Ever since Evernote was hacked and the password database compromised, I started getting concerned about my passwords being broken and my accounts hijacked. I took a serious inventory of my passwords and I didn’t like what I saw. Although my “master password” was long and secure, it was the password I used for way too many accounts… Access to one of those accounts meant I was vulnerable to having my bank account accessed. But how can anyone remember more than one truly “secure” password?
I committed to finding a solution that was memorable, secure and different for every site I visit. I stumbled upon a popular xkcd comic about password strength. It made me think.
The good news is, I can use phrases to make secure passwords, which can in fact be easy to remember but hard to break. But unique for every page? That is still a challenge… Then I remembered hashing technology. You can feed anything through a hashing algorithm to get disgusting-looking secure passwords like these:
If you didn’t already guess these are SHA1 hashes. Try it for yourself. How does this help? Well now I can use a systematic approach to coming up with password phrases, like these (add capitalization and punctuation for added security):
- alexkrasny password ebay
- alexkrasny password amazon
- alexkrasny password wellsfargo
Then I run these phrases through a SHA1 (or whatever) hashing algorithm to get long, disgusting, impossible to remember passwords. This solves all of my problems! Easy for me to remember. Hard for people to guess. Different for each site.
People will say SHA1 hashes aren’t even secure blah blah. Well let’s break it down. There are two ways your password can be found and broken.
- Someone guesses it.
- A major website gets hacked and the hashed password database is compromised.
In the case of a human guessing those absurd hashes? That would be nearly impossible. It would take a quattuordecillion years (that isn’t made up)! Even if someone KNOWS you are using a SHA1 hashing system, they still need to guess the pass-phrase. The beauty of this is you only need to remember a single pass phrase “my password at X” and it creates a unique password for every site. Even if someone somehow sees the hash, there is no way they could get your pass phrase out of it.
In the case of a major password database being compromised? Well if that is the case, the hackers can still crack your password. Hacking a hashed password database is actually almost identical to simply guessing your password except they are guessing thousands at a time. The hackers aren’t actually inputting passwords and either getting it right or wrong. They are hashing a guess, and comparing the hash to the database and seeing if it matches. If it does, it replaces the hash with the pre-hashed password. The whole process is well explained in this comprehensive article on Ars Technica about password hacking.
Although the article does make it seem like passwords are hopeless, the key takeaway is, if the source password is complex, it will be hard to crack. Hackers will likely stop cracking the database before getting to the most complex of the passwords.
Because you are already inputting a hash as your password, and then the website in question is RE-HASHING it, your source password is actually very long and complex. Of course if a website you have an account on get’s hacked, it’s a good idea to change your password. In the LEAST you can be comfortable knowing that only a unique and specific password is in danger, not your entire life.
As for password management, I am a huge fan of the LastPass extension. You just add it to your browser and it stores and organizes all your passwords. Whenever you add a new one, or change one it asks if you want it recorded. Just make sure you have a secure password for your LastPass account! Also make sure to read the great password management tips on Penguininitiatives using a KeePass and Dropbox system.
Do you have a better system? I would love to hear about it! Please let me know in the comments below.