Tuesday, October 31, 2006

Pass Algorithms Vs. Passwords

Pretty much every web-based service one uses nowadays requires some sort of login and password. I have a list of most of the sites that I have registered on, and at the moment it has almost 100 entries on it. Probably 40 of those I still use at least twice a year, if not weekly. It became clear to me some years ago that I was going to have serious problems if I used the same password or small set of passwords on all of them. If someone managed to get one of my passwords, they potentially would have access to all of the other sites on which I registered using that password. This is an unacceptable risk.

The problem, of course, is that it would be hard to remember and keep straight separate passwords for all of those sites. There is password management software available which will help you with this by storing all of those login IDs and passwords and then entering them for you automatically when you go to those sites. Still, that strikes me as a poor solution when one uses more than one computer regularly; keeping two or more master lists of passwords synchronized would not be trivial, and would likely cause you a problem when you were most in a hurry. I wanted a solution that gave me a separate password for every site, yet did not require the added complication of 'helper' software of any sort. I did not want to be dependent on anything but my brain.

The answer is actually an old idea which I read about, believe it or not, in a science fiction story more than 30 years ago. The key insight is to use a pass algorithm rather than a password. Such an algorithm will allow you to compute the password on the fly from the information at hand rather than having to remember it. This is much easier than it sounds. Here's a very simple algorithm one could use (although it is so simple I would not recommend it): use the name of the service as the password. Thus, the password for my Gmail account would be 'gmail', while the password for my Ebay account would be 'ebay', etc. As you can see, if this were my algorithm I would not have to remember any passwords. I would just look at the domain name of the site in the URL, and use that name for the password. Instantly every site has a unique password, but I only have to remember one thing, the pass algorithm.

As I said, this algorithm is too simple, since having seen one password, it would be easy to guess how the rest of your passwords were set up. So let's make a modest improvement. Look at the keypad of your telephone and you will see that most buttons have letter labels. Using this as a key, you could take the domain name of the site and translate it letter by letter to the corresponding digit. Thus, my Gmail password would be '46245' while my Ebay password would be '3229'. Now this is much better. It is unlikely that anyone who hasn't read this blog would be able to guess at this algorithm from just looking at one password. Still, it's possible. You could complicate it a bit more by always adding a prefix or suffix of some sort. (Be sure to make it a nonsense prefix/suffix rather than an English word or name.)

Here is another possibility: use your computer's keyboard as your key. For example, you could look at each letter in a domain name and map it to the character above it on the keyboard. With this scheme, the Gmail password is 'tjq8o' and the Ebay password is '3gq6'. The only real criterion for an algorithm like this is that it has to be simple enough that you really can do it in your head (or on your keyboard) and it has to scramble the name up sufficiently to make it hard for someone who obtains your password to figure out what you are doing. There are other kinds of mappings you could come up with. You could also combine a couple of methods in some way. However you do it, you should come up with your own algorithm, and then experiment a little to see how easy it is for you to execute it. It may take you a couple of tries, but believe me it is worth it. I find it very satisfying in a way to have a separate password for every site, yet not have to remember a single one.

Oh, by the way, the algorithm I use is not like any of the ones I described.

Addendum 12/5/2006: I just ran across this article, which describes several approaches to passwords like the ones I described above, plus a bunch of others.

3 comments:

Tom Cavnar said...

I've already implemented pass algorithms on most of my online accounts. Thanks for the idea!!

Anonymous said...

I also have an algorithm that generates usernames on the fly from the domain name. Maybe I'm too paranoid.