without allowing anyone to read them, so as to prevent an employee from selling them. In that case, it is a lot harder to get your real password. But it requires that the people running the service know what they are doing. Most do, but if only one does not and gets compromised, the shit has hit the fan.
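What "salted hashes" means on the server side, as an added example that is not part of the original post: the weak unsalted digest beside a per-user salted, slow key-derivation record, using only the Python standard library. The record format, the "12345" sample users and the iteration count are my constructed choices.

```python
# Added example, not from the original post. With an unsalted digest, anyone
# holding the table can see which users share a password and look digests up
# in precomputed tables; a fresh random salt per user plus a slow derivation
# function (PBKDF2 here) removes both shortcuts. The iteration count is a
# deliberately small constructed value so the demo runs fast; real deployments
# use far more, or a memory-hard function such as scrypt.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 50_000  # constructed demo value


def unsalted_digest(password: str) -> str:
    """The weak way: the same password gives the same digest for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Build the stored 'iterations$salt$hash' string for one user.
    A new 16-byte salt is drawn per call, so two users with the same
    password still get different records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count, compare in
    constant time so the check itself leaks nothing about the digest."""
    iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample: two users who both picked "12345".
    print("unsalted digests equal:",
          unsalted_digest("12345") == unsalted_digest("12345"))   # True
    a, b = make_record("12345"), make_record("12345")
    print("salted records equal:  ", a == b)                      # False
    print("verify right/wrong:    ", verify("12345", a), verify("123456", a))
```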