Easy way to generate new passwords for each website?
May 1, 2013 7:57 PM Subscribe
Does anyone have a simple method of coming up with excellent new passwords for every website that you can nevertheless easily remember? I'm thinking some combination of a master password combined with the website url or something like that, but the underlying rule should not be easily guessable by others even if they have a few examples in front of them. Any ideas?
Use software like LastPass or 1Password to generate unique and random passwords.
posted by primethyme at 8:03 PM on May 1, 2013 [11 favorites]
1Password can automatically generate strong passwords for you and autofill them after unlocking with a master password. It's cross-platform and can share your (encrypted) password database among computers and devices using Dropbox.
posted by Bella Sebastian at 8:03 PM on May 1, 2013
Chances are, any scheme you come up with for generating memorable per-site passwords will be significantly easier to guess than a long random password, and with tools like 1Password you don't have to remember them all.
posted by murphy slaw at 8:03 PM on May 1, 2013 [1 favorite]
passphra.se - Generate long passwords that are easy to remember, inspired by the xkcd comic.
posted by xtine at 8:05 PM on May 1, 2013 [1 favorite]
my vote is for lastpass. Best $12/year I have ever spent. Takes care of all the 12 character long passwords on virtually every website . . .
posted by nostrada at 8:31 PM on May 1, 2013 [1 favorite]
That's what my password generator does – it was the inspiration for super gen pass and its ilk.
posted by nicwolff at 8:35 PM on May 1, 2013
Response by poster: Thanks for the automated password generator recommendations -- and maybe it's easy when you're on your own computer. But what do you do when you're on a public computer (at a library, at an airport, etc.) and you need to log into a website quickly? Isn't it annoying to have to go to the lastpass website or whatever, sign in, and only then get your password to some other website?
posted by shivohum at 8:50 PM on May 1, 2013
inspired by the xkcd comic
Or go to the original, Diceware. But this still means something to remember for each site: nicwolff's technique (see also PwdHash) is a good way to get around that.
posted by hattifattener at 8:56 PM on May 1, 2013
I regularly have to use a public computer and it literally takes seconds to log into any site using Lastpass AND 2-step authentication. It really is easy, convenient and safe.
posted by Midnight Rambler at 8:58 PM on May 1, 2013
If I am using public computers that I don't control, I would be really hesitant to type in any passwords that I wouldn't want keylogged. Neither random passwords nor password managers will protect from many software keyloggers. Either I don't log in from public computers, or I only use sites with two-factor authentication (in which case the password itself doesn't matter too much - I use keepass and have the app installed on my phone so I can look up the passwords and type them in manually if needed).
posted by muddgirl at 9:03 PM on May 1, 2013 [4 favorites]
I settle for nearly-unique: I have a base password that I mesh with the website name.
ThisIs##MyPassword:
Metafilter: ThisIsmMyPassword
Bank of America: ThisIsboaMyPassword
New York Times: ThisIsnytMyPassword
At worst, I have 2-3 possibilities, but most websites are perfectly clear (such as Yahoo: ThisIsyMyPassword). The only problem is entering sites that use membership services, like the various Disqus sites (I may establish the password for BlahBlah.com, or forget that Fubar.com uses Disqus). In general, though, it's very effective, mostly unique, and let's face it: no one who harvests passwords from cracked sites manually looks at each harvested password for patterns like this. Once they crack 12 million accounts, they simply use the as-is passwords.
posted by IAmBroom at 9:19 PM on May 1, 2013 [2 favorites]
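The scheme in the comment above keeps a fixed prefix and suffix around a short site-derived token. As an added example (not IAmBroom's code, and the three sample pairs are the ones from that comment, treated as if they had leaked from three separate breaches), the script below does what an attacker's tooling does with such samples: recover the template by longest common prefix and suffix, keep only the abbreviation rule that explains every sample, and emit candidate passwords for a site that has not leaked. The abbreviation hypotheses (`first_letter`, `initials`, `first_word`, `first_three`) are my own small list, not anything from the thread.

```python
import os
from typing import Dict, List, Set, Tuple

# Constructed input: the three (site, password) pairs from the comment above, as an
# attacker would hold them after three unrelated breaches exposed the same account.
LEAKED = {
    "Metafilter": "ThisIsmMyPassword",
    "Bank of America": "ThisIsboaMyPassword",
    "New York Times": "ThisIsnytMyPassword",
}


def common_prefix(strings: List[str]) -> str:
    return os.path.commonprefix(strings)


def common_suffix(strings: List[str]) -> str:
    return common_prefix([s[::-1] for s in strings])[::-1]


def infer_template(leaked: Dict[str, str]) -> Tuple[str, str, Dict[str, str]]:
    """Split every leaked password into fixed prefix, per-site middle and fixed suffix."""
    pws = list(leaked.values())
    prefix = common_prefix(pws)
    # Strip the prefix first so prefix and suffix cannot overlap on a short sample.
    suffix = common_suffix([p[len(prefix):] for p in pws])
    middles = {site: p[len(prefix):len(p) - len(suffix)] for site, p in leaked.items()}
    return prefix, suffix, middles


def site_tokens(site: str) -> Dict[str, str]:
    """Ways a person might abbreviate a site name; the attacker tries each (assumed list)."""
    words = site.lower().split()
    return {
        "first_letter": words[0][0],
        "initials": "".join(w[0] for w in words),
        "first_word": words[0],
        "first_three": words[0][:3],
    }


def surviving_rules(middles: Dict[str, str]) -> Set[str]:
    """Keep only the abbreviation rules that reproduce the middle for every leaked site."""
    rules = set(site_tokens("a b").keys())
    for site, middle in middles.items():
        tokens = site_tokens(site)
        rules &= {name for name, tok in tokens.items() if tok == middle}
    return rules


def predict(leaked: Dict[str, str], target_site: str) -> List[str]:
    """Candidate passwords for a site that has not leaked, built from the inferred template."""
    prefix, suffix, middles = infer_template(leaked)
    tokens = site_tokens(target_site)
    return sorted({prefix + tokens[r] + suffix for r in surviving_rules(middles)})


if __name__ == "__main__":
    prefix, suffix, middles = infer_template(LEAKED)
    print(f"template: {prefix!r} + <site token> + {suffix!r}; rules: {surviving_rules(middles)}")
    for site in ("Yahoo", "Disqus", "Amazon"):
        print(site, "->", predict(LEAKED, site))
```

With these three samples only the `initials` rule survives, so the prediction for Yahoo is a single candidate, the same one the comment gives. The "2-3 possibilities" that make the scheme easy for its owner make it equally cheap for a credential-stuffing tool, which simply tries every candidate.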
Like muddgirl, I try not to login from public computers. But if I do need to, it's not that hard to look the password up on my phone and type it in manually.
posted by primethyme at 10:01 PM on May 1, 2013
When I'm not on my own computer, I use KeePassDroid on my phone. I sync its password database with the KeePassX database on my computer. It doesn't slow me down very much, and avoids the danger of typing my master password on an insecure computer which might be running a keylogger.
Also, if I do have to type in a password on a potentially virus-infested public machine, I change that password from a secure machine as soon thereafter as I can.
posted by pont at 10:04 PM on May 1, 2013
"Isn't it annoying [using a password manager]?"
Yes. But much less annoying than having your password stolen and used without you. But I'm with you, it's pretty annoying, and I only use mine as a backup when I forget my mnemonic.
I create my passphrases* using simple rules: **
1) Start with a phrase that leaps to mind when I think of that company or web site. eg: "Amazon has the world's ugliest web site"
2) Remove spaces and punctuation "Amazonhastheworldsugliestwebsite"
3) All i's become ones, o's become zeros, a's become fours "4m4z0nh4sthew0rldsugl1estwebs1te"
4) Hold down the shift key on the first three and last three characters. "$M$z0nh4sthew0rldsugl1estwebs!TE"
5) Question mark and exclamation point at the end. "$M$z0nh4sthew0rldsugl1estwebs!TE?!"
Nice and secure, and all I need to remember is the phrase which should leap to mind whenever I think of the site, and the rules, which are simple. I can do the conversion in my head and after you enter a few passwords this way it becomes automatic. Even if someone guesses my phrase they have to guess the same rules too.
*Don't think "password", think "pass phrase" and you're automatically creating a much more secure key.
**These aren't my rules, but mine are equally simple. Rules 2-5 are to make the phrase into an almost universally accepted password with mixed case, numbers, and punctuation.
posted by Ookseer at 10:52 PM on May 1, 2013
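The five rules above are mechanical enough to write down as code. The block below is an added example, not Ookseer's own code, applied to the phrase from that comment; it assumes a US keyboard layout for what Shift produces on the digit keys, and it replaces both upper- and lower-case i, o and a in rule 3, which is how the comment's own output treats the leading "A".

```python
# Rule 4 needs to know what Shift does to each character. Letters become upper case;
# the digits produced by rule 3 become the symbols above them on a US keyboard (assumed).
SHIFTED_DIGITS = {"1": "!", "2": "@", "3": "#", "4": "$", "5": "%",
                  "6": "^", "7": "&", "8": "*", "9": "(", "0": ")"}
# Rule 3: i -> 1, o -> 0, a -> 4, both cases.
LEET = str.maketrans("iIoOaA", "110044")


def shift(ch: str) -> str:
    """What the key for ch produces with Shift held."""
    return SHIFTED_DIGITS.get(ch, ch.upper())


def phrase_to_password(phrase: str) -> str:
    s = "".join(c for c in phrase if c.isalnum())          # rule 2: drop spaces and punctuation
    s = s.translate(LEET)                                  # rule 3: leet substitutions
    if len(s) < 6:
        raise ValueError("phrase too short for rule 4 (needs at least six characters)")
    head, body, tail = s[:3], s[3:-3], s[-3:]              # rule 4: Shift on first and last three
    s = "".join(map(shift, head)) + body + "".join(map(shift, tail))
    return s + "?!"                                        # rule 5: trailing ?!


if __name__ == "__main__":
    print(phrase_to_password("Amazon has the world's ugliest web site"))
```

The output is the comment's final string. One caveat worth keeping in mind: because the rules are a fixed function of the phrase, the space an attacker has to search is the space of phrases, and the substitutions and appended characters are exactly what cracker rule engines already express (hashcat's `sa4 sA4 so0 sO0 si1 sI1 $? $!` covers rules 3 and 5), so they stop adding work once such a rule is on the attacker's list.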
But what do you when you're on a public computer (at a library, at an airport, etc.) and you need to log into a website quickly? Isn't it annoying to have to go to the lastpass website or whatever, sign in, and only then get your password to some other website?
This is why I prefer to use a password manager (I like 1Password) in conjunction with Diceware generated "real word" pass phrases.
Before I discovered the Diceware technique, I was going crazy with all my super-random 1PW generated passwords. They're not a problem when I'm using my own computer, but when it came time to log in to sites on other people's devices, it was indeed very annoying.
I quickly found that switching to a Diceware style passphrase generation scheme is one of the best ways to balance password security with ease of password entry. So instead of having to type in a password like "jFt6~>;4uib{__10£€HIOkjtr", I can type in a password like "cat.rainbow.elevator.fart.florida.cupcakes", and be just as mathematically secure as the password made up of random, impossible to memorize gibberish.
This comes in handy when you're using a computer that doesn't have 1password installed on it. As long as you have 1Password on your phone, you can use it to find and display the password for any site. And the fact that your password is an easy to remember human readable passphrase means you can easily use your own eyes and brain as a secure "clipboard" from which you quickly transfer the password from your phone's display to the "foreign" computer's keyboard.
While you can technically do the same thing using a gibberish password, there's no way your brain can process a string like that quickly. And annoyance is guaranteed to ensue.
posted by melorama at 12:05 AM on May 2, 2013 [1 favorite]
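Diceware and the entropy comparison in the comment above are easy to make concrete. This is an added example, not melorama's code and not the Diceware project's: it maps a five-dice roll to a word index, draws words with the OS CSPRNG, and computes the bits of entropy for a passphrase versus a random printable string. The eight-word list is a constructed stand-in (the real list has 7776 words); the entropy figures use the real list size. The 95-character alphabet is an assumption about what a "gibberish" generator draws from.

```python
import math
import secrets
from typing import List

# Constructed stand-in for a Diceware list. The real list has 6**5 = 7776 words, one per
# five-dice roll ("11111" .. "66666"); eight words are enough to exercise the code.
DEMO_WORDLIST = ["cat", "rainbow", "elevator", "fart", "florida", "cupcakes", "basin", "tulip"]
DICEWARE_LIST_SIZE = 6 ** 5
PRINTABLE_ASCII = 95  # assumed alphabet size of a random-character generator


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` symbols drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Fewest words from a list of list_size whose passphrase reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def diceware_index(rolls: str) -> int:
    """Map a five-dice roll such as '31426' to a 0-based index into a 7776-word list."""
    if len(rolls) != 5 or any(c not in "123456" for c in rolls):
        raise ValueError(f"expected five digits 1-6, got {rolls!r}")
    index = 0
    for c in rolls:
        index = index * 6 + (int(c) - 1)
    return index


def generate_passphrase(wordlist: List[str], n_words: int, sep: str = ".") -> str:
    """Pick n_words uniformly with the OS CSPRNG; random.choice would be the bug here."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print(generate_passphrase(DEMO_WORDLIST, 6))
    six_words = entropy_bits(DICEWARE_LIST_SIZE, 6)
    gibberish = entropy_bits(PRINTABLE_ASCII, 25)
    print(f"6 Diceware words: {six_words:.1f} bits")
    print(f"25 random printable characters: {gibberish:.1f} bits")
    print(f"Diceware words needed to match that: {words_needed(gibberish)}")
```

Six words from the real list come to about 77.5 bits; a 25-character string from a 95-character alphabet is about 164 bits, so matching it takes around 13 words. 77 bits is still far beyond anything an online guessing attack can reach and is adequate against offline cracking of a properly hashed password, which is why the six-word phrase is a reasonable trade; the two are not equal, though, and the numbers above are what to check when picking a word count.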
Also, while the idea of using some sort of personal hashing algorithm to generate your passwords based on the URL makes logical sense (and is certainly better than using a password that is susceptible to brute force "dictionary attacks"), it's technically susceptible to reverse engineering because unless your "underlying rule" consists of a large, truly random number or string (which by its very nature is unmemorizable), it's completely feasible to determine your "rule" by brute force.
If your password is stored on a website that stupidly doesn't encrypt the password fields in their database, an attacker will have 2 known sources of data--the password and the website URL--which can be used to reverse engineer the method used to generate the password. Because your "rule" will ostensibly be a static rule, all the attacker has to do is brute force or reverse engineer what that rule is based on the 2 pieces of data they already know, and then EVERY password you've generated using this rule becomes instantly compromised.
Your idea is actually very smart in concept. It's basically how public-key cryptography works. But the reason why most PKI schemes are considered secure is that the "rule" they use is based on a truly random, impossibly large number which makes brute force attacks practically impossible.
That said, if you value complete device/software independence when coming up with your passwords, then your idea is better than nothing. But what happens when a site for which you've generated a password gets compromised because the entire goddamned password file was left unencrypted on their server, and you're forced to change your password for the site? Since the URL for the site won't change, you'll have to come up with a new "rule" to generate your new password. And how will you remember which sites the new rule applies to?
A password manager, you say? Hey, that's not a bad idea!
posted by melorama at 12:43 AM on May 2, 2013
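The comment above makes the case that a memorable rule is recoverable from one (site, password) pair, and that forced password changes break a URL-based rule. The generator nicwolff and hattifattener point to (PwdHash and its ilk) sidesteps both by keying the derivation with a secret. The block below is an added example of that approach; it is not nicwolff's generator and not PwdHash's code. It assumes one high-entropy master secret, the site's registrable domain as the label, and a small "generation" number that is bumped only for a site that forced a change (the generation numbers are not secret and can be kept in a plain list). The `recover_master` function shows what an attacker holding a leaked pair is reduced to: guessing the master.

```python
import base64
import hashlib
from typing import Iterable, Optional

PBKDF2_ROUNDS = 100_000   # makes each master guess cost; raise it if you can afford the delay
SYMBOLS = "!@#$%&*"


def derive_site_password(master: str, domain: str, generation: int = 1, length: int = 20) -> str:
    """Deterministically derive a per-site password from master, domain and generation.

    The domain and generation are the PBKDF2 salt; the master is the password input, so
    the output reveals nothing about the master beyond what brute force can test.
    """
    label = f"{domain.strip().lower()}|{generation}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), label, PBKDF2_ROUNDS, dklen=32)
    text = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    # Reserve the last two positions for a digit and a symbol, both taken from the derived
    # bytes, so "must contain a digit/symbol" rules pass and re-derivation still matches.
    digit = str(raw[-1] % 10)
    symbol = SYMBOLS[raw[-2] % len(SYMBOLS)]
    return text[: length - 2] + digit + symbol


def recover_master(domain: str, observed: str, candidates: Iterable[str],
                   generation: int = 1) -> Optional[str]:
    """The attacker's only move with a leaked (domain, password) pair: guess the master.

    Returns the candidate that reproduces the observed password, or None. The scheme is
    exactly as strong as the master is unguessable; a weak master falls to a wordlist.
    """
    for guess in candidates:
        if derive_site_password(guess, domain, generation) == observed:
            return guess
    return None


if __name__ == "__main__":
    master = "correct horse battery staple"   # example master, assumed high-entropy
    for site in ("metafilter.com", "bankofamerica.com", "nytimes.com"):
        print(site, derive_site_password(master, site))
    # A forced rotation bumps the generation for that one site; the others are unchanged.
    print("nytimes.com, generation 2:", derive_site_password(master, "nytimes.com", generation=2))
```

Two practical notes. The derivation is only as good as the master, so the master is where the Diceware-style entropy belongs; and the site-specific outputs use the URL-safe base64 alphabet plus one digit and one symbol, which most sites accept, but a site with unusual composition rules still needs a per-site exception recorded somewhere, which is the point at which a password manager starts to look attractive again.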
Although "security experts" recommend strongly in favor of different passwords for different web sites, the truth is that most of the password-protected sites you visit are not that important. Using one password for all of the vanilla sites is not such a bad thing.
One rule of thumb I always follow is that I do not visit the sensitive, important sites at all unless I am at home, on my own secure network.
posted by yclipse at 4:17 AM on May 2, 2013
For work-based computers where I didn't want to log into LastPass, and I had to not only change my password on a monthly basis but was banned from writing it down, I used song lyrics. One line of the song per password, capitalising all nouns, and with as many letters switched to numbers as possible. One instance was:
The prophet took my hand on Old Souls Day; He preached the value of deception.
became: tPtmH1oSDHptVoD
The following month, I moved to the next line of the song. So all I had to remember was which song went with which system, and I could do the conversion from lyric to password in my head.
posted by talitha_kumi at 5:32 AM on May 2, 2013 [1 favorite]
If your password is stored on a website that stupidly doesn't encrypt the password fields in thier database, an attacker will have 2 known sources of data--the password and the website URL--which can be used to reverse engineer the method used to generate the password. Because your "rule" will ostensibly be a static rule, all the attacker has to do is brute force or reverse engineer what that rule is based on the 2 pieces of data they already know, and then EVERY password you've generated using this rule becomes instantly compromised.
Is there any known instance of this really happening in the wild, though? I agree in theory that it is possible, but what is the actual risk of someone cracking your passwords this way?
posted by BrashTech at 5:47 AM on May 2, 2013
1Password has an iPhone/iPad app. If I am forced to use a public computer, I look it up on my phone. Honestly, I can't say enough about how good 1Password is.
posted by Silvertree at 8:28 AM on May 2, 2013 [2 favorites]
Isn't it annoying to have to go to the lastpass website or whatever, sign in, and only then get your password to some other website?
For 1Password at least, this is way more than balanced out by the convenience when I'm at my own computer, because autofilling username/password and credit card info is much nicer than entering it manually. Visiting some site I haven't been to in six months where I don't even know if I used my normal username? Click plugin, type master password, click, 1Password automatically logs me in. Logging into any website becomes a matter of muscle memory. And if you set it to stay unlocked (the default is to relock after 20 minutes of inactivity I think), any site you log into after that is even faster. It's surprisingly satisfying to use.
posted by jhc at 8:53 AM on May 2, 2013 [1 favorite]
You might want to consider something like the name of the site, or an obvious word linked to the site's purpose, a verb combination like "runsawayfrom", "smilesat", "makesfriendswith" (although not any of them) and then a 4 digit number which may or may not be your dog's year of birth, 1234 or 2013, for example googlemakesfriendswith1234. You can add capitals to mix it up.
This gives a nice long password which is easily remembered within a couple of tries.
posted by jontyjago at 9:15 AM on May 2, 2013