With all of the publicity surrounding LinkedIn, League of Legends, and possibly others, I thought I’d take a moment to explain how I manage passwords. Yes, I quickly changed my password on LinkedIn, but using this method will give you just a bit more security if and when a provider screws up. Remember, not every security incident involves a massive “post to everyone’s wall and make the evening news” style announcement!
I started this method after a screw-up at Reddit a long time ago, which back in the day was storing plaintext passwords, and leaked them. It has worked extremely well over the last six or so years. For those who are unfamiliar with salting – it’s a method of adding extra (ideally random, per-user) data to a password before it is hashed, so that identical passwords produce different hashes and precomputed rainbow-table attacks against a leaked password database don’t work. Technical readers may point out some more particulars about that statement, but the general statement should hold true.
Websites and other authenticators are supposed to salt passwords, but they can forget. You can “salt” your own passwords by picking a hard-to-guess base password, then adding a few characters derived from the site itself at the beginning, at a fixed position in the middle, or at the end of the password. This makes deriving your other passwords from one leaked password more difficult, and it prevents (quick) account theft by an attacker who takes your leaked email and password and tries them at well-known sites.
- Choose a decent base password. I recommend that people choose a nursery rhyme, favorite quote, saying, bit of religious text, or any kind of phrase, and take the first letter or second letter of each word from that phrase. This usually gives them a reasonably strong, easy-to-remember base password. Capitalize a few of the letters and add a number at the beginning or end.
- Develop a salting mechanism. For every website that needs a password, derive a few additional characters from the site itself, and have two rules of thumb for doing so. Try to choose something relatively non-volatile. For example – use the first four letters of the company’s name as it appears on their logo. Or the last three letters of their domain name. Or something else that may not change very often. Then add these letters to your base password at the beginning, middle or end. Why two rules? So if your first rule doesn’t work due to some site’s password restrictions, you can use the second.
- You’re done. You now have an easy-to-remember passphrase that’s unique to that site (your base password + your derived salt). Best of all, your password looks fairly random, and even if your password from another site was stolen, it wouldn’t be susceptible to rainbow-table attacks, etc.
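The three steps above, carried through in code as an added worked example (this is not the author’s code, and the sample phrase, site names, domains and the `policy` callback are constructed for illustration). Rule 1 takes the first four letters of the site’s displayed name, rule 2 the last three letters of the domain label before the TLD (an assumption about what “last three letters of their domain name” means); if a site’s password rules reject the rule-1 result, the code falls back to rule 2, which is exactly the reason the post gives for keeping two rules.

```python
"""Per-site password derivation ("self-salting") as described in the post.

Added example, not the author's code. All names, the sample phrase and
the sample sites are constructed for illustration.
"""
import re


def base_from_phrase(phrase, letter_index=0, capitalize_every=3, suffix="7"):
    """Step 1: take one letter from each word of a memorable phrase,
    capitalize every n-th letter and append a digit."""
    words = re.findall(r"[A-Za-z']+", phrase)
    letters = [w[letter_index] for w in words if len(w) > letter_index]
    mixed = [
        ch.upper() if i % capitalize_every == 0 else ch.lower()
        for i, ch in enumerate(letters)
    ]
    return "".join(mixed) + suffix


def rule_logo_prefix(site_name, domain):
    """Rule 1: first four letters of the company name as shown on its logo."""
    letters = re.sub(r"[^A-Za-z]", "", site_name)
    return letters[:4].lower()


def rule_domain_suffix(site_name, domain):
    """Rule 2: last three letters of the domain label before the TLD.
    Assumes a simple two-label domain such as example.com."""
    parts = domain.lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return label[-3:]


def insert_salt(base, salt, position="middle", fixed_index=4):
    """Step 2 (placement): put the derived characters at the beginning,
    at a fixed position in the middle, or at the end of the base password."""
    if position == "beginning":
        return salt + base
    if position == "end":
        return base + salt
    return base[:fixed_index] + salt + base[fixed_index:]


def site_password(base, site_name, domain, position="middle", policy=None):
    """Step 3: combine base and derived salt. Try rule 1 first; if the
    candidate fails the site's password policy (a callable returning True
    when the password is acceptable), fall back to rule 2."""
    for rule in (rule_logo_prefix, rule_domain_suffix):
        candidate = insert_salt(base, rule(site_name, domain), position)
        if policy is None or policy(candidate):
            return candidate
    raise ValueError("neither salting rule produced a password the site accepts")


if __name__ == "__main__":
    # Constructed sample: a nursery rhyme as the memorable phrase.
    base = base_from_phrase("Mary had a little lamb, its fleece was white as snow")
    print("base:", base)
    # Two different sites yield two different passwords from the same base.
    print("LinkedIn:", site_password(base, "LinkedIn", "linkedin.com"))
    print("League:  ", site_password(base, "League of Legends", "leagueoflegends.com"))
    # A site with a 15-character maximum rejects the rule-1 result, so rule 2 is used.
    print("capped:  ", site_password(base, "LinkedIn", "linkedin.com",
                                     policy=lambda p: len(p) <= 15))
```

The `policy` callback stands in for the “weird password rules” the post mentions: length caps, banned characters and so on can all be expressed there, and the two-rule fallback keeps the scheme usable without having to remember a one-off exception for that site.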
A few benefits of this approach:
- You don’t need to rely on a LastPass-type application or system that stores all your passwords on a computer, which may be hard to access sometimes.
- It’s easy!
- It’s free!
- It really works – I’ve never had a problem with this, even with some of those sites that have weird password rules.
- You now have a unique password to every system you access.
- You can change the base password every year if you’d like, for even better security, and to weed out those accounts you forget about / never use.
There are no silver bullets to any of this. Yes, this can still be attacked, but it’s certainly better than the “same password everywhere” or the “secure password for sites I care about and insecure one everywhere else” method.
I highly recommend you turn on Gmail’s 2-factor security setting on your email account as well. Particularly now that they’ve released an “offline” authenticator token generator which doesn’t need network access to work.
Stay safe out there!