Hashing For Humans: Making Strong Passwords You’ll Remember

Chances are you have an online account on multiple web sites. It’s going to be a long time (maybe forever) before authentication is standardized across the web. How do you remember all those passwords?

Hashing for Humans

Hashing is, roughly, a technique that takes something complex or widely varying and deterministically maps it to a compact index value. That’s an oversimplification, but it will do. Read the Wikipedia article if you’re interested.

If you use a simple, mental hashing algorithm to create passwords on websites, you…

  • won’t have to worry about your other password(s) when one of them is compromised
  • won’t have to write down your passwords
  • will be able to have a strong, unique password for every site you visit

The easiest way to do this is to start from the login screen of the website. As an example, look at gmail.com.

To make a unique password, you need some input from the website itself. And since you’ll see this page EVERY TIME you log in, you won’t look stupid when others are watching as you try to ‘remember’ your password. As input, it’s easiest to take (1) the URL, (2) the page title, or (3) the text around the username/password box. In this case, the page title and domain are basically the same [“Gmail…” and “gmail.com”]. Let’s go with that.

You want to use a hashing algorithm that is easy to remember. So, for example, we could make the first step of the algorithm to take the domain name and spell it backwards. This gives us “liamg” or “moc.liamg”, in this case.

Next, we should add numbers, symbols, and capitals to our algorithm to make it stronger. One way to do this is to introduce leet, a way of visually replacing letters and syllables with numbers and symbols. “Magazine” can be “M@g@z1n3”, and “skullHunter” can be “5k0lHun73r”.

If that’s too much for you, you can prefix or append numbers/symbols to your website input. For gmail, we can have “liamg” become “%%LIAMG”. Here, I’ve introduced ‘%’ because “gmail” has 5 letters and ‘%’ is the shifted symbol on the ‘5’ key on the keyboard. And let’s put two of them, just to boost the length. So far, our algorithm is like this:

  1. Write the name of the site backwards, in all caps: “LIAMG”
  2. Count the length of the password so far and prefix the symbol that shares a key with that number on the keyboard, twice: “%%LIAMG”

That’s not too hard, considering it’s all you have to remember for ALL your accounts. The more steps you add to your algorithm, the harder it gets to guess (but don’t add so many steps that you can no longer remember the algorithm).

NOTE: Probability-wise, we assume a guesser is just as likely to try “liamg” as “liam6”, but YOU are more likely to remember “johnny8pea” than “johnnyypea”, especially if you’re a visual person like me. Also, this will protect you from word-dictionary attacks.

Remember, don’t choose algorithms that are self-evident. If you are on gmail.com and your password is “gmail123”, this might indicate that your password on twitter.com is “twitter123” or “twitt123”. Don’t make it too easy, just in case randomcrappysite.com suddenly becomes compromised and your password for it is exposed.

You can use some of the following algorithms as a starting point and vary them slightly if you’re not feeling creative (all of these are based on “gmail.com”):

  1. Write the last syllable of the website backwards: “liam”
  2. Replace each series of vowels with the series’ length: “l2m”
  3. Lather, rinse, repeat for the rest of the title (the remaining syllables): “l2mg”
  4. Replace each number with the first letter of the English spelling for that number: “ltmg”
  5. Append @s until you’ve reached the desired length: “ltmg@@@@”

  1. Write the first two letters of the last syllable backwards: “am”
  2. Append the last two letters of the first syllable: “amg”
  3. Add the prefix “n.n”, where ‘n’ is the length of the password so far: “3.3amg”
  4. Append the same ‘n’, plus 1: “3.3amg4”
  5. Replace the first number with its corresponding symbol on the keyboard: “#.3amg4″
  6. Add @s as needed: “#.3amg4@”

  1. Write a prefix for your passwords: “335″
  2. Append the first five characters of the website: “335gmail”
  3. Replace all letters with descenders (the ones that drop below the baseline: ‘g’, ‘q’, ‘y’, ‘p’, etc.) with ‘3’: “3353mail”
  4. Replace all remaining small letters (those with no ascender or descender: ‘w’, ‘e’, ‘r’, ‘u’, etc.) with ‘2’: “335322il”
  5. Replace all remaining letters with ‘1’: “33532211”
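To make the recipes concrete, here is the two-step backwards/caps/symbol scheme from earlier and the three starter algorithms above written out as code. This is an added example, not code from the post; it assumes a US keyboard layout for the digit-to-symbol mapping, and it takes syllable boundaries as an explicit input (the post splits “gmail” as “g” + “mail”), because English syllabification is not mechanical. The later syllables in algorithm 1 are appended in their original order, which is an assumption the post leaves open.

```python
"""Mental password-hashing recipes from the post, written out as code.
Added example: this is not the post author's code.  Syllables are supplied
by the caller (e.g. ["g", "mail"]); US keyboard layout is assumed.
"""
import re

# Shifted symbol that shares a key with each digit on a US keyboard (assumption).
SHIFT_SYMBOL = {"1": "!", "2": "@", "3": "#", "4": "$", "5": "%",
                "6": "^", "7": "&", "8": "*", "9": "(", "0": ")"}

# First letter of the English name of each digit (two -> t, four -> f, ...).
NUMBER_INITIAL = {"0": "z", "1": "o", "2": "t", "3": "t", "4": "f",
                  "5": "f", "6": "s", "7": "s", "8": "e", "9": "n"}

# Letters that drop below the baseline in most Latin fonts.
DESCENDERS = set("gjpqy")
# Letters that sit entirely within x-height (no ascender, no descender, no dot).
X_HEIGHT = set("acemnorsuvwxz")


def _collapse_vowel_runs(text: str) -> str:
    """Replace every run of vowels with the length of that run ("liam" -> "l2m")."""
    return re.sub(r"[aeiou]+", lambda m: str(len(m.group())), text)


def backwards_caps_prefix(site_name: str) -> str:
    """The two-step scheme: reverse, upper-case, prefix the length's symbol twice."""
    core = site_name[::-1].upper()                   # "LIAMG"
    symbol = SHIFT_SYMBOL[str(len(core) % 10)]       # 5 letters -> '%'
    return symbol * 2 + core                         # "%%LIAMG"


def vowel_run_recipe(syllables: list[str], target_len: int = 8) -> str:
    """Starter algorithm 1: reversed last syllable, vowel runs -> counts, digits -> letters."""
    result = _collapse_vowel_runs(syllables[-1][::-1])       # "liam" -> "l2m"
    result += _collapse_vowel_runs("".join(syllables[:-1]))  # rest of the title -> "l2mg"
    result = "".join(NUMBER_INITIAL[c] if c.isdigit() else c for c in result)  # "ltmg"
    return result.ljust(target_len, "@")                     # pad with '@' -> "ltmg@@@@"


def syllable_prefix_recipe(syllables: list[str], target_len: int = 8) -> str:
    """Starter algorithm 2: syllable fragments, length-based prefix, symbol swap."""
    result = syllables[-1][:2][::-1]          # first two letters of last syllable, reversed: "am"
    result += syllables[0][-2:]               # last two letters of first syllable: "amg"
    n = len(result)                           # 3
    result = f"{n}.{n}{result}"               # "3.3amg"
    result += str(n + 1)                      # "3.3amg4"
    result = SHIFT_SYMBOL[result[0]] + result[1:]  # first digit -> its symbol: "#.3amg4"
    return result.ljust(target_len, "@")      # "#.3amg4@"


def letter_height_recipe(site_name: str, prefix: str = "335") -> str:
    """Starter algorithm 3: fixed prefix, then letters encoded by their visual height."""
    text = prefix + site_name[:5]             # "335gmail"
    out = []
    for c in text:
        if c in DESCENDERS:
            out.append("3")                   # g, q, y, p, j
        elif c in X_HEIGHT:
            out.append("2")                   # w, e, r, u, m, a, ...
        elif c.isalpha():
            out.append("1")                   # everything else with an ascender or a dot
        else:
            out.append(c)                     # digits and symbols pass through
    return "".join(out)                       # "33532211"


if __name__ == "__main__":
    # "twitter" with syllables ["twit", "ter"] is a constructed second input.
    for name, syllables in (("gmail", ["g", "mail"]), ("twitter", ["twit", "ter"])):
        print(name, backwards_caps_prefix(name), vowel_run_recipe(syllables),
              syllable_prefix_recipe(syllables), letter_height_recipe(name))
```

Because every step is deterministic, running the functions on “gmail” reproduces exactly the strings the post lists, and running them on a second domain shows how the same rules yield a different password with no new memorization.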

It is very easy if you choose an algorithm that allows you to simply read the input forwards or backwards once, and be done. All the ones I’ve listed here can be done this way, once you understand the algorithm.

Visual rules based on character heights, as used in the last algorithm listed above, are very effective too. Just watch out for font changes!