Never forget your password again, version 1

The recommended practice is to have different passwords on different websites. But how do you remember all those passwords without storing them somewhere? The tricks is, you don’t. You remember a single strong password, and use a mechanism to generate other passwords from that.

This is not for securing government secrets, but should work for your twitter account.

Create a single very strong password

There are many ways to do this: http://xkcd.com/936/

Super strong password:

correcthorsebatterystaple

Let’s call this your ‘master password’.

Use a cryptographic hash function

Let’s say you want to generate a password for ‘johndoe’ on twitter.com.

First, pick a cryptographic hash function. In this example I’ll use md5, although other algorithms are propably better suited. Then, concatenate the master password, username and website name together, and finally run the hash function on the result.

This is how, in bash (btw, don’t use bash for real passwords, because you might forget to clear the history):

CONCAT=correcthorsebatterystaplejohndoetwitter.com
md5 -qs $CONCAT
# output: 5a7dac61ae984827aa26b859d1c9685e

So, ‘5a7dac61ae984827aa26b859d1c9685e’ or a prefix like ‘5a7dac61’ is your password for johndoe@twitter.com. If you can’t remember it, you can always compute it again.

Let’s say you use the same username somewhere else, e.g. on example.com. Let’s see that the passwords are actually different:

CONCAT=correcthorsebatterystaplejohndoeexample.com
md5 -qs $CONCAT
# output: 9437adf5736235d897603c7d96c956c0

So, ‘9437adf5736235d897603c7d96c956c0’ is your password for johndoe@example.com

Adding password versioning

What if you want to change your password? Maybe twitter.com was hacked and your password compromised.

Theoretically the hacker could reverse the hashing algorithm you used (if he guessed the method you used), and discover your master password ‘correcthorsebatterystaple’. Assuming that such is not the case, to generate a new password, simply prefix the master password with a version number, e.g. ‘1’, ‘2’, ‘3’ or n. That way you get a new password on twitter, but keep the same master password.

VERSION=1
CONCAT=${VERSION}correcthorsebatterystaplejohndoetwitter.com
md5 -qs $CONCAT
# output: 33bf2f35e6034b7e18bbf43047207152

And voilà, you have a new password: 33bf2f35e6034b7e18bbf43047207152 for johndoe@twitter.com.

Demo using Javascript

Here is a demo I’ve hacked together in Javascript. It’s just a demo so use at your own risk, i.e. don’t use your real master password. To try the demo, fill out the information and click ‘retrieve password’. I’ve added a clear button, to quickly clear the generated password. Also, as a low-tech security measure, the colors are set, so the password is hard to read (hard enough for spying cameras?)

open in new page

This demo executes a Javascript hashing function on the input in the browser without sending your data anywhere. But still, it’s only a demo, so don’t use it for real stuff.

See also: http://pajhome.org.uk/crypt/md5/

Using BASH is not a good idea!

If you want your password to remain secret, typing md5 commands in the shell to generate your password is not the best idea. Someone could search in your history for the word ‘md5’ or something else:

history | grep 'md5'

So you want a more secure solution, i.e. a solution were the computation you performed is not stored anywere, but is completely gone seconds after you’ve retrieved your password. Depending on how paranoid you are, there are several solutions that spring to mind. One solution is to write a program in Java, that prompts you for the input needed to retrieve the your password for USER@WEBSITE.

If you’re not super paranoid, you could use a Javascript solution like in the demo above.

Does this approach suck?

It might, but if it does, leave a comment that describes why, so we can all learn. The end goal is to find a way to not bog the brain down with remembering a gazillion passwords to a gazillion web sites.


Improving the solution

One could argue that md5 hashes are difficult to remember, and such a person might be right. An idea is to chop the 32 character hex into four 8 character substrings. These four substring are then used by the password generator as an index into a dictionary, to generate a 4 word, xkcd style password like ‘puddingboatgalaxymirror’. If such passwords don’t work on most sites because of arguably silly password policies, spice it up with leet and titlecase.

Leave a Reply