Protect Yourself with Password Recipes

Are you now more wary about your passwords after the Gawker incident? Good. The lesson is simple: if you supply a password to a website, expect it to get stolen. Malicious hackers succeed at getting user passwords all the time, and user data breaches are almost never as public as what happened to Gawker. But if you follow two simple rules, you’ll be able to protect yourself from greater damage when the inevitable FAIL happens.

Rule #1: Don’t supply a password if you don’t have to. Many sites today offer registration via pre-existing accounts with Facebook, Google, or Twitter. Take advantage of those. UPDATE: In February 2013, Twitter itself was compromised, but the method described below would have protected you against that attack.

Rule #2: When you do have to supply a password, you should always create a unique password for every single site. That way, if your password gets stolen from one site (and it will), only your account with that site will be compromised. Furthermore, your unique password should not contain any word in any language. It should be a nonsensical series of letters, numbers, and punctuation. Otherwise, attackers can guess your password through dictionary or brute-force attacks.

The lazy way to accomplish Rule #2 is through a password manager like 1Password or my personal favorite, LastPass. I prefer LastPass because it’s a simple browser extension and it’s free, while 1Password is a $40 desktop app. Both will generate unique, one-time passwords for your accounts, and store them securely. Of course, you still need a “master password” for those apps.

But I prefer managing passwords the old-fashioned way: using my mind. I don’t like completely relying on an app I may not have access to on the various devices I want to use.

So how do you generate a unique yet memorable password that’s unguessable by man and machine? Come up with your own password recipe for constructing a password based on the website’s domain name. To make this concrete, walk through this example with google.com:

  1. There are 6 letters in “google” (the secondary-level domain), and 3 letters in “com” (the top-level domain). Multiply 6 by 3 to get 18. 18 is the first part of the password.
  2. Now come up with a phrase you’ll remember, like “All’s well that ends well”. Take the first letter of each word to build the second part of your password, awtew. Note that this step has nothing to do with the website’s domain name, which is completely fine.
  3. The next part of the password will be based on the “google” part of the domain name again. This time, we’ll take all the consonants and capitalize them: GGL.
  4. Last, let’s subtract the 3 letters in “com” from the 6 letters in “google” to get 3. That’s the final part of the password.

So our password for Google would be 18awtewGGL3. Our password for Yahoo.com would be 15awtewYH2, while LifeHacker.com would have the password 30awtewLFHCKR7. But of course, come up with your own recipe; don’t use the one above.

The idea is that you memorize four or five steps to build a unique but reconstructable password. Here are more ideas for individual steps for your password recipe:

  • Choose different punctuation for different top-level domain names. % for .com, @ for .org, ! for .net, ^ for everything else.
  • Pick out the first or second letter/consonant/vowel from the secondary-level domain name, and capitalize it or repeat it a couple times.
  • Apply math in different ways. Multiply the number of vowels by your lucky number, then add 13. Or use division to come up with a remainder.
  • Come up with a nonsense word to always use, but make sure it’s not in the dictionary or discoverable via Google. This is effectively the same as taking the first letter of each word from a longer phrase.
  • Determine some universal rules that will make guessing your password even less likely. If the letter “a” is to be used, always use a capital “V” instead.
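To show that a recipe really is a repeatable function of the domain name, here is an added example (not code from the original post) that implements the four-step google.com recipe above as a list of small, composable steps, and then shows two of the extra ideas from the list: choosing punctuation by top-level domain and a universal letter substitution. The domain splitting assumes a plain two-label ending like `example.com` (country-code suffixes such as `co.uk` are not handled), and it strips a leading `www.` so that both spellings of a site produce the same password; both of those are my assumptions, not part of the post.

```python
"""Password-recipe builder: an added illustration of the article's technique.

A recipe is an ordered list of steps. Each step receives the secondary-level
domain (e.g. "google") and the top-level domain (e.g. "com") and returns one
fragment of the password; the fragments are concatenated in order.
"""

VOWELS = set("aeiou")


def split_domain(domain: str) -> tuple[str, str]:
    """Return (secondary-level label, top-level label) for a hostname.

    Assumption: a simple two-label suffix such as example.com. Leading "www."
    is ignored so that www.google.com and google.com give the same result.
    """
    labels = domain.strip().lower().split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    if len(labels) < 2:
        raise ValueError(f"expected something like example.com, got {domain!r}")
    return labels[-2], labels[-1]


# --- Steps from the article's worked example -------------------------------

def step_length_product(sld: str, tld: str) -> str:
    """Step 1: letters in the SLD times letters in the TLD (6 * 3 = 18)."""
    return str(len(sld) * len(tld))


def step_phrase_initials(phrase: str):
    """Step 2: first letter of each word of a memorised phrase (awtew).

    This step ignores the domain entirely, exactly as the article notes.
    """
    initials = "".join(word[0].lower() for word in phrase.split())

    def step(sld: str, tld: str) -> str:
        return initials

    return step


def step_upper_consonants(sld: str, tld: str) -> str:
    """Step 3: the SLD's consonants, capitalised (GGL)."""
    return "".join(c.upper() for c in sld if c.isalpha() and c not in VOWELS)


def step_length_difference(sld: str, tld: str) -> str:
    """Step 4: letters in the SLD minus letters in the TLD (6 - 3 = 3)."""
    return str(len(sld) - len(tld))


# --- Extra step ideas from the bullet list ---------------------------------

def step_tld_punctuation(sld: str, tld: str) -> str:
    """Punctuation chosen by TLD: % for .com, @ for .org, ! for .net, ^ otherwise."""
    return {"com": "%", "org": "@", "net": "!"}.get(tld, "^")


def apply_substitutions(password: str, rules: dict[str, str]) -> str:
    """Universal rule applied to the finished password, e.g. every "a" becomes "V"."""
    return "".join(rules.get(c, c) for c in password)


def build_password(domain: str, steps) -> str:
    """Run every step of the recipe against the domain and join the fragments."""
    sld, tld = split_domain(domain)
    return "".join(step(sld, tld) for step in steps)


# The recipe exactly as described in the article.
ARTICLE_RECIPE = [
    step_length_product,
    step_phrase_initials("All's well that ends well"),
    step_upper_consonants,
    step_length_difference,
]

# A hypothetical variant that prepends the TLD punctuation idea.
VARIANT_RECIPE = [step_tld_punctuation] + ARTICLE_RECIPE


if __name__ == "__main__":
    for site in ("google.com", "yahoo.com", "lifehacker.com", "www.google.com"):
        print(f"{site:20} -> {build_password(site, ARTICLE_RECIPE)}")
    print("wikipedia.org (variant) ->", build_password("wikipedia.org", VARIANT_RECIPE))
    print("with a->V rule          ->",
          apply_substitutions(build_password("google.com", ARTICLE_RECIPE), {"a": "V"}))
```

Running it reproduces the three passwords given in the post (18awtewGGL3, 15awtewYH2, 30awtewLFHCKR7) and, because each step is a pure function of the two domain labels, the same domain always yields the same password, which is the repeatability the recipe depends on.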

So that’s all there is to it: Come up with your own recipe for constructing passwords based on the domain name of the site. Make sure it’s repeatable and consistent – your formula should always produce the same password for the same domain.

I’ve been using this technique since 2005, when Steve Gibson recommended it on episode #5 of Security Now. Steve called it the “Personal Password Policy”, but I like the phrase “password recipe” better. Speaking of Steve, watch him review LastPass earlier this year. I personally use LastPass to remember my passwords, but I don’t let it generate passwords for me – that’s what my password recipe is for.
