Ficus Pontificus

In this note I describe a simple, strong password generation technique, and a bookmarklet that creates and fills in these passwords from any browser.

A few days ago, Gawker Media's commenter account names and passwords were compromised (Lifehacker's FAQ on the incident: http://lifehacker.com/5712785/faq-compromised-commenting-accounts-on-gawker-media).

(Kind of interesting to download the torrent that has been released for this, and see the alarming childishness of the comments of the people who released this.  I’ve written extensively about my feelings that WikiLeaks-like behavior has some strong arguments in favor, but I can see nothing good in releasing this type of personal information on users.)

A big issue with the release of the names and passwords is that people will have used the same passwords, or trivial variations on them in multiple places, and so their accounts elsewhere have also potentially been compromised.   

The best practice I knew of to date for creating safe, easy passwords is the one described in Farhad Manjoo's Slate article, "Fix Your Terrible Passwords in Five Minutes" (http://www.slate.com/id/2223478/). The technique is to come up with a pass-phrase you can remember, for example "I love my cat", and reduce it to a memorable string of characters like "1lmC" (in reality one would use something longer and more complex; a four-character string like this one is trivial to crack offline). If you want to customize the password for different sites, you add some site-specific bits, for example 1lmWFC and 1lmGC for, say, the Wells Fargo and Google sites.

The advantage of this approach is that it is quick and easy and, if the phrase is long enough, generates passwords that appear in no dictionary and resist brute-force guessing. But... as you can imagine, once your lifehacker.com password, 1lmLHC, has been compromised, it is easy for someone to figure out your Wells Fargo and Google passwords as well: the site-specific suffix is the only part that changes, and it is guessable from the site name. Darn!

Motivated by having to change my passwords, I looked around and stumbled on a great solution by Nic Wolff (http://www.angel.net/~nic/). He has created a bookmarklet which you drag onto your browser's bookmark bar. On any website you visit, you click the bookmarklet and it fills in the password fields with a password derived from a SHA-1 hash of the site's domain combined with a phrase you supply each time to keep the result unique to you (use the type of phrase described above, but the same one for every site). Because the same inputs always produce the same output, this works both for creating new passwords and for logging in to sites afterwards. One caveat: the domain is public, so the security of every derived password rests entirely on the phrase. Anyone who obtains one derived password, say from a breach like Gawker's, can try to recover the phrase by hashing guesses offline, and SHA-1 is fast, so the phrase needs to be long and not a common saying.

Pick up the bookmarklet at http://angel.net/~nic/passwdlet.domain.html and try it out.

The one disadvantage to this approach is that it isn't suitable out of the box for situations where you want to generate multiple passwords for a site over time, for example when a site forces a password change or after a breach. One way around this is to append the month or year to your phrase for that site, and to remember which you used. Two further caveats: some sites restrict password length or characters, so you may need to trim what the bookmarklet produces, and changing the phrase itself changes every derived password at once.

The only better solution I know of is a password manager like RoboForm (http://www.roboform.com/) or 1Password (http://agilewebsolutions.com/onepassword/; paid and well worth it), with the encrypted password file kept in sync between machines using Dropbox. The password managers generate random passwords for you, and they can also store the ones you generated with the bookmarklet described above.

Tricycle image (cc) by Kitch, http://www.flickr.com/photos/kitch/4286136925/in/photostream/