Saturday, 29 March 2014

Using and remembering strong passwords

Do you use a password manager? It seems to me there is no perfect solution, whether cloud-based like LastPass or locally-based like KeePass. See here for a recent review from PC Pro (Jan 2014) of some of the best choices available.

If cloud-based, do you trust the security of the central server or, for that matter, the source of the WiFi hot-spot that you happen to be connected to whilst in Starbucks or your hotel? Also, the apps tend not to be free.

If you use a local database, you have to store it somewhere in the cloud so you can access it when you are away from your own systems (e.g. at work, in a cyber cafe or at another office). Also, you have to ensure that all the copies of the database, which may be kept on various 'local disks', are synchronised. Keeping your entire password database on a mobile phone is not the most secure of scenarios either!

What we need is a way to generate a 'long and strong' password, one that is not easily subject to a 'dictionary attack', for each site we use, while keeping it easily recallable. A few years ago I was looking for a 'hash' algorithm which would create a strong password from a master password 'salt' and another unique 'character string', when I found that Nic Wolff at this site had already done it!

The mechanism is simple and secure (no password data is passed across the web). It is not as convenient as a proper password manager (no auto-fill, syncing, etc.) but it is free, you are in control, and there are no management/sync/security issues. You can also use it on your mobile devices (or even off-line if you save the HTML source file somewhere handy).

Do you use the same password for several sites? Well, use this generator and you can still use the same password (as a 'master password'), but it will generate a unique, strong password for each different site.

As I could never remember the URL for Nic's site, I simply copied and modified his code and added it to a page on my easy2boot site here. Try it out (no data is sent or recorded - honest!).

Feel free to add Nic's code to your own site and modify it, or just use my page to generate your passwords (accessible from the Easy2Boot SiteMap page).

You can make up your own 'rules' on how you use it - for instance, you could precede the Master password with the first letter of the site (e.g. Bmypwd for Barclays and Nmypwd for Nat West, etc.). Or add a letter and a number. Just think of a rule and stick to it for all sites and passwords.

If only there was a nice, easily-remembered URL that everyone could use... If I get enough +ve feedback, maybe I will register one just for this type of password generation with a nice short, easily remembered name.

[Edit 2014-03-30] It seems there is already a Chrome Extension called PassWordChameleon which does pretty much exactly what Nic's code does (not sure which came first!). He also has a website but its certificate is no longer valid.

There is still the outstanding problem of changing the password, however. It is good practice (and often you are forced) to change or reset your password, so we still have a problem with this method: we would need 3 or 4 'secret password' keys and would have to try each in turn until we found the one we used previously. Some sites would still work with the first secret password key, whereas other sites, where we have had to change the password, would require a new one.
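As an added example (my own code, not Nic Wolff's generator nor the Easy2Boot page), here is a deterministic per-site generator in Python that applies the first-letter rule described above and goes one step further to address the password-change problem: a small per-site counter is mixed into the derivation, so a forced change just means bumping that site's counter rather than remembering a second secret. It uses PBKDF2-SHA256 as the hash (a swapped-in choice, not the original page's algorithm), and the alphabet, iteration count and the `site:counter` salt format are my assumptions.

```python
import hashlib
import string

# Output alphabet: letters, digits and a few symbols most sites accept (my choice).
ALPHABET = string.ascii_letters + string.digits + "!#%+=?@"
ITERATIONS = 200_000  # PBKDF2 work factor, chosen here; raise as hardware allows


def _byte_stream(seed: bytes):
    """Unbounded stream of bytes expanded from one derived key (counter-mode SHA-256)."""
    block = 0
    while True:
        yield from hashlib.sha256(seed + block.to_bytes(4, "big")).digest()
        block += 1


def derive_site_password(master: str, site: str, counter: int = 1, length: int = 16) -> str:
    """Deterministic per-site password.

    master  - the one secret the user remembers
    site    - short site label such as 'barclays'; normalised so 'Barclays' == 'barclays'
    counter - bumped when a site forces a password change, so the previous value can
              still be regenerated from the old counter
    """
    site = site.strip().lower()
    # The post's rule: prefix the master password with the site's first letter ('Bmypwd').
    secret = site[:1].upper() + master
    # Site name plus counter act as the per-site salt (constructed format, not the original's).
    salt = f"{site}:{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS, dklen=32)
    # Map bytes onto the alphabet with rejection sampling so no symbol is favoured
    # (a plain b % len(ALPHABET) would bias towards the first few characters).
    limit = 256 - (256 % len(ALPHABET))
    out = []
    for b in _byte_stream(key):
        if b < limit:
            out.append(ALPHABET[b % len(ALPHABET)])
            if len(out) == length:
                return "".join(out)


def regenerate_all(master: str, counters: dict) -> dict:
    """Rebuild every site password from the master plus a per-site counter table;
    the table holds no secrets, so it can be written down or kept in plain sight."""
    return {site: derive_site_password(master, site, n) for site, n in counters.items()}


if __name__ == "__main__":
    # Constructed counter table: Barclays has had one forced change, Nat West none.
    table = {"barclays": 2, "natwest": 1}
    for site, pw in regenerate_all("mypwd", table).items():
        print(site, pw)
```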

An idea for all sites that require a login and password

Wouldn't it be a better idea if, instead of requesting a single weak password which can be dictionary attacked, sites provided a similar 'salt+password' hash technique? For example, the site would ask us for TWO words or phrases and then hash them first, before sending the hash to the site's server. That way a strong password is always sent across t'internet even if we only enter two 'weak' ones. Or, the website could prompt for a password as normal but then hash it with the site's name to make a strong password, which is the password that is actually sent to the web server and recorded. That way we can use the same password for all sites, but the 'actual' password is a strong one which is different for every site (and each site could encode it in a different way too).

- o -

P.S. Many years ago, when Phishing sites were just starting to spring up, I wrote a letter which was published in the UK publication Computer Weekly, suggesting that Phishing could be prevented if we told the site during registration, of a preferred phrase or picture etc. that we would recognise when we accessed the same site at a later date. That way, after we provided a user name, but before we entered the password, we could check that the site was the correct one because we would recognise the phrase or picture that it would display to us. Roll on a few years and now a great many sites use this anti-Phishing security feature which I believe I was (at least, one of) the first to suggest. I wish I had patented it now!