Archive for April, 2013

Password Security

April 24th, 2013

The Associated Press had their Twitter account hacked and someone posted a breaking news tweet stating that there had been two explosions at The White House and that Barack Obama was injured. It was retweeted widely and had an immediate impact on the US share market.


So attention turns to how such things happen – the easy answer is, probably, poor password security. Or at least that’s how it happens to most people – we reuse passwords on multiple sites because that’s the easiest thing to do. The risk, of course, is that once a password is stolen from any one of those sites our security is potentially threatened on all the other sites we use.

Then how do we avoid that risk? It’s easy – don’t use the same password on multiple websites. But that’s a problem because how many passwords, especially “good” ones, can we actually remember?

There are two approaches – one is to use a product like 1Password which will store random passwords for every site you use, you never even need to know them. The other commonly recommended option it to have tiered passwords – a throw away password for sites you don’t really care about, a more secure one for you social media accounts perhaps, another that you use for sites like TradeMe and PayPal, and then a totally separate one for you email accounts. This concept is outlined, for example, by the MIT Technology Review.

The first is good and very secure. But I don’t like it. It requires that I either use a third-party app or website to store everything – and I have to then access that app or site whenever I want to login to a website. It makes it difficult to get to my accounts on someone else’s computer, for example.

The second doesn’t reduce the risk, it just compartmentalises it. If you follow that regime then when someone hacks your Facebook password they will also have your Twitter, LinkedIn and Tumblr passwords. Sure it means that attacks of the softest targets (message boards, blogs etc) aren’t going to let people get into your email, but that’s only a little bit better.

A Better Way

I don’t remember where I saw this idea first, but it made a lot of sense to me and I’ve been using it ever since.

Use a different password on (almost) every website, but remember them all. Easy, right?

Here’s how it works… Make up a moderately secure base password (letters, numbers, some symbols maybe – not a word) that you’ll be able to remember. Within that password you have a couple of variables that change for every website you visit.

Let’s imagine your chosen password was P4s$w0rD (not actually a great example) – you’d then decide to add variables at the beginning and the end perhaps, so now it’s xP4s$worDx – where x will change on each site. Now you decide how to determine your variables – maybe you pick the 1st and 3rd letters of the domain. So for Twitter you password is tP4s$w0rDi and on Facebook it’s fP4s$worDc – you’re remembering a password and a function for modifying it and you’re getting a password that’s unique to (almost) every site you use.

You can then also add tiers to this – have a different base password and method for different types of sites perhaps.

The only risk now is that someone gets at least two of your password and actively compares them to attempt to determine your methodology. Depending on your base password and method this could make it possible to guess the password you’d use on a third site, but it’s fairly unlikely you’d be targeted to that degree.

To combat that problem you could also add complexity to your password creation method – use 1st and 3rd letters for sites starting with A-M and 2nd and 4th letters for sites starting with N-Z for example. You can make it as complex as you like – all you have to remember is how to modify your base password for a given website.