In the wake of Heartbleed, one particularly interesting side effect kept surfacing: users of Lastpass were encouraged to regenerate all “important” (read: All) passwords. 1Password, on the other hand, announced that they weren’t affected. I think it’s great that these password security options are promoting good practices. That said, OpenSSL’s bug today is Agile’s bug tomorrow. It’s still software, and it’s inevitable for it to become vulnerable someday.
I don’t remember where I first heard about the first version of this trick, but it’s possible to make human-memorable, secure passwords from the website or app in question. Taking that one step further, if we build those passwords from a set of easy-to-remember building blocks, we can even write those passwords down!
Here’s how it works. Let’s say we want to make a new password for Facebook (which, according to this great tool, is “either fixed or unaffected”). Since this is the first password we’re making, we’ll first need some building blocks. Let’s make a building block called name. Instead of just being the name, “Facebook”, let’s make it the name reversed, “koobecaf”. To add to that, let’s make a second building block, salt, that’s a constant group of letters: “heartbleed”.
The names of the building blocks can be written down, though their meaning remains secret. In our Password List, then, we’d write:
Facebook = name + salt
Anyone could read that, and never guess the actual password. Not only do they not know what to do with name, but they don’t know what the salt is. Even if they attempted to break the password by brute force, the password is 18 characters long, which is great. According to this tool by Dropbox, the password would take “centuries” to crack. That’s secure enough for me.
- Always use at least two building blocks per password.
- Never use the websites name exactly. Change it somehow. Take only the first six letters, reverse it, translate it into French. Just don’t use the site’s name by itself.
- Have as few building blocks as possible, since they’re what you actually have to remember.
- Store your passwords someplace easily accessible. Even though it’s always a bad idea to write passwords down, you’re not writing down the password, just the building blocks needed to figure it out. So write them down on Post-its, put them in a notebook, store them in your Notes app on your phone, whatever it takes.
- A “salt” like I showed above is highly recommended. They’re easy to remember, and they can add a lot of security to a password.
- Some websites don’t allow long passwords. In that case, you’ll have to use shorter building blocks.
- Feel free to throw in other operators for those blocks, too. For example, one of my pre-Heartbleed passwords was
ALG + ALT_SALT / 2. That means it was the
ALGblock, then the first half of the
Here is a sample of my actual password list, albeit pre-Heartbleed. It only uses three building blocks over seven passwords. (The whole list has seven building blocks, half of which are one-offs for weird password restrictions, over 48 passwords.)
AppSumo: ALG + ALT_SALT BattleNet: ALG + ALT_SALT / 2 Coursera: ALG + SALT DigitalOcean: ALG + SALT Evernote: ALG + ALT_SALT Evolve: ALG Facebook: ALG + SALT