Far Beyond Programming — Braindumps by Eric Teubert

Password Strategy for the Rest of us

03 December 2011

Put all your eggs in the one basket and — WATCH THAT BASKET. (Mark Twain in “The Tragedy of Pudd’nhead Wilson”)

There are several options to manage your passwords:

  1. One strong password
  2. Many simple passwords
  3. Keep a list of all your passwords
  4. Password manager (Keepass, 1Password)
  5. Context based password strategy
  6. Lose your mind and go crazy

A single strong password is fine until you enter it into a service that does not care about your safety and stores it in plain text, sends it back in a confirmation mail or something like that. Boom, all your credentials are compromised at once. Using many simple passwords is the worst option: every login is then prone to standard guessing and dictionary attacks. The advantage of carrying around a list of passwords is that you can choose pretty long ones. But lose the list and all your passwords are gone. Bummer. Password managers are a good solution, probably the most secure one, as you can generate a unique 30+ character password for each service and only have to remember a single strong master password. I tried 1Password for a couple of days but for me it is too fiddly, especially on mobile devices.

Context Based Passwords

At the moment I am pretty happy with this strategy. It meets several password safety requirements:

The passwords consist of two parts: a static and a context-based one. The job of the first part is to guarantee high length and entropy. Something like 9RainbowWhiteboards!, My2ndComing,right? or even def self.foo(bar={}). Just make sure it’s pretty long, easy to remember and contains more than just lowercase letters. It might seem cumbersome to type, but once you get used to it your muscle memory will kick in and you will type that part in no time. The second part is context based and requires a little creativity. What is the context? The name of the domain or program is a good choice. Now invent a little algorithm that’s easy to remember and doesn’t take too long to apply. A couple of ideas, feel free to steal and combine:

Be creative but don’t overdo it. If it takes you several minutes to determine your password, it’s probably not worth it. The main idea is that when one password gets compromised, the attackers can’t just log into all your other services with it. Example context parts for www.farbeyondprogramming.com are GbS62 and -20ef; a completed password may be GbS629RainbowWhiteboards!. See what I have done here? The dynamic part ends with a number and the static part begins with one, so the boundary between the two is not obvious. It’s just playing around, but an attacker would need two of my passwords in plain text to be certain about which part is the static one. Be clear about what that buys you: the static part is identical across all services, so one plaintext leak already reveals most of the secret, and an attacker who guesses the scheme only has to try variations of the short context part for the next service.
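To make the two sides of this concrete, here is an added example (my code, not the author’s). It assumes one possible context rule, since the post leaves the reader to invent their own: drop a leading www., take the second-level label, keep its first three letters in alternating case and append the label’s length. The static part is the 9RainbowWhiteboards! from the post. The attacker side recovers the shared static part from leaked plaintexts with a longest-common-substring search, which is exactly why one leak is ambiguous and two are enough. For contrast, the last function does what a password manager does instead: an independent random password per service.

```python
import secrets
import string
from typing import List, Optional

# Static part taken from the post; the context rule in context_tag() is an
# assumption made for this example, not the author's own algorithm.
STATIC_PART = "9RainbowWhiteboards!"
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def context_tag(domain: str) -> str:
    """Derive the context-based part from a domain name.

    Assumed rule for illustration: drop a leading 'www.', take the
    second-level label, keep its first three letters in alternating case
    and append the label's length.
    """
    host = domain.lower()
    if host.startswith("www."):
        host = host[4:]
    label = host.split(".")[0]
    letters = "".join(c.upper() if i % 2 == 0 else c
                      for i, c in enumerate(label[:3]))
    return f"{letters}{len(label)}"


def context_password(domain: str, static: str = STATIC_PART) -> str:
    """Dynamic part first, static part second, as in the post's own example."""
    return context_tag(domain) + static


def longest_common_substring(a: str, b: str) -> str:
    """Standard dynamic-programming longest common substring."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def recover_static(leaked: List[str]) -> Optional[str]:
    """Attacker's view of the scheme.

    With a single leaked plaintext the static/context boundary is ambiguous,
    so nothing can be recovered with certainty. With two or more leaks the
    substring they share is the static part.
    """
    if len(leaked) < 2:
        return None
    common = leaked[0]
    for pw in leaked[1:]:
        common = longest_common_substring(common, pw)
    return common


def generate_password(length: int = 32) -> str:
    """What a password manager does instead: an independent random password
    per service, drawn from the CSPRNG-backed secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample: two services, both using the same static part.
    leaks = [context_password("www.farbeyondprogramming.com"),
             context_password("github.com")]
    print(leaks)
    print("one leak  ->", recover_static(leaks[:1]))
    print("two leaks ->", recover_static(leaks))
    print("manager   ->", generate_password())
```

Running it shows the trade-off in one screen: the two derived passwords differ only in their first few characters, and as soon as both are known the static part falls out of a few lines of dynamic programming, leaving only the short context part to guess for every other service.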

Migrating to a new Password System

Now you have decided to make the transition. I recommend two strategies to smooth the process. First, take an afternoon to migrate all the services that come to mind. The ”I’ll do the transition whenever I log in with my old password” approach did not work for me: it’s easy to fool yourself into thinking you don’t have time at the moment to change the password. Second, there will be services you forget. When you encounter a login window and are not sure whether you have already changed the password, assume you have and try the new password. If you haven’t, force yourself to change it before doing anything else. It takes a minute or two, so you can’t make excuses to yourself by referencing GTD and creating a task instead. Enjoy your new passwords! :)
