Simple Password System

We're always being told to have a secure password for all the websites we visit. You're supposed to have a strong password. Don't write them down where people can find them. It's supposed to be unique for each site, no repeating the same password you use for email when you log into Instructables!

The problem that many people run into is, how do you keep track of all them? Maybe I could do that in the early 90's when there were like three websites I would log into. Now I have logins for websites that I don't ever remember being on! How can I remember a unique password for a website I can't even remember?

It's easier than you might think. Here's an Instructable that goes step by step building unique passwords that you can remember. No password is foolproof but we can go a long way in making it harder for the bad guys.

Disclaimer: No password system is perfect. This system assumes that the guys that designed the website you're logging into are handling your password properly. If you're logging into a dodgy website, they may not be properly salting and hashing your password (we'll explain this). Heck, they may be selling your password to the badguys for all we know. If that's the case, this system will not really help you be secure. If they do properly salt and hash the passwords they get, then this system works nicely.

Lets pause quickly to explain why this system works if the website you're logging into does things right. You may already know this stuff. If so, feel free to skip this step. If you're still confused at the title of this step, you'll do yourself a big favor if you read through this step and get a basic understanding of what's going on behind the scenes of a website.

When you create a password with a website, it should not be stored in plain text. There was a reasonably reputable website that got hacked a few years back. The hackers got all the passwords that people used to log into the site because the passwords were being stored in plain text.

How should they store the passwords they get? They should be salted and hashed. Let's explain hashing first.

Hashing

This is a numerical operation that is applied to a password. It turns a text password into a string of numbers.

For example: MyVoiceIsMyPassword

Under a hash called "md5" Becomes: 7be7c47db5818d392367c183e6f4a8f3

As long as I convert all my incoming passwords to an md5 hash and only store the hash, it becomes much harder for the bad guys to use the passwords they're stealing. If you were to break into my website right now and look at that hash, it's very hard to convert it back into the original text.

But every time I log in and type "MyVoiceIsMyPassword" it gets transformed into "7be7c47db5818d392367c183e6f4a8f3" each and every time. That hash does not change. So when the computer goes and checks to see if you entered the right password, it can convert my password into a hash and it will match the hash stored in the database.

Can you tell if a website is hashing your password? Nope. Unfortunately you can't, but it's important to understanding why this password system works.

Salting

In addition to hashing incoming passwords, they should also be salted. A salt is a string of text that is added to all incoming passwords. If say Instructables decided to make a salt of "1n57ruc7ab135" (which would be a not very good idea, it should be more random) this is what it would look like.

For example: MyVoiceIsMyPassword with a hash of 7be7c47db5818d392367c183e6f4a8f3

When salted becomes: 1n57ruc7ab135MyVoiceIsMyPassword with a hash of 731408efd06313fe205ee18fe253a5ee

The hashes are not the same. But why does that matter?!? You might ask, and a good question it is. It's because if each website out there has a unique salt, it become inordinately difficult to use a hash stolen from one website to access a hash on another site.

Can you tell if a website is salting their passwords? Nope. Again this is just important for understanding the system being presented.

Single word passwords are easy to remember, but they're also easy to guess in a brute force attack. A difficult to guess password is a strong password. Only it's very rarely a human guessing. It's usually a computer throwing thousands of guesses a second at a system.

The goal is to make it very very expensive to try and guess a password. No password is secure, but it can be secure enough that the bad guys will go after someone else's weak password.

How do you do that? There are a number of ways.

A longer password is harder to crack. A phrase or a sentence is harder to guess than a single word or name.

A password that has capital letters and lower case letters increase the total number of possible choices a password cracker has to go through.

A password that uses numbers in it increases the number of possible choices.

A password that uses symbols in it like ! @ # $ % ^ & * ( ) increases the number of possible choices. Not all password systems allow these symbols. If they don't, it's a good bet they're not hashing their passwords.

The whole idea here is to increase the number of guesses that a bad guy has to make before they get it right.

For example: MyVoiceIsMyPassword (hash 7be7c47db5818d392367c183e6f4a8f3)

Could become: 5n33myVoiceIsMyPassword! (hash 1cad413cecfc416ee0f56aa07274b95d)

Now go ahead and make your own, make it something easy for you to remember but something hard to guess. For example, my phrase that I'm using is from a movie I like. An exclamation point at the end is easy to remember because it's just natural to put punctuation at the end of a phrase. My capitalization scheme is one that I use when writing code, so it's simple for me. The 5n33 at the beginning is extra credit. You hack it and tell me what it means. The clue is it's related to the phrase.

Here's the trick and the point of this Instructable. You want a unique password for each website you visit. Reformulating your password for every site is tedious and opens you up to weaknesses like a written list of your passwords just sitting there for someone to find.

Because we know (or rather hope) that the sites we're trusting with our information are salting and hashing our passwords, adding our own salt to the password increases the length, making it harder to guess and makes it unique to the site. To make it easy for our human minds to remember our salt, simply use the site's URL. Maybe we don't want to use the whole thing, because a lot of sites have long URLs, so we'll just use the first 5 characters of it. We want to use the same number of characters each time so it doesn't get confusing.

An instructables salt would become "instr".

For example: 5n33myVoiceIsMyPassword! (hash 1cad413cecfc416ee0f56aa07274b95d)

When logging into instructables our password would become: instr5n33myVoiceIsMyPassword! (hash 2ba5d5cd7e83a0dd2b68ad8d9f9d8265)

When logging into ebay our password would become: ebay5n33myVoiceIsMyPassword! (hash 27114aea42578c31a7f29239e4531b4d)

Since no human eyes should ever actually see the plain text, this simple salt is enough to throw off anyone that's going to try and use the hash directly. It makes the password harder to guess in a brute force attack (as long as the hacker doesn't expressly know you're using this system).

If someone really knows what they're doing, and really wants your password, some hashes can be cracked with a huge amount of effort. There are a number of difficult but possible ways they could crack the best password. The idea is to make your password more difficult to steal and exploit.

Not to be ignored, is the fact that any system of passwords, if left for a very long time, is vulnerable. It's a good idea to have two passwords in your head. Your current password and your last password.

Depending on your need for security, you want to set a time period for your passwords to change. For my use, I think changing my password once every six months is adequate. It's best to hit the main websites you use and update them in one marathon session, but I rarely do that. I usually change my passwords as a rolling process. As I attempt to log into a website, if it doesn't let me in with my current password, I try my last password. If it doesn't let me in with either, I use the password recovery system that the website (hopefully) has.

If you keep up a rotation, only websites you rarely visit will give you any trouble. It might be a good idea to ask yourself if you should maintain an account for a website that you use once a year (or in my case occasionally longer). The bigger your internet footprint, the more likely that some bad guy will break into a site you're credentials are on. It's not a question of if, but of when.

There are assumptions that this system makes. That's a security risk which makes this system imperfect. The real trick however is to have a system that is secure enough for your needs. If you're a CEO of a major corporation, this isn't good enough for you (although, most CEOs don't even use a system this secure. Really, people at the top are usually the worst offenders). If you're like me, basically nobody special, this system is far more adequate than most passwords that are being used today.

There are systems you can subscribe to that will provide a randomized password for every website you go to. Even these are not totally secure. They're a step up for sure, but not unbreakable. I'm not a fan of them though, the effort they require is too much for my needs.

The trick is to balance your importance with your password security. For someone like me, basically nobody special, this system works fine. It is more secure than most people's passwords, and that's the point. I don't need to be the most secure, just more secure than you and the bad guys will skip me and move on to something easier.

The biggest issue with this system is that if a bad guy ever did find your password in plain text, it's relatively easy to figure out what's going on. Ask yourself though, if a bad guy found your current password in plain text, would it be any more secure than this system?

Variations to the system I've outlined here are a good idea. If everyone uses the same system, it again becomes easy to guess a password. Make your own small change and it makes it harder for bad guys to crack.

Here are some variations that you could adopt.

Capitalize the first letter of URL salt

Capitalize all the letters of the URL salt

Capitalize the first letter of the URL salt if the first letter is a vowel

Capitalize all the letters of the URL salt if the last letter is a vowel

Put the URL salt at the end of your password

Put the URL salt in the middle of your password

Put the URL salt at the end of your password if it starts with a vowel