Monday, February 10, 2014

Keep Your Passwords in your Head

Please enter the details of your desired password below and click Hash It! to generate.

If you're wondering what the heck this is, please read on below.

[Form: Domain Name (e.g. amazonco), First Text (e.g. microscope), Second Text (e.g. operation), Hash It!]


Why do I think you need yet another fancy password management tool?

Well, actually I don't.  As much as I like the warm and fuzzy feeling of helping people, this came about because I found the complexity of managing my passwords was becoming a major barrier to using the Internet.

So, it's bred of necessity, by me, for me.  If you get some use out of it, then that's just icing on the cake.

What you see above is a little helper tool to make the human-calculable hash more convenient if you happen to be in front of a web browser and want to recalculate your password.  However, the intention is that armed only with what's in your head, and possibly a notepad, you can generate and reliably repeat a simple hash you can use to supplement your passwords.

What problems am I trying to solve?

These are the major challenges with personal password management, as I see it:

  1. You should (and in fact are generally required to) select a reasonably complex password when signing up to a website.  By complex, I mean some string of characters not likely to appear in a dictionary.

    This is often achieved by using a variation of upper case, lower case, numbers and symbols.  The rationale behind this is that complex passwords are resistant to dictionary attacks.

    Dictionary attacks can be performed where a hacker who is in a position to make many guesses at your password (for example, against a copy of a site's stolen password database) simply feeds a dictionary into a program that tries each word one by one.  The bigger the dictionary, the greater the computing resources required to perform the attack.

    So, if you can make sure your password doesn't appear in even very large dictionaries of known words or anticipated passwords, you are more likely to thwart a possible dictionary attack.

    Okay, I can accept that, we need complexity.

  2. You should use a different password for every website you register for.

    Even if you choose a very complex password, there are still a multitude of ways your password can leak out into the wild.

    Someone may stumble upon where you have it written down, you may perform a logon from a compromised device, or as recent news has shown us, even very large reputable companies staffed by skilled individuals can be victim to a serious data breach.

    If your password does leak out into the wild, having a per-site password is the best defense against having all your accounts compromised due to the exposure of a single password.  In fact I'd say that this scenario is the one that concerns me the most at present.  Private data is leaking into the wild at an increasing rate through hacks, intrusions or just plain carelessness.  Similarly, the processing resources and techniques employed by hackers are advancing to the point where you may soon be faced with the reality that the bad guys have more of your supposedly private data than you do.

    Okay, I can also accept that we need a per-site password.

  3. Some companies (e.g. Google, Facebook, Microsoft, Yahoo) have taken it upon themselves to "solve" the problem by allowing you to access many services with a single logon by opening up their authentication model.

    Using Facebook credentials in particular is a non-starter for me because, apart from the obvious repeating of the "single password exposure compromises multiple services" problem, it also ignores the frequently overlooked aspect of this arrangement.

    If Facebook is doing me a service by allowing me to authenticate with them in order to access a third party site, it could be assumed that I am willing to reciprocate by offering up details on my browsing habits, or agreeing to terms of service crafted by other people to benefit them, but not me.  They don't have a great privacy track record, and I am in no rush to climb aboard.

  4. Given the above, the prospect of needing to remember a bajillion different complex passwords for various sites usually leads people to some sort of compromise.  Some people just give up and use the same password on most sites.  Some people create complex passwords and then select "remember me" on every site they register with, which works fine until they clear their browser cache and need to hunt around to find their original password.  Others use a password manager like LastPass to autogenerate and manage very complex passwords, which works fine until they start needing to casually access services from multiple devices where they don't have convenient access to their password store.  If you're like me, you use complex passwords for critical sites which you learn off by heart, a single simple password for all the crappy sites you never expect to return to, and a jumble of similar passwords for everything in between with some sort of strategy to jog your memory when you need it.

    This issue still hasn't been solved as far as I'm concerned, and this is my attempt to chip away at it.

How does it work?

This technique relies upon you being able to remember a string of 26 words, one for each letter of the alphabet.

This is easier than it sounds if you use a mnemonic link system. I try to pick words that lend themselves to vivid sensory stimuli, for example:

apple, banjo, cow, dime (and so on through to z)

You could remember this sequence of words by imagining an apple being flung at a banjo with the obvious twang noises this would make, the banjo being used to bop the cow on the head (more twang noises), then a dime inexplicably appearing from the rear end of the cow and the metallic tinkle of a coin bouncing on concrete.  Repeat this linking of your image-words from a through z.  Now given any single letter, you should be able to recall the corresponding image-word.  To begin with, you may need to sift through each letter and its associated image-word in your head until you reach the one you want, but pretty soon, if you use this sequence a lot, I think you'll have instant recall.

Sometimes you might forget an image, but you can skip forward/back a few letters until you strike one you do recall, then cycle through until you get to the desired letter.  For example, you may forget that d is for dime, however if you remember that b is for banjo, then imagine the banjo bopping the cow on its head and a dime popping out and you're there!

I first read about this technique in Derren Brown's excellent book Tricks of the Mind.  Unfortunately I can't seem to find it explained in the blogosphere as well as Derren did.  If I find more detailed instructions somewhere I'll update this blog entry.

I generally select words of about 8 letters in length, without any confusing hyphenation or spelling.

Right, selected and memorized your 26 words?  Great.  Now follow these steps:

  1. For any given domain, you first need to convert it into a simple 8 character blob of text.  Eliminate the "www" and any punctuation, then take the leftmost 8 characters.  If for some reason you're short of characters due to a short domain name like bbc.co.uk or bit.ly, then repeat from the beginning until you've accumulated 8 characters.  For example:

    www.amazon.com becomes amazonco
    bbc.co.uk becomes bbccoukb
    bit.ly becomes bitlybit

  2. Take the second and fifth letters of your domain string.  For example, amazonco would give you "m" and "o", and the corresponding words you've associated with them.  Let's pretend your secret words were "microscope" and "operation".

  3. Line the two words up one underneath the other, and pad out to 8 characters if necessary by repeating characters from the beginning of the word.  So with the example above, you'd have:

    microsco
    operatio

    No padding was necessary, because we're only interested in the first 8 characters (a shorter word such as "cow" would become cowcowco).

  4. Now, take your domain string and cycle through the letters one by one in sequence for 8 steps.  For each letter of the domain string, if it is from a-m, categorize it as a 1.  If it is from n-z (or is anything that isn't a letter, such as a digit or a symbol), categorize it as a 2.

    The domain would map to first/second categories like this:

    a m a z o n c o
    1 1 1 2 2 2 1 2

  5. Now you've got a list of 8 1s and 2s.  Run through these in sequence, copying the corresponding letter from either your first or second secret word into your resultant hash.  For example:

    domain:    a m a z o n c o
    category:  1 1 1 2 2 2 1 2
    word 1:    m i c r o s c o
    word 2:    o p e r a t i o
    hash:      m i c r a t c o

    So the hash for this particular domain, based on your secret words, is:

    micratco
That's basically it, although I have some additional usage notes below.

Password complexity

An 8 character password made only of lowercase letters is still weak on its own: there are only 26^8 (roughly 2 x 10^11) such strings, which is within reach of an offline guessing attack if a site stores your password using a fast hash.  For that reason I recommend adding an extra blob of characters to it; you could decide on this once and use it in many passwords.  Yes, I know it bends the rules about having a unique password per site.  However, even with the same blob of extra characters on each password, each password is still unique as a whole.  The amount of work required to guess a password grows exponentially with its length, so a couple of extra characters on the end may seem trivial to you, but it can be the difference between your password being a viable target for a hacker and something that is unobtainable.  For example, add some random gunk such as 7B@.. onto the end of the hash we've already calculated.

You could now just add 7B@.. to the end of any new passwords you create and are likely to meet just about any password complexity requirement you encounter.  Bear in mind that the gunk only adds strength while it stays secret.  If you're worried that somebody who happens to have one of your passwords can separate the gunk from your calculated hash and start to attack your passwords for other sites, put the gunk in a different position, such as in the middle of the hash, or interleave the two together, if you can be bothered repeating this process when you want to calculate a password for a domain.

Forced password changes

This is a policy I'm not a huge fan of, but some organizations do force you to regularly change your password, and the technique I've given you only describes how to calculate a single password.  I'm afraid I don't have a silver bullet solution for this.  Apart from just not using the service the organization provides, you could develop your own technique for creating multiple passwords for one domain.  The simplest would be to add a number to the end and increment it every time you redo your password.  Some organizations prohibit exactly that, though, so you may need another way of varying your password according to a pattern.

Make it your own

Now that you understand the general approach, feel free to customize it to suit your needs.  Instead of an 8 character hash, you might choose 12.  Where the domain name has a vowel in it, you might use an uppercase letter from one of your secret words.  The possibilities are endless.  In fact, it's probably more secure for all of us if everyone's technique is subtly different, because there will be no single obvious target for hackers to concentrate on.  Feel free to take the trivially simple JavaScript code attached to this blog post and re-post it, or incorporate a variation of it somewhere else.

Have fun and start enjoying the Internet again

If you've made it this far, I salute your patience and hope this is of some use to you.

Go forth and be secure!