The recommended practice is to have different passwords on different websites. But how do you remember all those passwords without storing them somewhere? The tricks is, you don't. You remember a single strong password, and use a mechanism to generate other passwords from that.
This is not for securing government secrets, but should work for your twitter account.
Create a single very strong password
There are many ways to do this: https://xkcd.com/936/
Super strong password:
correcthorsebatterystaple |
Let's call this your 'master password'.
Use a cryptographic hash function
Let's say you want to generate a password for 'johndoe' on twitter.com.
First, pick a cryptographic hash function. In this example I'll use md5, although other algorithms are propably better suited. Then, concatenate the master password, username and website name together, and finally run the hash function on the result.
This is how, in bash (btw, don't use bash for real passwords, because you might forget to clear the history):
CONCAT=correcthorsebatterystaplejohndoetwitter.com md5 -qs $CONCAT # output: 5a7dac61ae984827aa26b859d1c9685e |
So, '5a7dac61ae984827aa26b859d1c9685e' or a prefix like '5a7dac61' is your password for johndoe@twitter.com. If you can't remember it, you can always compute it again.
Let's say you use the same username somewhere else, e.g. on example.com. Let's see that the passwords are actually different:
CONCAT=correcthorsebatterystaplejohndoeexample.com md5 -qs $CONCAT # output: 9437adf5736235d897603c7d96c956c0 |
So, '9437adf5736235d897603c7d96c956c0' is your password for johndoe@example.com
Adding password versioning
What if you want to change your password? Maybe twitter.com was hacked and your password compromised.
Theoretically the hacker could reverse the hashing algorithm you used (if he guessed the method you used), and discover your master password 'correcthorsebatterystaple'. Assuming that such is not the case, to generate a new password, simply prefix the master password with a version number, e.g. '1', '2', '3' or n. That way you get a new password on twitter, but keep the same master password.
VERSION=1 CONCAT=${VERSION}correcthorsebatterystaplejohndoetwitter.com md5 -qs $CONCAT # output: 33bf2f35e6034b7e18bbf43047207152 |
And voilĂ , you have a new password: 33bf2f35e6034b7e18bbf43047207152 for johndoe@twitter.com.
Demo using Javascript
Here is a demo I've hacked together in Javascript. It's just a demo so use at your own risk, i.e. don't use your real master password. To try the demo, fill out the information and click 'retrieve password'. I've added a clear button, to quickly clear the generated password. Also, as a low-tech security measure, the colors are set, so the password is hard to read (hard enough for spying cameras?)
This demo executes a Javascript hashing function on the input in the browser without sending your data anywhere. But still, it's only a demo, so don't use it for real stuff.
See also: https://pajhome.org.uk/crypt/md5/
Using BASH is not a good idea!
If you want your password to remain secret, typing md5 commands in the shell to generate your password is not the best idea. Someone could search in your history for the word 'md5' or something else:
history | grep 'md5' |
So you want a more secure solution, i.e. a solution were the computation you performed is not stored anywere, but is completely gone seconds after you've retrieved your password. Depending on how paranoid you are, there are several solutions that spring to mind. One solution is to write a program in Java, that prompts you for the input needed to retrieve the your password for USER@WEBSITE.
If you're not super paranoid, you could use a Javascript solution like in the demo above.
Does this approach suck?
It might, but if it does, leave a comment that describes why, so we can all learn. The end goal is to find a way to not bog the brain down with remembering a gazillion passwords to a gazillion web sites.
Improving the solution
One could argue that md5 hashes are difficult to remember, and such a person might be right. An idea is to chop the 32 character hex into four 8 character substrings. These four substring are then used by the password generator as an index into a dictionary, to generate a 4 word, xkcd style password like 'puddingboatgalaxymirror'. If such passwords don't work on most sites because of arguably silly password policies, spice it up with leet and titlecase.