My Password Strategy, and So Can You!

Everyone knows they're supposed to use strong, random passwords, and use different passwords on every single site. For most of us, tho, that's impossible - we just can't remember that many. Some of us give up and just remember one strong password (there goes your security when something is breached) or use a password locker like 1Password (hope you're backing up appropriately, and have access to the vault from every single place you'll need a password).

None of these are good strategies. A few years ago I thought about this a bit, and put together a tool to help me handle all this properly and safely. I've evangelized it a bit informally, but more people really need to know about this. So, here goes:

  1. Memorize one good, strong password. Make it long and random, as secure as you can possibly make it and still be sure to remember it. This is the only random password you'll be required to remember ever again.
  2. Whenever you need a password for something, visit https://tabatkins.github.io/password/. Put your master password from Step 1 into the master password slot, and enter a memorable "site tag" for that slot. The site tag does not need to be secure in any way, so focus on making it as easy to remember as possible, like the domain name of the site.
  3. Hit the "Long" button and copy the generated password out. DONE.
  4. If you're using a terrible website like a bank that applies password limits, the "Short" button usually works - it gives you a 12-char password. If you need more control, the "More Options" section lets you customize the password thoroughly, which should satisfy whatever idiotic demands they call for. Try to avoid using this if possible, just because it means more memorization.
  5. Store the site tag (and the custom options, if necessary) somewhere accessible. I just use a Google Doc, which I can access from anywhere on multiple devices. This is not secure information, so don't worry about it being exposed - as long as your Master Password is good, you're safe.

And that's it! This method has several benefits over a traditional password locker:

  • Same amount of memorization - one master password.
  • No need to "back up" anything - you can probably remember the site tag anyway, and if you do record them somewhere it doesn't have to be securely stored.
  • Accessible from anywhere - as long as you can touch the internet, you can reach this - no need for a browser extension or a separate program that won't be installed on public computers.
  • Works offline - the site is totally self-contained in a single file, so you can save it to your device and use it locally without any internet connection at all.
  • Totally independent - nothing can stop working because some company was acquired or went out of business. If you save a local version of the file or host it on your own site, even me removing my site won't stop you.
  • No chance of losing passwords - no chance that your password file can be "corrupted" and impossible to decrypt, because there is no password file - it's just a hash function run on your two inputs.

If you're paranoid, feel free to audit the code on your own - it's unobfuscated HTML and JS that makes zero network calls and saves no information. The entire operation is done locally, my version of the file is served over HTTPS, and you can run a local version if you're really paranoid about code changes.
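
What "a hash function run on your two inputs" can look like, as an added example for Node.js that is not the code of the tool linked above. The KDF (PBKDF2-HMAC-SHA256), the iteration count, the alphabet, the tag canonicalization, the 20-character "Long" length and the name `sitePassword` are all assumptions; only the 12-character "Short" length comes from this page.

```javascript
// Added example, not the linked tool's code. KDF, alphabet, lengths are assumptions.
const { pbkdf2Sync } = require('node:crypto');

const ALPHABET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; // 62 symbols
const ITERATIONS = 100000; // assumed work factor: slows offline guessing of the master
const SHORT = 12;          // the "Short" length stated on this page
const LONG = 20;           // assumed value for "Long"

// Derive a password of `length` characters. Nothing is stored anywhere:
// the same (master, siteTag, length) always produces the same output.
function sitePassword(master, siteTag, length) {
  // Canonicalize the tag so "Example.com " and "example.com" agree (assumption).
  const tag = siteTag.normalize('NFKC').trim().toLowerCase();
  // The tag and the options act as a public salt: each site and each length
  // gets an unrelated key stream, so a short password is not a prefix of a long one.
  const salt = `${tag}:${length}`;
  const stream = pbkdf2Sync(master.normalize('NFKC'), salt,
                            ITERATIONS, length * 2, 'sha256');
  // Rejection sampling: 256 is not a multiple of 62, so bytes >= 248 would make
  // the first 8 symbols more likely under a plain modulo. Skip those bytes.
  const limit = 256 - (256 % ALPHABET.length);
  let out = '';
  for (const byte of stream) {
    if (byte < limit) out += ALPHABET[byte % ALPHABET.length];
    if (out.length === length) return out;
  }
  throw new Error('key stream exhausted; derive more bytes');
}

// Constructed sample inputs.
console.log(sitePassword('correct horse battery staple', 'example.com', LONG));
```

Because the site tag is public, anyone who learns one generated password can test guesses of the master password offline, which is why the example uses a deliberately slow KDF and why the master password has to be strong.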

I've been using this for years, and it changed my life around passwords.


If you want all that plus the convenience of a bookmarklet when you are "at home", check out SuperGenPass.


Very interesting, thanks!

This is exactly the same approach to passwords I've been using in recent years... only that I compute the hash in my head, so to speak.

My hash functions (I change them frequently) have to be kept very simple, of course: only character substitutions, shifting, reordering, prepending or appending strings, mnemonic associations -- stuff like that. But the idea is the same.

It never occurred to me that what I was doing could be implemented easily. I might switch to your tools, or to SuperGenPass, at some point.

Cheers!
