-----
isHidden: false
menupriority: 1
kind: article
created_at: 2011-05-18T13:14:28+02:00
title: 40-character passwords
author_name: Yann Esposito
author_uri: yannesposito.com
tags:
- password
- security
-----
blogimage("main.png","Title image")
begindiv(intro)
%tldr How I have been managing my passwords safely and successfully for some years now.
**`sha1( password + domain_name )`**
I memorize only one password.
I use a different password on every website.
enddiv
Disclaimer: this is an unashamed attempt to make you download my iPhone app ;-).
Still here?
Even if you won't download my app, you should read on.
My method does not require my app.
It is both safe and easy to use every day.
If you just want to _use_ the tools without trying to understand why the method is safe, jump to the [end of this article by clicking here](#in-practice).
## Why should you use a Password Manager?
> Even the paranoid can have enemies.
Imagine you find a really good password. You use it on GMail, Amazon, PayPal, Twitter, Facebook...
One day you see a nice online game you want to try.
They ask you for your email and a password.
A few weeks pass, and the host machine of this online game is hacked.
Your email and password are now in bad hands.
Unfortunately for you, you use the same password everywhere.
So the attacker can simply try your password everywhere.
On PayPal, for example.
Well now, how could we fix that?
## Which methodology?
> the good, the bad _&_ the ugly
The most common method is to remember a small set of different passwords.
In the best case, you remember about 13 passwords.
Some strong, some weak.
What to do if you use more online services
than your memory can handle?
A _bad_ solution would be to
choose passwords like this:
- twitter: `P45sW0r|)Twitter`
- gmail: `P45sW0r|)gmail`
- badonlinegame: `P45sW0r|)badonlinegame`
Unfortunately, if someone gets your password on
badonlinegame, they could easily find your other passwords.
Of course you can imagine some better transformation. But it is hard to find a very good one.
Fortunately, there exist functions that handle exactly this problem:
_hash functions_.
Knowing the output of a hash function, it is difficult to recover its input.
For example:
<code class="zsh">
hash("P45sW0r|)") = 9f00fd5dbba232b7c03afd2b62b5fce5cdc7df63
</code>
If someone has `9f00fd5dbba232b7c03afd2b62b5fce5cdc7df63`,
they will have a hard time recovering `P45sW0r|)`.
Let's choose SHA1 as the hash function.
Now the password for any website should be
of the form:
<code class="zsh">
sha1( master_password + domain_name )
</code>
Where:
- `master_password` is your unique master password,
- `domain_name` is the domain name of the website you want the password for.
---
But what about website constraints?
For example, on the length of the password?
What to do if you want to change your password?
What to do if you need digits or special characters?
This is why, for each website, I need some other parameters:
- the login name,
- the password's length,
- the password number (in order to change it),
- the output format: hexadecimal or base64.
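As an added example (not the author's YPassword or getpass code, whose exact input layout the page does not give), here is a Python implementation of the scheme described above: SHA1 over the master password and the domain name, truncated to the requested length, with the password number and the output format as the extra per-site parameters. How the password number enters the hash is an assumption: it is appended to the input only when it is greater than 1, so number 1 yields exactly `sha1( master_password + domain_name )`. The login name is kept in the per-site record only, since the page does not say it enters the hash.

```python
import base64
import hashlib

# Upper bounds implied by the digest size: SHA1 is 20 bytes, i.e. 40 hex
# characters or 28 base64 characters (27 if the trailing '=' is excluded).
MAX_LENGTH = {"hex": 40, "base64": 27}


def derive_password(master_password: str, domain_name: str, length: int = 10,
                    number: int = 1, output: str = "hex") -> str:
    """Return sha1(master_password + domain_name), encoded and truncated.

    ``number`` is the page's "password number", used to rotate one site's
    password without touching the master password. Assumption (not stated on
    the page): it is appended to the hashed input only when it is greater
    than 1, so the default reproduces the page's bare formula exactly.
    """
    if output not in MAX_LENGTH:
        raise ValueError("output must be 'hex' or 'base64'")
    if not 1 <= length <= MAX_LENGTH[output]:
        raise ValueError(f"length must be between 1 and {MAX_LENGTH[output]} for {output}")
    if number < 1:
        raise ValueError("password number starts at 1")

    material = master_password + domain_name
    if number > 1:
        material += str(number)  # assumed layout for rotated passwords
    digest = hashlib.sha1(material.encode("utf-8")).digest()

    if output == "hex":
        encoded = digest.hex()
    else:
        encoded = base64.b64encode(digest).decode("ascii")
    return encoded[:length]


def site_entry(login: str, domain_name: str, length: int = 10,
               number: int = 1, output: str = "hex") -> dict:
    """The per-site record the page lists: everything except the master
    password, so it can be stored in the clear and shared between tools."""
    return {"login": login, "domain": domain_name, "length": length,
            "number": number, "output": output}


def password_for(master_password: str, entry: dict) -> str:
    """Derive the password for a stored site entry."""
    return derive_password(master_password, entry["domain"], entry["length"],
                           entry["number"], entry["output"])


if __name__ == "__main__":
    # Constructed sample: one master password, three sites, one of them rotated.
    master = "P45sW0r|)"
    entries = [
        site_entry("me", "twitter.com"),
        site_entry("me@example.com", "gmail.com", length=16, output="base64"),
        site_entry("me", "badonlinegame.com", number=2),
    ]
    for e in entries:
        print(f"{e['domain']:<20} #{e['number']}: {password_for(master, e)}")
```

Unlike the `P45sW0r|)Twitter` scheme above, the three derived passwords share no visible structure, and the `badonlinegame.com` one can be rotated by bumping its number while the other two stay unchanged. Note what the per-site record makes explicit: the domain, length, number and format are all public, so the master password is the only secret in this scheme, and since SHA1 is fast to compute its strength rests entirely on that master password. This is the reason the closing remark of the article about shorter derived passwords matters.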
## In practice?
Depending on my situation, here are the tools I made _&_ use:
- On my Mac:
    - I use the dashboard widget [YPassword](http://yannesposito.com/Scratch/files/YPassword-1.7.zip)
    - Sometimes pasting into a password field is forbidden. For times like this, I use this AppleScript tool: [ForcePaste](http://yannesposito.com/Scratch/files/forcePaste.app.zip).
- On my Linux box: I use the script [ypassword](http://github.com/yogsototh/getpass)
- On my iPhone: I use the [YPassword app](http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=436268354&mt=8)
- On any other computer:
    - [Cappuccino Made YPassword](http://yannesposito.com/Scratch/en/softwares/ypassword/web/) Web application
    - [jQuery Made YPassword](http://yannesposito.com/Scratch/en/softwares/ypassword/iphoneweb/) Web application
My passwords are one copy/paste away on every environment I use. I have some services for which I have 40-character passwords.
Now I use 10 characters for most of my passwords.
Furthermore, using shorter passwords makes it even harder for an attacker to retrieve my master password.
I would be happy to hear your thoughts on using this methodology.