307 lines
No EOL
13 KiB
HTML
307 lines
No EOL
13 KiB
HTML
<?xml version="1.0" encoding="utf-8"?>
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
|
|
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
|
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
|
|
|
|
|
|
<meta name="keywords" content="password, security">
|
|
|
|
<link rel="shortcut icon" type="image/x-icon" href="/Scratch/img/favicon.ico" />
|
|
<link rel="stylesheet" type="text/css" href="/Scratch/assets/css/main.css" />
|
|
<link rel="stylesheet" type="text/css" href="/Scratch/css/twilight.css" />
|
|
<link rel="stylesheet" type="text/css" href="/Scratch/css/idc.css" />
|
|
<link rel="alternate" type="application/rss+xml" title="RSS" href="http://feeds.feedburner.com/yannespositocomen"/>
|
|
|
|
<link rel="alternate" lang="fr" xml:lang="fr" title="Password Management" type="text/html" hreflang="fr" href="/Scratch/fr/blog/Password-Management/" />
|
|
<link rel="alternate" lang="en" xml:lang="en" title="40 character's passwords" type="text/html" hreflang="en" href="/Scratch/en/blog/Password-Management/" />
|
|
<script type="text/javascript" src="/Scratch/js/jquery-1.3.1.min.js"></script>
|
|
<script type="text/javascript" src="/Scratch/js/jquery.cookie.js"></script>
|
|
<script type="text/javascript" src="/Scratch/js/index.js"></script>
|
|
<!--[if lt IE 9]>
|
|
<script src="http://ie7-js.googlecode.com/svn/version/2.1(beta4)/IE9.js"></script>
|
|
<![endif]-->
|
|
<title>40 character's passwords</title>
|
|
</head>
|
|
<body lang="en" class="article">
|
|
<script type="text/javascript">// <![CDATA[
|
|
document.write('<div id="blackpage"><img src="/Scratch/img/loading.gif" alt="loading..."/></div>');
|
|
// ]]>
|
|
</script>
|
|
|
|
<div id="content">
|
|
|
|
<div id="choix">
|
|
<div class="return"><a href="#entete">↓ Menu ↓</a></div>
|
|
<div id="choixlang">
|
|
<a href="/Scratch/fr/blog/Password-Management/" onclick="setLanguage('fr')">en Français</a>
|
|
</div>
|
|
<div class="flush"></div>
|
|
</div>
|
|
<div id="titre">
|
|
<h1>
|
|
40 character's passwords
|
|
</h1>
|
|
|
|
</div>
|
|
<div class="flush"></div>
|
|
|
|
|
|
|
|
|
|
|
|
<div class="flush"></div>
|
|
<div id="afterheader">
|
|
<div class="corps">
|
|
<p><img alt="Title image" src="/Scratch/img/blog/Password-Management/main.png" /></p>
|
|
|
|
|
|
<div class="intro">
|
|
|
|
|
|
<p><span class="sc"><abbr title="Too long; didn't read">tl;dr</abbr>: </span> How I manage safely my password with success for some years now.<br />
|
|
<strong><code>sha1( password + domain_name )</code></strong><br />
|
|
I memorize only one password.
|
|
I use a different password on all website.</p>
|
|
|
|
|
|
</div>
|
|
|
|
|
|
<p>Disclamer, this is an unashamed attempt to make you download my iPhone app ;-).
|
|
You’re always here?
|
|
Even if you won’t download my app, you should read more.
|
|
My method doesn’t necessitate my app.
|
|
It is both safe and easy to use everyday.</p>
|
|
|
|
<p>If you just want to <em>use</em> the tools without searching to understand why it is safe, just jump at the <a href="#in-practice">end of this article by clicking here</a>.</p>
|
|
|
|
<h2 id="why-you-should-use-a-password-manager">Why you should use a Password Manager?</h2>
|
|
|
|
<blockquote>
|
|
<p>Even paranoid could have ennemies.</p>
|
|
</blockquote>
|
|
|
|
<p>Imagine you find a really good password. You use it on GMail, Amazon, PayPal, Twitter, Facebook…
|
|
One day you see a nice online game you want to try.
|
|
They ask you your email and a password.
|
|
Some week passes, and the host machine of this online game is hacked.
|
|
Your mail and password is now in bad hands.
|
|
Unfortunately for you, you use the same password everywhere.
|
|
Then, the attacker can simply try your password everywhere.
|
|
On PayPal for example.</p>
|
|
|
|
<p>Well now, how could we fix that?</p>
|
|
|
|
<h2 id="which-methodology">Which methodology?</h2>
|
|
|
|
<blockquote>
|
|
<p>the good, the bad <em class="pala">&</em> the ugly</p>
|
|
</blockquote>
|
|
|
|
<p>The mostly used method is to remember a subset of different passwords.
|
|
In the best cases, your remember about 13 password.
|
|
Some strong, some weak.</p>
|
|
|
|
<p>What to do if you use more online services
|
|
than your memory can handle?</p>
|
|
|
|
<p>A <em>bad</em> solution would be to
|
|
chose passwords like this:</p>
|
|
|
|
<ul>
|
|
<li>twitter: <code>P45sW0r|)Twitter</code></li>
|
|
<li>gmail: <code>P45sW0r|)gmail</code></li>
|
|
<li>badonlinegame: <code>P45sW0r|)badonlinegame</code></li>
|
|
</ul>
|
|
|
|
<p>Unfortunately, if someone get your password on
|
|
badonlinegame, he could easily find your other passwords.
|
|
Of course you can imagine some better transformation. But it is hard to find a very good one.</p>
|
|
|
|
<p>Fortunately, there exists functions which handle exactly this problem.
|
|
<em>Hash Function</em>.
|
|
Knowing the result of a hash function, it is difficult to know what was their input.
|
|
For example:</p>
|
|
|
|
<pre class="twilight">
|
|
hash(<span class="String"><span class="String">"</span>P45sW0r|)<span class="String">"</span></span>) = 9f00fd5dbba232b7c03afd2b62b5fce5cdc7df63
|
|
</pre>
|
|
|
|
<p>If someone has <code>9f00fd5dbba232b7c03afd2b62b5fce5cdc7df63</code>,
|
|
he will have hard time to recover <code>P45sW0r|)</code>.</p>
|
|
|
|
<p>Let choose SHA1 as hash function.
|
|
Now the password for any website should
|
|
of the form:</p>
|
|
|
|
<p><code lang="zsh">
|
|
sha1( master_password + domain_name )
|
|
</code></p>
|
|
|
|
<p>Where:</p>
|
|
|
|
<ul>
|
|
<li><code>master_password</code> is your unique master password,</li>
|
|
<li><code>domain_name</code> is the domain name of the website you want the password for,</li>
|
|
</ul>
|
|
|
|
<hr />
|
|
<p>But what about some website constraint?
|
|
For example regarding the length of the password?
|
|
What to do if you want to change your password?
|
|
What to do if you want number or special characters?
|
|
This is why, for each website I need some other parameters:</p>
|
|
|
|
<ul>
|
|
<li>the login name</li>
|
|
<li>the password’s length,</li>
|
|
<li>the password number (in order to change it),</li>
|
|
<li>The output format: hexadecimal or base64.</li>
|
|
</ul>
|
|
|
|
<h2 id="in-practice">In practice?</h2>
|
|
|
|
<p>Depending on my situation here are the tools I made <em class="pala">&</em> use:</p>
|
|
|
|
<ul>
|
|
<li>On my Mac:
|
|
<ul>
|
|
<li>I use the dashboard widget <a href="http://yannesposito.com/Scratch/files/YPassword-1.6.zip">YPassword</a></li>
|
|
<li>Sometimes, some password field are forbidden to paste into. For time like this, I use this AppleScript made tool: <a href="http://yannesposito.com/Scratch/files/forcePaste.app.zip">ForcePaste</a>. </li>
|
|
</ul>
|
|
</li>
|
|
<li>On my Linux Box: I use the script <a href="http://github.com/yogsototh/getpass">ypassword</a></li>
|
|
<li>On my iPhone: I use the <a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=436268354&mt=8">YPassword app</a></li>
|
|
<li>On any other computer:
|
|
<ul>
|
|
<li><a href="http://yannesposito.com/Scratch/en/softwares/ypassword/web/">Cappuccino Made YPassword</a> Web application</li>
|
|
<li><a href="http://yannesposito.com/Scratch/en/softwares/ypassword/iphoneweb/">jQuery Made YPassword</a> Web application</li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>My password are at a copy/paste on all environment I use. I have some services for which I have password of 40 characters.
|
|
Now I use 10 character for most of my passwords.
|
|
Further more using shorter password make it even harder for an attaquer to retrieve my master password.</p>
|
|
|
|
<p>I would be happy to hear your thoughts on using this methodology.</p>
|
|
|
|
</div>
|
|
|
|
|
|
|
|
<div id="choixrss">
|
|
<a id="rss" href="http://feeds.feedburner.com/yannespositocomen">
|
|
Subscribe
|
|
</a>
|
|
</div>
|
|
<script type="text/javascript">
|
|
$(document).ready(function(){
|
|
$('#comment').hide();
|
|
$('#clickcomment').click(showComments);
|
|
});
|
|
function showComments() {
|
|
$('#comment').show();
|
|
$('#clickcomment').fadeOut();
|
|
}
|
|
document.write('<div id="clickcomment">Comments</div>');
|
|
</script>
|
|
<div class="flush"></div>
|
|
<div class="corps" id="comment">
|
|
<h2 class="first">comments</h2>
|
|
<noscript>
|
|
You must enable javascript to comment.
|
|
</noscript>
|
|
|
|
<script type="text/javascript">
|
|
var idcomments_acct = 'a307f0044511ff1b5cfca573fc0a52e7';
|
|
var idcomments_post_id = '/Scratch/en/blog/Password-Management/';
|
|
var idcomments_post_url = 'http://yannesposito.com/Scratch/en/blog/Password-Management/';
|
|
</script>
|
|
<span id="IDCommentsPostTitle" style="display:none"></span>
|
|
<script type='text/javascript' src='/Scratch/js/genericCommentWrapperV2.js'></script>
|
|
|
|
</div>
|
|
|
|
<div id="entete" class="corps_spaced">
|
|
<div id="liens">
|
|
<ul><li><a href="/Scratch/en/">Home</a></li>
|
|
<li><a href="/Scratch/en/blog/">Blog</a></li>
|
|
<li><a href="/Scratch/en/softwares/">Softwares</a></li>
|
|
<li><a href="/Scratch/en/about/">About</a></li></ul>
|
|
</div>
|
|
<div class="flush"></div>
|
|
<hr/>
|
|
<div id="next_before_articles">
|
|
<div id="previous_articles">
|
|
previous entries
|
|
|
|
<div class="previous_article">
|
|
<a href="/Scratch/en/blog/2011-04-20-Now-hosted-on-github/"><span class="nicer">«</span> Now hosted on github</a>
|
|
</div>
|
|
|
|
|
|
<div class="previous_article">
|
|
<a href="/Scratch/en/blog/2011-01-03-Why-I-sadly-won-t-use-coffeescript/"><span class="nicer">«</span> Why I won't use CoffeeScript (sadly)</a>
|
|
</div>
|
|
|
|
|
|
<div class="previous_article">
|
|
<a href="/Scratch/en/blog/2011-01-03-Happy-New-Year/"><span class="nicer">«</span> Happy New Year</a>
|
|
</div>
|
|
|
|
|
|
</div>
|
|
<div id="next_articles">
|
|
next entries
|
|
|
|
<div class="next_article">
|
|
<a href="/Scratch/en/blog/Haskell-Mandelbrot/">ASCII Haskell Mandelbrot <span class="nicer">»</span></a>
|
|
</div>
|
|
|
|
|
|
<div class="next_article">
|
|
<a href="/Scratch/en/blog/A-more-convenient-diff/">A more convenient diff <span class="nicer">»</span></a>
|
|
</div>
|
|
|
|
|
|
<div class="next_article">
|
|
<a href="/Scratch/en/blog/Learn-Vim-Progressively/">Learn Vim Progressively <span class="nicer">»</span></a>
|
|
</div>
|
|
|
|
|
|
</div>
|
|
<div class="flush"></div>
|
|
</div>
|
|
</div>
|
|
|
|
|
|
<div id="bottom">
|
|
<div>
|
|
<a rel="license" href="http://creativecommons.org/licenses/by-sa/3.0/">Copyright ©, Yann Esposito</a>
|
|
</div>
|
|
<div id="lastmod">
|
|
Created: 05/18/2011
|
|
Modified: 10/26/2011
|
|
</div>
|
|
<div>
|
|
Entirely done with
|
|
<a href="http://www.vim.org">Vim</a>
|
|
and
|
|
<a href="http://nanoc.stoneship.org">nanoc</a>
|
|
</div>
|
|
<div>
|
|
<a href="/Scratch/en/validation/">Validation</a>
|
|
<a href="http://validator.w3.org/check?uri=referer"> [xhtml] </a>
|
|
.
|
|
<a href="http://jigsaw.w3.org/css-validator/check/referer?profile=css3"> [css] </a>
|
|
.
|
|
<a href="http://validator.w3.org/feed/check.cgi?url=http%3A//yannesposito.com/Scratch/en/blog/feed/feed.xml">[rss]</a>
|
|
</div>
|
|
</div>
|
|
<div class="clear"></div>
|
|
</div>
|
|
</body>
|
|
</html> |