# Simple Password System

7,207

27

8

## Introduction: Simple Password System

We're always being told to have a secure password for all the websites we visit. You're supposed to have a strong password. Don't write them down where people can find them. It's supposed to be unique for each site, no repeating the same password you use for email when you log into Instructables!

The problem that many people run into is, how do you keep track of all them? Maybe I could do that in the early 90's when there were like three websites I would log into. Now I have logins for websites that I don't ever remember being on! How can I remember a unique password for a website I can't even remember?

It's easier than you might think. Here's an Instructable that goes step by step building unique passwords that you can remember. No password is foolproof but we can go a long way in making it harder for the bad guys.

### Teacher Notes

Teachers! Did you use this instructable in your classroom?
Add a Teacher Note to share how you incorporated it into your lesson.

## Step 1: Salts and Hashing

Lets pause quickly to explain why this system works if the website you're logging into does things right. You may already know this stuff. If so, feel free to skip this step. If you're still confused at the title of this step, you'll do yourself a big favor if you read through this step and get a basic understanding of what's going on behind the scenes of a website.

When you create a password with a website, it should not be stored in plain text. There was a reasonably reputable website that got hacked a few years back. The hackers got all the passwords that people used to log into the site because the passwords were being stored in plain text.

How should they store the passwords they get? They should be salted and hashed. Let's explain hashing first.

Hashing

This is a numerical operation that is applied to a password. It turns a text password into a string of numbers.

Under a hash called "md5" Becomes: 7be7c47db5818d392367c183e6f4a8f3

As long as I convert all my incoming passwords to an md5 hash and only store the hash, it becomes much harder for the bad guys to use the passwords they're stealing. If you were to break into my website right now and look at that hash, it's very hard to convert it back into the original text.

But every time I log in and type "MyVoiceIsMyPassword" it gets transformed into "7be7c47db5818d392367c183e6f4a8f3" each and every time. That hash does not change. So when the computer goes and checks to see if you entered the right password, it can convert my password into a hash and it will match the hash stored in the database.

Can you tell if a website is hashing your password? Nope. Unfortunately you can't, but it's important to understanding why this password system works.

Salting

In addition to hashing incoming passwords, they should also be salted. A salt is a string of text that is added to all incoming passwords. If say Instructables decided to make a salt of "1n57ruc7ab135" (which would be a not very good idea, it should be more random) this is what it would look like.

For example: MyVoiceIsMyPassword with a hash of 7be7c47db5818d392367c183e6f4a8f3

When salted becomes: 1n57ruc7ab135MyVoiceIsMyPassword with a hash of 731408efd06313fe205ee18fe253a5ee

The hashes are not the same. But why does that matter?!? You might ask, and a good question it is. It's because if each website out there has a unique salt, it become inordinately difficult to use a hash stolen from one website to access a hash on another site.

Can you tell if a website is salting their passwords? Nope. Again this is just important for understanding the system being presented.

## Step 2: A Strong Password

Single word passwords are easy to remember, but they're also easy to guess in a brute force attack. A difficult to guess password is a strong password. Only it's very rarely a human guessing. It's usually a computer throwing thousands of guesses a second at a system.

The goal is to make it very very expensive to try and guess a password. No password is secure, but it can be secure enough that the bad guys will go after someone else's weak password.

How do you do that? There are a number of ways.

A longer password is harder to crack. A phrase or a sentence is harder to guess than a single word or name.

A password that has capital letters and lower case letters increase the total number of possible choices a password cracker has to go through.

A password that uses numbers in it increases the number of possible choices.

A password that uses symbols in it like ! @ # \$ % ^ & * ( ) increases the number of possible choices. Not all password systems allow these symbols. If they don't, it's a good bet they're not hashing their passwords.

The whole idea here is to increase the number of guesses that a bad guy has to make before they get it right.

For example: MyVoiceIsMyPassword (hash 7be7c47db5818d392367c183e6f4a8f3)

Now go ahead and make your own, make it something easy for you to remember but something hard to guess. For example, my phrase that I'm using is from a movie I like. An exclamation point at the end is easy to remember because it's just natural to put punctuation at the end of a phrase. My capitalization scheme is one that I use when writing code, so it's simple for me. The 5n33 at the beginning is extra credit. You hack it and tell me what it means. The clue is it's related to the phrase.

## Step 3: Adding Your Own Salt

Here's the trick and the point of this Instructable. You want a unique password for each website you visit. Reformulating your password for every site is tedious and opens you up to weaknesses like a written list of your passwords just sitting there for someone to find.

Because we know (or rather hope) that the sites we're trusting with our information are salting and hashing our passwords, adding our own salt to the password increases the length, making it harder to guess and makes it unique to the site. To make it easy for our human minds to remember our salt, simply use the site's URL. Maybe we don't want to use the whole thing, because a lot of sites have long URLs, so we'll just use the first 5 characters of it. We want to use the same number of characters each time so it doesn't get confusing.

An instructables salt would become "instr".

When logging into instructables our password would become: instr5n33myVoiceIsMyPassword! (hash 2ba5d5cd7e83a0dd2b68ad8d9f9d8265)

When logging into ebay our password would become: ebay5n33myVoiceIsMyPassword! (hash 27114aea42578c31a7f29239e4531b4d)

Since no human eyes should ever actually see the plain text, this simple salt is enough to throw off anyone that's going to try and use the hash directly. It makes the password harder to guess in a brute force attack (as long as the hacker doesn't expressly know you're using this system).

If someone really knows what they're doing, and really wants your password, some hashes can be cracked with a huge amount of effort. There are a number of difficult but possible ways they could crack the best password. The idea is to make your password more difficult to steal and exploit.

## Step 4: Change It Up

Not to be ignored, is the fact that any system of passwords, if left for a very long time, is vulnerable. It's a good idea to have two passwords in your head. Your current password and your last password.

If you keep up a rotation, only websites you rarely visit will give you any trouble. It might be a good idea to ask yourself if you should maintain an account for a website that you use once a year (or in my case occasionally longer). The bigger your internet footprint, the more likely that some bad guy will break into a site you're credentials are on. It's not a question of if, but of when.

## Step 5: Not Perfect

There are assumptions that this system makes. That's a security risk which makes this system imperfect. The real trick however is to have a system that is secure enough for your needs. If you're a CEO of a major corporation, this isn't good enough for you (although, most CEOs don't even use a system this secure. Really, people at the top are usually the worst offenders). If you're like me, basically nobody special, this system is far more adequate than most passwords that are being used today.

There are systems you can subscribe to that will provide a randomized password for every website you go to. Even these are not totally secure. They're a step up for sure, but not unbreakable. I'm not a fan of them though, the effort they require is too much for my needs.

The trick is to balance your importance with your password security. For someone like me, basically nobody special, this system works fine. It is more secure than most people's passwords, and that's the point. I don't need to be the most secure, just more secure than you and the bad guys will skip me and move on to something easier.

The biggest issue with this system is that if a bad guy ever did find your password in plain text, it's relatively easy to figure out what's going on. Ask yourself though, if a bad guy found your current password in plain text, would it be any more secure than this system?

## Step 6: Variations

Variations to the system I've outlined here are a good idea. If everyone uses the same system, it again becomes easy to guess a password. Make your own small change and it makes it harder for bad guys to crack.

Here are some variations that you could adopt.

Capitalize the first letter of URL salt

Capitalize all the letters of the URL salt

Capitalize the first letter of the URL salt if the first letter is a vowel

Capitalize all the letters of the URL salt if the last letter is a vowel

Put the URL salt at the end of your password

Put the URL salt in the middle of your password

Put the URL salt at the end of your password if it starts with a vowel

Participated in the
Protected Contest

64 9.1K
202 9.0K
207 16K

## 8 Discussions

For example: First two letters at the beginning, last three letters at the end (or something equal). This will also solve the problem jetpower pointed out (and, at the same time, make it a lot harder to crack ("ebay" is pretty simple to add, but "ebsomeothercharactersay"?

Also acronyms of sentences are a good go at creating a strong, seemingly randonm password (also with symbols included):

Before we go to the store at the mall, lets check our emails.

"Bwgtts@tm,lcoe."

Maybe this will help remembering the phrases.

That will work. I worried that it would add a level of complexity that people would reject. I know it sounds trivial but I've had people outright reject something when you add just one more thing. So far, in my travels, people have accepted using this scheme, I've always worried about tweaking it and going over the edge of complexity.

Still if that sounds easy to you, then by all means use it.

Well, since worrying over ones password security is unfortunately by far not everyones cup of tea, you are probably right by fearing them to reject a too complex system.

However, since it is an instructable (and therefore mostly reaches people who are at least slightly interested in the topic), I would always go for the whole nine yards, and point out that it gets safer with each step applied (as you already did with the two salting steps employed). How complex the readers want their passwords to be is, at last, their own choice. You provided them with the know-how to create and manage these pretty safe passwords with more ease.

I myself came up with a very similar scheme as the one you opted for on my own before stumbling over your instructable (and I am somewhat into coding and codebreaking) - so tweaking this sort of stuff is my cup of tea. Nevertheless: A big thank you for putting in all the work and creating a well-readable and easily understandable instructable for everyone to go by, tweak, improvise, comment upon and promote further (or at least feel a little insecure (as they should) for not doing any of the above ;-) ).

As a last thing to mention: One should also think about how to provide safe and controllable (meaning: revokeable) access to ones digital world (emails, banking, data (clouds), other websites) for close people in case of an emergency or, worse, death. For this I still haven't found a very good solution, but there are some instructables around as well.

Thanks for promoting reasonably secure passwords. It's a sorely needed best practice. One quick amendment: One of your examples includes the vendor's name as salt; unless that vendor has recently changed its security policy, it doesn't allow its own name in a user password.That policy, widely applied, might make some C-level folks think a bit when creating passwords!

I've never had using the vendor's name as a problem. In all the websites I log into not a single one has ever rejected this password scheme.

And really, why would you? You'd only want to reject it if the vendor name was the whole or a majority of the password. Adding the vendor name to a strong password does not weaken it.

Agreed. As I mentioned, it's entirely possible that the vendor has changed its policy in the last couple of years.