Sometime in 2008, MySpace had a data breach of nearly 260 million accounts. It exposed passwords that were weakly hashed and forced lowercase, making them relatively easy to crack1. In 2012, Yahoo Voice had a data breach of nearly half a million usernames and unencrypted passwords2. Now you may think to yourself, “I don’t care. I never use my old MySpace or Yahoo account,” but in the case of the Yahoo data breach, 59% of users also had an account compromised in the Sony breach of 2011, and were using the exact same password for both services3!
Using leaked usernames and passwords from one service to attempt to gain entry to other services is known as credential stuffing. People should use a different password for every website or service. Password reuse is one of the major ways online accounts become compromised. For the average person, using a password manager to generate unique passwords for every website and app may seem a bit cumbersome or complicated. But there is another way to have unique passwords for every website; passwords that can easily be remembered, yet are difficult to guess. The solution, often discouraged by security experts, is creating a password algorithm.
Creating a Password System
A password algorithm is simply a set of steps a person can easily run in his or her head to create a unique password for a website or mobile app. This lets people derive a password instead of having to memorize many complex passwords or use a password manager. The algorithm doesn’t have to be very complex. For example, here’s a simple one based on website domain names:
- Take the first three letters in a website’s domain name
- Move one letter backwards for the first two letters (e.g. D would become C, K would become J, A would become Z, etc.)
- Capitalize the 3rd letter
- Add the letters B1a3k (Black with two letters transposed to numbers)
- Add a hash (#)
- Count the number of letters in the domain name of the website and add it
- Add a period
- Count the number of letters in the TLD (e.g .com and .net would be 3, co.uk would be 4, .co would be 2)
With this hypothetical algorithm a Google.com login would be derived like so:
Using the same algorithm, let’s create a password for Penguindreams.org:
Please don’t actually use this specific algorithm. It’s just an example to help you come up with your own, yet I hope you can see the usefulness of the result. With a good password algorithm, you can consistently generate long passwords, with special characters, that are unique for every website and service, and are difficult to guess yet easy to derive. Algorithms may seem overwhelming at first, but once you come up with a solid one and start to use it, passwords become easier and easier to derive or recall. For the most common websites you use, you will begin to memorize those specific passwords over time without having to derive them.
If you want to store these password for reference, use a password manager which fully encrypts all your passwords using a highly secure master password. If you want to use something simpler like a spreadsheet, don’t save the actual password, but instead simply store the name of the website, app or service, along with a name for the password algorithm, which should have nothing to do with the algorithm itself. You can also have a notes field for exceptions, for example a website which doesn’t allow your special character or has other odd password requirements. Since changing password algorithms can be a difficult and intense process, choosing a good initial algorithm is important. Here are some general points for designing your password structure:
- Create an algorithm that will always generate a long password, preferably over twelve characters in length.
- Your algorithm should always generate complex passwords. Try to include at least one number, one capital letter and one special character.
- Try to come up with a system that is easy for you to remember, but would require considerable amount of time and several compromised passwords to figure out.
- Your algorithm should make sense to you, but the resulting password should appear similar to a randomly generated one in case it’s compromised by an attacker.
- Don’t ever explain your password algorthim to anyone, not even family members. Keep it safe and secure.
- If you need to dilvulge a password to someone, be sure to change it afterwards. You can come up with an algorthim to rotate your passwords for systems where they expire (e.g. by adding an incrementing number in the middle).
Why Not to use Password Algorithms
A good password system allows for different password for every service one uses, without the need for looking them up in a password manager, web browser extension or mobile app. However, they’re not commonly encouraged within the security industry because they do have several weaknesses.
- If someone is specifically targeting you and gets a hold of several passwords, a weak algorthim could allow an attacker to reverse engineer your system and find their way into your other accounts.
- A weak algorthim that doesn’t produce enough characters could lead to passwords that can be easily cracked upon data breaches.
- Many sites have odd password requirements and may not accept long passwords or special characters used in your algorthim, leading to having to note and remember many exceptions.
- Changing a password algorthim can be tedious if and when it needs to be done.
Having a spreadsheet of sites and their algorthims can help if you ever need to replace your algorthim. I personally have had three different algorthims throughout my life. I tend to only change a password to a new algorthim on sites I use commonly. If I discover an old system using an older algorthim, I’ll immediately change it and note it in my spreadsheet. A disadvantage of storing all this data in a spreadsheet is that if an attacker gets access to that document, they do now have a list of sites where you have an account, even if they don’t know any of your passwords. A more secure alternative to a spreadsheet is using a password manager, not nescesserally for the passwords themselves, but just the name, and possible exceptions, for each algorthim.
Security questions are another area where one needs to be careful. Many people have seen posts on social media asking people to list the street they grew up on and their first car, making that their “stripper name”. The results may seem comical, but they are also giving others access to potential security question answers. It’s best to use passwords for your security questions as well, either randomly generated via a password generator, or using another algorthim.
Unfortunately, even using passwords for security question answers may not mitigate all risks. A common trick in social engineering is to call a customer service representative. When asked a security question, an attacker may simply say, “I just typed in random characters,” if they know you use passwords for security questions. Some security experts recommend prefixing answers with something similar to “Accept only this exact string. It is a password: xdfge$#0,” although some websites will not allow you to put spaces or long strings in security quetion answers. I remember one time, when I was at a bank teller opening an account, the attendant asked, “Your mother’s maiden name has numbers in it?” to which I replied, “You use real answers for security questions instead of passwords? Aren’t you worried about identiy theft?”
There are no really good answers to security questions. You should pick a concept, either using generated passwords from a password manager or a unique security question algorthim, to try and mitigate attacks based on security questions and password resets. However be aware that good social engineering and talking to customer service representatives can potentially compromise accounts, even those with carefully crafted security question answers and two factor authentication.
When someone uses your information to create accounts or access existing accounts based on your credentials, it’s not simply identity theft. It’s outfright fraud. Strong passwords alone won’t protect you entirely, but they do go a considerable way to mitigating the potential damage from hackers. Security works in layers, and adding two-factor authorization, keeping e-mail addresses up to date and checking e-mail for account alerts can all help add layers of protection to keep your online presence secure.
Hacker Tries To Sell 427 Milllion Stolen MySpace Passwords For $2,800. 27 May 2016. Franceschi-Bicchierai. Motherboard. ↩
What do Sony and Yahoo! have in common? Passwords!. 12 July 2012. Troy Hunt. ↩