One Password to Rule Them All

Programming, Web

Passwords are the plague of the modern era. They are everywhere, and every system relies on them. People, unfortunately, are not designed to memorize all of them. The most common solution? Use one password for everything. Ask someone to create a new password and they will reuse the very same one.
Passwords have some intrinsic problems:

  • difficult to create
  • difficult to remember
  • spread across several systems

Jeff Atwood wrote about the advantages of passphrases over passwords, but I'm still not convinced that it correctly addresses the problem. With more robust brute force techniques it will in fact be easier to break, even if it has several characters.
And when a person uses the same password over and over, there is an extra problem:

  • cross-site vulnerability: when one site is hacked, every other account that shares the password is exposed

Some use password wallets: programs that store all your passwords in one place. However, that is putting all your eggs in a single basket. If the wallet gets hacked, all your passwords are exposed. It also keeps a record of every site you use, which makes a malicious hacker's job even easier.

PasswordMaker

I stumbled upon PasswordMaker on FLOSS Weekly episode 84 on TWiT, which opened my mind to a nice solution. The idea is a password generator that combines one central (master) password with a unique id for each site, which can simply be the site's address! Your only job is to remember that single master password; the tool recalculates the actual per-site password every time you need it. One password to rule them all.
It solves several problems.

complex password generation

It can automatically generate very, very strong passwords using a large set of possible characters. With the default 8 characters drawn from 99 possible symbols, a given password is 1 in 9 227 446 944 279 201, much better than the 110 075 314 176 possible passwords when using only lowercase letters. I personally use very long passwords. Configured to create a 20-character password, each one is 1 in 8 179 069 375 972 310 000 000 000 000 000 000 000 000! Much safer!

cross site safety

If Facebook is hacked, your Gmail account won't be compromised. If Flickr is invaded, your bank account will still be intact. Because each site gets a different password, you are protected on all the others. And believe me, site breaches and password leaks are very common.

multiple profiles

Sites have different password policies. Some require letters and numbers, some forbid special characters. Some require at least 8 characters, others cap the length at 20. With this tool you can easily switch between profiles and generate, each time, a password that fits the situation.
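To make the mechanism concrete (the master-password-plus-site-id idea above, and the per-site profiles just described), here is an added example of my own; it is not PasswordMaker's actual algorithm or profile format. It uses PBKDF2 with the site id as salt and maps the result onto the profile's character set, so the same master password yields a different, reproducible password for every site and policy.

```python
import hashlib
import math
import string

# Constructed profiles mirroring typical site policies (hypothetical, not
# PasswordMaker's real profile format): allowed characters and length.
PROFILES = {
    "strong": {  # letters, digits and punctuation: 94 symbols, 20 long
        "charset": string.ascii_letters + string.digits + string.punctuation,
        "length": 20,
    },
    "alnum8": {  # sites that forbid special characters and cap at 8
        "charset": string.ascii_letters + string.digits,
        "length": 8,
    },
}


def keyspace(charset: str, length: int) -> int:
    """Number of distinct passwords a profile can produce (symbols ** length)."""
    return len(charset) ** length


def derive_password(master: str, site_id: str, profile: dict,
                    iterations: int = 200_000) -> str:
    """Deterministically derive a site password from the master password.

    The site id (e.g. the domain) is the PBKDF2 salt, so two sites never
    share a password, and nothing about the master password is stored.
    """
    charset, length = profile["charset"], profile["length"]
    base = len(charset)
    # Bytes needed for `length` symbols, plus 64 spare bits so that taking
    # the derived integer modulo base**length leaves only negligible bias.
    nbytes = math.ceil((length * math.log2(base) + 64) / 8)
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              site_id.encode("utf-8"), iterations, dklen=nbytes)
    value = int.from_bytes(raw, "big")
    out = []
    for _ in range(length):          # base-N conversion into the charset
        value, idx = divmod(value, base)
        out.append(charset[idx])
    return "".join(out)


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed sample, not a real secret
    for site in ("facebook.com", "mail.google.com"):
        print(site, derive_password(master, site, PROFILES["strong"]))
    print("alnum8 variant:", derive_password(master, "bank.example", PROFILES["alnum8"]))
```

Changing the master password, or a site's id, changes every derived password, which is what makes a yearly rotation of the master password a single-step operation.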

browser extensions

On their site there are plugins for all major browsers, which make the tool much easier to use. I personally created a Chrome extension that uses the same algorithm. I hope people like it.

no central repository

Nothing is stored on your computer or on the internet. You don't have to keep track of which sites you have accounts on.
It still requires non-software measures to work well. You have to change your master password on a regular basis (yearly, maybe), among other habits.
It is not a silver bullet, but it addresses several problems.