Monday, April 12, 2010

How To Maintain Strong, Unique Passwords across Hundreds of Websites

With just about every website on the Internet requiring you to have a username & password on their system in order to use their service, people tend to use the same login credentials everywhere. Many of you have come up with a system that uses three or four login/password combinations depending on the type of site. For instance, one login/password combination is used for all financial institutions, another user/pass is common to social media sites, and yet another is used across all your systems at work. This password management policy is perilous because if any one of those systems is compromised, the people who breached it will be able to get into many of the other websites you subscribe to while masquerading as you! In this post a secure and portable alternative to this common password management policy is proposed.

The principle behind the technique that follows is called "multi-factor authentication". The "factors" will be a combination of something you KNOW and something you HAVE. You'll use a password that only you know and wrap it in another password that you have stored in your address book. This technique can work in conjunction with publicly available password managers like the 1Password browser plug-in and others linked below. Solutions like 1Password are unacceptable by themselves, though, because they store the password on a server somewhere. That server can be hacked, your password compromised, and you'd never even know it. Other password solutions, like Steve Gibson's "Perfect Passwords", generate cryptographically strong passwords that are impossible to remember. You have to write them down somewhere, and this creates a weak link if someone ever finds your password stash. Additionally, if you don't bring that password with you everywhere you go, you're going to be unable to log in at certain websites when you are traveling. What's more, if you have to type a 64-character password with lots of !@#$%^& characters into a website from the keyboard of a cell phone, you may as well cancel any plans you had for the rest of the day. The ideal solution would have these four characteristics:

1. It's memorable
2. It's unique
3. It's portable
4. It's strong

Here's how this ideal solution is accomplished: Let's say that one of the passwords you've used for years across a spectrum of websites was Party@1999. You like it because it's easy to remember and it's derived from your favorite Prince song. That password may have been strong enough back in 1999 but it's time to strengthen it for the new millennium. This can be done simply by wrapping your password inside another.

Real World Example
Our example site where we want to create a password is going to be the Music Genome Project's Pandora. To start, use the web-based Mnemonic Strong Password Generator to create a password. That website will give you something like:

  • Password: !bonkclen*
  • Pronunciation: bang bonk clen star ('!' is pronounced "bang").

Replace the "clen" portion of the password above with your Party@1999 password.
The resulting password's mnemonic is now 'bang bonk Party@1999 star' which represents the true password: !bonkParty@1999*.

You now have a strong, but reasonably short, password. The next step is to make the password even stronger by giving you a way to remember it without writing it down anywhere! It will even help you remember which website this password belongs to when you suddenly realize you need to retrieve it 2 years from now. This step is also crucial for making sure your new password comes along with you wherever you travel.

1. Pull up the address book (sometimes called a PIM) that syncs to your mobile device. Blackberry and PocketPC users have Outlook while Mac based iPhone users have Apple's 'Address Book'. Just about everyone else can use Google's gmail or Yahoo! mail. Google and Yahoo! are not normally safe places to store a password but, as you'll soon see, we're *NOT* going to put the actual password into the data cloud at all.

2. Create a group in your address book that's called "www" and create a new company contact inside this group called Pandora. Use the 'notes' field for the newly created contact to enter your username & password like this:

user: PrinceFan
pass: bang bonk P******9 star

Here's an example from Address Book in Mac OS X:

Notice that all but the 'P' and the '9' in Party@1999 have been obfuscated with asterisks. Only you know your full password, so even if someone finds this record in your address book, they're going to be hard-pressed to figure out those remaining characters.
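The wrapping and note-taking steps above, worked through in code (this is an added example, not part of the original post): it builds the true password from the generator's output, produces the obfuscated address-book note with one asterisk per hidden character, and estimates how much guessing work remains for someone who has the full password to crack versus someone who has found the note. The 95-symbol printable-ASCII alphabet used for the estimate is an assumption.

```python
import math

# Sample values taken from the post's walkthrough.
GENERATED = "!bonkclen*"            # output of the mnemonic generator
PRONUNCIATION = "bang bonk clen star"
PERSONAL = "Party@1999"             # the password only you know

def wrap(generated: str, pronunciation: str, personal: str, slot: str = "clen"):
    """Swap the 'slot' syllable of the generated password for the personal
    password. Returns (true_password, spoken_mnemonic)."""
    if slot not in generated or slot not in pronunciation.split():
        raise ValueError("slot syllable not present in generator output")
    true_pw = generated.replace(slot, personal, 1)
    mnemonic = " ".join(personal if w == slot else w for w in pronunciation.split())
    return true_pw, mnemonic

def obfuscate(mnemonic: str, personal: str) -> str:
    """Build the address-book note: keep the first and last character of the
    personal part and replace every character in between with '*'."""
    masked = personal[0] + "*" * (len(personal) - 2) + personal[-1]
    return mnemonic.replace(personal, masked, 1)

ALPHABET = 95  # assumption: any printable ASCII character per hidden position

def hidden_work_bits(note: str) -> float:
    """Worst-case guessing work, in bits, for someone who holds the note:
    only the '*' positions are unknown to them."""
    return note.count("*") * math.log2(ALPHABET)

def full_work_bits(password: str) -> float:
    """Worst-case guessing work, in bits, for someone without the note."""
    return len(password) * math.log2(ALPHABET)

if __name__ == "__main__":
    true_pw, mnemonic = wrap(GENERATED, PRONUNCIATION, PERSONAL)
    note = obfuscate(mnemonic, PERSONAL)
    print("true password :", true_pw)
    print("address book  :", note)
    print("work w/o note : %.1f bits" % full_work_bits(true_pw))
    print("work with note: %.1f bits" % hidden_work_bits(note))
```

The two work figures make the trade-off explicit: the wrapper syllables add length against anyone guessing blind, but a person who finds the note gets them for free and is left attacking only the masked characters, so the hidden part of the personal password has to carry the secrecy on its own.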

Now, the next time you show up at a party and some smart-ass is playing a Pandora station they seeded with Moby, Credence Clearwater Revival and Napalm Death, you can actually take control of the situation. Find a quiet lull in the music (pretty much anytime during the Credence inspired section), fade the track out and quickly login with the username and password you've carried with you on the mobile device. Pandora will now begin streaming the station you created based on the works of Prince. For the rest of the party you can bask in the adoration of dancing party goers who quietly thank you for stepping in as guest DJ.

This password management technique can help in more places than just social media and Web 2.0 sites. It can be used during a job search when you are asked to create new credentials in order to apply for work. Create a group called 'Job Search' and then create contacts with the user/pass, URL and any notes, e.g. "04/12 applied to Global Megalo corp - Svc Info Developer II position. Cover letter wasn't accepted". It can also be used for creating unique passwords for equipment you manage, like broadband routers and TiVo. For the latter you would create a group called, simply, 'Equipment'.

In this article a solution for creating, organizing, securing and carrying passwords has been proposed. If you have other ideas for password security and mobility, or just comments on the above, please post your message here or write to us through the contact listings on

Below are links to more password generating systems:

Password widget for Mac OS X: Yann Esposito - Welcome
Password managers for Windows: Search - VersionTracker

1 comment:

  1. A variation that does not require writing down. Three pieces of information that only you know, can remember, or figure out...

    a) The initials of your paternal great grandfather (GGF)
    b) The zipcode in which you were (or he was) born reversed (96284)
    c) An abbreviation of the website name, url, or nickname that you give the purveyors (Bank of America - BofA or blood suckers online - bso)

    So your password to access your bank records would be:

    You can add some typographic character as a separator to get a password tougher to break by a program; i.e. GGF!96284@BofA

    In either case, the information is either remembered or can be determined - no part of the password is written down anywhere.