Lev's personal webpage

25Dec/11

My super secure password scheme

For the longest time in my life I have only used a single password for all the online services until I realized how much of a bad idea that is.

However I still didn't want to start memorizing a huge set of different passwords for each service so I came up with a following scheme which allows me to remember a single master password while still providing different password for each service. The key is in using a scheme that combines a master password plus the username and name of an online service then running resulting combination through a hash function output of which is what actually ends up being used as a password.

Why do this?

  • You will only need to remember a single master password.
  • You will be able to use this scheme with relative ease and reasonable security from any computer.
  • Each service you use this scheme for will receive a completely different password, so if it gets compromised the rest of your services remain safe.

A few terms.

  • Hash function: turns any string of text into a fixed length digest message that is unique (ideally) to the source text. Sha1 is one of such functions and is the one I use for my particular scheme. For example if you feed "abc" (without quotes) to sha1 the output will be "a9993e364706816aba3e25717850c26c9cd0d89d". Output of hash function is what I use as an actual password for sites.
  • Service: is just a domain name for the website you use. For example for gmail I would just use gmail.com

The scheme.

My scheme then is the following:

  1. Come up with and memorize a single master password. It should be relatively long (10 or more characters) and not contain any personal related information such as your birth date, names of your close ones, pets, etc. This is because we want to keep this scheme secure even if attackers are aware of it.
  2. For a specific service combine master password + username used on the service + domain name of the service.
  3. Run resulting string through sha1 and use first 10-12 characters as actual password for that service. The reason for not using the whole hash is because it makes it is more secure. It is possible to brute-force sha1, and other hashes, however it is much much harder if not impossible to do with a partial hash. It also makes it easier for you to memorize the password if you use it frequently enough.

Example.

Let's say my master password is "omgsupersecurepassword123" (without quotes) and I am trying to create/use password for gmail for which I already created account under name lev.neiman. Concatenating master password and username and domain name of gmail will result in "omgsupersecurepassword123lev.neimangmail.com" After I run this through sha1 I will get "559ce7763e8d84b972bdb79da8543a84c46f5b60". I will then take first 12 characters - "559ce7763e8d". and use that as my password.

Using sha1.

For convenience I have modified and copied sha1 javascript page to following address: https://levneiman.com/sha1/sha1.htm This way I can use this scheme from any computer, public or private with reasonable security.

You can save that webpage so you can use it without internet access. Also on most *nix platforms you can use command line sha1sum program.

Granted I am not a security expert, but I believe this scheme to be reasonably secure and convenient to use. If it is not, please leave a comment explaining why.

Comments (8) Trackbacks (0)
  1. I think I might actually start using this, especially now that I know this exists to make it even easier:

    https://market.android.com/details?id=com.fuktommy.genpasswd&feature=search_result#?t=W251bGwsMSwyLDEsImNvbS5mdWt0b21teS5nZW5wYXNzd2QiXQ..

  2. anything for iPhone? in the off line mode.

    • I am not quite sure, but for my phone I have just saved the webpage that dose JavaScript sha1 to local storage and used that when without internet access. The UI is not that pretty but it works. Maybe I will work on making UI look better for smart phones in near future.

  3. just thinking, if one wants to access a certain site it means one has internet, one does not need to have passwords offline though it is a reassuring to have it offline anyway. The mobile version of that script would be helpful and I would try it as I have tried to solve the password problem for a long time.

  4. This is actually almost exactly what I do today

  5. @Jim: Yes, I know. 🙂


Trackbacks are disabled.