The Best Password Database: Your Mind

In the wake of Heartbleed, one particularly interesting side effect kept surfacing: users of LastPass were encouraged to regenerate all "important" (read: all) passwords. 1Password, on the other hand, announced that it wasn't affected. I think it's great that these password security options are promoting good practices. That said, OpenSSL's bug today is AgileBits' (1Password's maker) bug tomorrow. A password manager is still software, and it is inevitable that it will have a vulnerability of its own someday.

The Solution

I don't remember where I first heard about the first version of this trick, but it is possible to derive human-memorable, reasonably strong passwords from the name of the website or app in question. Taking that one step further, if we build those passwords from a small set of easy-to-remember building blocks, we can even write the recipe for each password down without writing down the password itself!

Here's how it works. Let's say we want a new password for Facebook (which, according to this tool, is "either fixed or unaffected"). Since this is the first password we're making, we first need some building blocks. Let's make a building block called name. Instead of just being the name, "Facebook", let's make it the name reversed: "koobecaf". Then let's add a second building block, salt, that is a constant string of letters, the same for every site: "heartbleed".

Only the names of the building blocks get written down; what each one means stays in your head. In our Password List, then, we'd write:

Facebook = name + salt

Anyone could read that and still not recover the password, as long as they don't know what name means or what the salt is. Keep in mind that the secrecy of every entry rests on those two pieces: the salt is the same in all of them, so if one site leaks your password in plaintext (or you type it into a phishing page) and the list is readable, all that is left for an attacker is guessing how name is derived. Against plain brute force, "koobecafheartbleed" is 18 characters long, which is great. According to this tool by Dropbox (zxcvbn), the password would take "centuries" to crack, though that estimate assumes the attacker doesn't know the construction. That's secure enough for me.
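To make the scheme concrete, here is an added example (not the post author's own tooling) that evaluates a written-down list in the post's "Site = block + block" notation. The two block definitions, name as the site name reversed and salt as the constant "heartbleed", are the ones the post gives; the parser, the extra Twitter and GitHub entries, and the recover_salt check that shows what a single plaintext leak exposes are this example's own constructions.

```python
"""Evaluating a building-block password list of the kind the post describes.

Added example; not the post author's tooling. The two block definitions
(name = the site name reversed, salt = the constant "heartbleed") are the
ones the post gives. The list parser, the extra entries and the
salt-recovery check are this example's own constructions.
"""
from typing import Callable, Dict, List

# Secret part: what each block name means. This table is what the post says
# to keep in your head; only the list below is meant to be written down.
BLOCKS: Dict[str, Callable[[str], str]] = {
    "name": lambda site: site.lower()[::-1],  # "Facebook" -> "koobecaf"
    "salt": lambda site: "heartbleed",        # constant, same for every site
}

# Public part: the written-down list, in the post's "Site = block + block"
# notation. Constructed sample input; only the Facebook line is from the post.
PASSWORD_LIST = """
Facebook = name + salt
Twitter = name + salt
GitHub = salt + name
"""


def parse_list(text: str) -> Dict[str, List[str]]:
    """Map each site to its ordered list of block names; blank lines are skipped."""
    recipes: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        site, _, rhs = line.partition("=")
        recipes[site.strip()] = [block.strip() for block in rhs.split("+")]
    return recipes


def build_password(site: str, recipe: List[str],
                   blocks: Dict[str, Callable[[str], str]] = BLOCKS) -> str:
    """Concatenate the blocks named in the recipe, each evaluated for this site."""
    return "".join(blocks[name](site) for name in recipe)


def all_passwords(text: str,
                  blocks: Dict[str, Callable[[str], str]] = BLOCKS) -> Dict[str, str]:
    """Evaluate every entry of a written-down list."""
    return {site: build_password(site, recipe, blocks)
            for site, recipe in parse_list(text).items()}


def recover_salt(site: str, leaked: str, recipe: List[str],
                 guessed_blocks: Dict[str, Callable[[str], str]]) -> str:
    """The caveat: salt is constant, so one plaintext leak plus the readable
    list gives it away. An attacker who has guessed how `name` is derived
    (passed in as guessed_blocks) strips the known parts around the salt's
    position in the recipe; whatever is left is the salt."""
    i = recipe.index("salt")
    prefix = "".join(guessed_blocks[name](site) for name in recipe[:i])
    suffix = "".join(guessed_blocks[name](site) for name in recipe[i + 1:])
    if not (leaked.startswith(prefix) and leaked.endswith(suffix)):
        raise ValueError("leaked password does not fit the recipe")
    return leaked[len(prefix):len(leaked) - len(suffix)]


if __name__ == "__main__":
    passwords = all_passwords(PASSWORD_LIST)
    for site, pw in passwords.items():
        print(f"{site:10} {pw}  ({len(pw)} chars)")

    # Simulate a plaintext leak of the Facebook password with the list readable.
    attacker_blocks = {"name": BLOCKS["name"]}   # attacker guessed the reversal
    salt = recover_salt("Facebook", passwords["Facebook"],
                        ["name", "salt"], attacker_blocks)
    attacker_blocks["salt"] = lambda site: salt
    print("recovered salt:", salt)
    print("Twitter password derived by attacker:",
          build_password("Twitter", ["name", "salt"], attacker_blocks))
```

Running it prints the three passwords (the Facebook one is the 18-character "koobecafheartbleed" from the post) and then shows that, once the Facebook password and the list are both in an attacker's hands, the Twitter entry follows without any brute force at all. Whatever strength a meter reports for the individual string, the list as a whole is only as strong as the secrecy of the name transform and the salt.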

Tips

Example

Here is a sample of my actual password list, albeit pre-Heartbleed. It only uses three building blocks over seven passwords. (The whole list has seven building blocks, half of which are one-offs for weird password restrictions, over 48 passwords.)

AppSumo: ALG + ALT_SALT
BattleNet: ALG + ALT_SALT / 2
Coursera: ALG + SALT
DigitalOcean: ALG + SALT
Evernote: ALG + ALT_SALT
Evolve: ALG
Facebook: ALG + SALT