Sean Reiser

Introduction

A friend was recently asking me about passwords. He’s heard some of my password rants in the past and was curious how I handled passwords. I’m going to lay why most people have bad passwords and what I do to get around those issues. I know my solution isn’t new or radical, others have done similar things before, I’m just publishing it as an example and to get people thinking.

Why Your Passwords Suck

Most people have passwords that suck. It’s not your fault, really you just don’t know how to make a decent password. Let me break out a few reasons why your passwords suck:

1. You use the same password on every service. If one service is compromised every system you use is in jeopardy.
2. Your password is some portmanteau of the service name and some constant word you use. You use “passwordtwitter” on twitter. If this is found out it’s a short trip to knowing that you use “passwordfacebook”, “passwordfriendfeed” and “passwordflickr”
3. You’ve come with some password scheme combining the names of your children / girlfriends / pets or their birthdays. Information that can be found in personal records or social engineered out of you.
4. You’re using dictionary words as your password. (Dictionary words are words that can be looked up in a dictionary). Dictionary attacks are common ways to attack
5. You’re using some substitution scheme with dictionary passwords. For example you’re using “1337 speak” and “password” becomes “p455w0rd”.

What’s Needed for Less Sucky Passwords

Here are the rules I use for passwords:

1. Passwords should be different for each system.
2. Passwords should appear random to people and computers.

You’re thinking “how can I remember a password that changes and appears random”. It’s simple build a system to generates them and can regenerate them at will.

How Do We Do This?

The solution takes advantage of hashing. To make it easy to understand, a cryptographically secure hash takes data, whether it’s a string or a file, mixes it together, uses some math and outputs a number. The number appears nice and random to both people and machines. Other then brute force it’s impossible to take the number and reverse it back to the original data. I could go on for a bit about MD5 and measures of entropy but I suspect that is outside the cope of keeping this easy to read. In this instance, the number is then put through an encoding process using letter and special characters to make it shorter and more readable.

The process is simple, you enter the site you’re using and a long passphrase you always remember. Through the magic of math a hard to guess password is generated.

Wait, Didn’t You Say Having One Password For All Sites Is Bad

Sort of. I was referring to the actual password. In the “passwordtwitter” example above. If I take “password” as the passphrase and “twitter.com” as the website the alphanumeric special options generates “)O~dM7iD5Q/j3Yb.9,|<” and the lowercase alpha generates “bfblwxcpbglfjsueiqtlmkrinosy”. As you can see I can’t look at that and know that the facebook password would be “%AFT|3QIR)nY`zgK]EOl” or “ardadyqjxrgfvgaltfgsncblpqxb”. As it’s difficult to take a hash and generate the source all is secure.

All that said let me be clear DO NOT USE PASSWORD AS A PASSWORD. The advantage to this system is that there is only one thing to remember and it can be any length. Choose something long, easy to remember and not easy to guess. A quote from a book, your favorite bible passage, a phrase like “I’m Sean and I’m a computer programmer who was born in 1969. There is nothing more useless then a single password to keep you safe. People who think useing password as a password should be shot.”

How can I do it

So there’s a website I built that I need go to when I need to remember a password and fill in 2 fields:

• My Master Passphrase - I suggest picking a line out of a book that you remember or some other long phrase. I’d avoid “The quick brown fox jumps over the lazy dog” since it’s so well known.
• Website - The website I’m using using eg: twitter.com, youtube.com

Then I select the character set I want to output:

• numeric - Only the numbers 0-9
• lowercase alpha - Only the letters a-z
• alpha numeric - The Letters a-z and numbers 0-9
• alpha mixed numeric special - the letters a-z, A-Z, numbers 0-9 and a number of special characters

There are a few reasons why there are several character sets available. I do suggest that where possible you use the alpha mixed numeric special password but there have been a few exceptions:

• My bank (and yes I did write this for me) requires a numeric only password.
• Many systems don’t allow special characters in passwords.
• If I plan on needing to share a password over a phone, I use the lowercase alpha.

You’ll notice that if there are fewer characters in the set, the password is longer. I could go into a long discussion why, but again it’s a little outside the scope of this document.

Security

I was asked why there is no SSL cert on that site. The reason is simple, all the work is done in your browser using javascript, no data passes to my server. And at the end of the day, this doesn’t need to run on a webserver at all. I encourage you to download the source unzip it on your harddrive and load passgen.html in any browser which supports javascript and it will work for you.

Guarantee, Warrantee, Assurances

OK, to make my lawyer happy: None. The software is made available for example purposes only. As far as I know the concepts here are secure but I am not responsible for any ill effects from the use of this software. If you lose data, forget your password, go blind, lose your girlfriend, or die in a tragic blimp accident over the superbowl, I am not responsible.

Share and Enjoy!