Domain Name Password Hash

What do you need from a modern password?

  1. Easy to remember
  2. Hard for someone else / a computer to guess
  3. Different for each website (because if you use the same password it’s great for crackers (criminal hackers) but bad for you)
  4. Passes most of the pointless requirements websites make of you

This solution meets all the requirements above, but cheats by changing number 1 from “Easy to remember” to “Easy to calculate”.

3 setup steps:

  1. Pick 3 different numbers between 1 and 9
  2. Pick a punctuation mark
  3. Pick a sentence of 9 longish words, preferably each with 6 or more characters.  To remember it, it helps to weave a story round them

So let’s say we choose the numbers 4, 2 and 1, a ! for punctuation, and for the sentence:

brazil forest aeroplane cumulus jupiter descend runway london hackney

These are all you need to remember.  NEVER WRITE THESE DOWN ANYWHERE (except maybe on a bit of paper you keep somewhere very secure and then set fire to as soon as you have remembered them all).  Now make a Google spreadsheet or equivalent, like this example, which only records what email address/username you used and for which website.

Calculating your password

Take the domain name of your website.  Say you’re logging in to https://hotmail.com/inbox: the domain is hotmail.  The aim is to first convert hotmail and your 3 numbers into another 3 numbers.

So take your first number, 4, and count that many letters into hotmail.  This gives you m, which when you look it up in the alphabet lookup table gives you 5.  Do the same with your next number, 2: this is o in hotmail, which is 6.  Finally 1 is h, which is 3.  So you have 523.

Finally, 523 is Jupiterforest!3.  You use the first two numbers to take the words from your 9-word sentence, make one letter a capital, then put on your punctuation, add the remaining number, and you have passwords for all your sites which are:

  1. Easy to calculate (rather than remember)
  2. Hard for someone else to guess
  3. Different for each website
  4. Passes most of the silly requirements

I can usually do this in my head, without the lookup table, in under 30 seconds.  It’s not as fast as some of the other solutions out there like LastPass.  The advantage is I’m relying solely on my brain to remember one easy-to-remember, long master password rather than putting all my eggs in one basket with another company.  In fact I can write that master password now (not that you’d ever do this…right?…!) after having made it just 10 minutes ago and only seeing it once.  I’d like to go to Brazil to see the forest, and when I fly back in an aeroplane through cumulus cloud it’d be great to see Jupiter in the sky before I land on the runway in London and go back to Hackney.  Damn, missed one word.  Ah, forgot descend!  Well, you’ll get it pretty quickly.

Mixing it up (aka making it harder for others/computers to guess)

You can choose more than 3 numbers if you want more words in your passwords (great!).

You can put the number, punctuation and capital somewhere else.  I put them in the middle / end because I have found some *very* silly requirements where the password has to start with a letter and nothing else… no idea why.

You can have one or more of the numbers count from the end of the word backwards, so if 3, 2 and 1 were all “backward” numbers, then from hotmail.com they’d pick a, i and l.

You can have more (or fewer… not recommended) words in your sentence and just change the alphabet lookup.  The most extreme would be 26 words, one per letter, but that would initially be pretty hard to count through in your head.

Edge cases

What if you produce the same number from looking up a letter?  For example, if your numbers were 1 2 3 and you had the domain abc.com, then a, b and c are all 1.  In this case it’s perfectly safe to just write Brazilbrazil!1.  Alternatively you can add 1, so 111 becomes 123 (again).  You could of course add or subtract, and you could choose a number other than 1.  If you had 446 and you chose to subtract 5, the second 4 would loop back round the top to become 9, so it’d be 496.

What if you run out of letters in your domain name?  Take abc.com again: if you had 124, you can loop the 4 back round to the start, i.e. treat the domain name as if it were abcabc…, so the 4th letter is a, the 5th is b, the 6th is c, etc.
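As an added example (not from the post), here is the whole recipe from “Calculating your password” in Python, including the two edge cases above: duplicate digits and running past the end of the domain name.  The post’s alphabet lookup table is not reproduced, so the table here is a constructed even split of the alphabet, which is why the digits it produces for hotmail differ from the post’s 523; the duplicate shift wraps strictly within 1..9, so 4 minus 5 lands on 8 where the post’s 446 example counts round to 9.

```python
# Constructed lookup table: an even split of the alphabet into nine groups,
# one per word position.  The post's own table is not shown, so this is an
# assumption; swap in your own table to reproduce your own passwords.
LETTER_GROUPS = ["abc", "def", "ghi", "jkl", "mno", "pqr", "stu", "vwx", "yz"]
LETTER_VALUE = {ch: i + 1 for i, grp in enumerate(LETTER_GROUPS) for ch in grp}

# Constructed sample sentence, the one the post uses for its walkthrough.
WORDS = ["brazil", "forest", "aeroplane", "cumulus", "jupiter",
         "descend", "runway", "london", "hackney"]


def wrap(n, size=9):
    """Fold any integer onto 1..size, so 10 -> 1, 0 -> 9 and -1 -> 8."""
    return (n - 1) % size + 1


def domain_digits(domain, picks, step=1):
    """One digit per chosen position, counted into the bare domain name.

    Positions past the last letter loop back to the start, i.e. 'abc' is
    read as 'abcabc...'.  A digit that already appeared is shifted by
    `step` (wrapping within 1..9) until it is unique, so 111 becomes 123;
    step=0 keeps the duplicates, which the post also allows (Brazilbrazil!1).
    """
    digits = []
    for pos in picks:
        digit = LETTER_VALUE[domain[(pos - 1) % len(domain)].lower()]
        while step and digit in digits:
            digit = wrap(digit + step)
        digits.append(digit)
    return digits


def derive_password(domain, picks, punctuation, step=1, words=WORDS):
    """All but the last digit choose words (the first one capitalised), then
    the punctuation mark and the last digit are appended."""
    digits = domain_digits(domain, picks, step)
    chosen = [words[d - 1] for d in digits[:-1]]
    chosen[0] = chosen[0].capitalize()
    return "".join(chosen) + punctuation + str(digits[-1])


if __name__ == "__main__":
    # With the constructed table, hotmail's m/o/h give 5, 5 -> 6, 3.
    print(derive_password("hotmail", [4, 2, 1], "!"))      # Jupiterdescend!3
    print(derive_password("abc", [1, 2, 3], "!", step=0))  # Brazilbrazil!1
```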

What if your password still isn’t being accepted?  Hopefully these will be very much in the minority.  Use the notes column to say “no capitals allowed”, “no more than 10 letters” or maybe even hint at part of your password: “use other punctuation”.  Once I stored a temporary password in clear text in the spreadsheet, but this was only for an account I didn’t care about and wouldn’t pose any risk if someone else had access to it (they couldn’t buy anything or pretend to be me to someone else, etc.).

What happens if you want to, or have to, change your password?  I have a column saying “password”, and if the sentence is the same but my chosen numbers are different then I write 1.b or 1.c to indicate the different numbers.  You have more to remember, but typically I only change one of the numbers.  One trick with websites that force you to change your password is to change it to something else and then change it back to the first entry (unless of course they’re asking you to change it because they have been broken into… then you might want to actually change it to something different).


Let me know how you get on!  Remember this won’t guarantee you 100% security but it should help you improve it and I hope you find it as useful as I have.  Cheers 🙂


p.s. There was going to be a rant on here where I listed the websites that had ridiculous password requirements, but there were so many, and of such staggering “bizzarity”, that it was longer than the actual article.  I decided to include only the highlights in the hope of shaming these organisations into improving:

justhost.com’s password generator produces suggestions like “idIoms bottl3$ merit luCk” and “o7BFBqDAh@w”

The UK DVLA actually wants you to make easier passwords: for example, name9name$ is invalid, but removing the number makes it valid?!

United Kingdom government authentication gateway website, which is as important as it sounds, limits your password to no more than 12 characters.  Incredible.
