Passwords – One or Many

Passwords

A while back I wrote a post on techniques to generate strong but memorable passwords. This clearly struck a chord with a number of you  judging by the number of questions it sparked.

One of the most commonly asked questions was whether it is better to have a single very strong password and use this for every log-in or to have a separate password for each site.

And the answer is……

The answer is that each approach has things in its favour but for me I just don’t like the idea of having one that does everything.

Thinking about it everyday terms: would you have one key which could open your house, car, and office?

The way you answer that question will probably answer the “one-or-may” password question.

If you are happy with one password?

It’s OK, it’s your choice, but just make sure that it is seriously strong and don’t even hint that you you use the same password for everything.

After all, if some knows that you use the same password for everything it makes you much more attractive as a hacking target.

Using multiple passwords

Some people advocate using an entirely different password for each service. While I respect their views this is a bit extreme for me.

My approach is to use a strong stem password, using the techniques I outlined in the post “Passwords – Strong or Memorable“, and add something to it which is specific to each log-in.

The trick is to disguise the add-on to avoid giving clues to any would-be hacker. As and example, if I banked at HSBC, I could just add “HSBC” to the end of my strong password stem.

To make it more secure I personally use techniques like substitution, word joining and using foreign words as I discussed in my last blog post, to disguise the add-on.

An example

Let’s use the BBC as an example. Clearly adding .BBC to your strong stem would work, and for something as like the BBC website would probably be OK.

But let’s assume that you want your BBC web site preferences to be kept more secure than that.

We know that we can use substitution but BBC does really lend itself to this. However something like 88( would probably be an improvement.

The next tack is to use foreign words. The problem for me is that there is no obvious translation of BBC that would be better than the English version from a substitution point of view.

What I would do in this case is a bit if lateral thinking. In the UK the BBC is often referred to as “The Beeb”. “Beeb” makes me think of “Bee”.

Translating “Bee” gives “Abeille” (French), “abeja” (Spanish) “Ape” (Italian) and “Beine” (German).

Taking the first three letters of each and applying substitution gives:

Abe > ^b3 (French and Spanish)
Ape > ^p3 (Italian)
Bei > 83i (German)

The key point is that none of these have any obvious connection to the BBC.

Another example

Many of us buy from Amazon. Given that Amazon hold your credit card and address details it is reasonable to want your login to be secure.

Something simple like ^m@ would work but to be really secure another dose of lateral thinking can really improve things

Here’s my suggestion: Start with the sentence: “The Amazon is a river in Brazil and by some measures is the longest river in the world”. Then take, as an example, the first letter of alternate pairs of word to make a new word.

In this case we get TAribstltw. Apply some substitution according to your preferred pattern to give something like T^r16st!t” and take what ever chunk of this that you want for your add-on.

Adding my preferred three characters, ^r1, to my foreign language password from by previous blog post would give 318htK^f.^r1 for my amazon password.

How secure is a password?

Is such a password totally secure? In terms of hacking by guessing a password then yes, in all practical terms it is.

To be a bit more objective I tested it using www.passwordmeter.com and howsecureismypassword.net

The former rated it as “Very Strong” while the latter reckoned that it would take a computer 41 quadrillion years to crack.

Whether or not you believe the actual number that howsecureismypassword.net gives, the example password is clearly seriously strong.

Is this the only way?

My approach to passwords is just one way of going about it. Another approach is to use a service like Last Pass, a browser based password manager.

Lastpass is available as an extension for all the major browsers and for android and IOS.

How far should should I go with my passwords?

How you generate and use passwords is your choice. The way I look at it, the most important step is to move away from easily guessable regular words.

Even some very simple substitution can make a password much harder to crack. As an example, according to howsecureismypassword.net my surname as password would be instantly guessable by a computer equipped hacker.

Tweaking it to W1ndm1ll would on average take the same hacker 4 days while going further to W1n9^^1ll would take up 4 weeks of the hackers time. Adding a site specific extension, say “.P@55” takes the crack time to 4 Billion years

Remembering by thought from my previous post, that all we need to do is make the hacker try an find a less secure account, I suggest that most hackers wouldn’t spend 4 days, let alone 4 weeks on one account.

Finally

I hope that you have enjoyed reading this post and found it useful. If you have thoughts on what I have written so far please leave a comment.

Also if you have an idea for another business topic let me know and I’ll be delighted to find a space for it.

Thanks again

Bob Windmill