Jul 15 2012
 

I’m sure you’ve seen reports in the news recently of all the online services which have been hacked, causing their users’ passwords to be exposed. Assuming the website has followed best practice and only stored password hashes, this shouldn’t be a big deal, as it will take the hackers some time to crack the hashes and in that time you can log on and change your password. However, a lot of people use the same password on multiple services. This means that, if a hacker gets access to one password, he may be able to log into lots of other services using your account.

The security industry is constantly reminding people not to use the same password for multiple services, but this is an almost impossible task. I recently spent a couple of days tracking down all my online accounts and setting secure passwords on all of them – I found 78 different accounts – and there is no way I could remember 78 unique passwords without some sort of reminder.

A few years ago I came up with one solution, but I think I now have a better one.

My original solution was to come up with a password which I would be able to remember – I used a line from a book, taking the first letter of each word to make up the password.

For example, if I chose the line “It was a bright cold day in April, and the clocks were striking thirteen.”, my password would be IwabcdiA,atcws13. That’s not a bad starting point as it’s easily memorable, 17 characters long, it has upper and lower case letters, numbers and symbols. But, we now need some way to make it unique to each site.

I added the consonants from the site name to the middle of the password. For example, www.google.com would become “Ggl” and my password would be IwabcdiA,Gglatcws13. My twitter password would be IwabcdiA,Twttratcws13. The problem with this system is that an attacker who finds one of your passwords might recognise the string “Twttr” as being related to Twitter and be able to guess your other passwords.

I realised that it would be more secure to have completely unique passwords for every site, and tried to find a way of mentally performing some sort of hashing algorithm on the domain name with an appended salt to produce a unique password. It turns out this is pretty difficult to do. I came up with the following system, which will allow you to work out your password with a pen and paper – I think this is better than having your passwords written down, and it does not rely on having access to a password manager (although I have a solution to that too!)

Ok, bear with me – this gets a bit complicated, but after you have done it a couple of times it becomes easier.

I’m not a cryptographer, so I can’t vouch for this being at all secure, use it at your own risk. In my opinion, though, it must be more secure than using the same password in multiple places.

  1. Firstly, choose a secret number, say 5 digits long. I’ll use 35187 as an example – this is used for every password.
  2. Next, take the domain name – example.com
  3. Use RotX on each of the letters, where X is a digit of your secret number. RotX just means to count X letters forward through the alphabet from your starting letter. So, C Rot5 would become H (count in your head “C, d, e, f, g, H”). We will change our domain name e+3, x+5, a+1, m+8, p+7 (then repeat your number as necessary) l+3, e+5, .+1 (I’ll come back to the dot in a second), c+8, o+7, m+3
  4. We now have hcbuwoj.kvp
  5. Where there is punctuation, count the number of characters before the symbol and use [shift]+number to create a symbol. In this case, hcbuwoj has 7 characters, and [shift]+7 gives an & symbol.
  6. We now have hcbuwoj&kvp
  7. Transpose (swap) each pair of characters – this becomes chubow&jvkp
  8. Capitalise all characters which are on the left side of the keyboard – this becomes ChuBoW&jkp
  9. Before each group of capital letters, enter the number of preceding lower case letters – we now have 0Chu2Bo1W&jkp
  10. Before each number insert [shift]+[n+1], that is, increase the number by one and insert the symbol which you get by typing shift and the number. On a UK keyboard, this gives !0Chu£2Bo”1W&jkp which is your final password.
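As an added example (it is not code from the original post), here are the ten steps above implemented in Python, so that every intermediate string can be checked against the worked example rather than taken on trust. The set of left-hand letters and the UK [shift]+digit table are assumptions, as is the handling of two cases the post leaves open: a symbol with ten or more characters before it (the count is taken mod 10) and a 9 at step 10 (wrapped round to 0). One thing the code makes visible: the post’s worked example drops the “v” of chubow&jvkp at step 8, so the script’s result for example.com has an extra "1V before the final kp.

```python
"""Pen-and-paper password scheme from the post, step by step (added example).

Keyboard tables below are assumptions: a UK layout, as the post's step 10 uses.
"""

import string

# Assumption: letters typed with the left hand on a QWERTY keyboard (step 8).
LEFT_HAND_LETTERS = set("qwertasdfgzxcvb")

# Assumption: what [shift]+digit produces on a UK keyboard (steps 5 and 10).
UK_SHIFT_DIGIT = {"1": "!", "2": '"', "3": "\u00a3", "4": "$", "5": "%",
                  "6": "^", "7": "&", "8": "*", "9": "(", "0": ")"}


def rotate_letters(domain: str, secret: str) -> str:
    """Steps 3-4: shift each letter forward by the next digit of the secret,
    cycling through the digits. Punctuation keeps its place but still uses up
    a digit, exactly as the post's e+3, x+5, ... .+1, c+8 sequence does."""
    digits = [int(d) for d in secret]
    out = []
    for i, ch in enumerate(domain.lower()):
        k = digits[i % len(digits)]
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + k) % 26 + ord("a")))
        else:
            out.append(ch)
    return "".join(out)


def punctuation_to_symbol(s: str) -> str:
    """Step 5: replace each punctuation mark with [shift]+N, where N is the
    number of characters before it (assumption: taken mod 10 when N >= 10)."""
    out = []
    for i, ch in enumerate(s):
        if ch in string.punctuation:
            out.append(UK_SHIFT_DIGIT[str(i % 10)])
        else:
            out.append(ch)
    return "".join(out)


def transpose_pairs(s: str) -> str:
    """Step 7: swap each adjacent pair of characters; an odd final one stays."""
    chars = list(s)
    for i in range(0, len(chars) - 1, 2):
        chars[i], chars[i + 1] = chars[i + 1], chars[i]
    return "".join(chars)


def capitalise_left_hand(s: str) -> str:
    """Step 8: upper-case every letter that sits on the left of the keyboard."""
    return "".join(c.upper() if c in LEFT_HAND_LETTERS else c for c in s)


def prefix_lowercase_counts(s: str) -> str:
    """Step 9: before each run of capitals, insert how many lower-case letters
    appeared since the previous run. Symbols neither count nor reset the count,
    which is what gives the post's ...1W&j... rather than ...1W&0j..."""
    out = []
    lower_seen = 0
    in_caps = False
    for ch in s:
        if ch.isupper():
            if not in_caps:
                out.append(str(lower_seen))
                lower_seen = 0
                in_caps = True
        else:
            in_caps = False
            if ch.islower():
                lower_seen += 1
        out.append(ch)
    return "".join(out)


def prefix_shifted_digits(s: str) -> str:
    """Step 10: before each digit n, insert [shift]+(n+1) (assumption: 9 -> 0)."""
    out = []
    for ch in s:
        if ch.isdigit():
            out.append(UK_SHIFT_DIGIT[str((int(ch) + 1) % 10)])
        out.append(ch)
    return "".join(out)


def derive_steps(domain: str, secret: str) -> list:
    """Return the string after each of steps 4 to 10, in order."""
    steps = [rotate_letters(domain, secret)]
    for fn in (punctuation_to_symbol, transpose_pairs, capitalise_left_hand,
               prefix_lowercase_counts, prefix_shifted_digits):
        steps.append(fn(steps[-1]))
    return steps


def derive_password(domain: str, secret: str) -> str:
    """The final password for a domain under the post's secret number."""
    return derive_steps(domain, secret)[-1]


if __name__ == "__main__":
    # The post's own inputs: secret 35187, domain example.com.
    for label, value in zip(("rotated", "symbol", "transposed", "capitalised",
                             "counted", "final"), derive_steps("example.com", "35187")):
        print(f"{label:>12}: {value}")
```

Running it prints each intermediate string for example.com; the first four match the post exactly, and the last two show the extra 1V that the post’s step 8 lost.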

You can, of course, come up with your own set of steps and customise to suit your own taste. The idea is to come up with a password which looks as random as possible and does not obviously relate to the original domain name.

This system may be useful where you are travelling across borders and do not want to transport passwords which could be intercepted by the authorities.

You can make some changes to the above steps to speed up the generation process – for example step 8 can be done at the same time as step 3.

Do you have any better systems, or see any holes in the system? Let me know in the comments!

Jul 13 2012
 

Recently, there has been a spate of websites being hacked and passwords being exposed.

Although I do use unique passwords on all sites, they all followed a rule which meant that, if one password was exposed, it wouldn’t take a genius to work out the others. I know that a lot of people use the same password for multiple online accounts. And who can blame them? I have found I have 59 different accounts (that I know of!) – who can remember that many unique passwords?

I decided it was time to come up with a better system. I wasn’t interested in storing the passwords on my computer, as I wouldn’t have access to them on my phone, or at work, or if I was using a friend’s computer.

I considered writing them down and carrying them in my wallet as has been suggested previously by Bruce Schneier, but I didn’t want to face the mad dash to change my passwords if I ever lost my wallet.

I came up with a system which will give you a secure(?) password for every site, but it has drawbacks. I may post the method later.

I did some research and found that it is possible to use a password manager and share the database via Dropbox which makes it available on all your computers and on your mobile phone. Problem solved!

Here are the steps you will need to follow to set it up for yourself.

  • Sign up for a Dropbox account and install the client on your desktop computer. If you use this link, we both get some extra free space and I will be forever thankful to you: http://db.tt/4Db0HSpj
  • Download KeePass from http://keepass.info/download.html. It is available for Windows, Mac and Linux. I suggest you download the Classic Edition rather than the Professional Edition, as it will allow you to write passwords on your mobile (the Professional Edition will only allow read access from your phone).
  • Install KeePass, following the wizard and run it when complete.
  • Create a new database in KeePass by choosing File > New
  • Choose a strong password as the master password – this will be the only password you need to remember.
  • Repeat the password when prompted.
  • You should now see the main KeePass window with categories under which you can save passwords.
  • See the excellent KeePass FAQ for details on how to enter and generate secure passwords (it’s easy).
  • Save the database to your local Dropbox folder.
  • Close the desktop client.
  • Download the Dropbox app for your phone and install it – enter the details you used when signing up for your dropbox account.
  • Download the appropriate client for your mobile phone. I use Android, so downloaded KeePassDroid.
  • Open the mobile Dropbox client and you should see the .kdb file – click on it and it will open in KeePass.
  • Enter the secure password you set up earlier and click ‘OK’.
  • You will now see the General group – click on it and you will see the same sub-groups which you saw in the desktop client. Once you have stored your passwords, you will be able to access them under the appropriate group.

So, now all my passwords are secure, how do I use them on my phone?

  • Open the General group, then the Internet sub-group – you will see all your website logins.
  • Click the site you want to access.
  • In the notifications bar at the top of the screen, you will see two new entries with padlock symbols next to them: ‘Copy username to clipboard’ and ‘Copy password to clipboard’.
  • Click the URL of the site and navigate to the login screen
  • Choose ‘Copy username to clipboard’ from your notification area and paste it into the Username field on the Website
  • Choose ‘Copy password to clipboard’ from your notification area and paste it into the Password field on the Website
  • Click ‘Login’ – you are in the site without having to memorise your password!

Now, go and change all your passwords, choosing secure, unique passwords, and store them in your password manager. If a hacker gets one of your passwords, your other accounts will still be safe, and if you choose complex enough passwords, the hacker may not even be able to get your password at all if the website stores them as hashes.

If you’ve found this useful, please sign up to Dropbox using my link so we both get some extra free space! Thanks!